Anybody doing HTTP redirect with BNG? Been trying to get a walled garden for suspended users thrown together. Policy is applied, but traffic isn't getting redirected.

On Mon, Apr 27, 2020 at 2:14 AM Brian Turnbow via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

> ---------- Forwarded message ----------
> From: Brian Turnbow <b.turn...@twt.it>
> To: Scott Miller <fordl...@gmail.com>
> Cc: cisco-nsp <cisco-nsp@puck.nether.net>, Tom Chambers <tom.chamb...@kcom.com>
> Bcc:
> Date: Mon, 27 Apr 2020 08:10:45 +0000
> Subject: RE: [c-nsp] ASR 9010 BNG setup
>
> Hi Scott
>
> Yes you need to check all your attributes being passed because they are different for the 9ks with respect to 1ks
> For example
> ip:ip-unnumbered=loopback 0 would need to be
> ipv4:ipv4-unnumbered=loopback 0
> to send routes you need to use framed-route and not cisco avpair ip:route
> and several others
> one that took us awhile to find was needing service-type outbound-user to set up l2tp tunnels out to some of our customers.
> And as Tom said if one attribute comes in that is not accepted the user will not come up.
> So make sure to test well
>
> Brian
>
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tom Chambers
> > Sent: Saturday, April 25, 2020 5:32 AM
> > To: Scott Miller <fordl...@gmail.com>
> > Cc: cisco-nsp <cisco-nsp@puck.nether.net>
> > Subject: Re: [c-nsp] ASR 9010 BNG setup
> >
> > The attribute list there is to just accept the attributes from the RADIUS server defined in that list, if you don’t have one configured then the BNG will accept all from the RADIUS server.
> >
> > You might want to use them depending on your setup; when an IOS-XR device receives an unsupported attribute from the RADIUS server it won’t authenticate the subscriber session and will remain down, whereas IOS-XE will ignore the unsupported attributes and authenticate the subscriber regardless.
> >
> > You may find this interesting/useful https://community.cisco.com/t5/service-providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436
> >
> > Regards,
> > Tom
> >
> > From: Scott Miller <fordl...@gmail.com>
> > Sent: 24 April 2020 23:24
> > To: Tom Chambers <tom.chamb...@kcom.com>
> > Cc: cisco-nsp <cisco-nsp@puck.nether.net>
> > Subject: Re: [c-nsp] ASR 9010 BNG setup
> >
> > Ah, now that makes more sense. Got it. Clear as mud now.
> >
> > aaa group server radius RADIUS_SERVER
> >  deadtime 40
> >  server-private xx.xx.xx.xx auth-port 1812 acct-port 1813
> >   key 7 xyzxyzxyz
> > !
> >
> > Another question. The docs talk about the attribute list. Looks like they want them in some sort of access-list. Is that correct? On the 1002 we have no such access-list
> >
> > Example:
> > SUMMARY STEPS
> > configure
> > aaa group server radius name
> > accounting accept radius_attribute_list_name
> > authorization reply accept radius_attribute_list_name
> >
> > All we have on the 1002 is:
> > aaa group server radius RADIUS_SERVER
> >  server xx.xx.xx.xx auth-port 1812 acct-port 1813
> > !
> > aaa authentication login VTY_Auth_List group AAA_TACACs_Servers enable
> > aaa authentication login VTY_Auth_None none
> > aaa authentication ppp default group RADIUS_SERVER
> > aaa authorization exec default group tacacs+ if-authenticated
> > aaa authorization network default group RADIUS_SERVER
> > aaa authorization auth-proxy default group RADIUS_SERVER
> > aaa accounting send stop-record authentication failure
> > aaa accounting send stop-record always
> > aaa accounting delay-start
> > aaa accounting nested
> > aaa accounting update newinfo periodic 60
> > aaa accounting exec default start-stop group tacacs+
> > aaa accounting commands 0 default start-stop group tacacs+
> > aaa accounting commands 1 default start-stop group tacacs+
> > aaa accounting commands 15 default start-stop group tacacs+
> > aaa accounting network default start-stop group RADIUS_SERVER
> > aaa accounting connection default start-stop group RADIUS_SERVER
> > aaa accounting system default
> >  action-type start-stop
> >  group RADIUS_SERVER
> > !
> > aaa accounting resource default start-stop group RADIUS_SERVER
> > !
> > aaa server radius dynamic-author
> >  server-key 7 xyzxyzxyz
> >  port 3799
> >  auth-type any
> > !
> > Then a bba-group
> > sub interface layer 2 with vlan specified virtual-template
> >
> > and that's it. If I'm making it out to be harder than it really is, just ignore me. I'm still following the doc to get it set up. Just jumping ahead and probably confusing myself.
> >
> > Thanks,
> >
> > On Fri, Apr 24, 2020 at 4:11 PM Tom Chambers <tom.chamb...@kcom.com> wrote:
> > Hi,
> >
> > The 'server x.x.x.x auth-port Y acct-port X' command in the RADIUS server group is looking for an already configured public (global) server, you'll need to configure the server globally using 'radius-server host x.x.x.x auth-port Y acct-port Z' for this to work.
> > Alternatively you could use 'server-private x.x.x.x auth-port Y acct-port Z' in the RADIUS server group, this will specify the server for just the group you are using and not require it to be in the global config as well.
> >
> > Regards,
> > Tom
> >
> > -----Original Message-----
> > From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Scott Miller
> > Sent: 24 April 2020 20:21
> > To: cisco-nsp <cisco-nsp@puck.nether.net>
> > Subject: [c-nsp] ASR 9010 BNG setup
> >
> > Hello all. We have an ASR9010 we're using as a PE router, and we'd like to migrate our PPPoE off of an ASR1002x onto the 9010. Reading the documentation here:
> >
> > https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/bng/configuration/guide/b-bng-cg-asr9000-64x/b-bng-cg-asr9000-64x_chapter_011.html
> >
> > on the Configuring RADIUS Server Group section, I enter the following, but get an error:
> >
> > RP/0/RSP0/CPU0:asbr1.kalhoc#config t
> > Fri Apr 24 13:13:47.801 MDT
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config)#aaa group server radius RADIUS_SERVER
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# deadtime 40
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# source-interface Loopback1
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#server xx.xx.xx.xx auth-port 1812 acct-port 1813
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#commit
> > Fri Apr 24 13:13:58.996 MDT
> >
> > % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#
> >
> > if I remove the server IP line, it commits fine, but I can't add anything else under the aaa group server radius RADIUS_SERVER config.
> > I see in the error it's an "inheritance" issue, but not seeing what I'm missing.
> > Following the doc top down. And yes, Loopback1 does exist.
> >
> > show config:
> > !
> > aaa group server radius RADIUS_SERVER
> >  deadtime 40
> >  source-interface Loopback1
> > !
> >
> > Cisco ASR9010
> > Version 6.4.2
> > RSP440-SE
> > RP/0/RSP0/CPU0:asbr1.kalhoc#show install active
> > Fri Apr 24 13:16:10.341 MDT
> > Secure Domain Router: Owner
> >
> > Node 0/RSP0/CPU0 [RP] [SDR: Owner]
> >   Boot Device: disk0:
> >   Boot Image: /disk0/asr9k-os-mbi-6.4.2.CSCvj68649-1.0.0/0x100305/mbiasr9k-rsp3.vm
> >
> > Any help in where I'm going wrong already would be greatly appreciated.
> >
> > Scott
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > This email has been scanned for all viruses.
> >
> > Please consider the environment before printing this email.
> >
> > The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any contract or obligation, unless we have specifically agreed to be bound.
> >
> > KCOM Group Limited is a private limited company incorporated in England and Wales, company number 02150618 and whose registered office is at 37 Carr Lane, Hull, HU1 3RE
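
The attribute differences described in the quoted replies (IOS-XE ignores unsupported RADIUS attributes, IOS-XR keeps the subscriber down) can be checked before subscribers are moved. The following is an added example, not code from the thread or from Cisco: it lints a reply profile for the two changes named above and for attributes outside an operator-supplied list. The FreeRADIUS-style `Attribute = "value"` syntax, the sample profile, `Example-Vendor-Attr` and the `xr_supported` list are assumptions.

```python
import re

# Renames named in the thread: IOS-XE Cisco-AVPair prefix -> IOS-XR prefix.
AVPAIR_RENAMES = {"ip:ip-unnumbered=": "ipv4:ipv4-unnumbered="}
# AVPair prefixes the thread says must be sent as a standard attribute on XR.
AVPAIR_TO_STANDARD = {"ip:route=": "Framed-Route"}

# Matches  Attribute = "value",  or  Attribute += "value"  (assumed syntax).
REPLY_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*\+?=\s*"?(.*?)"?\s*,?\s*$')

def lint_reply(profile, xr_supported):
    """Return (line number, kind, detail) findings for one reply profile.

    xr_supported is the operator's own set of lower-case attribute names
    already verified on the ASR9k (an assumption of this example).
    Cisco-AVPair values other than those named in the thread are not judged.
    """
    findings = []
    for lineno, line in enumerate(profile.splitlines(), 1):
        m = REPLY_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name.lower() == "cisco-avpair":
            for old, new in AVPAIR_RENAMES.items():
                if value.lower().startswith(old):
                    findings.append((lineno, "rename", new + value[len(old):]))
            for old, std in AVPAIR_TO_STANDARD.items():
                if value.lower().startswith(old):
                    findings.append((lineno, "replace", std))
        elif name.lower() not in xr_supported:
            # Per the thread, one unaccepted attribute keeps the session down.
            findings.append((lineno, "unverified", name))
    return findings

# Constructed sample profile (not from the thread).
SAMPLE = '''
    Framed-Protocol = PPP,
    Cisco-AVPair = "ip:ip-unnumbered=loopback 0",
    Cisco-AVPair += "ip:route=192.0.2.0 255.255.255.0",
    Example-Vendor-Attr = "1"
'''

if __name__ == "__main__":
    for finding in lint_reply(SAMPLE, {"framed-protocol", "framed-route"}):
        print(finding)
```
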