Table Of Contents
Per VRF AAA
Contents
Prerequisites for Per VRF AAA
Restrictions for Per VRF AAA
Information About Per VRF AAA
How Per VRF AAA Works
Benefits
AAA Accounting Records
New Vendor-Specific Attributes
How to Configure Per VRF AAA
Configuring Per VRF AAA
Configuring AAA
Configuring Server Groups
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Configuring RADIUS-Specific Commands for Per VRF AAA
Configuring Interface-Specific Commands for Per VRF AAA
Configuring Per VRF AAA Using Local Customer Templates
Configuring AAA
Configuring Server Groups
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Configuring Authorization for Per VRF AAA with Local Customer Templates
Configuring Local Customer Templates
Configuring Per VRF AAA Using Remote Customer Templates
Configuring AAA
Configuring Server Groups
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
Configuring the RADIUS Profile on the SP RADIUS Server
Verifying VRF Routing Configurations
Troubleshooting Per VRF AAA Configurations
Configuration Examples for Per VRF AAA
Per VRF Configuration: Examples
Per VRF AAA: Example
Per VRF AAA Using a Locally Defined Customer Template: Example
Per VRF AAA Using a Remote RADIUS Customer Template: Example
Customer Template: Examples
Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
Remotely Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
AAA Accounting Stop Records: Examples
AAA Accounting Stop Record and Successful Call: Example
AAA Accounting Stop Record and Rejected Call: Example
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Command Reference
aaa accounting
aaa accounting delay-start
aaa accounting send stop-record authentication
aaa authorization template
ip radius source-interface
ip vrf forwarding (server-group)
radius-server attribute 44 include-in-access-req
radius-server domain-stripping
server-private (RADIUS)
Glossary
Per VRF AAA
First Published: June 4, 2001
Last Updated: March 20, 2006
The Per VRF AAA feature allows authentication, authorization, and accounting (AAA) on the basis of Virtual Private Network (VPN) routing and forwarding (VRF) instances. For Cisco IOS Release 12.2(15)T or later releases, you can use a customer template, which may be stored either locally or remotely, and AAA services can be performed on the information that is stored in the customer template.
History for the Per VRF AAA Feature
Release
|
Modification
|
12.2(1)DX
|
This feature was introduced on the Cisco 7200 series and the Cisco 7401ASR.
|
12.2(2)DD
|
This feature was integrated into Cisco IOS Release 12.2(2)DD. The ip vrf forwarding and radius-server domain-stripping commands were added.
|
12.2(4)B
|
This feature was integrated into Cisco IOS Release 12.2(4)B.
|
12.2(13)T
|
This feature was integrated into Cisco IOS Release 12.2(13)T.
|
12.2(15)T
|
The aaa authorization template command was added in Cisco IOS Release 12.2(15)T.
|
12.4(2)T
|
The aaa accounting send stop-record authentication command was updated with additional support for AAA accounting stop records in the Cisco IOS Release 12.4(2)T. Relevant sections were updated to support this new functionality.
|
12.2(28)SB
|
This feature was integrated into Cisco IOS Release 12.2(28)SB.
|
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Per VRF AAA
•Restrictions for Per VRF AAA
•Information About Per VRF AAA
•How to Configure Per VRF AAA
•Configuration Examples for Per VRF AAA
•Additional References
•Command Reference
•Glossary
Prerequisites for Per VRF AAA
Before configuring the Per VRF AAA feature, you must enable AAA. (For information on completing this task, refer to the AAA chapters of the "Cisco IOS Security Configuration Guide", Release 12.4)
Restrictions for Per VRF AAA
•This feature is supported only for RADIUS servers.
•Operational parameters should be defined once per VRF rather than set per server group, because all functionalities must be consistent between the network access server (NAS) and the AAA servers.
•The ability to configure a customer template either locally or remotely is available only for Cisco IOS Release 12.2(15)T and later releases.
Information About Per VRF AAA
When you use the Per VRF AAA feature, AAA services can be based on VRF instances. This feature permits the Provider Edge (PE) or Virtual Home Gateway (VHG) to communicate directly with the customer's RADIUS server, which is associated with the customer's Virtual Private Network (VPN), without having to go through a RADIUS proxy. Thus, ISPs can scale their VPN offerings more efficiently because they no longer have to use RADIUS proxies and ISPs can also provide their customers with additional flexibility.
