A small ISP I provide service for has recently been consolidating their equipment. One of their small branches only has a handful (5 or so) of users receiving their internet through a router, a Cisco 3725, using PPP with a RADIUS server for AAA, and a VirtualAccess template.
Instead of keeping a server dedicated to providing RADIUS, I would like to retire it, and put usernames, passwords, and any other rules in the router's configuration. I've done this in a testing environment, and notice that it works, with one major difference:
- In the original RADIUS setup, a completely new VirtualAccess (Vi1, Vi2, Vi3, etc) interface was created with each user.
- In the local setup, a sub-interface of VirtualAccess1 (Vi1.1, Vi1.2, Vi1.3) is created for each user.
Is there any way to create a separate VirtualAccess interface for each user, but keep the authentication local?
Much of the configuration has been copied from our production environment, and as such is heavily edited here:
version 12.3
service timestamps debug datetime year
service timestamps log datetime year
service password-encryption
!
hostname [removed]
!
boot-start-marker
boot-end-marker
!
logging buffered 131072 debugging
logging console alerts
enable password [removed]
!
aaa new-model
aaa session-mib disconnect
!
!
!
aaa authentication ppp default none
aaa authentication ppp [isp]-auth local
aaa authorization network [isp]-auth local
aaa accounting delay-start
aaa accounting update periodic 1
!
aaa attribute list [username 1 removed]
 attribute type addr [ip 1 removed]
!
aaa attribute list [username 2 removed]
 attribute type addr [ip 2 removed]
!
aaa attribute list [username 3 removed]
 attribute type addr [ip 3 removed]
!
aaa session-id common
!
resource policy
!
no ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.255.254.1 10.255.254.50
ip dhcp excluded-address 10.255.252.1 10.255.252.50
!
ip dhcp pool [isp]-wasteland1
 network 10.255.254.0 255.255.254.0
 domain-name [isp].com
 dns-server 4.2.2.2 8.2.2.2
 default-router 10.255.254.1
!
ip dhcp pool [isp]-wasteland2
 network 10.255.252.0 255.255.254.0
 domain-name [isp].com
 dns-server 4.2.2.2 8.2.2.2
 default-router 10.255.252.1
!
!
ip domain name [removed]
ip name-server 4.2.2.2
virtual-profile if-needed
virtual-profile virtual-template 11
!
no ftp-server write-enable
async-bootp dns-server 4.2.2.2 8.2.2.2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username [username] password [password]
username [username] password [password]
username [username] password [password]
... (5 more)
!
!
class-map match-all default-class
 match any
!
!
[removed policy maps]
!
!
crypto isakmp ccm
!
!
!
bba-group pppoe global
 virtual-template 11
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description [removed]
 ip address [ip address] [subnet] secondary
 ip address [ip address] [subnet]
 duplex auto
 speed auto
 service-policy input [removed]
 service-policy output [removed]
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description [removed]
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.217
 description [removed]
 encapsulation dot1Q 217
 ip address [ip address] [subnet]
 pppoe enable group global
!
interface FastEthernet0/1.218
 description [removed]
 encapsulation dot1Q 218
 ip address [ip address] [subnet] secondary
 ip address [ip address] [subnet]
 pppoe enable group global
!
interface FastEthernet0/1.219
 description [removed]
 encapsulation dot1Q 219
 ip address [ip address] [subnet]
 service-policy input [removed]
 service-policy output [removed]
!
interface FastEthernet0/1.220
 description ** UNUSED **
 encapsulation dot1Q 220
 shutdown
!
interface FastEthernet0/1.221
 description ** UNUSED **
 encapsulation dot1Q 221
 shutdown
!
!
interface Virtual-Template11
 description PPPoE user
 ip unnumbered FastEthernet0/0
 peer default ip address pool [pool-name]
 ppp authentication pap [isp]-auth
 ppp authorization [isp]-auth
 ppp accounting [isp]-auth
 service-policy [removed]
 service-policy [removed]
!
ip local pool [pool-name] [xxx.xxx.xxx].130 [xxx.xxx.xxx].189
ip local pool [pool-name] [xxx.xxx.xxx].64 [xxx.xxx.xxx].126
no ip classless
ip route 0.0.0.0 0.0.0.0 [gateway]
!
!
ip http server
no ip http secure-server
!
logging trap debugging
logging facility local4
logging [logging ip]
access-list 101 permit ip any any
snmp-server community [isp]-public RO
snmp-server community [isp]-read-write RW
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 2
 [password removed]
 transport input telnet ssh
!
ntp clock-period 17180651
ntp server 204.2.134.164
ntp server 204.2.134.163
ntp server 77.66.37.130
!
end
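As an added illustration (not the poster's configuration), the local-AAA fragment below pairs the per-user attribute list with the one global knob that, on IOS images where the `virtual-template subinterface` command exists, makes the router clone a full Virtual-Access interface per PPPoE session instead of a Vi1.x subinterface. The bracketed names, the `username ... aaa attribute list` binding line and the availability of that command on the poster's release are assumptions.

```cisco
! Added example, not the poster's running config. Values in [brackets] are placeholders.
! Assumes the IOS image supports the global "virtual-template subinterface" command.
aaa new-model
!
! PPP authentication and authorization against the local username database only.
aaa authentication ppp [isp]-auth local
aaa authorization network [isp]-auth local
!
! Per-user attribute list carrying the static address RADIUS used to hand back.
aaa attribute list [user1]-attrs
 attribute type addr [ip-for-user1]
!
username [user1] password [password]
! Binding of the user to its attribute list (assumed to exist on this release).
username [user1] aaa attribute list [user1]-attrs
!
! By default each PPPoE session is cloned as a Virtual-Access *subinterface*
! (Vi1.1, Vi1.2 ...). Turning the default off makes each session a full
! Virtual-Access interface (Vi2, Vi3 ...), as the RADIUS setup produced.
no virtual-template subinterface
!
bba-group pppoe global
 virtual-template 11
!
interface Virtual-Template11
 description PPPoE user
 ip unnumbered FastEthernet0/0
 peer default ip address pool [pool-name]
 ppp authentication pap [isp]-auth
 ppp authorization [isp]-auth
!
! Verification from exec mode: every active session should now appear as its own
! Virtual-AccessN, and the cloned config should show the per-user address.
! show pppoe session
! show interfaces virtual-access 2 configuration
```

Full Virtual-Access interfaces cost more memory and setup time per session than subinterfaces, which is why subinterfaces are the default; for a handful of users that difference is negligible.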