Re: Freeradius Cisco-AVPair

2004-07-26 Thread David Birnbaum
For those of you (un)lucky enough to be searching for Cisco, PPPoE, 
RADIUS, static IP addresses, and the like, here's the skinny.

1.  Yes, Virginia, you can do static IP address via RADIUS, Cisco 7206,
and PPPoE for DSL-type applications.  At least as of 12.2(24), and
possibly much earlier.
2.  The standard radius attributes work:
Framed-Protocol = PPP,
Framed-IP-Address = X.X.X.X,
Framed-IP-Netmask = 255.255.255.255,
and the like (including Framed-Compression = Van-Jacobson-TCP-IP).
You don't need any of the Cisco-AVPair, at least not for the usual
stuff.
3.  However, you MUST have this:
  aaa authorization network default group radius none
Or nothing will work.
The none is important if you have any non-authorized PPP sessions (like 
regular serial lines) or you will break all of your non-RADIUS 
authenticated connections. Apparently, if you just have THIS:

  aaa authorization network default none
you will automatically be authorized for network information, but (here's 
the kicker) the Cisco will silently ignore the attributes returned by 
RADIUS because you didn't specify that they come from RADIUS.  So it will 
blithely ignore the return attributes.

Hopefully this will save somebody out there more time than I wasted on 
this, and thus the world will even out.

Cheers,
David.
-
On Mon, 19 Jul 2004, David Birnbaum wrote:
> On Sun, 18 Jul 2004, Kevin Bonner wrote:
>> On Friday 16 July 2004 17:12, David Birnbaum wrote:
>>> 1.  Cisco doesn't seem to support Framed-Address for PPPoE (if anyone
>>>  knows different that would be great, because nobody at Cisco knows
>>>  how to do this.  If you can tell me how, stop reading the rest of the
>>>  message and help me out!)
>> Here are some of the entries we use for our PPPoE connections on a 7505:
>> Cisco-AVPair += ip:addr=1.2.3.1,
>> Cisco-AVPair += ip:route=1.2.3.4 255.255.255.0,
>> Cisco-AVPair += ip:inacl#1=permit ip any 1.2.3.0 0.0.0.255,
>> Try the ip:addr line rather than assigning an addr-pool and post your
>> results.
>> If that doesn't work, the cisco config may need to be tweaked.
> Kevin, I tried this out.  The cisco log still shows:
>  Jul 19 15:51:39: Invalid attribute in radius buffer
>  Jul 19 15:51:39: Unable to dump packet further
> Obviously Cisco-AVPair is working for other people; could you share your
> working 7505 config?  I think the problem is that the radius packet is not
> built right or otherwise undecodable, which makes it hard to debug whether
> the AVPair syntax is right!  radiusd -X shows this:
>
>  Sending Access-Accept of id 185 to X.X.X.X:1645
>    Cisco-AVPair = ip:addr=Y.Y.Y.Y
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
> which sure looks good to me
> David.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Cisco-AVPair

2004-07-19 Thread David Birnbaum
On Sun, 18 Jul 2004, Kevin Bonner wrote:
> On Friday 16 July 2004 17:12, David Birnbaum wrote:
>> 1.  Cisco doesn't seem to support Framed-Address for PPPoE (if anyone
>>  knows different that would be great, because nobody at Cisco knows
>>  how to do this.  If you can tell me how, stop reading the rest of the
>>  message and help me out!)
> Here are some of the entries we use for our PPPoE connections on a 7505:
> Cisco-AVPair += ip:addr=1.2.3.1,
> Cisco-AVPair += ip:route=1.2.3.4 255.255.255.0,
> Cisco-AVPair += ip:inacl#1=permit ip any 1.2.3.0 0.0.0.255,
> Try the ip:addr line rather than assigning an addr-pool and post your results.
> If that doesn't work, the cisco config may need to be tweaked.
Kevin, I tried this out.  The cisco log still shows:
  Jul 19 15:51:39: Invalid attribute in radius buffer
  Jul 19 15:51:39: Unable to dump packet further
Obviously Cisco-AVPair is working for other people; could you share your 
working 7505 config?  I think the problem is that the radius packet is not 
built right or otherwise undecodable, which makes it hard to debug whether 
the AVPair syntax is right!  radiusd -X shows this:

  Sending Access-Accept of id 185 to X.X.X.X:1645
    Cisco-AVPair = ip:addr=Y.Y.Y.Y
    Service-Type = Framed-User
    Framed-Protocol = PPP
which sure looks good to me
David.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
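Both posts come down to whether the Access-Accept bytes the NAS receives decode cleanly, which is what the Jul 19 message suspects behind "Invalid attribute in radius buffer". As an added example (not code from the thread, from FreeRADIUS, or from Cisco), this Python builds the attribute block of such an Access-Accept with the standard Framed-* attributes from the Jul 26 post plus a Cisco-AVPair vendor-specific attribute, then parses it back with the length checks a NAS applies; the function names are mine, the attribute numbers and VSA layout follow RFC 2865 (Cisco vendor id 9, vendor-type 1 for Cisco-AVPair), and the IP addresses are constructed samples.

```python
import ipaddress, struct

SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 6, 7, 8, 9  # RFC 2865
VENDOR_SPECIFIC, FRAMED_USER, PPP = 26, 2, 1
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco's IANA vendor id; vendor-type 1 = Cisco-AVPair

def attr(atype, value):
    """Type | Length | Value; Length counts its own 2-byte header, so value <= 253 bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    """Vendor-Specific(26): vendor-id, then vendor-type, vendor-length, string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_accept_attrs(ip, avpair):
    """Attribute block of an Access-Accept like the one in the thread (constructed)."""
    return b"".join([
        attr(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
        attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)),
        attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        attr(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.255").packed),
        cisco_avpair(avpair),
    ])

def parse_attrs(buf):
    """Walk the block as a NAS does; returns (type, value) tuples, VSA -> (26, (vendor, vtype, text))."""
    out, i = [], 0
    while i < len(buf):
        alen = buf[i + 1] if len(buf) - i >= 2 else 0
        if alen < 2 or i + alen > len(buf):
            raise ValueError("invalid attribute length at offset %d" % i)
        atype, value = buf[i], buf[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute shorter than 6 bytes")
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:   # vendor-length covers vtype, vlen and the string
                raise ValueError("vendor-length does not match the VSA payload")
            value = (vendor, vtype, value[6:].decode())
        out.append((atype, value))
        i += alen
    return out

def is_well_formed(buf):
    """True when the whole attribute block decodes without a length error."""
    try:
        parse_attrs(buf)
        return True
    except ValueError:
        return False
```

Feeding the block a packet capture (the attribute region after the 20-byte RADIUS header) tells you whether a "Invalid attribute in radius buffer" message is a wire-format problem or an AVPair-syntax problem.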