•How Per VRF AAA Works
•Benefits
•AAA Accounting Records
•New Vendor-Specific Attributes
How Per VRF AAA Works
To support AAA on a per customer basis, some AAA features must be made VRF aware. That is, ISPs must be able to define operational parameters—such as AAA server groups, method lists, system accounting, and protocol-specific parameters—and bind those parameters to a particular VRF instance. Defining and binding the operational parameters can be accomplished using one or more of the following methods:
•Virtual private dialup network (VPDN) virtual template or dialer interfaces that are configured for a specific customer
•Locally defined customer templates—Per VPN with customer definitions. The customer template is stored locally on the VHG. This method can be used to associate a remote user with a specific VPN based on the domain name or dialed number identification service (DNIS) and provide the VPN-specific configuration for virtual access interface and all operational parameters for the customer AAA server.
•Remotely defined customer templates—Per VPN with customer definitions that are stored on the service provider AAA server in a RADIUS profile. This method is used to associate a remote user with a specific VPN based on the domain name or DNIS and provide the VPN-specific configuration for the virtual access interface and all operational parameters for the AAA server of the customer.
Note The ability to configure locally or remotely defined customer templates is available only with Cisco IOS Release 12.2(15)T and later releases.
Benefits
Configuration Support
ISPs can partition AAA services on a per VRF basis. Thus, ISPs can allow their customers to control some of their own AAA services.
Server Group List Extension
The list of servers in server groups is extended to include the definitions of private servers in addition to references to the hosts in the global configuration, allowing access to both customer servers and global service provider servers simultaneously.
AAA Accounting Records
The Cisco implementation of AAA accounting provides "start" and "stop" record support for calls that have passed user authentication. Start and stop records are necessary for users employing accounting records to manage and monitor their networks.
New Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (VSA) attribute 26. Attribute 26 encapsulates VSAs, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the following format:
protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This format allows the full set of features available for TACACS+ authorization to be used also for RADIUS.
Table 1 summarizes the VSAs that are now supported with Per VRF AAA.
Table 1 VSAs supported with Per VRF AAA
VSA Name
|
Value Type
|
Description
|
Note Each VSA must have the prefix "template:" before the VSA name, unless a different prefix is explicitly stated.
|
account-delay
|
string
|
This VSA must be "on." The functionality of this VSA is equal to the aaa accounting delay-start command for the customer template.
|
account-send-stop
|
string
|
This VSA must be "on." The functionality of this VSA is equal to the aaa accounting send stop-record authentication command with the failure keyword.
|
account-send-success-remote
|
string
|
This VSA must be "on." The functionality of this VSA is equal to the aaa accounting send stop-record authentication command with the success keyword.
|
attr-44
|
string
|
This VSA must be "access-req." The functionality of this VSA is equal to the radius-server attribute 44 include-in-access-req command.
|
ip-addr
|
string
|
This VSA specifies the IP address, followed by the mask that the router uses to indicate its own IP address and mask in negotiation with the client; for example, ip-addr=1.2.3.4 255.255.255.255
|
ip-unnumbered
|
string
|
This VSA specifies the name of an interface on the router. The functionality of this VSA is equal to the ip unnumbered command, which specifies an interface name such as "Loopback 0."
|
ip-vrf
|
string
|
This VSA specifies which VRF will be used for the packets of the end user. This VRF name should match the name that is used on the router via the ip vrf forwarding command.
|
peer-ip-pool
|
string
|
This VSA specifies the name of an IP address pool from which an address will be allocated for the peer. This pool should be configured using the ip local pool command or should be automatically downloadable via RADIUS.
|
ppp-acct-list
|
string
|
This VSA defines the accounting method list that is to be used for PPP sessions.
The VSA syntax is as follows: "ppp-acct-list=[start-stop | stop-only | none] group X [group Y] [broadcast]." It is equal to the aaa accounting network mylist command functionality.
The user must specify at least one of the following options: start-stop, stop-only, or none. If either start-stop or stop-only is specified, the user must specify at least one, but not more than four, group arguments. Each group name must consist of integers. The servers in the group should have already been identified in the access-accept via the VSA "rad-serv." After each group has been specified, the user can specify the broadcast option
|
ppp-authen-list
|
string
|
This VSA defines which authentication method list is to be used for PPP sessions and, if more than one method is specified, in what order the methods should be used.
The VSA syntax is as follows: "ppp-authen-list=[groupX | local | local-case | none | if-needed]," which is equal to the aaa authentication ppp mylist command functionality.
