(RADIATOR) static IP address and DNS for Cisco VPN

DUFOUR Geoffrey Geoffrey.DUFOUR at staff.win.be
Wed Feb 11 10:29:38 CST 2004


Hi,

Cisco Easy VPN Server: as far as I remember, the Framed-IP-Address RADIUS attribute is supported from IOS 12.3(4)T (on a 7200 series router in our case).

Regards.

Geoffrey

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf of Denis Pavani
Sent: Wednesday 11 February 2004 15:10
To: Hugh Irvine
Cc: Judy Angel; radiator at open.com.au
Subject: Re: (RADIATOR) static IP address and DNS for Cisco VPN

Hi all.
Judy, I don't know if you use a new IOS release. In older releases (the 
ones I have experience with) you can't give IP addresses to VPN clients.
Only Cisco 3000 VPN Concentrators support this feature.

Regards

Hugh Irvine wrote:

>
> Hello Judy -
>
> Thanks for sending the debug.
>
> It shows that the reply attributes are being correctly sent:
>
> *** Sending to 147.197.194.8 port 21645 ....
> Code:       Access-Accept
> Identifier: 48
> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>
> Attributes:
>        Framed-IP-Address = 147.197.253.64
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Framed-IP-Netmask = 255.255.255.255
>        Ascend-Link-Compression = Link-Comp-MS-Stac
>        Ascend-Idle-Limit = 3600
>        Ascend-Client-Assign-DNS = DNS-Assign-Yes
>        Ascend-Client-Primary-DNS = 147.197.200.2
>        Ascend-Client-Secondary-DNS = 147.197.200.44
>        cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
>        cisco-avpair = "ip:addr_pool=acepool"
>
> Therefore if the attributes are not being used I would suspect a NAS 
> configuration issue.
>
> For a single IP address it is usual to send "Framed-IP-Address = 
> ....", which you already appear to be doing.
>
> regards
>
> Hugh
>
>
> On 10 Feb 2004, at 23:10, Judy Angel wrote:
>
>> Included are the config and debug, the user section is in the 
>> original mail.
>> I have specified cisco-avpair="ip:addr_pool=acepool".
>> What is the syntax for one IP address?
>>
>> many thanks
>>
>> Judy Angel
>> University of Hertfordshire
>>
>> # proxy.cfg
>> #
>> #
>> # Author: Mike McCauley (mikem at open.com.au)
>> # Copyright (C) 1997 Open System Consultants
>> # $Id: proxy.cfg,v 1.1 1999/01/28 05:13:52 mikem Exp $
>>
>> # Set this to the directory where your logfile and details file are 
>> to go
>> Foreground
>> LogStdout
>> LogDir /logs/Rad
>>
>> # Set this to the database directory. It should contain these files:
>> # users           The user database
>> # dictionary      The dictionary for your NAS
>> DbDir .
>> Trace 4
>>
>> # This clause defines a single client to listen to
>> <Client hestia.herts.ac.uk>
>>     Secret   xxx
>> </Client>
>>
>> <Client gemini.herts.ac.uk>
>>     Secret xxx
>> </Client>
>>
>> <Client helios.herts.ac.uk>
>>     Secret   xxx
>> </Client>
>>
>> <Client altair.herts.ac.uk>
>>     Secret xxx
>> </Client>
>>
>> <Client ascend.herts.ac.uk>
>>     Secret xxx
>> </Client>
>>
>> <Client ras.herts.ac.uk>
>>     Secret xxx
>> </Client>
>>
>>
>> <Client 147.197.121.1>
>>     Secret xxx
>> </Client>
>>
>> # For testing: this allows us to honour requests from radpwtst
>> # on the same host.
>> <Client localhost>
>>     Secret mysecret
>>     DupInterval 0
>> </Client>
>>
>> # define AuthBy clauses with Identifiers for later use
>>
>> <AuthBy FILE>
>>     Identifier CheckUsers
>>     Filename %D/users
>> </AuthBy>
>>
>> <AuthBy ACE>
>>     Identifier CheckACE
>>     ConfigDirectory /var/adm/hat/ace/data
>> </AuthBy>
>>
>> <AuthBy UNIX>
>>     Identifier CheckSystem
>> </AuthBy>
>>
>> <Realm hestia>
>>     RewriteUsername    s/^([^@]+).*/$1/
>>     <AuthBy RADIUS>
>>         Host hestia.herts.ac.uk
>>         Secret mysecret
>>     </AuthBy>
>> </Realm>
>>
>> <Realm gemini>
>>     RewriteUsername    s/^([^@]+).*/$1/
>>     <AuthBy RADIUS>
>>         Host gemini.herts.ac.uk
>>         Secret xxx
>>     </AuthBy>
>>     # Log accounting to the detail file in LogDir
>>     AcctLogFileName %L/detail
>> </Realm>
>>
>> <Realm gemvpn>
>>     RewriteUsername    s/^([^:]+).*/$1/
>>     <AuthBy RADIUS>
>>         Host gemini.herts.ac.uk
>>         Secret xxx
>>     </AuthBy>
>> </Realm>
>>
>> <Realm altair>
>>     RewriteUsername s/^([^@]+).*/$1/
>>     <AuthBy RADIUS>
>>         Host altair.herts.ac.uk
>>         Secret xxx
>>     </AuthBy>
>>     # Log accounting to the detail file in LogDir
>>     AcctLogFileName %L/detail
>> </Realm>
>>
>> <Realm staff>
>>     RewriteUsername s/^([^@]+).*/$1/
>>     <AuthBy RADIUS>
>>         Host altair.herts.ac.uk
>>         Secret xxx
>>     </AuthBy>
>>     # Log accounting to the detail file in LogDir
>>     AcctLogFileName %L/detail
>> </Realm>
>>
>> <Realm>
>>     AuthBy CheckUsers
>>     # Log accounting to the detail file in LogDir
>>     AcctLogFileName %L/detail
>> </Realm>
>>
>> # This clause handles all the other realms
>> <Realm DEFAULT>
>>     AuthBy CheckUsers
>>     # Log accounting to the detail file in LogDir
>>     AcctLogFileName    %L/detail
>> </Realm>
>>
>>
>> debug:
>>
>> *** Received from 147.197.194.8 port 21645 ....
>> Code:       Access-Request
>> Identifier: 48
>> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>>
>> Attributes:
>>        NAS-IP-Address = 147.197.194.8
>>        NAS-Port-Type = Async
>>        User-Name = "acesid"
>>        Calling-Station-Id = "80.40.51.76"
>>        User-Password = "?<176>`<234><186>*8<222><20><229><130><144><177>S<161>$"
>>
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling request with Handler 'Realm='
>> Tue Feb 10 11:50:24 2004: DEBUG:  Deleting session for acesid, 
>> 147.197.194.8,
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthFILE: 
>> CheckUsers
>> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthFILE looks for match 
>> with acesid
>> Tue Feb 10 11:50:24 2004: DEBUG: Handling with Radius::AuthACE: CheckACE
>> Tue Feb 10 11:50:24 2004: DEBUG: Radius::AuthACE looks for match with 
>> acesid
>> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthACE ACCEPT:
>> Tue Feb 10 11:50:25 2004: DEBUG: Radius::AuthFILE ACCEPT:
>> Tue Feb 10 11:50:25 2004: DEBUG: Access accepted for acesid
>> Tue Feb 10 11:50:25 2004: DEBUG: Packet dump:
>> *** Sending to 147.197.194.8 port 21645 ....
>> Code:       Access-Accept
>> Identifier: 48
>> Authentic: <232>~<139><138><236><138><3><207><218><127><162><242><237><196><189><241>
>>
>> Attributes:
>>        Framed-IP-Address = 147.197.253.64
>>        Service-Type = Framed-User
>>        Framed-Protocol = PPP
>>        Framed-IP-Netmask = 255.255.255.255
>>        Ascend-Link-Compression = Link-Comp-MS-Stac
>>        Ascend-Idle-Limit = 3600
>>        Ascend-Client-Assign-DNS = DNS-Assign-Yes
>>        Ascend-Client-Primary-DNS = 147.197.200.2
>>        Ascend-Client-Secondary-DNS = 147.197.200.44
>>        cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
>>        cisco-avpair = "ip:addr_pool=acepool"
>>
>> Tue Feb 10 11:51:23 2004: DEBUG: Packet dump:
>> *** Received from 147.197.254.10 port 1645 ....
>>
>>
>>
>>
>> --On 10 February 2004 08:14 +1100 Hugh Irvine <hugh at open.com.au> wrote:
>>
>>>
>>> Hello Judy -
>>>
>>> Could you also please send me a copy of your configuration file (no
>>> secrets) together with a trace 4 debug from Radiator showing what is
>>> happening with this user?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 10 Feb 2004, at 00:52, Judy Angel wrote:
>>>
>>>> Apologies for the lack of signature.
>>>>
>>>> Many thanks
>>>> Judy Angel
>>>> University of Hertfordshire
>>>>
>>>> --On 09 February 2004 12:40 +0000 Judy Angel <J.Angel at herts.ac.uk>
>>>> wrote:
>>>>
>>>>> I have RADIUS for dialup and ACE authentication and all works fine. I
>>>>> also have VPN configured on a Cisco router and authentication is OK
>>>>> from a Cisco VPN client. However I would like the static IP address
>>>>> and DNS set in the users file to be transferred to the VPN client.
>>>>>
>>>>> I have tried to add cisco-avpair but the client does not see that. I
>>>>> can see no error in the RADIUS log file.
>>>>>
>>>>> Any suggestions, please.
>>>>>
>>>>> users file:
>>>>> acesid  Auth-Type = CheckACE
>>>>>         Service-Type = Framed-User,
>>>>>         AddToReply      Framed-Protocol = PPP,
>>>>>         Framed-IP-Netmask = 255.255.255.255,
>>>>>         Ascend-Link-Compression = Link-Comp-MS-Stac,
>>>>>         Ascend-Idle-Limit = 3600,
>>>>>         Framed-IP-Address = xxx.xxx.xxx.64,
>>>>>         Ascend-Client-Assign-DNS = DNS-Assign-Yes,
>>>>>         Ascend-Client-Primary-DNS = xxx.xxx.xxx.2,
>>>>>         Ascend-Client-Secondary-DNS = xxx.xxx.xxx.44,
>>>>>         cisco-avpair="ip:dns-servers=xxx.xxx.xxx.2 xxx.xxx.xxx.44"
>>>>>
>>>>>
>>>>> ===
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

-- 
************************************************************************
Denis Pavani

CINECA    -    Comunicazioni e Sistemi Distribuiti
NOC - Network Operations Center

phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it
************************************************************************
 "We are paid to adapt, improvise and achieve the objective"
  -- Gunny Highway


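As an added example (not code from this thread or from Radiator itself), a small Python checker that parses the trace 4 packet dump format quoted above and summarises what the Access-Accept tells the NAS about the client's address and DNS. The sample dump is constructed from the attributes quoted in the thread; parse_dump, address_assignment and the "ambiguous" flag are my own names.

```python
import re

# Constructed sample modelled on the trace 4 Access-Accept quoted in the thread.
SAMPLE_DUMP = """\
*** Sending to 147.197.194.8 port 21645 ....
Code:       Access-Accept
Identifier: 48
Attributes:
       Framed-IP-Address = 147.197.253.64
       cisco-avpair = "ip:dns-servers=147.197.200.2 147.197.200.44"
       cisco-avpair = "ip:addr_pool=acepool"
"""

PACKET_RE = re.compile(r"^\*\*\* (?:Received from|Sending to) (\S+) port (\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_dump(text):
    """Split a Radiator packet dump into packets, each with its attribute list."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "code": None, "id": None, "attrs": []}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            cur["id"] = int(line.split(":", 1)[1].strip())
        elif (m := ATTR_RE.match(line)):
            cur["attrs"].append((m.group(1), m.group(2)))
    return packets

def address_assignment(packets, identifier):
    """Summarise addressing in the Access-Accept with this Identifier: static Framed-IP-Address, cisco-avpair pool, or both."""
    for p in packets:
        if p["code"] != "Access-Accept" or p["id"] != identifier:
            continue
        out = {}
        for name, value in p["attrs"]:
            if name == "Framed-IP-Address":
                out["static_ip"] = value
            elif name == "cisco-avpair" and value.startswith("ip:addr_pool="):
                out["pool"] = value.split("=", 1)[1]
            elif name == "cisco-avpair" and value.startswith("ip:dns-servers="):
                out["dns"] = value.split("=", 1)[1].split()
        # A static address and a pool in one reply is worth checking on the NAS side first.
        out["ambiguous"] = "static_ip" in out and "pool" in out
        return out
```

Running it over a real trace 4 log with several exchanges shows, per Identifier, whether the reply Radiator sent actually carried a static address, a pool, or both, which is the first thing to confirm before looking at the NAS configuration.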

