For those of you (un)lucky enough to be searching for Cisco, PPPoE, RADIUS, static IP addresses, and the like, here's the skinny.

1.  Yes, Virginia, you can do static IP address via RADIUS, Cisco 7206,
    and PPPoE for DSL-type applications.  At least as of 12.2(24), and
    possibly much earlier.

2.  The "standard" radius attributes work:

                Framed-Protocol = PPP,
                Framed-IP-Address = X.X.X.X,
                Framed-IP-Netmask = 255.255.255.255,

    and the like (including Framed-Compression = Van-Jacobson-TCP-IP).
    You don't need any of the Cisco-AVPair, at least not for the usual
    stuff.

3.  However, you MUST have this:

      aaa authorization network default group radius none

    Or nothing will work.

The "none" is important if you have any non-authorized PPP sessions (like regular serial lines) or you will break all of your non-RADIUS authenticated connections. Apparently, if you just have THIS:

      aaa authorization network default none

you will automatically be authorized for network information, but (here's the kicker) the Cisco will silently ignore the attributes returned by RADIUS because you didn't specify that they come from RADIUS. So it will blithely ignore the return attributes.

Hopefully this will save somebody out there more time than I wasted on this, and thus the world will even out.

Cheers,

David.
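
A config check for the two failure modes described in point 3, as an added example that is not part of the original post: it reads an IOS config and reports whether the network authorization list names `group radius` and keeps the `none` fallback. The sample configs and all function names are constructed for illustration, and only the built-in `group radius` method is recognized (named server groups are not resolved).

```python
import re

# Constructed sample configs for illustration (not from the original post).
GOOD = "aaa new-model\naaa authorization network default group radius none\n"
ATTRS_IGNORED = "aaa new-model\naaa authorization network default none\n"
NO_FALLBACK = "aaa new-model\naaa authorization network default group radius\n"

LINE = re.compile(r"aaa authorization network (\S+)\s+(.+)$")

MESSAGES = {
    "missing": "no 'aaa authorization network' line for this list",
    "radius-attrs-ignored": "list lacks 'group radius'; per the post, "
                            "Framed-IP-Address etc. are silently dropped",
    "no-none-fallback": "list lacks 'none'; per the post, non-RADIUS "
                        "PPP sessions (e.g. serial lines) will break",
}

def parse_methods(text):
    """Split 'group radius none' into ['group radius', 'none']."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out

def authz_lists(config):
    """Map each network authorization list name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())  # 'no aaa ...' lines do not match
        if m:
            lists[m.group(1)] = parse_methods(m.group(2))
    return lists

def check_network_authz(config, list_name="default"):
    """Return finding codes (keys of MESSAGES) for one method list."""
    methods = authz_lists(config).get(list_name)
    if methods is None:
        return ["missing"]
    findings = []
    if "group radius" not in methods:
        findings.append("radius-attrs-ignored")
    if "none" not in methods:
        findings.append("no-none-fallback")
    return findings
```

An empty result means the list matches the working line from point 3; each returned code has a description in `MESSAGES`.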

-----

On Mon, 19 Jul 2004, David Birnbaum wrote:

On Sun, 18 Jul 2004, Kevin Bonner wrote:

On Friday 16 July 2004 17:12, David Birnbaum wrote:
1. Cisco doesn't seem to support Framed-Address for PPPoE (if anyone
knows different that would be great, because nobody at Cisco knows
how to do this. If you can tell me how, stop reading the rest of the
message and help me out!)

Here are some of the entries we use for our PPPoE connections on a 7505:

        Cisco-AVPair += "ip:addr=1.2.3.1",
        Cisco-AVPair += "ip:route=1.2.3.4 255.255.255.0",
        Cisco-AVPair += "ip:inacl#1=permit ip any 1.2.3.0 0.0.0.255",

Try the ip:addr line rather than assigning an addr-pool and post your results.
If that doesn't work, the cisco config may need to be tweaked.

Kevin, I tried this out. The cisco log still shows:

 Jul 19 15:51:39:     Invalid attribute in radius buffer
 Jul 19 15:51:39:     Unable to dump packet further

Obviously Cisco-AVPair is working for other people; could you share your working 7505 config? I think the problem is that the radius packet is not built right or otherwise undecodable, which makes it hard to debug whether the AVPair syntax is right! radiusd -X shows this:

 Sending Access-Accept of id 185 to X.X.X.X:1645
       Cisco-AVPair = "ip:addr=Y.Y.Y.Y"
       Service-Type = Framed-User
       Framed-Protocol = PPP

which sure looks good to me....

David.