The user must specify at least one, but no more than four, authentication methods. If a server group is specified, the group name must be an integer. The servers in the group should have already been identified in the access-accept via the VSA "rad-serv."
|
ppp-authen-type
|
string
|
This VSA allows the end user to specify at least one of the following authentication types: pap, chap, eap, ms-chap, ms-chap-v2, any, or a combination of the available types that is separated by spaces.
The end user will be permitted to log in using only the methods that are specified in this VSA.
PPP will attempt these authentication methods in the order presented in the attribute.
|
ppp-author-list
|
string
|
This VSA defines the authorization method list that is to be used for PPP sessions. It indicates which methods will be used and in what order.
The VSA syntax is as follows: "ppp-author-list=[groupX] [local] [if-authenticated] [none]," which is equal to the aaa authorization network mylist command functionality.
The user must specify at least one, but no more than four, authorization methods. If a server group is specified, the group name must be an integer. The servers in the group should have already been identified in the access-accept via the VSA "rad-serv."
|
Note The RADIUS VSAs—rad-serv, rad-server-filter, rad-serv-source-if, and rad-serv-vrf—must have the prefix "aaa:" before the VSA name.
|
rad-serv
|
string
|
This VSA indicates the IP address, key, timeout, and retransmit number of a server, as well as the group of the server.
The VSA syntax is as follows: "rad-serv=a.b.c.d [key SomeKey] [auth-port X] [acct-port Y] [retransmit V] [timeout W]." Other than the IP address, all parameters are optional and can be issued in any order. If the optional parameters are not specified, their default values will be used.
The key cannot contain any spaces; for "retransmit V," "V" can range from 1-100; for "timeout W," the "W" can range from 1-1000.
|
rad-serv-filter
|
string
|
The VSA syntax is as follows: "rad-serv-filter=authorization | accounting-request | reply-accept | reject-filtername." The filtername must be defined via the radius-server attribute list filtername command.
|
rad-serv-source-if
|
string
|
This VSA specifies the name of the interface that is used for transmitting RADIUS packets. The specified interface must match the interface configured on the router.
|
rad-serv-vrf
|
string
|
This VSA specifies the name of the VRF that is used for transmitting RADIUS packets. The VRF name should match the name that was specified via the ip vrf forwarding command.
|
How to Configure Per VRF AAA
The following sections contain procedures for possible deployment scenarios for using the Per VRF AAA feature.
•Configuring Per VRF AAA (required)
•Configuring Per VRF AAA Using Local Customer Templates (optional)
•Configuring Per VRF AAA Using Remote Customer Templates (optional)
•Verifying VRF Routing Configurations (optional)
•Troubleshooting Per VRF AAA Configurations (optional)
Configuring Per VRF AAA
This section contains the following procedures.
•Configuring AAA
•Configuring Server Groups
•Configuring Authentication, Authorization, and Accounting for Per VRF AAA
•Configuring RADIUS-Specific Commands for Per VRF AAA
•Configuring Interface-Specific Commands for Per VRF AAA
Configuring AAA
To enable AAA you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables AAA globally.
|
Configuring Server Groups
To configure server groups you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server radius groupname
5. server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
6. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables AAA globally.
|
Step 4
|
aaa group server radius groupname
Example:
Router(config)# aaa group server radius
v2.44.com
|
Groups different RADIUS server hosts into distinct lists and distinct methods. Enters server-group configuration mode.
|
Step 5
|
server-private ip-address [auth-port
port-number | acct-port port-number]
[non-standard] [timeout seconds] [retransmit
retries] [key string]
Example:
Router(config-sg-radius)# server-private
10.10.130.2 auth-port 1600 key ww
|
Configures the IP address of the private RADIUS server for the group server.
Note If private server parameters are not specified, global configurations will be used. If global configurations are not specified, default values will be used.
|
Step 6
|
exit
Example:
Router(config-sg-radius)# exit
|
Exits from server-group configuration mode; returns to global configuration mode.
|
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
To configure authentication, authorization, and accounting for Per VRF AAA, you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication ppp {default | list-name} method1 [method2...]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
6. aaa accounting system default [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
7. aaa accounting delay-start [vrf vrf-name]
8. aaa accounting send stop-record authentication {failure | success {remote-server}} [vrf vrf-name]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables AAA globally.
|
Step 4
|
aaa authentication ppp {default | list-name}
method1 [method2...]
