Yuk! You are a masochist! Very nice of you to lab up for George. We need about 100 of you on this DL.
Thanks!

Regards,
Jay McMickle- CCIE #35355
Sent from iJay

On May 10, 2012, at 7:09 AM, Adam Booth <[email protected]> wrote:

> I was bored and wanted to get my hands a little dirty with radius
> again, so I decided to try labbing this up using PPPoE with a single
> virtual-template. You need to pre-configure the keys for the spokes on
> the PPPoE Server, and RADIUS (through authorization) tells the server
> what key should be attached to the virtual-access interface.
>
> Configurations:
>
> hostname R1
> aaa new-model
> aaa authentication login default none
> aaa authentication enable default none
> aaa authentication ppp default group radius
> aaa authorization network default group radius
> !
> key chain R1-R2
>  key 1
>   key-string cisco
> key chain R1-R3
>  key 1
>   key-string ccie
> !
> bba-group pppoe global
>  virtual-template 1
> !
> interface FastEthernet0/0
>  description To Ethernet Switch
>  no ip address
>  duplex auto
>  speed auto
>  pppoe enable group global
> !
> interface Virtual-Template1
>  ip address 1.0.0.1 255.255.255.0
>  ip authentication mode eigrp 123 md5
>  peer default ip address pool PPPoE
>  ppp authentication chap
> !
> router eigrp 123
>  network 1.0.0.0 0.0.0.255
>  no auto-summary
> !
> ip local pool PPPoE 1.0.0.2 1.0.0.254
> !
> radius-server host 192.168.100.253 auth-port 1812 acct-port 1813 key cisco
>
>
> hostname R2
> key chain R1-R2
>  key 1
>   key-string cisco
> !
> interface FastEthernet0/0
>  description To Ethernet Switch
>  no ip address
>  duplex auto
>  speed auto
>  pppoe enable
>  pppoe-client dial-pool-number 1
> !
> interface Dialer1
>  ip address negotiated
>  ip authentication mode eigrp 123 md5
>  ip authentication key-chain eigrp 123 R1-R2
>  encapsulation ppp
>  dialer pool 1
>  dialer idle-timeout 0
>  dialer persistent
>  ppp chap hostname R2
>  ppp chap password 0 R2
> !
> router eigrp 123
>  network 1.0.0.0 0.0.0.255
>  no auto-summary
> !
>
>
> hostname R3
> key chain R1-R3
>  key 1
>   key-string ccie
> !
> interface FastEthernet0/0
>  description To Ethernet Switch
>  no ip address
>  duplex auto
>  speed auto
>  pppoe enable
>  pppoe-client dial-pool-number 1
> !
> interface Dialer1
>  ip address negotiated
>  ip authentication mode eigrp 123 md5
>  ip authentication key-chain eigrp 123 R1-R3
>  encapsulation ppp
>  dialer pool 1
>  dialer idle-timeout 0
>  dialer persistent
>  ppp chap hostname R3
>  ppp chap password 0 R3
> !
> router eigrp 123
>  network 1.0.0.0 0.0.0.255
>  no auto-summary
> !
>
>
> radius-server:~# cat /etc/freeradius/users
> R2 Cleartext-Password := "R2"
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R2"
>
> R3 Cleartext-Password := "R3"
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R3"
>
>
> Verification:
>
> R1#sh pppoe session all
>      Total PPPoE sessions 2
>
> session id: 19
>     local MAC address: c200.0740.0000, remote MAC address: c201.0740.0000
>     virtual access interface: Vi3, outgoing interface: Fa0/0
>     424 packets sent, 425 received
>     25488 bytes sent, 25558 received
>
> session id: 20
>     local MAC address: c200.0740.0000, remote MAC address: c202.0740.0000
>     virtual access interface: Vi4, outgoing interface: Fa0/0
>     274 packets sent, 274 received
>     16475 bytes sent, 16626 received
>
> R1#sh ip route | b Gate
> Gateway of last resort is not set
>
>      1.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
> C       1.0.0.0/24 is directly connected, Virtual-Access3
>                    is directly connected, Virtual-Access4
> C       1.0.0.3/32 is directly connected, Virtual-Access4
> C       1.0.0.2/32 is directly connected, Virtual-Access3
> C    192.168.100.0/24 is directly connected, FastEthernet1/0
>
> R1#sh ip eigrp interfaces detail | i ^V|Authentication
> Vt1                0        0/0         0       0/1            0           0
>   Authentication mode is md5, key-chain is not set
> Vi3                1        0/0        28       0/1          129           0
>   Authentication mode is md5, key-chain is "R1-R2"
> Vi4                1        0/0        37       0/1          209           0
>   Authentication mode is md5, key-chain is "R1-R3"
>
> R2#sh ip route | b Gate
> Gateway of last resort is not set
>
>      1.0.0.0/32 is subnetted, 3 subnets
> C       1.0.0.1 is directly connected, Dialer1
> D       1.0.0.3 [90/48786176] via 1.0.0.1, 00:13:23
> C       1.0.0.2 is directly connected, Dialer1
> R2#sh ip eigrp interfaces detail
> IP-EIGRP interfaces for process 123
>
>                         Xmit Queue   Mean   Pacing Time   Multicast    Pending
> Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
> Di1                1        0/0        11      11/434          50           0
>   Hello interval is 5 sec
>   Next xmit serial <none>
>   Un/reliable mcasts: 0/3  Un/reliable ucasts: 3/2
>   Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
>   Retransmissions sent: 0  Out-of-sequence rcvd: 0
>   Authentication mode is md5, key-chain is "R1-R2"
>   Use multicast
> R2#show key chain R1-R2
> Key-chain R1-R2:
>     key 1 -- text "cisco"
>         accept lifetime (always valid) - (always valid) [valid now]
>         send lifetime (always valid) - (always valid) [valid now]
>
> R3#sh ip route | b Gate
> Gateway of last resort is not set
>
>      1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
> C       1.0.0.1/32 is directly connected, Dialer1
> D       1.0.0.0/24 [90/48786176] via 1.0.0.1, 00:14:45
> C       1.0.0.3/32 is directly connected, Dialer1
> D       1.0.0.2/32 [90/48786176] via 1.0.0.1, 00:14:45
> R3#show ip eigrp interfaces detail
> IP-EIGRP interfaces for process 123
>
>                         Xmit Queue   Mean   Pacing Time   Multicast    Pending
> Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
> Di1                1        0/0        19      11/434          68           0
>   Hello interval is 5 sec
>   Next xmit serial <none>
>   Un/reliable mcasts: 0/2  Un/reliable ucasts: 1/3
>   Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 0
>   Retransmissions sent: 0  Out-of-sequence rcvd: 0
>   Authentication mode is md5, key-chain is "R1-R3"
>   Use multicast
> R3#show key chain R1-R3
> Key-chain R1-R3:
>     key 1 -- text "ccie"
>         accept lifetime (always valid) - (always valid) [valid now]
>         send lifetime (always valid) - (always valid) [valid now]
>
> R3#ping 1.0.0.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.0.0.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/28 ms
> R3#ping 1.0.0.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.0.0.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/16 ms
> R3#trace 1.0.0.2
>
> Type escape sequence to abort.
> Tracing the route to 1.0.0.2
>
>   1 1.0.0.1 4 msec 16 msec 4 msec
>   2 1.0.0.2 12 msec 8 msec *
>
>
> On Wed, May 9, 2012 at 8:08 AM, Jay McMickle <[email protected]> wrote:
>> You must use a dialer for the virtual-template and PPPoE.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>> Sent from iJay
>>
>> On May 7, 2012, at 7:31 PM, George Leslie <[email protected]> wrote:
>>
>>> Hello all,
>>>
>>> Jay McM and I had an offline chat about my previous posting, which was
>>> trying to do the EIGRP authentication on a hub and spoke network, where
>>> the hubs use different authentication keys from each other. I was playing
>>> around with frame hub and spoke. To recap, I previously found that the
>>> hub, despite having the two different keys in its key chain, both of
>>> which had valid lifetimes, refused to send using key 2. It would only send
>>> with key 1 despite correctly authenticating spoke 2, which was using key
>>> 2. Therefore, hub authenticated spoke, but not vice versa. On frame, you
>>> could use PPPoFR, and use different virtual templates on each DLCI, and
>>> therefore have different key chains on each. What I actually did was use
>>> point to point tunnels over the frame, which worked a treat.
>>>
>>> In what my old physics teacher used to call "a thought experiment", I was
>>> thinking about what you could do just on a bog standard Ethernet segment.
>>> The tunnel approach would still work. However, with PPPoE, the server
>>> virtual template is tied to the physical, via the bba-group. Therefore
>>> the key chain would be applied to all clients that use the virtual
>>> template, which presents the same problem as on the frame network.
>>>
>>> My question: is there any way that you can configure a PPPoE virtual
>>> template on the hub that is somehow tied to each individual client? For
>>> example, is there a mechanism to tie the virtual template to the PPP CHAP
>>> username? Bit of chicken and egg here, as you need the virtual template
>>> to know to authenticate by CHAP, but need CHAP to know the virtual
>>> template to apply..... My head hurts.
>>>
>>> Regards,
>>> George.
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
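A practical check for the setup Adam labs up above, as an added example that is not part of the thread and is not Cisco or FreeRADIUS code: the whole point of pushing `lcp:interface-config=ip authentication key-chain eigrp ...` per user is that each spoke ends up with its own key chain on its own virtual-access interface, so two things go wrong silently if the two sides drift apart: the avpair names a key chain the hub never defined (the interface-config is applied but EIGRP has no key to send with), or two chains carry the same key-string (two spokes can now forge each other's hellos). The script below parses the hub's `key chain` blocks and the FreeRADIUS `users` entries and reports both conditions. The input is a constructed copy of the thread's R1 and `users` fragments, extended with a hypothetical R4 whose chain reuses R1-R2's key and a hypothetical R5 whose chain is never defined on the hub.

```python
"""Cross-check RADIUS-pushed EIGRP key chains against the hub's key chains.

Added example, not from the mailing-list thread. It only parses the two text
formats shown there (IOS 'key chain' blocks and FreeRADIUS 'users' entries).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the hub's key chains in the shape of the thread's R1
# config, plus a hypothetical R1-R4 that deliberately reuses R1-R2's key.
HUB_CONFIG = """
key chain R1-R2
 key 1
  key-string cisco
key chain R1-R3
 key 1
  key-string ccie
key chain R1-R4
 key 1
  key-string cisco
"""

# Constructed sample in FreeRADIUS 'users' syntax: the thread's R2/R3 entries,
# a hypothetical R4 (key reuse) and a hypothetical R5 (chain missing on hub).
USERS_FILE = """
R2 Cleartext-Password := "R2"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R2"

R3 Cleartext-Password := "R3"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R3"

R4 Cleartext-Password := "R4"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R4"

R5 Cleartext-Password := "R5"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "lcp:interface-config=ip authentication key-chain eigrp 123 R1-R5"
"""

AVPAIR_RE = re.compile(
    r'cisco-avpair\s*=\s*"lcp:interface-config=ip authentication '
    r'key-chain eigrp (\d+) (\S+)"')


def parse_key_chains(config: str) -> Dict[str, Dict[int, str]]:
    """Return {chain_name: {key_id: key_string}} from IOS 'key chain' blocks."""
    chains: Dict[str, Dict[int, str]] = {}
    chain = key_id = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"key chain (\S+)$", line):
            chain, key_id = m.group(1), None
            chains[chain] = {}
        elif (m := re.match(r"key (\d+)$", line)) and chain is not None:
            key_id = int(m.group(1))
            chains[chain].setdefault(key_id, "")  # key with no key-string yet
        elif (m := re.match(r"key-string (?:[07] )?(\S+)$", line)) and key_id is not None:
            chains[chain][key_id] = m.group(1)  # optional 0/7 encryption type
    return chains


def parse_users(users: str) -> Dict[str, Tuple[int, str]]:
    """Return {username: (eigrp_as, chain_name)} for entries pushing a key chain."""
    pushed: Dict[str, Tuple[int, str]] = {}
    user = None
    for raw in users.splitlines():
        line = raw.strip()
        if m := re.match(r"(\S+)\s+Cleartext-Password\s*:=", line):
            user = m.group(1)
        elif (m := AVPAIR_RE.search(line)) and user is not None:
            pushed[user] = (int(m.group(1)), m.group(2))
    return pushed


def audit(hub_config: str, users: str, eigrp_as: int) -> List[str]:
    """Return findings; an empty list means every spoke gets its own defined chain."""
    chains, pushed = parse_key_chains(hub_config), parse_users(users)
    findings: List[str] = []
    chain_owner: Dict[str, str] = {}   # chain name -> first user it was pushed to
    key_owner: Dict[str, str] = {}     # key-string -> first chain using it
    for user, (asn, chain) in sorted(pushed.items()):
        if asn != eigrp_as:
            findings.append(f"{user}: avpair targets EIGRP AS {asn}, hub runs AS {eigrp_as}")
        if chain not in chains:
            findings.append(f"{user}: key chain {chain} is not defined on the hub")
            continue
        if chain in chain_owner:
            findings.append(f"{user}: shares key chain {chain} with {chain_owner[chain]}")
        chain_owner.setdefault(chain, user)
        for key_id, ks in chains[chain].items():
            if not ks:
                findings.append(f"{user}: key chain {chain} key {key_id} has no key-string")
            elif key_owner.get(ks, chain) != chain:
                findings.append(f"{user}: key chain {chain} reuses the key-string of {key_owner[ks]}")
            key_owner.setdefault(ks, chain)
    return findings


if __name__ == "__main__":
    for line in audit(HUB_CONFIG, USERS_FILE, 123) or ["OK: per-spoke key chains are consistent"]:
        print(line)
```

Run it against the real `show running-config | section key chain` output and the production `users` file before a change window; the `AS` check catches the avpair pointing at the wrong EIGRP process, which `show ip eigrp interfaces detail` would only reveal as "key-chain is not set" on the new Vi after the session comes up.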
