Cisco VDSL config for ISP with RFC1483 bridging, DHCP and NAT

Telfort, a Dutch ISP, delivers VDSL connections using RFC1483 bridging. This is quite a different approach from the more common PPPoE setup. See below for an example.

First remove any ATM and Dialer interfaces you have defined; instead you use the Ethernet0 interface of the VDSL controller. Define a subinterface for the VLAN your ISP uses. In the case of Telfort this is VLAN 34.

interface Ethernet0
no ip address
no shutdown
!
interface Ethernet0.34
encapsulation dot1Q 34
ip address dhcp
ip nat outside

On the subinterface the IP address is requested through DHCP and the interface is marked ip nat outside. Next mark your internal interface ip nat inside, define your NAT rule and its matching access list, and you're good to go. The default route is installed automatically from the DHCP lease.

interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0.34 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Cisco router configuration for a Tele2 VDSL connection

I got myself a Cisco 887V-W to replace the Comtrend modem that Tele2 ships with their 50 Mbit VDSL connection, once called Fiber Speed. Thanks go out to Glazenbakje for a basic VDSL config that I could tweak to get it to work with Tele2.

I'd advise upgrading to IOS 15.1T as it holds newer ADSL firmware that does a better job of calculating the attainable rate. If you connect your router and execute the sh controllers vdsl 0 command you'll see something like this, which indicates you have a VDSL carrier signal:

Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Trellis: ON  ON
Line Attenuation:  0.0 dB  0.0 dB
Signal Attenuation:  0.0 dB  0.0 dB
Noise Margin:  6.2 dB  5.8 dB
Attainable Rate: 44884 kbits/s 5535 kbits/s
Actual Power: 14.2 dBm  1.4 dBm

And now for the basic config lines to get this going:

interface Ethernet0
no ip address
!
interface Ethernet0.32
encapsulation dot1Q 32
pppoe-client dial-pool-number 10
!
interface Vlan1
ip address 10.1.1.34 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!

interface Dialer 10
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
dialer pool 10
dialer string 555
dialer-group 10
ppp authentication chap callin
ppp chap hostname <username>@3p.versatel.nl
ppp chap password 0 <your decoded password>
no cdp enable
!
ip nat inside source list 101 interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 10 protocol ip permit
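Both the Telfort config above and this Tele2 config rely on the same pattern: one interface marked ip nat outside, one marked ip nat inside, and an access list that decides which sources get translated. The following static check is an added example (not code from the posts or from Cisco) that parses an IOS-style config and reports the mistakes that are easy to make with this pattern: the WAN (sub)interface not marked ip nat outside, a NAT access list that does not exist, or one that permits translation from any source rather than just the LAN subnet. The configs it runs on are constructed to mirror the Telfort post.

```python
"""Static check of the overload-NAT pattern used in both VDSL configs above.
Added example with constructed configs; the parser covers the statement types
that appear on the page (interfaces, 'ip nat inside source list', 'access-list')."""
import ipaddress
import re

# Lines that always start a new top-level statement in a running-config
TOP_LEVEL = ("interface ", "ip nat inside source ", "ip route ", "access-list ", "dialer-list ", "!")

def _acl_addr(tokens, i):
    """Parse an ACL address spec (any | host A | A wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(tokens[i] + "/" + mask, strict=False), i + 2

def parse_ios_config(text):
    """Return (interfaces, nat_rules, acls) from IOS-style config text."""
    interfaces, nat_rules, acls, current = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(TOP_LEVEL):
            current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")  # "Dialer 10" -> "Dialer10"
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        elif line.startswith("ip nat inside source list "):
            m = re.match(r"ip nat inside source list (\S+) interface (\S+)", line)
            if m:
                nat_rules.append((m.group(1), m.group(2)))
        elif line.startswith("access-list "):
            t = line.split()
            if t[3] == "ip":                                   # extended: permit ip SRC DST
                src, i = _acl_addr(t, 4)
                dst, _ = _acl_addr(t, i)
            elif t[3] in ("any", "host") or t[3][0].isdigit():  # standard ACL: SRC only
                src, _ = _acl_addr(t, 3)
                dst = ipaddress.ip_network("0.0.0.0/0")
            else:                                              # tcp/udp/icmp entries not audited
                continue
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return interfaces, nat_rules, acls

def audit_nat(text):
    """Findings (empty list = clean) for the 'ip nat inside source list ... overload' pattern."""
    interfaces, nat_rules, acls = parse_ios_config(text)
    findings = []
    inside = [n for n, cmds in interfaces.items() if "ip nat inside" in cmds]
    outside = [n for n, cmds in interfaces.items() if "ip nat outside" in cmds]
    inside_nets = []
    for name in inside:
        for cmd in interfaces[name]:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)     # skips 'ip address dhcp/negotiated'
            if m:
                inside_nets.append(ipaddress.ip_interface(m.group(1) + "/" + m.group(2)).network)
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not nat_rules:
        findings.append("no 'ip nat inside source list ... overload' rule found")
    for acl_id, wan in nat_rules:
        if wan not in interfaces:
            findings.append(f"NAT rule references unknown interface {wan}")
        elif wan not in outside:
            findings.append(f"{wan} carries the NAT rule but lacks 'ip nat outside'")
        if acl_id not in acls:
            findings.append(f"access-list {acl_id} used by the NAT rule does not exist")
            continue
        for action, src, _dst in acls[acl_id]:
            if action != "permit":
                continue
            if src.prefixlen == 0:
                findings.append(f"access-list {acl_id} permits translation from any source; limit it to the LAN")
            elif not any(src.subnet_of(net) for net in inside_nets):
                findings.append(f"access-list {acl_id} permits {src}, which is not an inside subnet")
    return findings

# Constructed config mirroring the Telfort post (DHCP on the VLAN 34 subinterface)
GOOD_CONFIG = """
interface Ethernet0.34
 encapsulation dot1Q 34
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0.34 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed misconfiguration: WAN side not marked, ACL too broad plus a stray subnet
BAD_CONFIG = GOOD_CONFIG.replace(" ip nat outside\n", "").replace(
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 permit ip any any\naccess-list 101 permit ip 10.0.0.0 0.255.255.255 any")
```

Run audit_nat() over a saved show running-config; an empty list means the NAT pattern is consistent with the posts above, and each finding names the line to fix. The parser deliberately only handles the statement types the posts use; a dialer interface written as "interface Dialer 10" is matched against "Dialer10" in the NAT rule, as IOS itself does.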

Notes of interest: The VLAN ID that Tele2 uses for their internet connection is 32. They have different IDs for e.g. the management connection to the modem, but you don't need those. They use CHAP for their PPPoE authentication, and I needed to use a dialer string with a random number to trigger the dial-out.

In case you have any questions feel free to leave a comment and I’ll try to answer to the best of my ability.

Default IP address and enable password of a Cisco 887V-W ISR router

This will probably be the case for other Cisco routers as well, but for reasons unknown Cisco has decided to set an enable password on this router. The usual guesses (cisco, Cisco, etc.) didn't work out, so I had to break out the console cable and recover it, as it didn't seem to be documented anywhere.

It is c. Yes, that's just that one letter. The IP address was 10.1.1.34.

Tele2 Fiberspeed VDSL with a Cisco modem

I have ordered Fiberspeed from Tele2, an affordable 50/5 VDSL connection. The modem is in, but I'd like to hook it up to a Cisco router. I've ordered an 887VW that should do the job and used this hint to gain access to the setup of the Comtrend modem that Tele2 ships. The setup backup file reveals your PPPoE username and password, although I suspect that they're the same for everyone (username Comtrend, password Q29xxxxxxxxx). If this is indeed the case I'll post them here later.

Update: Those settings indeed apply to every new modem shipped to a customer. However, once connected it will download a new connection profile with your own PPPoE username and password in it, which you'll need to set up your Cisco router (or any other router for that matter). As of today the Tele2 Comtrend modem is still vulnerable to the hack listed in the link above, so you should have no problem extracting the username and password. The username ends in @3p.versatel.nl and the password is base64-encoded, which you can safely decode here. Once you have this information it's time to set up your Cisco router; I posted the required config lines here.

Using the Radius server in Mac OS X Server 10.6 for Cisco IOS WebVPN user and group authentication

One of my customers was looking for a simple Cisco WebVPN solution to replace his older EasyVPN. The goals were to increase security (by defining user groups and IP access lists) and to ease deployment for external parties that needed to log on to the VPN. This posed the following problems:

– The Cisco router that was used (a 1921) only supports local users; in order to apply different group policies there had to be group authentication as well.
– Mac OS X 10.6 uses its RADIUS server only to authenticate users on AirPort base stations. Authorization for other devices is not enabled by default, and groups are not pushed to other devices.

So… let's get started! For this to work you'll need to have your Cisco router connected to your Mac OS X server in some way. I won't go into the basics of setting up your router, your WebVPN or your Mac OS X server here; there are plenty of tutorials on that on the web already.

First of all we'll have to alter the configuration of the excellent FreeRADIUS server that Apple ships with Mac OS X Server 10.6. This is easier than it seems. Stop the RADIUS server in the Server Admin utility and browse to the /etc/raddb/ directory. We'll make changes to two files here.

In clients.conf we'll have to instruct the RADIUS server to accept incoming requests from the Cisco router. This is done by adding the following lines just above the "client localhost {" block:

client 192.168.9.1/32 {
secret = somesecretyoucameupwith
shortname = vpn
nastype = cisco
}

The shortname is the hostname of the router; the IP address is the IP address of the router. Save the file (you'll need administrator access to do this), but don't start the RADIUS server just yet. We also have to edit the users file (in the same directory) in order to push group information to the router.

In the users file you can specify the reply attributes that should be pushed back to the router upon a successful authentication. I looked into the possibility of making the RADIUS server push the user's default group to the router but deemed it far too difficult to make work. Instead I opted to make separate entries for all my users and specify their policy group explicitly. At the bottom of the users file you can add entries like this:

user1   Cleartext-Password := "password"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"

When user1 tries to log in to the WebVPN, the RADIUS server will (upon successful authentication) push the webvpn:user-vpn-group attribute to the router. This attribute (in this case the group name management) selects the correct policy for the user. Now the RADIUS part is done; start the RADIUS server and see if it runs. If it doesn't start you probably made a typo somewhere; see below on how to debug it.

Now it’s time to implement RADIUS authentication in the router. First we’ll add the radius server to the config:

radius-server host 192.168.9.12 auth-port 1812 acct-port 1813 key 0 <somesecretyoucameupwith>

The secret needs to be the same as the secret you entered in clients.conf. Enter it in clear text (key 0, or simply key); key 7 expects an already-encrypted string, and IOS will encrypt the stored secret itself when service password-encryption is on.

These are the AAA settings that I used. I first want the router to check for a local account so I can always access it in case the RADIUS server stops working; after that the router queries the RADIUS server for valid accounts.

aaa authentication login default local group radius
aaa authorization exec default local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius cache radius local
aaa accounting auth-proxy default start-stop group radius

From here it's easy: you can create different policy groups in your webvpn context. In this case I would create a policy group called management for user1 that allows him to reach certain hosts and see a specific URL list.

policy group management
 url-list "URLs"
 functions svc-enabled
 svc address-pool "sslvpn-pool"
 svc keep-client-installed
 svc split include 192.168.43.0 255.255.255.0
 svc split include 192.168.9.0 255.255.255.0
 svc dns-server primary 8.8.8.8
 svc dns-server secondary 8.8.4.4

Also add the following line to your webvpn context to make sure the RADIUS server is queried for valid accounts:

aaa authentication auto

Now your Cisco router will pass logins on to the RADIUS server and receive the correct attribute to select the right group policy for the WebVPN. Nice!

Notes:

– In order for this to work the users specified have to exist both in Open Directory and in the users file.
– I have used ports 1812 and 1813. Older RADIUS implementations used ports in the 1600 range. Cisco Configuration Professional still suggests these ports, but they don't work with FreeRADIUS.
– I included the DNS servers as there is a bug in the current version of the AnyConnect client where DNS requests are not correctly forwarded in the case of a split tunnel (CSCtf20226).
– If this doesn't work, first launch the RADIUS server in debug mode on the Mac OS X server to see if the authentication runs well. This can be done by starting a terminal session and launching radiusd -X as root.
– Secondly, use the RADIUS debugging of the Cisco router (debug radius) to see if the authentication packets that are returned contain the avpair attribute. If the attribute is not included the router will assign the default policy. In my case I removed the default policy as it poses a security risk.
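To make concrete what the users-file entry above produces on the wire and what the router checks before it trusts a reply, here is an added example (not code from the post, from Apple or from Cisco) of the RADIUS exchange in Python: it builds the Access-Request the router sends for user1, builds the Access-Accept the server answers with (Service-Type NAS-Prompt-User, value 7 per RFC 2865, plus the cisco-avpair carried as a Vendor-Specific attribute with Cisco's vendor ID 9 and vendor type 1), verifies the Response Authenticator with the shared secret, and extracts the webvpn:user-vpn-group value. The secret, user and group values are the constructed ones from the post; the request authenticator is random unless one is supplied.

```python
"""RADIUS Access-Request/Access-Accept exchange (RFC 2865) carrying a Cisco
cisco-avpair VSA. Added example with constructed values, not the page's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
NAS_PROMPT_USER = 7                 # Service-Type value for NAS-Prompt-User
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) attribute wrapping a Cisco cisco-avpair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def encode_user_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(data[i:i + 16], mask))
        out += prev
    return out

def build_access_request(secret, ident, request_auth, username, password):
    """What the router (NAS) sends to the RADIUS server for a WebVPN login."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encode_user_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(secret, ident, request_auth, attrs):
    """Server reply; the Response Authenticator binds it to the request and the secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(secret, request_auth, response):
    """Router-side check: a reply built without the shared secret fails here."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(pkt):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(pkt):
    """Every cisco-avpair string found in Cisco Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_attributes(pkt):
        if atype != ATTR_VSA or len(value) < 6 or value[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return pairs

def webvpn_group(secret, request_auth, response):
    """Policy group the router would select; None means the default policy applies."""
    if not verify_response(secret, request_auth, response):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if response[0] != ACCESS_ACCEPT:
        return None
    for pair in cisco_avpairs(response):
        key, _, val = pair.partition("=")
        if key == "webvpn:user-vpn-group":
            return val
    return None

def simulate_login(secret, request_auth=None, group="management"):
    """Constructed exchange for user1; returns (request, request_auth, accept)."""
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(secret, 42, request_auth, "user1", "password")
    reply = attr(ATTR_SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
    if group:
        reply += cisco_avpair("webvpn:user-vpn-group=" + group)
    return request, request_auth, build_access_accept(secret, 42, request_auth, reply)
```

Two behaviours matter for the notes above: a reply built with a different secret fails verify_response(), which is why a mismatch between clients.conf and the router's key shows up as an authentication failure rather than a wrong group, and an Access-Accept without the avpair makes webvpn_group() return None, the situation in which the router silently falls back to the default policy.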

A big thanks to the folks on the FreeRADIUS mailing list for their assistance!