Example:
Router(config)# aaa authentication ppp
method_list_v2.44.com group v2.44.com
|
Specifies one or more AAA authentication methods for use on serial interfaces that are running PPP.
|
Step 5
|
aaa authorization {network | exec | commands
level | reverse-access | configuration}
{default | list-name} method1 [method2...]
Example:
Router(config)# aaa authorization network
method_list_v2.44.com group v2.44.com
|
Sets parameters that restrict user access to a network.
|
Step 6
|
aaa accounting system default [vrf vrf-name]
{start-stop | stop-only | none} [broadcast]
group groupname
Example:
Router(config)# aaa accounting system default
vrf v2.44.com start-stop group v2.44.com
|
Enables AAA accounting of requested services for billing or security purposes when you use RADIUS.
|
Step 7
|
aaa accounting delay-start [vrf vrf-name]
Example:
Router(config)# aaa acounting delay-start vrf
v2.44.com
|
Displays generation of the start accounting records until the user IP address is established.
|
Step 8
|
aaa accounting send stop-record authentication
{failure | success {remote-server}} [vrf
vrf-name]
Example:
Router(config)# aaa accounting send stop-record
authentication failure vrf v2.44.com
|
Generates accounting stop records.
When using the failure keyword a "stop" record will be sent for calls that are rejected during authentication.
When using the success keyword a "stop" record will be sent for calls that meet one of the following criteria:
•Calls that are authenticated by a remote AAA server when the call is terminated.
•Calls that are not authenticated by a remote AAA server and the start record has been sent.
•Calls that are successfully established and then terminated with the "stop-only" aaa accounting configuration.
Note The success and remote-server keywords are available in Cisco IOS Release 12.4(2)T and later releases.
|
Configuring RADIUS-Specific Commands for Per VRF AAA
To configure RADIUS-specific commands for Per VRF AAA you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip radius source-interface subinterface-name [vrf vrf-name]
4. radius-server attribute 44 include-in-access-req [vrf vrf-name]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip radius source-interface subinterface-name
[vrf vrf-name]
Example:
Router(config)# ip radius source-interface
loopback55
|
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets and enables the specification on a per-VRF basis.
|
Step 4
|
radius-server attribute 44
include-in-access-req [vrf vrf-name]
Example:
Router(config)# radius-server attribute 44
include-in-access-req vrf v2.44.com
|
Sends RADIUS attribute 44 in access request packets before user authentication and enables the specification on a per-VRF basis.
|
Configuring Interface-Specific Commands for Per VRF AAA
To configure interface-specific commands for Per VRF AAA, you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [name-tag]
4. ip vrf forwarding vrf-name
5. ppp authentication {protocol1 [protocol2...]} listname
6. ppp authorization list-name
7. ppp accounting default
8. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type number [name-tag]
Example:
Router(config)# interface loopback11
|
Configures an interface type and enters interface configuration mode.
|
Step 4
|
ip vrf forwarding vrf-name
Example:
Router(config-if)# ip vrf forwarding v2.44.com
|
Associates a VRF with an interface.
|
Step 5
|
ppp authentication {protocol1 [protocol2...]}
listname
Example:
Router(config-if)# ppp authentication chap
callin V2_44_com
|
Enables Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
|
Step 6
|
ppp authorization list-name
Example:
Router(config-if)# ppp authorization V2_44_com
|
Enables AAA authorization on the selected interface.
|
Step 7
|
ppp accounting default
Example:
Router(config-if)# ppp accounting default
|
Enables AAA accounting services on the selected interface.
|
Step 8
|
exit
Example:
Router(config)# exit
|
Exits interface configuration mode.
|
Configuring Per VRF AAA Using Local Customer Templates
This section contains the following procedures:
•Configuring AAA
•Configuring Server Groups
•Configuring Authentication, Authorization, and Accounting for Per VRF AAA
•Configuring Authorization for Per VRF AAA with Local Customer Templates
•Configuring Local Customer Templates
Configuring AAA
Perform the tasks as outlined in the "Configuring Per VRF AAA" section.
Configuring Server Groups
Perform the tasks as outlined in the "Configuring Server Groups" section.
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Perform the tasks as outlined in the "Configuring Authentication, Authorization, and Accounting for Per VRF AAA" section.
