Cisco IOS XR Radius configuration (ASR 9000 series)

We have recently set up PPPoE Radius authentication on the Cisco ASR 9000, one of the most powerful BRASes, which runs the IOS XR operating system. The configuration has two parts: the first makes the PPPoE server work and query the Radius server; the second is the advanced configuration with speed-limit definitions and CoA configuration.

First part: basic configuration of IOS XR PPPoE Radius:

RADIUS CONFIGURATION (the Radius server is reachable in a VRF called DMZ):

aaa group server radius SPLYNX
 vrf DMZ
 server 172.16.0.20 auth-port 1812 acct-port 1813
 key 7 014156547F5A070D321D1C5A395546
 timeout 10
 retransmit 5
 source-interface XXXX
!
(Replace XXXX with the interface whose address should be sent as the NAS IP; define it explicitly so you know which source IP the Radius server will see. The key 7 string is the shared secret as it appears in the running configuration, which only obfuscates it, so treat such configuration dumps as sensitive.)

aaa authorization network default group SPLYNX
aaa accounting network default start-stop group SPLYNX
aaa accounting service default group SPLYNX

aaa accounting subscriber default group SPLYNX
aaa authorization subscriber default group SPLYNX
aaa authentication subscriber default group SPLYNX

DYNAMIC TEMPLATE DEFINITION:
dynamic-template
 type ppp SPLYNX_PPP_Chap
  ppp authentication chap
  keepalive 60 3
  ppp ipcp dns 1.1.1.1 8.8.8.8
  accounting aaa list default type session periodic-interval 5
  ipv4 unnumbered Loopback10
 !
 type ppp dynamic-template
 !
 type service s1
  ipv4 unnumbered Loopback10
 !
!
interface Loopback10
 ipv4 address 192.168.50.1 255.255.255.0
!

PPPOE ACCESS and the POLICY that applies the dynamic template:
subscriber
 pta tcp mss-adjust 1430
!
pppoe bba-group SPLYNX_PPPOE
 service selection disable
!
class-map type control subscriber match-any PPP
 match protocol ppp
 end-class-map
!
policy-map type control subscriber PPP_PM
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template SPLYNX_PPP_Chap
  !
 !
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  !
 !
 end-policy-map
!

APPLYING ALL OF THIS ON INTERFACE VLAN 200 under the LACP bundle:
interface Bundle-Ether1.200
 ipv4 point-to-point
 ipv4 unnumbered Loopback10
 service-policy type control subscriber PPP_PM
 pppoe enable bba-group SPLYNX_PPPOE
 encapsulation dot1q 200
!

The second part of the configuration covers CoA/CoD disconnection of a session when it is initiated from Splynx, and the setting of speed limits.

To let Splynx disconnect a PPPoE session, the Cisco IOS XR device must accept connections from the Radius server. The configuration that allows incoming requests from the Radius server is the following:

aaa server radius dynamic-author
 port 3799
 client 172.16.0.20 vrf DMZ
 server-key 7 1446405858517C
!

We usually use port 3799 for this; the same port must also be defined in Splynx under Config -> Radius -> NAS settings:

As you can see in the screenshot, two rate-limit attributes are also defined:
Cisco-AVPair = ip:sub-qos-policy-out={{ tariff_attributes.policy_ingress }}
Cisco-AVPair += ip:sub-qos-policy-in={{ tariff_attributes.policy_egress }}

These are the names of the policies that set the speed limits for the end user. To set up the speed limits we added two extra fields to the Splynx Internet plans and then used their values when applying the policies to the PPPoE session.
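The dynamic-author block above and the two Cisco-AVPair attributes are tied together by the RADIUS Dynamic Authorization protocol (RFC 5176): Splynx sends a Disconnect-Request or CoA-Request to port 3799, and the router only acts on it if the Request Authenticator checks out under the configured server-key. The Python below is an added example, not code from Splynx or Cisco, that builds those packets on the server side, verifies and answers them on the NAS side, and encodes the rate-limit AVPairs as Cisco vendor-specific attributes. The secret, session ids and policy names are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes for Dynamic Authorization (RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here (RFC 2865 / RFC 2866 / RFC 5176)
ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 26, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERR_SESSION_NOT_FOUND = 503  # Error-Cause "Session Context Not Found"

# Constructed demo value; in production this is the server-key of the dynamic-author block.
DEMO_SECRET = b"constructed-demo-secret"


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair: Vendor-Specific (26), vendor id 9, vendor type 1."""
    raw = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(data):
    """Decode an attribute list into {type: value}; malformed lengths are rejected.
    A repeated type keeps its last value, which is enough for the lookups done here."""
    out = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return out


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_request(code, ident, attrs, secret):
    """Server side. RFC 5176 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    auth = hashlib.md5(_packet(code, ident, b"\x00" * 16, attrs) + secret).digest()
    return _packet(code, ident, auth, attrs)


def verify_request(packet, secret):
    """NAS side: recompute the Request Authenticator with the shared key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(_packet(code, ident, b"\x00" * 16, packet[20:]) + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    auth = hashlib.md5(_packet(code, ident, request_auth, attrs) + secret).digest()
    return _packet(code, ident, auth, attrs)


def verify_response(response, request, secret):
    """Server side: check that the ACK/NAK is bound to the request it answers."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(_packet(response[0], response[1], request[4:20], response[20:]) + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def handle_dynamic_auth(packet, secret, active_sessions):
    """NAS side: answer a Disconnect-Request or CoA-Request with ACK or NAK.
    Returns None when the packet must be silently discarded (RFC 5176)."""
    if not verify_request(packet, secret):
        return None  # wrong shared key or tampered packet
    code, ident = packet[0], packet[1]
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)
    session = parse_attrs(packet[20:]).get(ATTR_ACCT_SESSION_ID)
    if session not in active_sessions:
        cause = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND))
        return build_response(nak, ident, packet[4:20], cause, secret)
    if code == DISCONNECT_REQUEST:
        active_sessions.remove(session)
    return build_response(ack, ident, packet[4:20], b"", secret)


def disconnect_request(ident, session_id, secret):
    """Server side: Disconnect-Request identified by Acct-Session-Id."""
    return build_request(DISCONNECT_REQUEST, ident, attr(ATTR_ACCT_SESSION_ID, session_id), secret)


def coa_rate_limit_request(ident, session_id, policy_out, policy_in, secret):
    """Server side: CoA-Request carrying the two Cisco-AVPair rate-limit attributes."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id)
             + cisco_avpair(f"ip:sub-qos-policy-out={policy_out}")
             + cisco_avpair(f"ip:sub-qos-policy-in={policy_in}"))
    return build_request(COA_REQUEST, ident, attrs, secret)


if __name__ == "__main__":
    sessions = {b"0000001A"}
    req = disconnect_request(7, b"0000001A", DEMO_SECRET)
    resp = handle_dynamic_auth(req, DEMO_SECRET, sessions)
    print("ACK" if resp[0] == DISCONNECT_ACK else "NAK", verify_response(resp, req, DEMO_SECRET))
```

The point to take from the NAS-side function is that a request with a wrong key is dropped without any reply, which is why a mismatch between the Splynx NAS secret and the server-key on the router shows up as a silent timeout rather than an error; and that even a valid request for an unknown session is answered with a NAK carrying Error-Cause 503, which is the message Splynx sees when a session has already gone away.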

Below is an example of Splynx tariff plan with two additional fields and with the policy names specified :

When a customer connects a PPPoE session, the values of the fields tariff_attributes.policy_egress and tariff_attributes.policy_ingress are taken and applied; in this case POLICY_CUSTOMER_EGRESS_100Mbps and POLICY_CUSTOMER_INGRESS_100Mbps.

The policies should be defined in the IOS XR configuration in this or a similar way:

policy-map POLICY_CUSTOMER_EGRESS_100Mbps
 class CUSTOMER_PREC_ALL
  shape average 100000000 bps
  queue-limit 1000000 bytes
 !
 class class-default
 !
 end-policy-map
!

policy-map POLICY_CUSTOMER_INGRESS_100Mbps
 class class-default
  police rate 100000000 bps
   conform-action transmit
   exceed-action drop
  !
 !
 end-policy-map
!

Configuring SMS or Email notifications for monitoring of your devices

Your team should always be aware of the status of your network. If any device goes down, the system will automatically notify the responsible admins via the portal, email, SMS, or any combination of these.

This article describes how to easily configure monitoring notifications in Splynx. It also includes a pre-configured SMS template that lists offline devices with a direct link to this device in the admin portal.

Remember to have EMAIL and SMS communication configured before setting up any notifications.

Configuring notifications for monitoring is done under Config > Networking > Monitoring:

Networking settings

All notifications for monitoring can be configured by groups and you can create each group as required. Groups are assigned to devices and admins that you wish to send notifications to.

Each monitoring group can have a different configuration for notifications. These are the parameters available for configuring:

Networking settings

Please note all templates used by the system are configurable in HTML code, so you can customize each template to your preferences and/or requirements. Within the configuration of each template, you will find useful Placeholders that will pull information from the system and populate it according to the devices/customer/element you are interacting with.

These are some of the placeholders available in monitoring:

Monitoring template configuration

You can customize different templates for different notifications, e.g. one for when a device goes down and one for when a device comes back up. Splynx support is always available to assist with any customization of templates.

Once these settings have been configured, simply enable notifications for any of your devices at Networking > Hardware > Edit device.

Monitoring device notifications

It’s that simple!

Your administrators will then be notified of any device configured for monitoring with notifications enabled.

Monitoring SMS template:

Hello <strong><em>{{ recipient.name }},</em></strong>

<b>{{ App.t('networking','Monitoring information') }}</b>

{% if devices.error|length > 0 %}
<b>{{ App.t('networking', 'Devices DOWN:') }}</b>
{% for device in devices.error %}
<a href="{{ App.createUrl(company_info.splynx_url, '/admin/networking/monitoring/view', {'id': device.id}) }}">{{ device.title }}
-{{ device.ip }}</a> {{ device.date }}
{% endfor %}

{% endif %}
{% if devices.ok|length > 0 %}
The following devices went back online:
<b>{{ App.t('networking', 'Devices UP:') }}</b>
{% for device in devices.ok %}
<a href="{{ App.createUrl(company_info.splynx_url, '/admin/networking/monitoring/view', {'id': device.id}) }}">{{ device.title }}
-{{ device.ip }}</a> {{ device.date }}
{% endfor %}
{% endif %}

Should you have any questions regarding monitoring SMS notifications in Splynx feel free to contact us!

Splynx integration with vBNG netElastic

In this article, we’ll show how to properly configure the virtual Broadband Network Gateway (vBNG) solution from netElastic and integrate it with the Splynx ISP Framework. We’ll demonstrate how the Splynx Radius server can be used for complete AAA (Authentication, Authorization & Accounting) coverage of your customers.

So, let’s get started.

All the configuration below is done on freshly installed, running instances of vBNG Router, vBNG Manager, and Splynx. In this guide, we’ll create a test user with certain parameters in Splynx and then connect that user over a PPPoE session to the Internet through the vBNG device.

The lab setup shows how to configure vBNG to work with PPPoE access with Radius authentication, authorization, and accounting.

Lab that displays how to configure vBNG to work with PPPoE with RADIUS

The process of configuring PPPoE connections on the vBNG with Radius authentication, authorization and accounting involves:

  • Configuring access interface
  • Creating a PPPoE template
  • Creating a VGI interface
  • Creating Radius Authentication group
  • Creating Radius Accounting group
  • Creating AAA Authentication template
  • Creating AAA Authorization template
  • Creating AAA Accounting template
  • Creating an IPPool
  • Creating a domain
  • Creating and configuring VCI

 

We’ll start with the interfaces first. As seen on the screenshot below, our vBNG is installed on a server with two 10Gb NICs:

  • The 10gei-1/1/0 interface will be used as an access interface (incoming for customer’s links), which is UNI (User-Network Interface) on the diagram.
  • The second physical interface, 10gei-1/1/1, will be used as a network interface (outgoing to Internet), and that’s NNI (Network-to-Network Interface) accordingly.

We assigned the IP address 192.168.10.10 to 10gei-1/1/1, so the interface setup looks like this:

Please note there is also a NAT-related parameter here, we’ll be discussing it further in this guide.

Next, we move on to creating the RADIUS Authentication group, which is used for authorization as well. We created ‘demo_group’ with the following parameters:

Our Radius Server is at the 192.168.10.3 IP address as per the diagram, uses default port 1812 and the key above. Please change these values as per your own setup. If configured properly, you should be able to test the connection to Radius server in vBNG Manager GUI.

Now we create the RADIUS Accounting group ‘acc_grp’ with the following configuration. It is similar to the Authentication group above, except that it uses port 1813.

We also need to enable Radius accounting under Radius configuration.

The next step is to create an Authentication template. For Radius authentication, we need to specify the authentication type to use Radius. Here is our configuration.

Radius authorization means vBNG will take authorization properties such as user’s IP address, QoS plan, ACL rules, etc. from the attributes carried in the Radius accept reply message instead of using locally configured properties. To achieve this, we need to create an authorization template from which to specify Radius authorization.

Similarly, we create an Accounting template.

Now we need to configure an IP pool from which PPPoE access subscribers’ IP addresses will be assigned via DHCP. netElastic’s vBNG provides flexible IP pool configurations that can span multiple disjoint segments. In this example, we configure one IP segment 192.168.100.1/24 with the gateway IP 192.168.100.1. Since we’ll be managing the IP allocation in Splynx itself, we have to reserve the IP range on the vBNG, so that it honors the IP assignments obtained via Radius.

Next, creating a VGI interface. Subscribers need to have an access gateway configuration on the vBNG to have network access. netElastic’s vBNG implements the concept of Virtual Gateway Interface (VGI) to configure subscriber’s access gateway. The VGI interface IP address shall match the gateway address in the IP pool configuration as described above.

We have created authentication, authorization & accounting templates, an IP pool, and a VGI interface. Now we need to create a domain to tie all these together and bind the domain to PPPoE access to achieve the desired access behavior. A user access domain defines user access behavior. Multiple domains can be defined for the same access method to define different behaviors. User’s access domains can be switched during operations (through Radius COA or command line) to alter access behaviors.

The same information is displayed in the vBNG Manager web interface.

Then, we create a PPPoE template. The parameters ppp-authentication, ac-name, default-domain should be configured according to your own setup.

Finally, we need to create a VCI configuration to tie the PPPoE template and the domain to the access interface so the access behavior for traffic coming to the interface will be subject to what we have defined in the PPPoE template and domain template.

In our test case, to grant users access to the Internet we need to enable NAT on both the network interface (NAT outside) and the access side user gateway (NAT inside).

Here is the sample NAT configuration for our case.

Also, we need to enable NAT in the authorization template.

 

Congrats! We have just completed the setup on the vBNG side and now it’s time to perform some additional configuration on the Splynx side.

First of all, let’s add our vBNG to Splynx, so they can communicate properly. Go to Config > Networking > NAS types and add a new one.

Go to Networking > Routers > Add and add our vBNG with the configuration according to our diagram.

For our test instance, we created a demo user with an assigned Internet tariff plan.

We want this user to obtain an IP address from Radius, so we assigned a static one for testing purposes.

Let’s say we also want the user to have a certain rate limit on the Internet service, for instance 20 Mbit/10 Mbit. We’ll show you how to configure it properly on both sides, vBNG and Splynx.

In Splynx we have to edit the internet plan by adding an additional field, which will be sent by Radius to vBNG QoS engine in order to define the policy applied to customers.

To make this functionality work, we need a few additional tweaks to the Radius configuration. Go to Config > Networking > Radius; under the NAS Config section choose netElastic as the NAS type from the drop-down menu and click the Load button.

Under netElastic Configuration scroll down to Rate-Limit attributes and enter as follows:

Here, NetElastic-Qos-Profile-Name is the parameter that tells the vBNG’s internal QoS engine which policy to apply, so essentially, we are sending from our Radius NetElastic-Qos-Profile-Name=goldPlan as per the configuration described earlier.

The QoS configuration on the vBNG side involves the following steps:

  1. Create a class_map to define the flows to which QoS behaviors are to be applied. A class_map can be defined either directly by listing flow characteristics or by referencing defined ACL lists.
  2. Create the intended behaviors for the class_map rules defined. The behaviors supported by vBNG are car, cbq, remark, etc.
  3. Create policies that pair class_maps with behaviors and set the relative priority among them. Each policy can have up to 8 class_map/behavior pairs.
  4. QoS policies can be applied directly to interfaces.
  5. If QoS policies need to be applied to subscribers, user QoS profiles need to be created, in which both the upstream and downstream policies can be specified. The defined user QoS profile is then referenced in the authorization template of the user’s access domain. All users accessing through this domain are subject to the QoS policies defined in the user QoS profile.

Here is our configuration for the test instance.

The same configuration as shown in vBNG Manager:

 

The QoS profile is attached to the authorization template as follows:

That’s about it.

If everything is configured properly, you should be able to see the various accounting information related to our test user in the Splynx dashboard.


Should you have questions regarding netElastic vBNG integration with Splynx feel free to contact us! If you decide to try Splynx in action, just click the button below!


Juniper Radius server configuration, updated

This is an updated version of Radius server configuration with Juniper using variables for speed limitations.

1. Initial settings and a few general comments
The first and most important step, before any configuration is made, is to run the command
set system dynamic-profile-options versioning
If this is not set, new profiles will not be used, because JunOS will report that the old settings are still active.

General comments on the configuration:
a. Don’t use the same name for the definition of different profiles; we should have one for access (Radius), one for the PPPoE template, one for speed limits, one for applying to an interface, and one more if QinQ is used. This helps split the configuration into parts and keeps it in order.
b. Don’t use the same download and upload speeds; sometimes Juniper ignores speed limits for no apparent reason. (So, for example, if you have a 10M/10M plan, set 10M download and 9.99M upload.)

2. Radius server definition in access profile RAD
set access profile RAD authentication-order radius
set access profile RAD domain-name-server 8.8.4.4
set access profile RAD domain-name-server 8.8.8.8
set access profile RAD radius authentication-server 172.16.0.35
set access profile RAD radius accounting-server 172.16.0.35
set access profile RAD radius options nas-identifier JUN
set access profile RAD radius options accounting-session-id-format decimal
set access profile RAD radius-server 172.16.0.35 secret
set access profile RAD radius-server 172.16.0.35 timeout 5
set access profile RAD accounting order radius
set access profile RAD accounting immediate-update
set access profile RAD accounting coa-immediate-update
set access profile RAD accounting update-interval 10
set access profile RAD accounting statistics volume-time

3. Dynamic profile PPPoE that sets up the PPPoE virtual interface template
set dynamic-profiles PPPoE routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" no-traps
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" ppp-options chap
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" keepalives interval 30
set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"

4. Speed-limitation profile, which is separate from PPPoE and is called svc-inet-profile; please don’t mix up the names!
set dynamic-profiles svc-inet-profile variables var-bw-upload
set dynamic-profiles svc-inet-profile variables var-bw-download
set dynamic-profiles svc-inet-profile variables var-ff-in-upload equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'"
set dynamic-profiles svc-inet-profile variables var-ff-in-upload uid
set dynamic-profiles svc-inet-profile variables var-ff-out-download equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'"
set dynamic-profiles svc-inet-profile variables var-ff-out-download uid
set dynamic-profiles svc-inet-profile variables var-plr-upload equals "'plr-' ## $var-bw-upload"
set dynamic-profiles svc-inet-profile variables var-plr-upload uid
set dynamic-profiles svc-inet-profile variables var-plr-download equals "'plr-' ## $var-bw-download"
set dynamic-profiles svc-inet-profile variables var-plr-download uid
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input "$var-ff-out-download"
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input precedence 100
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output "$var-ff-in-upload"
set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output precedence 100
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" interface-specific
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then policer "$var-plr-upload"
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-accounting
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service from service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" interface-specific
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then policer "$var-plr-download"
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-accounting
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then accept
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service from service-filter-hit
set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service then accept
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" logical-interface-policer
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding bandwidth-limit "$var-bw-download"
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding burst-size-limit 1m
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" then discard
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" logical-interface-policer
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding bandwidth-limit "$var-bw-upload"
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding burst-size-limit 1m
set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" then discard

5. VLAN profile, which is then used to set up the PPPoE server on the VLAN interface
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator JUN
set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PPPoE

6. And this is how to apply PPPoE to the VLAN on the physical interface:

ae0 {
    flexible-vlan-tagging;
    auto-configure {
        vlan-ranges {
            dynamic-profile VLAN {
                accept pppoe;
                ranges {
                    any;
                }
            }
        }
        remove-when-no-subscribers;
    }
}

7. The Radius attribute should be this one, selecting the speed-limitation profile:
ERX-Service-Activate:1 = SERVICE({{ rx_rate_limit/1024/1000}}M,{{ tx_rate_limit/1024/1000}}M)

Please note that “M” was added so that the data sent from Splynx to Juniper is in megabits. Juniper accepts speeds such as 1M, 2M, 20M and similar, so make sure that the variable in the attribute returns the number you expect.

IPv6 CPE and Home routers support

The configuration of PPPoE servers and an introduction to IPv6 are described in two articles; please read them if you want to configure the ISP part first: https://splynx.com/5665/splynx-ipv6-support/ and https://splynx.com/5684/mikrotik-ipv6-configuration/

This article shows example configurations of 3 different CPEs from 3 different vendors. We have selected IPv6 routers that are used in the networks of Splynx customers. The IPv6 home router models are: TP-Link 450, Nucom 8800AC and any Mikrotik RouterOS-based router.
Below is a typical scheme of a CPE or home router connected to the ISP with PPPoE and IPv6 enabled.

Let’s take a look at the setup. Two interfaces are configured: a WAN interface that connects to the uplink, and a LAN interface, which usually works as a bridge uniting all physical LAN interfaces (Ethernet and WiFi).

1. WAN connection
The uplink interface is configured as a PPPoE client. The PPPoE client connects to the PPPoE server, and communication between the home router and the ISP router works over IPv6 link-local addresses. It is also possible to assign a public IPv6 address to the home router; we don’t do that in our configs, to keep them simple. A public IPv6 address on the router will be available on the LAN interface, and that IP can be used to access the router.

When the PPPoE client connection is established, our home router receives an IPv6 LAN prefix, called the delegated IPv6 prefix. The home router should configure an IPv6 address on its LAN interface, which will work as the default gateway for all our devices.
When IPv6 on the LAN is configured, the router should start announcing IPv6 to the LAN network (similar to what DHCP does in the IPv4 world). In LAN environments, IPv6 stateless address autoconfiguration (SLAAC), which is based on the IPv6 Neighbor Discovery (ND) protocol, is almost always used.

In the picture above, the router has established a PPPoE connection and received a /64 IPv6 pool, 2a0f:f041:1000:1::/64. This pool will be used for LAN devices, and every device will create its own IPv6 address from it.

As you remember, while an IPv4 address is 32 bits split into 4 octets, an IPv6 address is 128 bits split into 8 parts of 16 bits each. One run of consecutive 16-bit parts that contain only zeros can be replaced with the :: symbol. This means that the network 2a0f:f041:1000:1::/64 allocated to the router is equal to 2a0f:f041:1000:1:0:0:0:0/64; we cut off the last 4 zero parts to make the network shorter to write.

2. LAN connection
In our example, the home router uses the first IP from the received /64 pool, i.e. it automatically assigns the IP ::1 to its LAN interface. This setup is available on Mikrotik routers; other routers generate an IP on their LAN interface automatically. So in the case of Mikrotik, the IP 2a0f:f041:1000:1::1 is used on the LAN interface, and this IP becomes the default gateway for all home devices.
Home devices with IPv6 support have SLAAC enabled on their Internet interfaces, receive the IPv6 ND information and create their own IPv6 address. The following example shows the configuration on Mikrotik RouterOS. The window on the left shows the PPPoE client interface configuration, where we request a prefix from the PPPoE server. The received prefix is called LAN and is stored in IPv6 pools. The second window shows that an IPv6 address is configured on the LAN interface from the prefix LAN, and that EUI-64 will be used to create the IPv6 LAN address. The important part is the “Advertise” flag, which enables SLAAC and ND on the interface so that end devices can obtain IPv6.
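The address arithmetic described in this section, as an added Python example that is not Splynx’s or Mikrotik’s code: expanding the :: shorthand, deriving the ::1 gateway from the delegated prefix, and forming a host address from the advertised /64 with a modified EUI-64 interface identifier. The prefix is the one from the article; the MAC address is constructed. The last function reverses EUI-64 to show why such an address is considered “ugly” beyond its looks: it embeds the hardware address of the device.

```python
import ipaddress

# Constructed sample values: the delegated prefix from the article and a made-up MAC.
DELEGATED_PREFIX = "2a0f:f041:1000:1::/64"
SAMPLE_MAC = "00:11:22:33:44:55"


def expand(prefix):
    """Write out all eight 16-bit groups of a prefix, undoing the :: shorthand."""
    return ipaddress.IPv6Network(prefix, strict=True).exploded


def lan_gateway(prefix, host=1):
    """Address a Mikrotik-style router takes on its LAN interface: network + ::host."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("a delegated prefix longer than /64 cannot carry SLAAC on the LAN")
    return ipaddress.IPv6Interface(f"{net.network_address + host}/{net.prefixlen}")


def eui64_iid(mac):
    """Modified EUI-64 (RFC 4291): split the 48-bit MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """Address a host forms from the advertised /64 plus its EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits, so the prefix must be a /64")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr):
    """Reverse of eui64_iid; returns None if the interface id is not EUI-64 derived."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def describe_lan(prefix, macs):
    """Summary of what the LAN looks like after prefix delegation and SLAAC."""
    return {
        "prefix": expand(prefix),
        "gateway": str(lan_gateway(prefix)),
        "hosts": {m: str(slaac_address(prefix, m)) for m in macs},
    }


if __name__ == "__main__":
    for key, value in describe_lan(DELEGATED_PREFIX, [SAMPLE_MAC]).items():
        print(key, value)
```

Disabling EUI-64 on the router, as the article does to get the ::1 address, is a choice about the gateway only; end devices still pick their own interface identifiers, and modern hosts default to randomised ones (RFC 4941 privacy extensions) precisely because EUI-64 addresses expose the MAC as shown by mac_from_eui64.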

If we want to use the IP 2a0f:f041:1000:1::1 on the LAN interface instead of the ugly generated IP, just disable EUI-64 and set the IP as in the example below.

Now the Mikrotik CPE/home router is configured, and devices will get access to the IPv6 Internet.

Let’s check the configuration of the TP-Link. The configuration is much simpler compared to Mikrotik. We must be sure that the firmware supports IPv6; many older TP-Link devices cannot work with IPv6. The devices that do support IPv6 are configured in a similar way to Mikrotik: enable IPv6 on the PPPoE interface, and the router will create an IPv6 address on the LAN with SLAAC enabled.

The Nucom 8800AC fiber ONT router also has a similar one-step configuration: PPPoE with IPv6 enabled, after which IPv6 is configured on the LAN and SLAAC is enabled to connect end-user devices.

The configuration of the Nucom is shown below.

 


Should you have any questions regarding IPv6 and CPE management in Splynx feel free to contact us! If you decide to try Splynx in action, just click the button below!

 
