(RADIATOR) cisco 3000 VPN external group attrs

Andrew D. Clark andrew.clark at ucsb.edu
Wed Feb 9 19:47:44 CST 2005


Ooops.  Turns out I imported my dictionary from an earlier radiator 
install.  3.11's dictionary has the attribute with the proper datatype. 
Thanks all!

--On Wednesday, February 09, 2005 11:58:00 AM -0800 "Andrew D. Clark" 
<andrew.clark at ucsb.edu> wrote:

> I had a case with Cisco, turns out the problem is the dictionary that
> comes with Radiator (I've got 3.11).  Packet sniffing and debug on
> the vpn showed Radiator sending out a badly formatted AVP for that
> value. It was using a string type, when it should've been an integer.
>
> [radius1:/usr/local/etc/raddb]$ diff dictionary.orig dictionary
> 3346c3346
> < VENDORATTR  3076  Altiga-IPSec-Split-Tunnel-Policy-G      55 string
> ---
>> VENDORATTR  3076  Altiga-IPSec-Split-Tunnel-Policy-G      55 integer
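Review bot: the switch from string to integer on the VENDORATTR line is consistent with the VALUE entries defined later in the thread for Altiga-IPSec-Split-Tunnel-Policy-G (Tunnel-Everything 0, Split-Tunnel-Net-List 1, Local-Net-Bypass 2), which only resolve to a usable value when the attribute is integer-typed; with the string type the named value is sent as ASCII digits rather than a 4-byte integer, which matches the badly formatted AVP seen in the capture. Since the follow-up notes that the 3.11 dictionary already carries the integer type, verify a hand-edited dictionary.orig against the copy shipped with the installed version rather than one carried over from an older install.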
>
> Which is funny, because Cisco's avp ref for the VPN3000 says string...
>
> <http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml>
>
> (you'll need a TAC account to view that - I can send a pdf of it if
> needed, Hugh)
>
> I'm not sure where the problem is now (Cisco's docs?), but it works as
> integer, but not as string.
>
> --
> Andrew Clark
> Campus Network Programmer
> Office of Information Technology
> University of California, Santa Barbara
> andrew.clark at ucsb.edu (805) 893-5311
>
>
> --On Wednesday, February 09, 2005 08:30:41 AM +0300 Hugh Irvine
> <hugh at open.com.au> wrote:
>
>>
>> Hello Andrew -
>>
>> I think you will need to compare a debug from Radiator and a debug on
>> the Cisco to see if first of all Radiator is sending the right thing,
>> and second of all what the Cisco is trying to do with it. If the
>> Cisco is having a problem you will need to talk to Cisco about it.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 8 Feb 2005, at 22:55, Andrew D. Clark wrote:
>>
>>> I need to rephrase my question.  After more fiddling, I find that I
>>> should indeed use the network lists as they are named on the
>>> concentrator as reply attributes for group authentication using
>>> Radiator, and that works fine.  However, what isn't working is
>>> setting the split-tunnelling policy.  The values in my dictionary
>>> are:
>>>
>>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Tunnel-Everything      0
>>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Split-Tunnel-Net-List  1
>>> VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Local-Net-Bypass       2
>>>
>>> I've tried both numeric and named parameters, neither seems to do
>>> the right thing.  Here's an example group defined in a flat file:
>>>
>>> some_group User-Password = "foo"
>>>         PoolHint = 169.231.64.1,
>>>         Idle-Timeout = 60,
>>>         Class = "OU=some_group;",
>>>         Altiga-IPSec-Authentication-G = RADIUS,
>>>         Altiga-Tunneling-Protocols-G/U = IPSec,
>>>         # valid HYBRID SA
>>>         Altiga-IPSec-Sec-Association-G/U = ESP-AES256-HYBRID,
>>>         # full tunneling with local net bypass (default in base group)
>>>         Altiga-IPSec-Split-Tunnel-Policy-G = 2,
>>>         Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>>>
>>> Local-Net-Bypass is my default policy in the VPN base group.  If I
>>> don't set the Altiga-IPSec-Split-Tunnel-Policy-G reply attribute,
>>> it works fine.  If I do, it doesn't.  Anyone bonk into this one
>>> before?
>>>
>>> --
>>> Andrew Clark
>>> Campus Network Programmer
>>> Office of Information Technology
>>> University of California, Santa Barbara
>>> andrew.clark at ucsb.edu (805) 893-5311
>>>
>>> --On Monday, February 07, 2005 05:22:29 PM -0800 "Andrew D. Clark"
>>> <andrew.clark at ucsb.edu> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've got a Cisco 3060 VPN doing external group auth to radiator.
>>>> All is working fine (though I really wish there was a good way to
>>>> distinguish VPN groups from users, but Cisco apparently isn't
>>>> making that easy - any suggestions?).  However, if I want to pass
>>>> up different split tunneling policies to the VPN, I have a problem
>>>> with specifying the particular network list to use.  The VPN has
>>>> some network lists defined on it, like the default "VPN Client
>>>> Local LAN (Default)" list, as well as one I added called "UCSB
>>>> Nets".  Do I reference them by those names on the VPN?
>>>>
>>>> I thought something like this might work:
>>>>
>>>> # full tunneling with local net bypass
>>>> Altiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
>>>> Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>>>>
>>>> but it doesn't.  Neither does something like:
>>>>
>>>> # split tunneling, campus space only
>>>> Altiga-IPSec-Split-Tunnel-Policy-G = Split-Tunnel-Net-List,
>>>> Altiga-IPSec-Split-Tunnel-List-G = "UCSB Nets"
>>>>
>>>> Doing a network list numerically like "0.0.0.0/0.0.0.0" (for local
>>>> LAN split tunneling, for instance) doesn't seem to work either.
>>>> Anyone out there have any wisdom to spare?
>>>>
>>>> --
>>>> Andrew Clark
>>>> Campus Network Programmer
>>>> Office of Information Technology
>>>> University of California, Santa Barbara
>>>> andrew.clark at ucsb.edu (805) 893-5311
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>
>

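The thread's root cause is a dictionary datatype mismatch: with `string`, the enumerated policy value goes on the wire as ASCII digits instead of a 4-byte integer. The following is an added illustration (not Radiator's code and not from the thread) that builds the Vendor-Specific Attribute for vendor 3076 / attribute 55 both ways and shows that a decoder expecting an integer rejects the string-typed form; the VALUE numbers and the vendor/attribute ids are taken from the thread, everything else is constructed.

```python
import struct

# Values from the thread's dictionary lines.
ALTIGA_VENDOR_ID = 3076           # VENDORATTR 3076 ...
SPLIT_TUNNEL_POLICY = 55          # Altiga-IPSec-Split-Tunnel-Policy-G
POLICY_VALUES = {"Tunnel-Everything": 0, "Split-Tunnel-Net-List": 1,
                 "Local-Net-Bypass": 2}


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Wrap vendor data in a RADIUS Vendor-Specific (type 26) attribute:
    Type, Length, Vendor-Id(4), Vendor-Type(1), Vendor-Length(1), data."""
    if len(data) > 253 - 6:
        raise ValueError("VSA payload too long")
    body = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(data)) + data
    return struct.pack("!BB", 26, 2 + len(body)) + body


def encode_policy(value, datatype: str) -> bytes:
    """Encode the split-tunnel policy the way a dictionary datatype dictates."""
    n = POLICY_VALUES[value] if isinstance(value, str) else int(value)
    if datatype == "integer":
        data = struct.pack("!I", n)          # 4-byte big-endian integer
    elif datatype == "string":
        data = str(n).encode("ascii")        # ASCII digits: the malformed AVP
    else:
        raise ValueError("unknown datatype %r" % datatype)
    return encode_vsa(ALTIGA_VENDOR_ID, SPLIT_TUNNEL_POLICY, data)


def decode_vsa(attr: bytes):
    """Parse a VSA into (vendor_id, vendor_type, data), checking both lengths."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("malformed VSA header")
    vendor_id, vtype, vlen = struct.unpack("!IBB", attr[2:8])
    if vlen != len(attr) - 6:
        raise ValueError("vendor-length mismatch")
    return vendor_id, vtype, attr[8:]


def policy_from_vsa(attr: bytes) -> int:
    """Decode as the integer the concentrator expects; reject other sizes."""
    vendor_id, vtype, data = decode_vsa(attr)
    if (vendor_id, vtype) != (ALTIGA_VENDOR_ID, SPLIT_TUNNEL_POLICY):
        raise ValueError("not Altiga-IPSec-Split-Tunnel-Policy-G")
    if len(data) != 4:
        raise ValueError("integer attribute needs 4 bytes, got %d" % len(data))
    return struct.unpack("!I", data)[0]
```

Comparing `encode_policy("Local-Net-Bypass", "integer")` with the `"string"` variant in a packet capture is exactly the difference the thread's debug showed.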