Configuring Authorization for Per VRF AAA with Local Customer Templates
To configure authorization for Per VRF AAA with local templates, you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization template
4. aaa authorization network default local
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authorization template
Example:
Router(config)# aaa authorization template
|
Enables the use of local or remote templates.
|
Step 4
|
aaa authorization network default local
Example:
Router(config)# aaa authorization network
default local
|
Specifies local as the default method for authorization.
|
Configuring Local Customer Templates
To configure local customer templates, you need to complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn search-order domain
4. template name [default | exit | multilink | no | peer | ppp]
5. peer default ip address pool pool-name
6. ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]
7. ppp authorization [default | list-name]
8. aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
9. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
vpdn search-order domain
Example:
Router (config)# vpdn search-order domain
|
Looks up the profiles based on domain.
|
Step 4
|
template name [default | exit | multilink | no
| peer | ppp]
Example:
Router (config)# template v2.44.com
|
Creates a customer profile template and assigns a unique name that relates to the customer that will be receiving it.
Enters template configuration mode.
Note Steps 5, 6, and 7 are optional. Enter multilink, peer, and ppp keywords appropriate to customer application requirements.
|
Step 5
|
peer default ip address pool pool-name
Example:
Router(config-template)# peer default ip
address pool v2_44_com_pool
|
(Optional) Specifies that the customer profile to which this template is attached will use a local IP address pool with the specified name.
|
Step 6
|
ppp authentication {protocol1 [protocol2...]}
[if-needed] [list-name | default] [callin]
[one-time]
Example:
Router(config-template)# ppp authentication
chap
|
(Optional) Sets the PPP link authentication method.
|
Step 7
|
ppp authorization [default | list-name]
Example:
Router(config-template)# ppp authorization
v2_44_com
|
(Optional) Sets the PPP link authorization method.
|
Step 8
|
aaa accounting {auth-proxy | system | network |
exec | connection | commands level} {default |
list-name} [vrf vrf-name] {start-stop |
stop-only | none} [broadcast] group groupname
Example:
Router(config-template)# aaa accounting
v2_44_com
|
(Optional) Enables AAA operational parameters for the specified customer profile.
|
Step 9
|
exit
Example:
Router(config-template)# exit
|
Exits from template configuration mode; returns to global configuration mode.
|
Configuring Per VRF AAA Using Remote Customer Templates
This section contains the following procedures:
•Configuring AAA
•Configuring Server Groups
•Configuring Authentication for Per VRF AAA with Remote Customer Profiles
•Configuring Authorization for Per VRF AAA with Remote Customer Profiles
•Configuring the RADIUS Profile on the SP RADIUS Server
Configuring AAA
Perform the tasks as outlined in the "Configuring Per VRF AAA" section.
Configuring Server Groups
Perform the tasks as outlined in the "Configuring Server Groups" section.
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
To configure authentication for Per VRF AAA with remote customer profiles, you need to perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication ppp {default | list-name} method1 [method2...]
4. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authentication ppp {default | list-name}
method1 [method2...]
Example:
Router(config)# ppp authentication ppp default
group radius
|
Specifies one or more authentication, authorization, and accounting (AAA) authentication methods for use on serial interfaces that are running PPP.
|
Step 4
|
aaa authorization {network | exec | commands
level | reverse-access | configuration}
{default | list-name} [[method1 [method2...]
Example:
Router(config)# aaa authorization network
default group sp
|
Sets parameters that restrict user access to a network.
|
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
To configuring authorization for Per VRF AAA with remote customer profiles, you need to perform the following step.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization template
4. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authorization template
Example:
Router(config)# aaa authorization template
|
Enables use of local or remote templates.
|
Step 4
|
aaa authorization {network | exec | commands
level | reverse-access | configuration}
{default | list-name} [[method1 [method2...]
Example:
Router(config)# aaa authorization network
default sp
|
Specifies the server group that is named as the default method for authorization.
|
Configuring the RADIUS Profile on the SP RADIUS Server
Configure the RADIUS profile on the SP RADIUS server. See the "Per VRF AAA Using a Remote RADIUS Customer Template: Example" for an example of how to update the RADIUS profile.
