(RADIATOR) cisco 3000 VPN external group attrs

Hugh Irvine hugh at open.com.au
Tue Feb 8 23:30:41 CST 2005


Hello Andrew -

I think you will need to compare a debug from Radiator and a debug on 
the Cisco to see if first of all Radiator is sending the right thing, 
and second of all what the Cisco is trying to do with it. If the Cisco 
is having a problem you will need to talk to Cisco about it.

regards

Hugh


On 8 Feb 2005, at 22:55, Andrew D. Clark wrote:

> I need to rephrase my question.  After more fiddling, I find that I 
> should indeed use the network lists as they are named on the 
> concentrator as reply attributes for group authentication using 
> Radiator, and that works fine.  However, what isn't working is setting 
> the split-tunnelling policy.  The values in my dictionary are:
>
> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Tunnel-Everything       0
> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Split-Tunnel-Net-List   1
> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Local-Net-Bypass        2
>
> I've tried both numeric and named parameters, neither seems to do the 
> right thing.  Here's an example group defined in a flat file:
>
> some_group User-Password = "foo"
>         PoolHint = 169.231.64.1,
>         Idle-Timeout = 60,
>         Class = "OU=some_group;",
>         Altiga-IPSec-Authentication-G = RADIUS,
>         Altiga-Tunneling-Protocols-G/U = IPSec,
>         # valid HYBRID SA
>         Altiga-IPSec-Sec-Association-G/U = ESP-AES256-HYBRID,
>         # full tunneling with local net bypass (default in base group)
>         Altiga-IPSec-Split-Tunnel-Policy-G = 2,
>         Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>
> Local-Net-Bypass is my default policy in the VPN base group.  If I 
> don't set the Altiga-IPSec-Split-Tunnel-Policy-G reply attribute, it 
> works fine.  If I do, it doesn't.  Anyone bonk into this one before?
>
> --
> Andrew Clark
> Campus Network Programmer
> Office of Information Technology
> University of California, Santa Barbara
> andrew.clark at ucsb.edu (805) 893-5311
>
> --On Monday, February 07, 2005 05:22:29 PM -0800 "Andrew D. Clark" 
> <andrew.clark at ucsb.edu> wrote:
>
>> Hi all,
>>
>> I've got a Cisco 3060 VPN doing external group auth to radiator.  All
>> is working fine (though I really wish there was a good way to
>> distinguish VPN groups from users, but Cisco apparently isn't making
>> that easy - any suggestions?).  However, if I want to pass up
>> different split tunneling policies to the VPN, I have a problem with
>> specifying the particular network list to use.  The VPN has some
>> network lists defined on it, like the default "VPN Client Local LAN
>> (Default)" list, as well as one I added called "UCSB Nets".  Do I
>> reference them by those names on the VPN?
>>
>> I thought something like this might work:
>>
>> # full tunneling with local net bypass
>> Altiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
>> Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>>
>> but it doesn't.  Neither does something like:
>>
>> # split tunneling, campus space only
>> Altiga-IPSec-Split-Tunnel-Policy-G = Split-Tunnel-Net-List,
>> Altiga-IPSec-Split-Tunnel-List-G = "UCSB Nets"
>>
>> Doing a network list numerically like "0.0.0.0/0.0.0.0" (for local
>> LAN split tunneling, for instance) doesn't seem to work either.
>> Anyone out there have any wisdom to spare?
>>
>> --
>> Andrew Clark
>> Campus Network Programmer
>> Office of Information Technology
>> University of California, Santa Barbara
>> andrew.clark at ucsb.edu (805) 893-5311
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

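As an added example (not Radiator's code and not from anyone in the thread), here is a small Python check for the situation above: it reads the dictionary VALUE lines and the reply items of a users-file group entry, resolves a named value such as Local-Net-Bypass to the integer that would be sent, and flags a value that is neither a defined name nor a defined number. It assumes a simplified users-file layout (first line name and check items, then indented, comma-separated reply items) and uses constructed sample input; the trace 4 debug remains the authoritative record of what Radiator actually sent.

```python
import re

# Constructed sample: the VALUE lines quoted in the thread.
DICTIONARY = """
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Tunnel-Everything       0
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Split-Tunnel-Net-List   1
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Local-Net-Bypass        2
"""
# Constructed sample group entry: name and check items on the first line, then
# indented, comma-separated reply items (the users-file layout assumed here).
USERS_ENTRY = '''some_group User-Password = "foo"
        Class = "OU=some_group;",
        # full tunneling with local net bypass
        Altiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
        Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
'''
# One reply item: attribute = quoted string, or an unquoted value up to the next comma.
ITEM_RE = re.compile(r'([\w/-]+)\s*=\s*("[^"]*"|[^,]+)')

def parse_values(dictionary):
    """Map attribute name -> {value name: integer} from dictionary VALUE lines."""
    values = {}
    for line in dictionary.splitlines():
        if m := re.match(r'\s*VALUE\s+(\S+)\s+(\S+)\s+(\d+)\s*$', line):
            values.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return values

def parse_reply_items(entry):
    """Return [(attribute, raw value)] from the reply lines of one users-file entry."""
    items = []
    for line in entry.splitlines()[1:]:             # skip the name/check-item line
        if line.strip() and not line.lstrip().startswith('#'):
            for attr, raw in ITEM_RE.findall(line):
                items.append((attr, raw.strip().strip('"')))
    return items

def resolve(values, items):
    """Replace VALUE names with the integers sent on the wire; report mismatches."""
    resolved, problems = [], []
    for attr, raw in items:
        names = values.get(attr)
        if names is None:                           # no VALUE table: pass through
            resolved.append((attr, raw))
        elif raw in names:                          # symbolic name -> number
            resolved.append((attr, names[raw]))
        elif raw.isdigit() and int(raw) in names.values():
            resolved.append((attr, int(raw)))
        else:
            problems.append(f"{attr}: {raw!r} is neither a VALUE name nor a defined number")
    return resolved, problems
```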
