(RADIATOR) Cisco AVPAIR not working

Claudio Lapidus c_lapidus at hotmail.com
Wed Sep 4 22:20:26 CDT 2002


Hello Thony,

On the 5300 terminal, do:

debug radius
debug aaa authorization
terminal monitor

then make a test call and see what comes out. I think you'll see the router 
ignoring or flagging one of the attributes as erroneous.

BTW, your IOS version looks rather old. I wouldn't expect avpairs to do 
their job properly in anything older than 12.1. If you see something 
odd in the debug output, you may want to upgrade IOS to, say, 12.2.6 or 
better.

regards
cl.



>From: "Anthony Roque Adriano" <thony at inetworx.com.ph>
>To: <radiator at open.com.au>
>Subject: (RADIATOR) Cisco AVPAIR not working
>Date: Wed, 4 Sep 2002 10:31:51 +0800
>
>Hello,
>
>I am currently configuring RADIATOR to give a DNS entry instead of the RAS 
>giving it. The setup is working for the ASCEND RAS, but for my CISCO 5300 
>it's not. I have gone through the mailing list and tried all suggestions, but 
>still can't get it to work. Can anyone point out what I'm doing wrong?
>
>Here's my config :
>
>  #LogStdout
>LogDir          /var/log/radius-log
>LogFile         %L/%Y-%m-%d-radiuslog
>DbDir           /usr/local/etc/raddb
>
>DictionaryFile  /usr/local/etc/raddb/dictionary.cisco
>DictionaryFile  /usr/local/etc/raddb/dictionary.ascend2
>DictionaryFile  /usr/local/etc/raddb/dictionary.livingston
>DictionaryFile  /usr/local/etc/raddb/dictionary
>
># Don't turn this up too high, since all log messages are logged
># to the RADMESSAGES table in the database. 3 will give you everything
># except debugging messages
>Trace 4
>
><AuthBy RADMIN>
>         Identifier Acceptmehere
>
>
>         # Change DBSource, DBUsername, DBAuth for your database
>         # See the reference manual. You will also have to
>         # change the one in <SessionDatabase SQL> below
>         # so it's the same
>         DBSource        dbi:mysql:#####
>         DBUsername      ######
>         DBAuth          ######
>
>         # Only one session per user at a time
>         #DefaultSimultaneousUse 1
>
>         # Let the user in if they have any time left
>         # Set the Session-timeout to timeleft
>         AuthSelect select PASS_WORD,STATICADDRESS,\
>                 MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID \
>                 from RADUSERS where (USERNAME='%n' and VALIDFROM < %t )
>
>         AuthColumnDef   0,User-Password,check
>         AuthColumnDef   1,Filter-Id,reply
>         AuthColumnDef   2,Session-Timeout,reply
>         AuthColumnDef   3,Simultaneous-Use,check
>
>         # You can add to or change these if you want, but you
>         # will probably want to change the database schema first
>         AccountingTable RADUSAGE
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
>         AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>         AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>         AcctColumnDef   NASPORT,NAS-Port,integer
>         AcctColumnDef   DNIS,Called-Station-Id
>         AcctColumnDef   CALLERID,Calling-Station-Id
>
>
>         # These are the classic things to add to each users
>         # reply to allow a PPP dialup session. It may be
>         # different for your NAS. This will add some
>         # reply items to everyone's reply
>         # Add Idle-Timeout of 15 mins
>         DefaultReply Service-Type = Framed-User, \
>                 Framed-Protocol = PPP, \
>                 Framed-IP-Netmask = 255.255.255.255, \
>                 Framed-Routing = None, \
>                 Framed-MTU = 1500, \
>                 Framed-Compression = Van-Jacobson-TCP-IP, \
>                 Idle-Timeout = 900, \
>                 cisco-avpair = "ip:dns-servers=xxx.xxx.xxx.xxx", \
>                 Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx, \
>                 Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx, \
>                 Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
>
></AuthBy>
>
>
>
><Handler Realm=myrealm>
>         AuthBy Acceptmehere
>
>         # Show rejection reason to users
>         RejectHasReason
></Handler>
>
>By the way, I'm using a Cisco 5300,
>
>Cisco Internetwork Operating System Software
>IOS (tm) 5300 Software (C5300-IS-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
>Copyright (c) 1986-1999 by cisco Systems, Inc.
>Compiled Wed 08-Dec-99 20:25 by phanguye
>Image text-base: 0x600088F8, data-base: 0x60C6A000
>
>
>And here is my RADIUS log file
>
>Tue Sep  3 15:13:37 2002: DEBUG: Packet dump:
>*** Received from xxx.xxx.xxx.xxx port 33554 ....
>Code:       Access-Request
>Identifier: 174
>Authentic:  E<147><203><5><162><145>t<149>E3<180>T<194><20><223><18>
>Attributes:
>         NAS-IP-Address = xxx.xxx.xxx.xxx
>         NAS-Port = 228
>         NAS-Port-Type = Virtual
>         User-Name = "user at myrealm"
>         Called-Station-Id = "xxxxxxxx"
>         Calling-Station-Id = "xxxxxxxx"
>         User-Password = "<212> <144><164>7<176><206><113><182><255><165><164><141><145><181><149>"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
>Tue Sep  3 15:13:37 2002: DEBUG: Check if Handler Realm=myrealm should be 
>used to handle this request
>Tue Sep  3 15:13:37 2002: DEBUG: Handling request with Handler 
>'Realm=myrealm'
>Tue Sep  3 15:13:37 2002: DEBUG:  Deleting session for user at myrealm, 
>xxx.xxx.xxx.xxx, 228
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: delete from RADONLINE where 
>NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=0228
>
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES 
>(TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with 
>Radius::AuthRADMIN')
>
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES 
>(TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with 
>Radius::AuthRADMIN: Acceptmehere')
>
>Tue Sep  3 15:13:37 2002: DEBUG: Query is: select 
>PASS_WORD,STATICADDRESS,MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID from 
>RADUSERS where (USERNAME='user at myrealm' and VALIDFROM < 1031037217)
>
>Tue Sep  3 15:13:37 2002: DEBUG: Query is: select ATTR_ID, VENDOR_ID, 
>IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='user at myrealm' order by 
>ITEM_TYPE
>
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES 
>(TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Radius::AuthRADMIN 
>looks for match with user at myrealm')
>
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES 
>(TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Radius::AuthRADMIN 
>ACCEPT: ')
>
>Tue Sep  3 15:13:37 2002: DEBUG: do query is: update RADUSERS set 
>BADLOGINS=0 where USERNAME='user at myrealm'
>
>Tue Sep  3 15:13:37 2002: DEBUG: Access accepted for user at myrealm
>Tue Sep  3 15:13:37 2002: DEBUG: Packet dump:
>*** Sending to xxx.xxx.xxx.xxx port 33554 ....
>Code:       Access-Accept
>Identifier: 174
>Authentic:  E<147><203><5><162><145>t<149>E3<180>T<194><20><223><18>
>Attributes:
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Idle-Timeout = 900
>         cisco-avpair = "ip:dns-servers=203.176.74.147 203.176.74.147"
>         Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx
>         Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx
>         Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
>
>The accounting request follows and the user got connected.
>
>Also, is there a way to overwrite what the user has specified in their DNS 
>settings on MS Windows?
>
>Thanks,
>thony





===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
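The two things worth checking before chasing the router are the attribute set Radiator actually sent (the Access-Accept dump above) and what the cisco-avpair looks like on the wire when it reaches the 5300. The following script is an added example and is not code from Radiator, from Cisco, or from either poster. It parses a Radiator-style packet dump, lints every cisco-avpair it finds against the protocol:attribute=value form IOS expects (for ip:dns-servers, a primary address optionally followed by one secondary), and encodes the value as the RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor id 9, sub-type 1 as in dictionary.cisco) so the bytes can be compared with a capture. The sample dump is constructed to match the shape of the one in the post but uses TEST-NET addresses; the "same address twice" check is this example's own heuristic, prompted by the dump above, not a rule IOS enforces.

```python
"""Lint cisco-avpair values in a Radiator packet dump and show the wire encoding.
Added example, not Radiator or Cisco code; assumptions are marked below."""
import re
import struct

VSA_TYPE = 26           # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1   # vendor sub-type of cisco-avpair in dictionary.cisco

# Constructed sample modelled on the Access-Accept dump in the post;
# the addresses are from TEST-NET-1, not the poster's.
SAMPLE_DUMP = """\
Code:       Access-Accept
Identifier: 174
Attributes:
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Idle-Timeout = 900
         cisco-avpair = "ip:dns-servers=192.0.2.53 192.0.2.53"
         Ascend-Client-Primary-DNS = 192.0.2.53
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")
AVPAIR_RE = re.compile(r"^([a-z]+):([a-z0-9-]+)=(.*)$")


def parse_packet_dump(text):
    """Return [(name, value), ...] from the Attributes: section of a dump."""
    attrs, in_attrs = [], False
    for line in text.splitlines():
        if line.startswith("Attributes:"):
            in_attrs = True
            continue
        m = ATTR_RE.match(line) if in_attrs else None
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]      # strip the quotes Radiator prints around strings
        attrs.append((name, value))
    return attrs


def is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def lint_avpair(value):
    """Return the problems found in one cisco-avpair string ([] means it looks fine).
    IOS expects protocol:attribute=value; for ip:dns-servers the value is a primary
    address optionally followed by a secondary one, separated by a space."""
    m = AVPAIR_RE.match(value)
    if not m:
        return ["not of the form protocol:attribute=value: %r" % value]
    proto, attr, val = m.groups()
    problems = []
    if (proto, attr) == ("ip", "dns-servers"):
        servers = val.split()
        if not 1 <= len(servers) <= 2:
            problems.append("ip:dns-servers takes one or two addresses, got %d" % len(servers))
        problems += ["not a dotted-quad address: %r" % s for s in servers if not is_ipv4(s)]
        if len(servers) == 2 and servers[0] == servers[1]:   # heuristic, see lead-in
            problems.append("primary and secondary DNS are the same address: %s" % servers[0])
    return problems


def check_dump(text):
    """Map every cisco-avpair value in a dump to its lint problems."""
    return {v: lint_avpair(v) for n, v in parse_packet_dump(text) if n == "cisco-avpair"}


def encode_cisco_avpair(value):
    """Encode one cisco-avpair as the bytes that go into the Access-Accept:
    type 26, length, vendor id 9, then sub-type 1, sub-length, ASCII value."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("cisco-avpair too long for one RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_cisco_avpair(avp):
    """Inverse of encode_cisco_avpair; raises ValueError on anything else."""
    if len(avp) < 8 or avp[0] != VSA_TYPE or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, = struct.unpack("!I", avp[2:6])
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError("vendor id %d is not Cisco" % vendor_id)
    if avp[6] != CISCO_AVPAIR_TYPE or avp[7] != len(avp) - 6:
        raise ValueError("not a cisco-avpair sub-attribute")
    return avp[8:].decode("ascii")


if __name__ == "__main__":
    for value, problems in check_dump(SAMPLE_DUMP).items():
        print(value, "->", problems or "looks well-formed")
        print("on the wire:", encode_cisco_avpair(value).hex())
```

Paste the Attributes: block from your own Radiator log in place of SAMPLE_DUMP; the hex printed for the avpair is what to look for in `debug radius` output or a packet capture on the way to the NAS.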