(RADIATOR) cisco 3000 VPN external group attrs
Andrew D. Clark
andrew.clark at ucsb.edu
Wed Feb 9 13:58:00 CST 2005
I had a case with Cisco, turns out the problem is the dictionary that
comes with Radiator (I've got 3.11). Packet sniffing and debug on the
vpn showed Radiator sending out a badly formatted AVP for that value.
It was using a string type, when it should've been an integer.
[radius1:/usr/local/etc/raddb]$ diff dictionary.orig dictionary
3346c3346
< VENDORATTR 3076 Altiga-IPSec-Split-Tunnel-Policy-G 55 string
---
> VENDORATTR 3076 Altiga-IPSec-Split-Tunnel-Policy-G 55 integer
Which is funny, because Cisco's avp ref for the VPN3000 says string...
<http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml>
(you'll need a TAC account to view that - I can send a pdf of it if
needed, Hugh)
I'm not sure where the problem is now (Cisco's docs?), but it works as
integer, and not as string.
--
Andrew Clark
Campus Network Programmer
Office of Information Technology
University of California, Santa Barbara
andrew.clark at ucsb.edu (805) 893-5311
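As an added illustration (not part of the thread, and not Radiator's or Cisco's code), the following Python encodes the Altiga-IPSec-Split-Tunnel-Policy-G value from the dictionary above as a Vendor-Specific AVP (RFC 2865 section 5.26) both ways: as a 4-byte integer, which is what the corrected `integer` dictionary entry produces, and as the ASCII text "2", which is what the original `string` entry produced. The decoder then reads the AVP the way a receiver that expects a 4-byte integer would, showing why the string form cannot be interpreted as a policy number. Vendor id 3076, vendor type 55 and the three VALUE names come from the thread; the function names and the sub-attribute layout check are assumptions of this example.

```python
import struct

RADIUS_VSA_TYPE = 26       # RFC 2865 Vendor-Specific attribute number
VENDOR_ALTIGA = 3076       # vendor id used in the VENDORATTR line from the thread
SPLIT_TUNNEL_POLICY = 55   # vendor type of Altiga-IPSec-Split-Tunnel-Policy-G

# Named values as listed in the poster's dictionary
SPLIT_TUNNEL_VALUES = {
    "Tunnel-Everything": 0,
    "Split-Tunnel-Net-List": 1,
    "Local-Net-Bypass": 2,
}


def encode_vsa(vendor_id, vendor_type, value, attr_type="integer"):
    """Encode one Vendor-Specific AVP in the common
    vendor-type / vendor-length / value sub-attribute layout.

    attr_type selects the dictionary type: 'integer' packs a 4-byte
    big-endian number, 'string' sends the text of the value as-is.
    """
    if attr_type == "integer":
        payload = struct.pack("!I", int(value))
    elif attr_type == "string":
        payload = str(value).encode("ascii")
    else:
        raise ValueError("unsupported dictionary type: %s" % attr_type)
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def encode_split_tunnel_policy(value, attr_type="integer"):
    """Encode Altiga-IPSec-Split-Tunnel-Policy-G from a VALUE name or a number."""
    num = SPLIT_TUNNEL_VALUES.get(value, value)
    return encode_vsa(VENDOR_ALTIGA, SPLIT_TUNNEL_POLICY, num, attr_type)


def decode_vsa(avp):
    """Parse a VSA into (vendor_id, vendor_type, payload), checking both lengths."""
    if len(avp) < 8 or avp[0] != RADIUS_VSA_TYPE or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific AVP")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vtype, vlen = avp[6], avp[7]
    if vlen != len(avp) - 6:
        raise ValueError("vendor-length does not match the AVP length")
    return vendor_id, vtype, avp[8:]


def split_tunnel_policy_from_avp(avp):
    """Read the AVP as a receiver expecting a 4-byte integer would.

    Returns the policy number, or None when the AVP is not this attribute
    or its payload is not exactly four bytes (the 'string' encoding case).
    """
    vendor_id, vtype, payload = decode_vsa(avp)
    if vendor_id != VENDOR_ALTIGA or vtype != SPLIT_TUNNEL_POLICY:
        return None
    if len(payload) != 4:
        return None
    return struct.unpack("!I", payload)[0]


if __name__ == "__main__":
    for name in SPLIT_TUNNEL_VALUES:
        good = encode_split_tunnel_policy(name, "integer")
        bad = encode_split_tunnel_policy(name, "string")
        print("%-22s integer: %s -> %s" % (name, good.hex(), split_tunnel_policy_from_avp(good)))
        print("%-22s string:  %s -> %s" % (name, bad.hex(), split_tunnel_policy_from_avp(bad)))
```

The hex printed for the integer form (`1a0c00000c04370600000002` for Local-Net-Bypass) is what to look for in a packet capture of the Access-Accept; if the capture instead shows a 9-byte AVP ending in `370332`, the dictionary is sending the value as text and the receiver has nothing it can read as a policy number.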
--On Wednesday, February 09, 2005 08:30:41 AM +0300 Hugh Irvine
<hugh at open.com.au> wrote:
>
> Hello Andrew -
>
> I think you will need to compare a debug from Radiator and a debug on
> the Cisco to see if first of all Radiator is sending the right thing,
> and second of all what the Cisco is trying to do with it. If the
> Cisco is having a problem you will need to talk to Cisco about it.
>
> regards
>
> Hugh
>
>
> On 8 Feb 2005, at 22:55, Andrew D. Clark wrote:
>
>> I need to rephrase my question. After more fiddling, I find that I
>> should indeed use the network lists as they are named on the
>> concentrator as reply attributes for group authentication using
>> Radiator, and that works fine. However, what isn't working is
>> setting the split-tunnelling policy. The values in my dictionary
>> are:
>>
>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G Tunnel-Everything 0
>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G Split-Tunnel-Net-List 1
>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G Local-Net-Bypass 2
>>
>> I've tried both numeric and named parameters, neither seems to do
>> the right thing. Here's an example group defined in a flat file:
>>
>> some_group User-Password = "foo"
>> PoolHint = 169.231.64.1,
>> Idle-Timeout = 60,
>> Class = "OU=some_group;",
>> Altiga-IPSec-Authentication-G = RADIUS,
>> Altiga-Tunneling-Protocols-G/U = IPSec,
>> # valid HYBRID SA
>> Altiga-IPSec-Sec-Association-G/U = ESP-AES256-HYBRID,
>> # full tunneling with local net bypass (default in base group)
>> Altiga-IPSec-Split-Tunnel-Policy-G = 2,
>> Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>>
>> Local-Net-Bypass is my default policy in the VPN base group. If I
>> don't set the Altiga-IPSec-Split-Tunnel-Policy-G reply attribute,
>> it works fine. If I do, it doesn't. Anyone bonk into this one
>> before?
>>
>>
>> --On Monday, February 07, 2005 05:22:29 PM -0800 "Andrew D. Clark"
>> <andrew.clark at ucsb.edu> wrote:
>>
>>> Hi all,
>>>
>>> I've got a Cisco 3060 VPN doing external group auth to radiator.
>>> All is working fine (though I really wish there was a good way to
>>> distinguish VPN groups from users, but Cisco apparently isn't making
>>> that easy - any suggestions?). However, if I want to pass up
>>> different split tunneling policies to the VPN, I have a problem with
>>> specifying the particular network list to use. The VPN has some
>>> network lists defined on it, like the default "VPN Client Local LAN
>>> (Default)" list, as well as one I added called "UCSB Nets". Do I
>>> reference them by those names on the VPN?
>>>
>>> I thought something like this might work:
>>>
>>> # full tunneling with local net bypass
>>> Altiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
>>> Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>>>
>>> but it doesn't. Neither does something like:
>>>
>>> # split tunneling, campus space only
>>> Altiga-IPSec-Split-Tunnel-Policy-G = Split-Tunnel-Net-List,
>>> Altiga-IPSec-Split-Tunnel-List-G = "UCSB Nets"
>>>
>>> Doing a network list numerically like "0.0.0.0/0.0.0.0" (for local
>>> LAN split tunneling, for instance) doesn't seem to work either.
>>> Anyone out there have any wisdom to spare?
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>>
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>