(RADIATOR) static IP address and DNS for Cisco VPN

Hugh Irvine hugh at open.com.au
Tue Feb 10 16:12:28 CST 2004


Hello Judy -

Thanks for sending the debug.

It shows that the reply attributes are being correctly sent:

*** Sending to 147.197.194.8 port 21645 ....
Code:       Access-Accept
Identifier: 48
Authentic:  <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
Attributes:
        Framed-IP-Address = 147.197.253.64
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Ascend-Link-Compression = Link-Comp-MS-Stac
        Ascend-Idle-Limit = 3600
        Ascend-Client-Assign-DNS = DNS-Assign-Yes
        Ascend-Client-Primary-DNS = 147.197.200.2
        Ascend-Client-Secondary-DNS = 147.197.200.44
        cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
        cisco-avpair = "ip:addr_pool=acepool"

Therefore, if the attributes are not being used, I would suspect a NAS 
configuration issue.

For a single IP address it is usual to send "Framed-IP-Address = ....", 
which you already appear to be doing.

regards

Hugh


On 10 Feb 2004, at 23:10, Judy Angel wrote:

> Included are the config and debug; the user section is in the original 
> mail.
> I have specified cisco-avpair="ip:addr_pool=acepool".
> What is the syntax for one IP address?
>
> many thanks
>
> Judy Angel
> University of Hertfordshire
>
> # proxy.cfg
> #
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 1997 Open System Consultants
> # $Id: proxy.cfg,v 1.1 1999/01/28 05:13:52 mikem Exp $
>
> # Set this to the directory where your logfile and details file are to go
> Foreground
> LogStdout
> LogDir /logs/Rad
>
> # Set this to the database directory. It should contain these files:
> # users           The user database
> # dictionary      The dictionary for your NAS
> DbDir .
> Trace 4
>
> # This clause defines a single client to listen to
> <Client hestia.herts.ac.uk>
> 	Secret   xxx
> </Client>
>
> <Client gemini.herts.ac.uk>
>        Secret  xxx
> </Client>
>
> <Client helios.herts.ac.uk>
> 	Secret   xxx
> </Client>
>
> <Client altair.herts.ac.uk>
> 	Secret xxx
> </Client>
>
> <Client ascend.herts.ac.uk>
> 	Secret xxx
> </Client>
>
> <Client ras.herts.ac.uk>
> 	Secret xxx
> </Client>
>
>
> <Client 147.197.121.1>
> 	Secret xxx
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
> 	Secret mysecret
> 	DupInterval 0
> </Client>
>
> # define AuthBy clauses with Identifiers for later use
>
> <AuthBy FILE>
> 	Identifier CheckUsers
> 	Filename %D/users
> </AuthBy>
>
> <AuthBy ACE>
> 	Identifier CheckACE
>        ConfigDirectory /var/adm/hat/ace/data
> </AuthBy>
>
> <AuthBy UNIX>
> 	Identifier CheckSystem
> </AuthBy>
>
> <Realm hestia>
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	<AuthBy RADIUS>
> 		Host hestia.herts.ac.uk
> 		Secret mysecret
> 	</AuthBy>
> </Realm>
>
> <Realm gemini>
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	<AuthBy RADIUS>
> 		Host gemini.herts.ac.uk
> 		Secret xxx
> 	</AuthBy>
>        # Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
> </Realm>
>
> <Realm gemvpn>
> 	RewriteUsername	s/^([^:]+).*/$1/
> 	<AuthBy RADIUS>
> 		Host gemini.herts.ac.uk
> 		Secret xxx
> 	</AuthBy>
> </Realm>
>
> <Realm altair>
> 	RewriteUsername s/^([^@]+).*/$1/
> 	<AuthBy RADIUS>
> 		Host altair.herts.ac.uk
> 		Secret xxx
> 	</AuthBy>
>        # Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
>
> </Realm>
>
> <Realm staff>
> 	RewriteUsername s/^([^@]+).*/$1/
> 	<AuthBy RADIUS>
> 		Host altair.herts.ac.uk
> 		Secret xxx
> 	</AuthBy>
>        # Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
>
> </Realm>
>
> <Realm>
> 	AuthBy CheckUsers
> 	# Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
> </Realm>
>
> # This clause handles all the other realms
> <Realm DEFAULT>
> 	AuthBy CheckUsers
> 	# Log accounting to the detail file in LogDir
> 	AcctLogFileName	%L/detail
> </Realm>
>
>
> debug:
>
> *** Received from 147.197.194.8 port 21645 ....
> Code:       Access-Request
> Identifier: 48
> Authentic:  <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
> Attributes:
>        NAS-IP-Address = 147.197.194.8
>        NAS-Port-Type = Async
>        User-Name = "acesid"
>        Calling-Station-Id = "80.40.51.76"
>        User-Password = "?<176>`<234><186>*8<222><20><229><130><144><177>S<161>$"
>
> Tue Feb 10 11:50:24 2004: DEBUG: Handling request with Handler 'Realm='
> Tue Feb 10 11:50:24 2004: DEBUG:  Deleting session for acesid, 147.197.194.8,
> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthFILE: CheckUsers
> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthFILE looks for match with acesid
> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthACE: CheckACE
> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthACE looks for match with acesid
> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthACE ACCEPT:
> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Tue Feb 10 11:50:25 2004: DEBUG: Access accepted for acesid
> Tue Feb 10 11:50:25 2004: DEBUG: Packet dump:
> *** Sending to 147.197.194.8 port 21645 ....
> Code:       Access-Accept
> Identifier: 48
> Authentic:  <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
> Attributes:
>        Framed-IP-Address = 147.197.253.64
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Framed-IP-Netmask = 255.255.255.255
>        Ascend-Link-Compression = Link-Comp-MS-Stac
>        Ascend-Idle-Limit = 3600
>        Ascend-Client-Assign-DNS = DNS-Assign-Yes
>        Ascend-Client-Primary-DNS = 147.197.200.2
>        Ascend-Client-Secondary-DNS = 147.197.200.44
>        cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
>        cisco-avpair = "ip:addr_pool=acepool"
>
> Tue Feb 10 11:51:23 2004: DEBUG: Packet dump:
> *** Received from 147.197.254.10 port 1645 ....
>
> --On 10 February 2004 08:14 +1100 Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Judy -
>>
>> Could you also please send me a copy of your configuration file (no
>> secrets) together with a trace 4 debug from Radiator showing what is
>> happening with this user?
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Feb 2004, at 00:52, Judy Angel wrote:
>>
>>> Apologies for the lack of signature.
>>>
>>> Many thanks
>>> Judy Angel
>>> University of Hertfordshire
>>>
>>> --On 09 February 2004 12:40 +0000 Judy Angel <J.Angel at herts.ac.uk>
>>> wrote:
>>>
>>>> I have radius for dialup and Ace authentication and all works fine. I
>>>> also have VPN configured on a Cisco router and authentication is ok,
>>>> from a cisco vpn client. However I would like the static ip address and
>>>> dns set in the users file to be transferred to the vpn client.
>>>>
>>>> I have tried to add cisco-avpair but the client does not see that. I
>>>> can see no error in the radius log file.
>>>>
>>>> Any suggestion please.
>>>>
>>>> users file:
>>>> acesid  Auth-Type = CheckACE
>>>>         Service-Type = Framed-User,
>>>>         AddToReply      Framed-Protocol = PPP,
>>>>         Framed-IP-Netmask = 255.255.255.255,
>>>>         Ascend-Link-Compression = Link-Comp-MS-Stac,
>>>>         Ascend-Idle-Limit = 3600,
>>>>         Framed-IP-Address = xxx.xxx.xxx.64,
>>>>         Ascend-Client-Assign-DNS = DNS-Assign-Yes,
>>>>         Ascend-Client-Primary-DNS = xxx.xxx.xxx.2,
>>>>         Ascend-Client-Secondary-DNS = xxx.xxx.xxx.44,
>>>>         cisco-avpair="ip:dns-servers=xxx.xxx.xxx.2 xxx.xxx.xxx.44"
>>>>
>>>>
>>>> ===
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>
>


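The advice in this thread comes down to reading the trace 4 packet dump and confirming that the Access-Accept really carries the static-address attributes before suspecting the NAS. As an added example (not Radiator's code and not from the thread), here is a small Python parser for Radiator packet dumps plus a check for the attributes a single-static-IP PPP/VPN reply needs. The Access-Accept from the thread's debug is embedded as sample input; a second dump is constructed to show what the check reports when the reply only names a pool. The reserved Framed-IP-Address values are those of RFC 2865; the function names, and the decision to flag Framed-IP-Address and ip:addr_pool appearing together, are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Access-Accept taken from the trace 4 debug in this thread, with the wrapped
# "Authentic:" line rejoined so it parses as one record.
SAMPLE_ACCEPT = """\
*** Sending to 147.197.194.8 port 21645 ....
Code:       Access-Accept
Identifier: 48
Authentic:  <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
Attributes:
        Framed-IP-Address = 147.197.253.64
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Ascend-Link-Compression = Link-Comp-MS-Stac
        Ascend-Idle-Limit = 3600
        Ascend-Client-Assign-DNS = DNS-Assign-Yes
        Ascend-Client-Primary-DNS = 147.197.200.2
        Ascend-Client-Secondary-DNS = 147.197.200.44
        cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
        cisco-avpair = "ip:addr_pool=acepool"
"""

# Constructed (not from the thread): a reply that only points at a pool and
# uses the reserved "NAS picks the address" value, so no static IP results.
SAMPLE_POOL_ONLY = """\
*** Sending to 192.0.2.1 port 1645 ....
Code:       Access-Accept
Identifier: 7
Attributes:
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.254
        cisco-avpair = "ip:addr_pool=acepool"
"""

HEADER_RE = re.compile(r"^\*\*\* (Sending to|Received from) (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_packet_dumps(text):
    """Split a Radiator debug log into packet dumps (one dict each).
    attrs maps name -> list of values, since RADIUS allows repeats."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"direction": m.group(1), "peer": m.group(2),
                       "port": int(m.group(3)), "code": None,
                       "identifier": None, "attrs": defaultdict(list)}
            packets.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Code:"):
            current["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            current["identifier"] = int(line.split(":", 1)[1].strip())
        else:
            m = ATTR_RE.match(line)
            if m:
                value = m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]          # strip the quotes around strings
                current["attrs"][m.group(1)].append(value)
    return packets


# RFC 2865 section 5.8 reserves these Framed-IP-Address values: 0xFFFFFFFF
# lets the user choose an address, 0xFFFFFFFE tells the NAS to choose one.
RESERVED_FRAMED_IP = {"255.255.255.255", "255.255.255.254"}


def check_static_ip_reply(packet):
    """Return findings (empty list = clean) for an Access-Accept that is
    meant to hand a single static address to a PPP/VPN client."""
    if packet["code"] != "Access-Accept":
        return [f"not an Access-Accept (code {packet['code']})"]
    attrs, findings = packet["attrs"], []
    for name in ("Framed-IP-Address", "Framed-IP-Netmask", "Framed-Protocol"):
        if name not in attrs:
            findings.append(f"missing {name}")
    for ip in attrs.get("Framed-IP-Address", []):
        if ip in RESERVED_FRAMED_IP:
            findings.append(f"Framed-IP-Address {ip} is reserved, not a static address")
        else:
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                findings.append(f"Framed-IP-Address {ip!r} is not a valid IPv4 address")
    # cisco-avpair values are "key=value"; index them by key.
    avpairs = dict(pair.partition("=")[::2] for pair in attrs.get("cisco-avpair", []))
    if "ip:addr_pool" in avpairs and "Framed-IP-Address" in attrs:
        findings.append("both Framed-IP-Address and ip:addr_pool sent; confirm which one the NAS applies")
    # The Ascend and Cisco DNS attributes should name the same servers.
    cisco_dns = avpairs.get("ip:dns-servers", "").split()
    ascend_dns = attrs.get("Ascend-Client-Primary-DNS", []) + attrs.get("Ascend-Client-Secondary-DNS", [])
    if cisco_dns and ascend_dns and cisco_dns != ascend_dns:
        findings.append(f"DNS servers disagree: cisco-avpair {cisco_dns} vs Ascend {ascend_dns}")
    return findings


if __name__ == "__main__":
    for dump in (SAMPLE_ACCEPT, SAMPLE_POOL_ONLY):
        for pkt in parse_packet_dumps(dump):
            print(pkt["code"], pkt["identifier"], "->", pkt["peer"])
            for line in check_static_ip_reply(pkt) or ["ok: static-IP attributes present"]:
                print("  ", line)
```

Run against a whole trace 4 log the parser picks out every "*** Sending to / Received from" dump, so the check can be applied only to the Access-Accept for the user in question. On the thread's own reply the only finding is that Framed-IP-Address and ip:addr_pool are both present, which matches the point that the server side is sending what it should and the remaining question is which instruction the NAS honours.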