
CPE,LAC, LNS and BRAS with CISCO ISE

Let's install a small ISP :) For this, I will use the EVE-NG emulator and Cisco 7206VXR routers. ISPs use a BRAS to authenticate CPE devices. BRAS stands for Broadband Remote Access Server. The BRAS is an essential part of the broadband topology because it controls subscriber access. The BRAS is also called a BNG (Broadband Network Gateway).

Some of the BNG's functions are:


•Authentication, Authorization, and Accounting of subscriber sessions

•Address assignment

•Security

•Policy management

•Quality of Service(QoS).


In this topology I will only authenticate the CPE and assign it an address over the MPLS core. I create a VRF to place CPEs in different domains. We need a Layer 2 tunnel to transport the PPPoE sessions to the BNG across the MPLS core.

What type of tunnel do we need? L2TP. L2TP does not provide any encryption or confidentiality by itself: it carries Layer 2 (PPP) frames over IP, and the optional tunnel password only authenticates the control connection between LAC and LNS. If confidentiality is needed, the tunnel can be carried over a Layer 3 encryption protocol such as IPsec (L2TP/IPsec).


LAC and LNS are components of the broadband topology. The L2TP tunnel is created between the LAC and the LNS.

The LAC receives PPP frames from the remote client (here, the PPPoE session from the CPE) and forwards them through the tunnel to an L2TP network server (LNS) on a remote network.

The LNS is the termination point for the PPP session coming from the remote client; it is where authentication, address assignment and policy are applied, so in this lab it is also the BRAS. For more detailed information, see Cisco's VPDN document:

https://www.cisco.com/c/en/us/support/docs/dial-access/virtual-private-dialup-network-vpdn/20980-vpdn-20980.html


My goal is to use Cisco ISE as the BRAS RADIUS server with a basic configuration. This post gives you a perspective on the service provider CPE structure.


Lab equipment:

EVE-ng emulator

P : 7206VXR

PE : 7206VXR

LAC : 7206VXR

LNS : 7206VXR

ISE : 2.6.0.156

CPE : I86BI_LINUX-ADVENTERPRISEK9-M


You can also find the full config and the EVE-NG topology file at the bottom of the post.

LAC-A configuration:

hostname LAC-A

ip cef

vpdn enable

! Tunnel every PPPoE session whose username ends in @networktcpip.com to the LNS.
! The tunnel password authenticates the L2TP control connection only; it does
! not encrypt the PPP frames carried inside the tunnel.
vpdn-group LAC
 request-dialin
  protocol l2tp
  domain networktcpip.com
 initiate-to ip 10.10.10.10
 source-ip 10.20.20.253
 local name LAC
 l2tp tunnel password 0 networktcpip

! PPPoE sessions arriving on Ethernet1/1 are cloned from Virtual-Template1
bba-group pppoe networktcpip
 virtual-template 1

interface Loopback0
 ip address 4.4.4.4 255.255.255.255


! Core-facing link towards the LNS (OSPF process 2 enabled on the interface)
interface Ethernet1/0
 ip address 10.20.20.253 255.255.255.0
 ip ospf 2 area 0
 duplex full

! Subscriber-facing link: no IP address, PPPoE only
interface Ethernet1/1
 no ip address
 duplex full
 pppoe enable group networktcpip
!

! CHAP is required here so the LAC obtains the username and can match the domain;
! the actual credential check happens on the LNS, not on the LAC
interface Virtual-Template1
 description pppoe networktcpip
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1320
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap

router ospf 2

end

LNS configuration:

hostname BRAS-LNS

aaa new-model

! PPP authentication, authorization and accounting all go to ISE over RADIUS
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization subscriber-service default local group radius
aaa accounting delay-start
aaa accounting update periodic 10
aaa accounting network default
 action-type start-stop
 group radius

aaa nas port extended

! Accept Change-of-Authorization (CoA) from ISE so a session's policy can be changed while it is up
aaa server radius dynamic-author
 client 10.10.10.100 server-key cisco123
 auth-type any

aaa session-id unique

ip domain name elma.com
ip name-server 10.10.10.200
ip cef
no ipv6 cef

vpdn enable

! Terminate tunnels only from a LAC that identifies itself as "LAC" and knows the
! tunnel password; the PPP sessions inside are cloned from Virtual-Template1
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 local name LNS
 l2tp tunnel password 0 networktcpip


! Per-subscriber rate-limit policies; ISE picks one through the authorization profile
policy-map Unlimited
policy-map 1024
 class class-default
  police 1024000
policy-map 128
 class class-default
  police 128000
policy-map 64
 class class-default
  police 64000
policy-map 2048
 class class-default
  police 2048000
policy-map 8192
 class class-default
  police 8192000

interface Loopback0
 ip address 5.5.5.5 255.255.255.255

! Core-facing link towards the LAC; the L2TP tunnel terminates on this address
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 ip ospf 2 area 0
 duplex full

! Upstream (Internet) link
interface FastEthernet1/0
 ip address 192.168.28.141 255.255.255.0
 duplex full

! Subscriber addresses come from the local pool unless RADIUS returns one
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1320
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication chap

router ospf 2

ip local pool default 192.168.28.240 192.168.28.245
ip local pool default2 192.168.28.230 192.168.28.235
! Note: no interface is marked ip nat inside/outside, so this NAT rule is not in
! effect; the CPE does its own NAT behind Dialer0
ip nat inside source list 1 interface FastEthernet1/0 overload
ip forward-protocol nd

no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.28.2

access-list 1 permit 10.1.1.0 0.0.0.255

! ISE as RADIUS server; cisco123 is a lab-only shared secret, and this secret is
! all that protects the RADIUS exchange between the LNS and ISE
radius server default
 address ipv4 10.10.10.100 auth-port 1812 acct-port 1813
 key cisco123

end
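To make the tunnel-selection and tunnel-authentication behaviour of the two vpdn-groups above concrete, here is an added example (my own Python model, not code from the original post or from Cisco IOS). It takes the domain, the hostnames, the LNS address and the tunnel password from the LAC-A and BRAS-LNS configs; the challenge bytes are random, a second vpdn-group is constructed only to show the terminate-from check, and the message-type/secret/challenge hashing follows RFC 2661 section 5.1.1.

```python
"""Toy model of LAC-A / BRAS-LNS tunnel set-up (added example, not the post's code).
Shows domain-based tunnel selection ('domain networktcpip.com') and the CHAP-like
tunnel authentication driven by 'l2tp tunnel password' (RFC 2661, section 5.1.1)."""
import hashlib
import os

# vpdn-group LAC on LAC-A (request-dialin), keyed by the domain after '@'.
# The "lab.example" entry is constructed for the demo only; it is not in the post.
LAC_VPDN_GROUPS = {
    "networktcpip.com": {"initiate_to": "10.10.10.10", "local_name": "LAC",
                         "secret": b"networktcpip"},
    "lab.example": {"initiate_to": "10.10.10.10", "local_name": "LAC-B",
                    "secret": b"networktcpip"},
}
# vpdn-group 1 on BRAS-LNS (accept-dialin): terminate-from hostname LAC + tunnel password
LNS_ACCEPT_FROM = {"LAC": b"networktcpip"}

SCCRP, SCCCN = 2, 3   # L2TP control message types that carry the Challenge Response AVP


def select_tunnel(ppp_username):
    """LAC side: only the text after '@' is looked at; no '@' means no tunnel."""
    if "@" not in ppp_username:
        return None
    domain = ppp_username.rsplit("@", 1)[1].lower()
    return LAC_VPDN_GROUPS.get(domain)


def l2tp_response(msg_type, secret, challenge):
    """RFC 2661 5.1.1: Response = MD5(message type as one octet || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_auth(lac_secret, lns_secret, lac_challenge=None, lns_challenge=None):
    """Mutual tunnel authentication. The LAC sends a Challenge in SCCRQ; the LNS
    answers it in SCCRP and adds its own Challenge, which the LAC answers in SCCCN.
    Returns (lns_accepts_lac, lac_accepts_lns)."""
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)
    lns_resp = l2tp_response(SCCRP, lns_secret, lac_challenge)            # carried in SCCRP
    lac_accepts_lns = lns_resp == l2tp_response(SCCRP, lac_secret, lac_challenge)
    lac_resp = l2tp_response(SCCCN, lac_secret, lns_challenge)            # carried in SCCCN
    lns_accepts_lac = lac_resp == l2tp_response(SCCCN, lns_secret, lns_challenge)
    return lns_accepts_lac, lac_accepts_lns


def bring_up_tunnel(ppp_username):
    """End to end: the CPE's PPP username reaches the LAC, the LAC picks a group by
    domain, the LNS checks the hostname from the SCCRQ, then both sides verify the
    tunnel secret. Returns (lns_ip, status)."""
    group = select_tunnel(ppp_username)
    if group is None:
        return (None, "no vpdn-group for domain; LAC would not tunnel")
    lns_secret = LNS_ACCEPT_FROM.get(group["local_name"])
    if lns_secret is None:
        return (group["initiate_to"], "LNS rejects: hostname not in terminate-from")
    lns_ok, lac_ok = tunnel_auth(group["secret"], lns_secret)
    if not (lns_ok and lac_ok):
        return (group["initiate_to"], "tunnel auth failed: secret mismatch")
    return (group["initiate_to"], "tunnel established")


if __name__ == "__main__":
    print(bring_up_tunnel("cpe-a@networktcpip.com"))   # ('10.10.10.10', 'tunnel established')
    print(bring_up_tunnel("cpe-a@example.net"))        # no matching domain, no tunnel
```

Note what the tunnel password does and does not buy you: a peer that cannot produce the right Challenge Response never gets a tunnel, but once the tunnel is up the PPP frames inside it (including the CPE's CHAP exchange) cross the core unencrypted; that is what the IPsec option mentioned earlier is for.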

CPE-A configuration:

hostname CPE-A


! LAN side: hand out addresses to the Linux client
ip dhcp pool CLIENT
 network 10.200.56.0 255.255.255.0
 default-router 10.200.56.254
 dns-server 8.8.8.8

ip cef

! WAN side: PPPoE client bound to dial pool 1
interface Ethernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface Ethernet0/1
 ip address 10.200.56.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

! The PPP session; the address is negotiated from the LNS pool. The domain part of
! the CHAP hostname (@networktcpip.com) is what the LAC uses to pick the L2TP tunnel.
interface Dialer0
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1320
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname cpe-a@networktcpip.com
 ppp chap password 0 *********


no ip http server
no ip http secure-server
! PAT the LAN behind the negotiated Dialer0 address
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0

access-list 1 permit 10.200.56.0 0.0.0.255


end

ISE configuration:


Let's come to the most important part of this post :) First, we create a username and password for the CPE in the ISE internal user database.

Work Center>Device Administration>Identities>Add




The CPE uses PPP CHAP authentication. You can change the authentication type to PAP if you wish, but keep the difference in mind: with PAP the CPE sends the password itself inside the PPP frame, whereas with CHAP it only sends an MD5 response to a challenge. CHAP requires the server to know the clear-text password in order to recompute the response, and in neither case are the PPP frames encrypted inside the L2TP tunnel.

Now we have to write an authentication and authorization policy.

The ISE default allowed-protocols list does not include CHAP, so we create another allowed-protocols rule that enables it.




Policy rule:


Policy>Policy Sets>click +

1. I created a policy set called Bras.


2. Then click the condition. I added the following conditions to the Bras policy set; both are RADIUS attributes the LNS sends in the Access-Request for every PPP session:

Framed-Protocol: PPP

NAS-Port-Type: Virtual

You can make it more specific if you want (for example, by adding the NAS IP address of the LNS). That's enough for my sample.

3. Select PPPOE, the allowed-protocols rule created before, as the Allowed Protocols.

4. Click > Add authorization rule.


Authorization Rules:

Authorization condition rule:

I want to assign a bandwidth limitation policy to the user "cpe-a@networktcpip.com"; for this I have to create an Authorization profile.


After creating the authorization profile, the Bras policy is complete.
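To show what the Bras policy-set conditions and the CHAP allowed-protocols rule are acting on, here is an added example (my own Python model, not code from the original post or from Cisco ISE). It assumes a password CpeA-secret for cpe-a@networktcpip.com, uses the cisco123 RADIUS key from the BRAS-LNS config, and constructs the CHAP challenge and RADIUS Request-Authenticator bytes; the CHAP check follows RFC 1994 and the PAP User-Password hiding follows RFC 2865 section 5.2.

```python
"""Model of the RADIUS exchange between BRAS-LNS and ISE for the CPE's PPP login
(added example, not the post's code). Shows the Framed-Protocol / NAS-Port-Type
conditions, server-side CHAP verification (RFC 1994), why the server needs the
clear-text password for CHAP, and how PAP's User-Password is only masked with the
RADIUS shared secret (RFC 2865 section 5.2)."""
import hashlib
import os

FRAMED_PROTOCOL_PPP = 1      # Framed-Protocol value for PPP
NAS_PORT_TYPE_VIRTUAL = 5    # NAS-Port-Type the LNS reports for a Virtual-Access interface
RADIUS_SECRET = b"cisco123"  # 'key cisco123' on BRAS-LNS; lab value

# ISE internal user from the post; the password itself is an assumption for the demo
USERS = {"cpe-a@networktcpip.com": "CpeA-secret"}


def chap_response(chap_id, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def cpe_chap_login(username, password, challenge, chap_id=1):
    """CHAP: the LNS challenges the CPE, the CPE answers with a hash, and the LNS
    relays username, ident + 16-byte answer, and the challenge to RADIUS."""
    return {"User-Name": username,
            "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, password, challenge),
            "CHAP-Challenge": challenge,
            "Framed-Protocol": FRAMED_PROTOCOL_PPP,
            "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad the password to 16-octet blocks and XOR each block with
    MD5(secret || previous block), seeded with the Request-Authenticator.
    This is masking keyed on the shared secret, not encryption."""
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], block))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: what ISE, or anyone holding the secret, recovers."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00").decode()


def cpe_pap_login(username, password, authenticator):
    """PAP: the CPE sends the password itself in the PPP frame; the LNS masks it
    with the RADIUS secret before forwarding."""
    return {"User-Name": username,
            "User-Password": pap_hide(password, RADIUS_SECRET, authenticator),
            "Framed-Protocol": FRAMED_PROTOCOL_PPP,
            "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}


def bras_policy_matches(req):
    """The condition on the 'Bras' policy set from the post."""
    return (req.get("Framed-Protocol") == FRAMED_PROTOCOL_PPP
            and req.get("NAS-Port-Type") == NAS_PORT_TYPE_VIRTUAL)


def radius_authenticate(req, authenticator=None, allow_chap=True, allow_pap=True):
    """Server side. allow_chap=False mirrors ISE's default allowed-protocols list."""
    if not bras_policy_matches(req):
        return "Reject: no matching policy set"
    password = USERS.get(req.get("User-Name"))
    if password is None:
        return "Reject: unknown user"
    if "CHAP-Password" in req:
        if not allow_chap:
            return "Reject: CHAP not allowed"
        chap_id, resp = req["CHAP-Password"][0], req["CHAP-Password"][1:]
        # The server recomputes the hash, so it must hold the clear-text password.
        expected = chap_response(chap_id, password, req["CHAP-Challenge"])
        return "Accept" if resp == expected else "Reject: bad CHAP response"
    if "User-Password" in req:
        if not allow_pap:
            return "Reject: PAP not allowed"
        got = pap_reveal(req["User-Password"], RADIUS_SECRET, authenticator)
        return "Accept" if got == password else "Reject: bad password"
    return "Reject: no credentials"


if __name__ == "__main__":
    challenge, auth = os.urandom(16), os.urandom(16)
    print(radius_authenticate(cpe_chap_login("cpe-a@networktcpip.com", "CpeA-secret", challenge)))
    print(radius_authenticate(cpe_pap_login("cpe-a@networktcpip.com", "CpeA-secret", auth), auth))
```

Two practitioner takeaways: radius_authenticate(..., allow_chap=False) reproduces the reject you get when the default allowed-protocols list is left unchanged, and pap_reveal shows that a PAP password is only XOR-masked with a keystream derived from the RADIUS shared secret, so a weak secret such as cisco123 outside a lab exposes every subscriber password that crosses the LNS-to-ISE link.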


Troubleshooting:

We can see the tunnel on the LAC and the LNS (show vpdn tunnel and show vpdn session):


LNS:

LAC:

CPE:

The IP address is assigned to Dialer0 from the pool.

Check the debug output on BRAS-LNS and see the assigned IP and policy map.

The assigned IP:

The assigned policy map:



Check the ISE log (Operations > RADIUS > Live Logs):




SpeedTest result on the Linux client:

As you can see, the CPE is working properly.


Thanks for Reading.


EveNg-Top-Bras.zip (10KB)
Bras-Conf.rar (8KB)

