(RADIATOR) static IP address and DNS for Cisco VPN
Denis Pavani
d.pavani at cineca.it
Wed Feb 11 08:10:18 CST 2004
Hi all.
Judy, I don't know if you use a new IOS release. In older releases (the
ones I have experience with) you can't give IP addresses to VPN clients.
Only Cisco 3000 VPN Concentrators support this feature.
Regards
Hugh Irvine wrote:
>
> Hello Judy -
>
> Thanks for sending the debug.
>
> It shows that the reply attributes are being correctly sent:
>
> *** Sending to 147.197.194.8 port 21645 ....
> Code: Access-Accept
> Identifier: 48
> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>
> Attributes:
> Framed-IP-Address = 147.197.253.64
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Ascend-Link-Compression = Link-Comp-MS-Stac
> Ascend-Idle-Limit = 3600
> Ascend-Client-Assign-DNS = DNS-Assign-Yes
> Ascend-Client-Primary-DNS = 147.197.200.2
> Ascend-Client-Secondary-DNS = 147.197.200.44
> cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
> cisco-avpair = "ip:addr_pool=acepool"
>
> Therefore if the attributes are not being used I would suspect a NAS
> configuration issue.
>
> For a single IP address it is usual to send "Framed-IP-Address =
> ....", which you already appear to be doing.
>
> regards
>
> Hugh
>
>
> On 10 Feb 2004, at 23:10, Judy Angel wrote:
>
>> Included are the config and debug; the user section is in the
>> original mail.
>> I have specified cisco-avpair="ip:addr_pool=acepool".
>> What is the syntax for one IP address?
>>
>> many thanks
>>
>> Judy Angel
>> University of Hertfordshire
>>
>> # proxy.cfg
>> #
>> #
>> # Author: Mike McCauley (mikem at open.com.au)
>> # Copyright (C) 1997 Open System Consultants
>> # $Id: proxy.cfg,v 1.1 1999/01/28 05:13:52 mikem Exp $
>>
>> # Set this to the directory where your logfile and details file are to go
>> Foreground
>> LogStdout
>> LogDir /logs/Rad
>>
>> # Set this to the database directory. It should contain these files:
>> # users The user database
>> # dictionary The dictionary for your NAS
>> DbDir .
>> Trace 4
>>
>> # This clause defines a single client to listen to
>> <Client hestia.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>> <Client gemini.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>> <Client helios.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>> <Client altair.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>> <Client ascend.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>> <Client ras.herts.ac.uk>
>> Secret xxx
>> </Client>
>>
>>
>> <Client 147.197.121.1>
>> Secret xxx
>> </Client>
>>
>> # For testing: this allows us to honour requests from radpwtst
>> # on the same host.
>> <Client localhost>
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>> # define AuthBy clauses with Identifiers for later use
>>
>> <AuthBy FILE>
>> Identifier CheckUsers
>> Filename %D/users
>> </AuthBy>
>>
>> <AuthBy ACE>
>> Identifier CheckACE
>> ConfigDirectory /var/adm/hat/ace/data
>> </AuthBy>
>>
>> <AuthBy UNIX>
>> Identifier CheckSystem
>> </AuthBy>
>>
>> <Realm hestia>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADIUS>
>> Host hestia.herts.ac.uk
>> Secret mysecret
>> </AuthBy>
>> </Realm>
>>
>> <Realm gemini>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADIUS>
>> Host gemini.herts.ac.uk
>> Secret xxx
>> </AuthBy>
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Realm>
>>
>> <Realm gemvpn>
>> RewriteUsername s/^([^:]+).*/$1/
>> <AuthBy RADIUS>
>> Host gemini.herts.ac.uk
>> Secret xxx
>> </AuthBy>
>> </Realm>
>>
>> <Realm altair>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADIUS>
>> Host altair.herts.ac.uk
>> Secret xxx
>> </AuthBy>
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>>
>> </Realm>
>>
>> <Realm staff>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADIUS>
>> Host altair.herts.ac.uk
>> Secret xxx
>> </AuthBy>
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>>
>> </Realm>
>>
>> <Realm>
>> AuthBy CheckUsers
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Realm>
>>
>> # This clause handles all the other realms
>> <Realm DEFAULT>
>> AuthBy CheckUsers
>> # Log accounting to the detail file in LogDir
>> AcctLogFileName %L/detail
>> </Realm>
>>
>>
>> debug:
>>
>> *** Received from 147.197.194.8 port 21645 ....
>> Code: Access-Request
>> Identifier: 48
>> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>>
>> Attributes:
>> NAS-IP-Address = 147.197.194.8
>> NAS-Port-Type = Async
>> User-Name = "acesid"
>> Calling-Station-Id = "80.40.51.76"
>> User-Password = "?<176>`<234><186>*8<222><20><229><130><144><177>S<161>$"
>>
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling request with Handler 'Realm='
>> Tue Feb 10 11:50:24 2004: DEBUG: Deleting session for acesid, 147.197.194.8,
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthFILE: CheckUsers
>> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthFILE looks for match with acesid
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthACE: CheckACE
>> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthACE looks for match with acesid
>> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthACE ACCEPT:
>> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthFILE ACCEPT:
>> Tue Feb 10 11:50:25 2004: DEBUG: Access accepted for acesid
>> Tue Feb 10 11:50:25 2004: DEBUG: Packet dump:
>> *** Sending to 147.197.194.8 port 21645 ....
>> Code: Access-Accept
>> Identifier: 48
>> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>>
>> Attributes:
>> Framed-IP-Address = 147.197.253.64
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Netmask = 255.255.255.255
>> Ascend-Link-Compression = Link-Comp-MS-Stac
>> Ascend-Idle-Limit = 3600
>> Ascend-Client-Assign-DNS = DNS-Assign-Yes
>> Ascend-Client-Primary-DNS = 147.197.200.2
>> Ascend-Client-Secondary-DNS = 147.197.200.44
>> cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
>> cisco-avpair = "ip:addr_pool=acepool"
>>
>> Tue Feb 10 11:51:23 2004: DEBUG: Packet dump:
>> *** Received from 147.197.254.10 port 1645 ....
>>
>>
>>
>>
>> --On 10 February 2004 08:14 +1100 Hugh Irvine <hugh at open.com.au> wrote:
>>
>>>
>>> Hello Judy -
>>>
>>> Could you also please send me a copy of your configuration file (no
>>> secrets) together with a trace 4 debug from Radiator showing what is
>>> happening with this user?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 10 Feb 2004, at 00:52, Judy Angel wrote:
>>>
>>>> apology for the lack of signature.
>>>>
>>>> Many thanks
>>>> Judy Angel
>>>> University of Hertfordshire
>>>>
>>>> --On 09 February 2004 12:40 +0000 Judy Angel <J.Angel at herts.ac.uk>
>>>> wrote:
>>>>
>>>>> I have RADIUS for dialup and ACE authentication, and all works fine. I
>>>>> also have VPN configured on a Cisco router, and authentication is OK
>>>>> from a Cisco VPN client. However, I would like the static IP address
>>>>> and DNS set in the users file to be transferred to the VPN client.
>>>>>
>>>>> I have tried to add cisco-avpair, but the client does not see that. I
>>>>> can see no error in the RADIUS log file.
>>>>>
>>>>> Any suggestion please.
>>>>>
>>>>> users file:
>>>>> acesid	Auth-Type = CheckACE
>>>>> 	Service-Type = Framed-User,
>>>>> 	AddToReply Framed-Protocol = PPP,
>>>>> 	Framed-IP-Netmask = 255.255.255.255,
>>>>> 	Ascend-Link-Compression = Link-Comp-MS-Stac,
>>>>> 	Ascend-Idle-Limit = 3600,
>>>>> 	Framed-IP-Address = xxx.xxx.xxx.64,
>>>>> 	Ascend-Client-Assign-DNS = DNS-Assign-Yes,
>>>>> 	Ascend-Client-Primary-DNS = xxx.xxx.xxx.2,
>>>>> 	Ascend-Client-Secondary-DNS = xxx.xxx.xxx.44,
>>>>> 	cisco-avpair="ip:dns-servers=xxx.xxx.xxx.2 xxx.xxx.xxx.44"
>>>>>
>>>>>
>>>>> ===
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
--
************************************************************************
Denis Pavani
CINECA - Comunicazioni e Sistemi Distribuiti
NOC - Network Operations Center
phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it
************************************************************************
"Siamo pagati per adattarci, improvvisare e raggiungere lo scopo"
-- Gunny Highway
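Added example (editor's code, not from the thread and not Radiator's own code): the Access-Accept in the trace above, rebuilt byte for byte from the RFC 2865 encoding rules, so you can see exactly what the Cisco NAS receives and the check it runs before it will act on any reply attribute. Hugh's point is that Radiator is sending the attributes correctly; this shows the two ways a correctly sent reply can still be ignored: the NAS recomputes the Response Authenticator with its own copy of the shared secret and silently drops the packet on a mismatch, and it skips attributes it does not implement. Assumptions: the shared secret is the placeholder `xxx` (the real one is redacted in the config), the Request Authenticator and identifier 48 are taken from the trace, the Ascend-* attributes are left out (they are not Cisco VSAs), and all function names are mine.

```python
"""Rebuild and verify the Access-Accept from the trace (added example)."""
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 packet code and the attribute types used in the reply
ACCESS_ACCEPT = 2
SERVICE_TYPE = 6          # Framed-User = 2
FRAMED_PROTOCOL = 7       # PPP = 1
FRAMED_IP_ADDRESS = 8
FRAMED_IP_NETMASK = 9
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # sub-type of cisco-avpair inside the VSA
NAMES = {SERVICE_TYPE: "Service-Type", FRAMED_PROTOCOL: "Framed-Protocol",
         FRAMED_IP_ADDRESS: "Framed-IP-Address", FRAMED_IP_NETMASK: "Framed-IP-Netmask"}

# Request Authenticator copied from the Access-Request in the trace
# (Radiator prints non-printable bytes as <n>; '~' is 0x7e).
REQUEST_AUTH = bytes([232, 0x7E, 139, 138, 236, 138, 3, 207,
                      218, 127, 162, 242, 237, 196, 189, 241])
IDENTIFIER = 48
SECRET = b"xxx"  # placeholder: the real shared secret is redacted in the config


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in one byte of length")
    return struct.pack("!BB", atype, len(value) + 2) + value


def ip_attr(atype: int, ip: str) -> bytes:
    return attr(atype, ipaddress.IPv4Address(ip).packed)


def int_attr(atype: int, n: int) -> bytes:
    return attr(atype, struct.pack("!I", n))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco vendor 9, sub-type 1 (cisco-avpair)."""
    data = text.encode("ascii")
    sub = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, sub)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: list) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def reply_for_acesid(secret: bytes = SECRET) -> bytes:
    """The reply shown in the trace, minus the Ascend-* attributes."""
    return build_access_accept(IDENTIFIER, REQUEST_AUTH, secret, [
        ip_attr(FRAMED_IP_ADDRESS, "147.197.253.64"),
        int_attr(SERVICE_TYPE, 2),
        int_attr(FRAMED_PROTOCOL, 1),
        ip_attr(FRAMED_IP_NETMASK, "255.255.255.255"),
        cisco_avpair("ip:dns-servers=147.197.200.2 147.197.200.44"),
        cisco_avpair("ip:addr_pool=acepool"),
    ])


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check: recompute the Response Authenticator with the NAS's
    copy of the secret. Wrong secret or a modified packet -> reply discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, unwrapping Cisco VSAs."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        val = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(val) - 4:
                out.append(("cisco-avpair", val[6:].decode("ascii", "replace")))
            else:
                out.append((f"VSA vendor={vendor} type={vtype}", val[6:]))
        elif atype in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK) and len(val) == 4:
            out.append((NAMES[atype], str(ipaddress.IPv4Address(val))))
        elif atype in (SERVICE_TYPE, FRAMED_PROTOCOL) and len(val) == 4:
            out.append((NAMES[atype], struct.unpack("!I", val)[0]))
        else:
            out.append((f"attr {atype}", val))  # unknown: a NAS ignores these
        pos += alen
    return out


if __name__ == "__main__":
    pkt = reply_for_acesid()
    print("valid with right secret:", verify_response(pkt, REQUEST_AUTH, SECRET))
    print("valid with wrong secret:", verify_response(pkt, REQUEST_AUTH, b"other"))
    for name, value in parse_attributes(pkt):
        print(f"  {name} = {value}")
```

Two things worth noticing when you run it. First, `verify_response` returns False for a reply built with a different secret, which is how a NAS behaves when the `<Client>` secret in Radiator and the NAS's `radius-server key` disagree: authentication never succeeds at all, so that is ruled out here by the trace. Second, `parse_attributes` shows that `ip:dns-servers` and `ip:addr_pool` reach the NAS only as Cisco VSA text; whether the router applies them to a VPN client depends entirely on the NAS software, which is the point Denis makes about older IOS releases versus the VPN 3000 concentrator.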