Hi all,
I tried to test some TACACS+ config with VPDN. The purpose was to implement
per-user interface and router config. I observed that I cannot use some
commands like "ip vrf forwarding", "service-policy" or "ip rtp priority"
in the interface-config AV pair (but it seems to be supported). The log is
below:
00:22:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:22:18: Vi1 AAA/AUTHOR/LCP: Authorization succeeds trivially
00:22:20: AAA/AUTHOR (0xB): Pick method list 'default'
00:22:20: AAA/AUTHOR (0xB): Pick method list 'default'
00:22:20: Vi1 PPP/AAA: Check Attr: Framed-Protocol
00:22:20: Vi1 PPP/AAA: Check Attr: username
00:22:20: Vi1 PPP/AAA: Check Attr: interface-config:Peruser I/F
00:22:20: Vi1 PPP/AAA: Check Attr: interface-config:Peruser I/F
00:22:20: Vi1 PPP/AAA: Check Attr: interface-config:Peruser I/F
00:22:20: Vi1 AAA/AUTHOR/FSM: We can start LCP
00:22:20: Vi1 PPP/AAA: Check Attr: Framed-Protocol
00:22:20: Vi1 PPP/AAA: Check Attr: username
00:22:20: Vi1 AAA/AUTHOR/FSM: We can start IPCP
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Author
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: AAA/AUTHOR: Processing PerUser AV interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: AAA/AUTHOR: Processing PerUser AV interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: AAA/AUTHOR: Processing PerUser AV interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: Process Attr: interface-config
00:22:20: Vi1 AAA/AUTHOR/LCP: IF_config:
bandwidth 128
peer default ip address pool gvpn-pool2
service-policy output 4CB
00:22:21: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Here the service-policy seems to cause the problem; if I remove it from the
user profile config, it works fine.
The user profile (Linux tac_plus server) is:
user = gvpn_voice {
    global = cleartext "xxxx"
    service = ppp protocol = lcp {
        interface-config#1="bandwidth 128"
        interface-config#2="peer default ip address pool gvpn-pool2"
        interface-config#3="service-policy output 4CB"
    }
    service = ppp protocol = ip {
    }
}
The router config (2500, IOS 12.2(11)T) is:
aaa new-model
!
!
aaa authentication fail-message ^CYou have been deconnected^C
aaa authentication password-prompt "Secure password :"
aaa authentication username-prompt "Secure username :"
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated
aaa session-id common
!
virtual-profile aaa
vpdn enable
!
vpdn-group 2
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
!
vpdn-group 3
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
 ip tos reflect
!
(...)
!
interface Ethernet0
 description Private LAN interface
 ip address 172.16.4.254 255.255.0.0 secondary
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 no cdp enable
!
interface Ethernet1
 description Public LAN interface
 bandwidth 160
 ip address dhcp
 ip helper-address 10.0.0.1
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 max-reserved-bandwidth 100
 service-policy output 4CB
 no cdp enable
!
interface Virtual-Template2
 ip unnumbered Loopback0
 max-reserved-bandwidth 100
 no peer default ip address
 ppp authentication chap ms-chap callin
!
(...)
!
ip local pool gvpn-pool1 192.168.254.1 192.168.254.253
ip local pool gvpn-pool2 192.168.255.1 192.168.255.253
!
tacacs-server host 10.0.0.3
tacacs-server key cisco42
Has anyone already tried this kind of config?
Thanks
Stephane Litkowski
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57970&t=57970
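An added example, not part of Stephane's post and not tac_plus or IOS code: the interface-config AV pairs in a TACACS+ profile are, in effect, a per-user config push onto the NAS, so it is worth linting what a profile is allowed to push and correlating it with the router's AAA debug output. The script below parses the interface-config#N pairs out of a tac_plus "user" block (tracking the nested service/protocol braces), pulls the commands the router echoes under "IF_config:" in the debug log, checks the profile against an operator-chosen allow-list, and reports whether a Virtual-Access interface went down after the push. The sample profile and log are constructed to mirror the ones above, and the allow-list contents are an assumption for illustration; the script makes no claim about which commands IOS itself accepts on a virtual profile.

```python
"""Cross-check a tac_plus per-user profile against an IOS AAA debug log.

Added example (not from the original post). Parses interface-config#N AV
pairs from a tac_plus user block, extracts the commands the router reports
under "IF_config:", lints the profile against an allow-list, and flags a
Virtual-Access interface that dropped right after the push.
"""
import re

# Constructed sample input, modelled on the profile and log in the post.
PROFILE = '''
user = gvpn_voice {
    global = cleartext "xxxx"
    service = ppp protocol = lcp {
        interface-config#1="bandwidth 128"
        interface-config#2="peer default ip address pool gvpn-pool2"
        interface-config#3="service-policy output 4CB"
    }
    service = ppp protocol = ip {
    }
}
'''

LOG = '''
00:22:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:22:20: Vi1 AAA/AUTHOR/LCP: IF_config:
bandwidth 128
peer default ip address pool gvpn-pool2
service-policy output 4CB
00:22:21: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
'''

# Assumed allow-list: commands the operator is willing to let the AAA server
# push onto a per-user interface. Anything else is reported, regardless of
# whether IOS would accept it.
ALLOWED = (
    re.compile(r"^bandwidth \d+$"),
    re.compile(r"^peer default ip address pool \S+$"),
)

AVPAIR_RE = re.compile(r'interface-config#(\d+)\s*=\s*"([^"]*)"')
SERVICE_RE = re.compile(r"service\s*=\s*(\S+)\s+protocol\s*=\s*(\S+)\s*\{")
TS_RE = re.compile(r"^\d\d:\d\d:\d\d: ")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")


def parse_profile(text: str) -> dict:
    """Return {"lcp": [(1, "bandwidth 128"), ...], "ip": [...]} by protocol.

    tac_plus nests 'service = ppp protocol = X { ... }' blocks inside the
    user block; a brace stack keeps each pair under the right protocol.
    """
    pairs, stack = {}, []
    for line in text.splitlines():
        m = SERVICE_RE.search(line)
        if m:
            stack.append(m.group(2))
            pairs.setdefault(m.group(2), [])
            continue
        for m in AVPAIR_RE.finditer(line):
            if stack:
                pairs[stack[-1]].append((int(m.group(1)), m.group(2)))
        if line.strip() == "}" and stack:
            stack.pop()
    for proto in pairs:
        pairs[proto].sort()  # apply in #N order, as the router does
    return pairs


def parse_log(text: str) -> dict:
    """Collect the IF_config command list and an ordered event trail."""
    pushed, in_block, events = [], False, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TS_RE.match(line):
            in_block = line.rstrip().endswith("IF_config:")
            if in_block:
                events.append(("push",))
            m = LINK_RE.search(line)
            if m:
                events.append(("link", m.group(1), m.group(2)))
            continue
        if in_block:  # untimestamped lines after IF_config: are the commands
            pushed.append(line.strip())
    return {"pushed": pushed, "events": events}


def down_after_push(events) -> bool:
    """True if a Virtual-Access interface went down after an IF_config push."""
    seen_push = False
    for ev in events:
        if ev[0] == "push":
            seen_push = True
        elif seen_push and ev[2] == "down" and ev[1].startswith("Virtual-Access"):
            return True
    return False


def audit(profile_text: str, log_text: str, protocol: str = "lcp") -> dict:
    prof, log = parse_profile(profile_text), parse_log(log_text)
    cmds = [c for _, c in prof.get(protocol, [])]
    return {
        "profile_commands": cmds,
        "pushed": log["pushed"],
        "not_on_allowlist": [c for c in cmds if not any(r.match(c) for r in ALLOWED)],
        "in_profile_not_pushed": [c for c in cmds if c not in log["pushed"]],
        "pushed_not_in_profile": [c for c in log["pushed"] if c not in cmds],
        "virtual_access_went_down": down_after_push(log["events"]),
    }


if __name__ == "__main__":
    for key, value in audit(PROFILE, LOG).items():
        print(f"{key}: {value}")
```

Run it against a real profile and a "debug aaa authorization" / "debug ppp" capture: a non-empty not_on_allowlist list is the thing to review before the next bisect, and pushed_not_in_profile catches an AAA server handing the NAS commands nobody put in the profile.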
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html