(RADIATOR) Cisco/Altiga - Cannot obtain an IP address for remote peer
Hugh Irvine
hugh at open.com.au
Mon Mar 11 17:54:40 CST 2002
Hello Bob -

I think you are correct - it sounds like the tunnel setup is not happening
because there is no IP address specified for the remote end of the tunnel.

You should check the Cisco web site for some examples of VPN tunnel
configuration via radius.

There is also an example in the "users" file in the top level of the Radiator
distribution.

regards

Hugh

On Mon, 11 Mar 2002 19:09, Bob Shafer wrote:
> We're using Radiator to authenticate a Cisco VPN 3000. I would like to
> assign an IP address to the client on the basis of the user.
>
> The user file looks like this:
>
> DU_Users_Test Password="XXX"
>         Class="OU=DU_Users_Test;",
>         Altiga-IPSec-Authentication-G="RADIUS",
>         Altiga-Tunneling-Protocols-G/U="IPSec"
>
> aneuman Password = "YYY"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 130.253.105.2,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Routing = None,
>         Framed-MTU = 1500,
>         Class = DU_Users_Test
>
> When attempting to connect as that user the connection hangs, attempting
> to negotiate security settings and the server reports: "Cannot obtain an
> IP address for remote peer"
>
> I've attached a trace 4 debug at the end of this message.
>
> I suspect the problem is something about the VPN server, and not radius,
> but I'm hoping someone will be able to help me out, anyway.
>
> Bob Shafer
> University of Denver
> _________________________________
>
> Mon Mar 11 00:50:01 2002: DEBUG: Packet dump:
> *** Received from 130.253.254.10 port 1066 ....
> Code: Access-Request
> Identifier: 71
> Authentic: ;<176><185>(<242><197>3<15><218><127><206><3><7>y<226><23>
> Attributes:
> User-Name = "DU_Users_Test"
> User-Password =
> NAS-Port = 0
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Tunnel-Client-Endpoint = "24.226.200.126"
> Altiga-Auth-Server-Type = 1
> NAS-IP-Address = 130.253.254.10
> NAS-Port-Type = Virtual
>
> Mon Mar 11 00:50:01 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Mar 11 00:50:01 2002: DEBUG: Deleting session for DU_Users_Test,
> 130.253.254.10, 0
> Mon Mar 11 00:50:01 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:01 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:01 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:01 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:01 2002: DEBUG: Handling with Radius::AuthFILE:
> Mon Mar 11 00:50:01 2002: DEBUG: Radius::AuthFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:01 2002: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 11 00:50:01 2002: DEBUG: Access accepted for DU_Users_Test
> Mon Mar 11 00:50:01 2002: DEBUG: Packet dump:
> *** Sending to 130.253.254.10 port 1066 ....
> Code: Access-Accept
> Identifier: 71
> Authentic: ;<176><185>(<242><197>3<15><218><127><206><3><7>y<226><23>
> Attributes:
> Class = "OU=DU_Users_Test;"
> Altiga-IPSec-Authentication-G = RADIUS
> Altiga-Tunneling-Protocols-G/U = IPSec
>
> Mon Mar 11 00:50:15 2002: DEBUG: Packet dump:
> *** Received from 130.253.254.10 port 1066 ....
> Code: Access-Request
> Identifier: 72
> Authentic: Z<2><214><239><146><255>|<29>~<19>^4fp/<169>
> Attributes:
> User-Name = "aneuman"
> User-Password =
> NAS-Port = 1256
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Tunnel-Client-Endpoint = "24.226.200.126"
> NAS-IP-Address = 130.253.254.10
> NAS-Port-Type = Virtual
>
> Mon Mar 11 00:50:15 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Mar 11 00:50:15 2002: DEBUG: Deleting session for aneuman,
> 130.253.254.10, 1256
> Mon Mar 11 00:50:15 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:15 2002: DEBUG: Radius::AuthDBFILE looks for match with
> aneuman
> Mon Mar 11 00:50:15 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:15 2002: DEBUG: Radius::AuthDBFILE looks for match with
> aneuman
> Mon Mar 11 00:50:15 2002: DEBUG: Handling with Radius::AuthFILE:
> Mon Mar 11 00:50:15 2002: DEBUG: Radius::AuthFILE looks for match with
> aneuman
> Mon Mar 11 00:50:15 2002: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 11 00:50:15 2002: DEBUG: Access accepted for aneuman
> Mon Mar 11 00:50:15 2002: DEBUG: Packet dump:
> *** Sending to 130.253.254.10 port 1066 ....
> Code: Access-Accept
> Identifier: 72
> Authentic: Z<2><214><239><146><255>|<29>~<19>^4fp/<169>
> Attributes:
> Framed-IP-Address = 130.253.105.2
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.0
> Framed-Routing = None
> Framed-MTU = 1500
> Class = "DU_Users_Test"
>
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> *** Received from 130.253.254.10 port 1066 ....
> Code: Access-Request
> Identifier: 73
> Authentic: <10>?w<149><9>b<190>cF`<246><240><203>w<1>;
> Attributes:
> User-Name = "DU_Users_Test"
> User-Password =
> NAS-IP-Address = 130.253.254.10
> NAS-Port-Type = Virtual
>
> Mon Mar 11 00:50:16 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Mar 11 00:50:16 2002: DEBUG: Deleting session for DU_Users_Test,
> 130.253.254.10,
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 11 00:50:16 2002: DEBUG: Access accepted for DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> *** Sending to 130.253.254.10 port 1066 ....
> Code: Access-Accept
> Identifier: 73
> Authentic: <10>?w<149><9>b<190>cF`<246><240><203>w<1>;
> Attributes:
> Class = "OU=DU_Users_Test;"
> Altiga-IPSec-Authentication-G = RADIUS
> Altiga-Tunneling-Protocols-G/U = IPSec
>
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> *** Received from 130.253.254.10 port 1066 ....
> Code: Access-Request
> Identifier: 74
> Authentic: <250>3@#<186>G<174>M<138><253>s<177><26><153><254><254>
> Attributes:
> User-Name = "DU_Users_Test"
> User-Password =
> NAS-IP-Address = 130.253.254.10
> NAS-Port-Type = Virtual
>
> Mon Mar 11 00:50:16 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Mar 11 00:50:16 2002: DEBUG: Deleting session for DU_Users_Test,
> 130.253.254.10,
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthDBFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthDBFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Handling with Radius::AuthFILE:
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthFILE looks for match with
> DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Mar 11 00:50:16 2002: DEBUG: Access accepted for DU_Users_Test
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> *** Sending to 130.253.254.10 port 1066 ....
> Code: Access-Accept
> Identifier: 74
> Authentic: <250>3@#<186>G<174>M<138><253>s<177><26><153><254><254>
> Attributes:
> Class = "OU=DU_Users_Test;"
> Altiga-IPSec-Authentication-G = RADIUS
> Altiga-Tunneling-Protocols-G/U = IPSec
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
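
When reading a Trace 4 log like the one quoted above, it helps to list, for each Access-Accept, which user it answers and whether it carries a Framed-IP-Address. The following is an added example, not part of the original messages or of Radiator; the function names are hypothetical and the sample is abridged from the quoted trace.

```python
import re

FIELD = re.compile(r'^(Code|Identifier):\s*(\S+)')
ATTR = re.compile(r'^([A-Za-z][\w/-]*) =\s*(.*)$')   # e.g. Altiga-Tunneling-Protocols-G/U = IPSec

def parse_dumps(trace):
    """Yield one dict per 'Packet dump:' block of a Radiator debug trace."""
    for chunk in trace.split("Packet dump:")[1:]:
        dump = {"attrs": {}}
        for raw in chunk.splitlines():
            line = raw.lstrip("> \t").rstrip()        # tolerate mail-quoted logs
            if (m := FIELD.match(line)):
                dump[m.group(1)] = m.group(2)
            elif (m := ATTR.match(line)):
                dump["attrs"][m.group(1)] = m.group(2).strip('"')
        yield dump

def accept_addresses(trace):
    """Return (user, identifier, Framed-IP-Address or None) per Access-Accept."""
    users, out = {}, []
    for d in parse_dumps(trace):
        ident = d.get("Identifier")
        if d.get("Code") == "Access-Request":
            users[ident] = d["attrs"].get("User-Name")   # latest request wins on reuse
        elif d.get("Code") == "Access-Accept":
            out.append((users.get(ident), ident, d["attrs"].get("Framed-IP-Address")))
    return out

# Abridged from the quoted trace: handler lines and most attributes omitted.
SAMPLE = """\
> Mon Mar 11 00:50:15 2002: DEBUG: Packet dump:
> Code: Access-Request
> Identifier: 72
> User-Name = "aneuman"
> Mon Mar 11 00:50:15 2002: DEBUG: Packet dump:
> Code: Access-Accept
> Identifier: 72
> Framed-IP-Address = 130.253.105.2
> Class = "DU_Users_Test"
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> Code: Access-Request
> Identifier: 73
> User-Name = "DU_Users_Test"
> Mon Mar 11 00:50:16 2002: DEBUG: Packet dump:
> Code: Access-Accept
> Identifier: 73
> Class = "OU=DU_Users_Test;"
> Altiga-IPSec-Authentication-G = RADIUS
"""
```

Calling `accept_addresses` on the full log gives one row per reply, so the user lookup and the group lookups can be compared side by side.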