Verifying VRF Routing Configurations
To verify VRF routing configurations, you need to complete the following steps:
SUMMARY STEPS
1. enable
2. configure terminal
3. show ip route vrf vrf-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
show ip route vrf vrf-name
Example:
Router(config)# show ip route vrf northvrf
|
Displays the IP routing table associated with a VRF.
|
Troubleshooting Per VRF AAA Configurations
To troubleshoot the Per VRF AAA feature, use at least one of the following commands in EXEC mode:
Command
|
Purpose
|
Router# debug aaa accounting
|
Displays information on accountable events as they occur.
|
Router# debug aaa authentication
|
Displays information on AAA authentication.
|
Router# debug aaa authorization
|
Displays information on AAA authorization.
|
Router# debug ppp negotiation
|
Displays information on traffic and exchanges in an internetwork implementing PPP.
|
Router# debug radius
|
Displays information associated with RADIUS.
|
Router# debug vpdn event
|
Displays Layer 2 Transport Protocol (L2TP) errors and events that are a part of normal tunnel establishment or shutdown for VPNs.
|
Router# debug vpdn error
|
Displays debug traces for VPN.
|
Configuration Examples for Per VRF AAA
This section provides the following configuration examples:
•Per VRF Configuration: Examples
•Customer Template: Examples
•AAA Accounting Stop Records: Examples
Per VRF Configuration: Examples
This section provides the following configuration examples:
•Per VRF AAA: Example
•Per VRF AAA Using a Locally Defined Customer Template: Example
•Per VRF AAA Using a Remote RADIUS Customer Template: Example
Per VRF AAA: Example
The following example shows how to configure the Per VRF AAA feature using a AAA server group with associated private servers:
aaa authentication ppp method_list_v1.55.com group v1.55.com
aaa authorization network method_list_v1.55.com group v1.55.com
aaa accounting network method_list_v1.55.com start-stop group v1.55.com
aaa accounting system default vrf v1.55.com start-stop group v1.55.com
aaa accounting delay-start vrf v1.55.com
aaa accounting send stop-record authentication failure vrf v1.55.com
aaa group server radius v1.55.com
server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww
ip vrf forwarding v1.55.com
ip radius source-interface loopback55
radius-server attribute 44 include-in-access-req vrf v1.55.com
Per VRF AAA Using a Locally Defined Customer Template: Example
The following example shows how to configure the Per VRF AAA feature using a locally defined customer template with a AAA server group that has associated private servers:
aaa authentication ppp method_list_v1.55.com group v1.55.com
aaa authorization network method_list_v1.55.com group v1.55.com
aaa authorization network default local
aaa authorization template
aaa accounting network method_list_v1.55.com start-stop group v1.55.com
aaa accounting system default vrf v1.55.com start-stop group v1.55.com
aaa group server radius V1_55_com
server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww
ip vrf forwarding V1.55.com
peer default ip address pool V1_55_com_pool
ppp authentication chap callin V1_55_com
ppp authorization V1_55_com
aaa accounting delay-start
aaa accounting send stop-record authentication failure
radius-server attribute 44 include-in-access-req
ip vrf forwarding v1.55.com
ip radius source-interface Loopback55
Per VRF AAA Using a Remote RADIUS Customer Template: Example
The following examples shows how to configure the Per VRF AAA feature using a remotely defined customer template on the SP RADIUS server with a AAA server group that has associated private servers:
aaa authentication ppp default group radius
aaa authorization template
aaa authorization network default group sp
aaa group server radius sp
radius-server host 10.3.3.3 auth-port 1645 acct-port 1646 key sp_key
The following RADIUS server profile is configured on the SP RADIUS server:
cisco-avpair = "aaa:rad-serv#1=10.10.132.4 key ww"
cisco-avpair = "aaa:rad-serv-vrf#1=V1.55.com"
cisco-avpair = "aaa:rad-serv-source-if#1=Loopback 55"
cisco-avpair = "template:ppp-authen-list=group 1"
cisco-avpair = "template:ppp-author-list=group 1"
cisco-avpair = "template:ppp-acct-list= start-stop group 1"
cisco-avpair = "template:account-delay=on"
cisco-avpair = "template:account-send-stop=on"
cisco-avpair = "template:rad-attr44=access-req"
cisco-avpair = "template:peer-ip-pool=V1.55-pool"
cisco-avpair = "template:ip-vrf=V1.55.com"
cisco-avpair = "template:ip-unnumbered=Loopback 55"
Customer Template: Examples
This section provides the following configuration examples:
•Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
•Remotely Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
The following example shows how to create a locally configured template for a single customer, configuring additional features including RADIUS attribute screening and broadcast accounting:
aaa authentication ppp default local group radius
