(RADIATOR) Re: Multiple IP pools (Cisco) for PPTP, IPSec accounting, VoIP AAA, etc qestions :-(
Hugh Irvine
hugh at open.com.au
Tue Feb 14 22:30:32 CST 2006
Hello Sergei -
I notice an error message in the log shown below:
> Mon Feb 13 13:57:04 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Feb 13 13:57:04 2006: DEBUG: Radius::AuthFILE looks for match
> with test
> Mon Feb 13 13:57:04 2006: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Feb 13 13:57:04 2006: DEBUG: Access accepted for test
> Mon Feb 13 13:57:04 2006: WARNING: No such attribute Assign-IP-pool
This may be part of the problem.
And what does a debug on the Cisco show - presumably there will be
some indication of what is occurring?
regards
Hugh
On 14 Feb 2006, at 19:38, Sergei Keler wrote:
> I hope this community helps me :-) I sent a cc to the list too.
>
> See my answers below.
>
> Sergei Keler
> General DataComm
> IT-manager
> tel.: +7(812)325-1085
> fax: +7(812)325-1086
>
>
> On 14.02.2006, at 3:39, Hugh Irvine wrote:
>
>>
>> Hello Sergei -
>>
>> Unfortunately I do not have access to any Cisco equipment, but I
>> will do my best to answer your questions below.
>>
>> I suggest you also post your questions to the Radiator mailing
>> list, as there are undoubtedly better Cisco experts than me.
>>
>>
>> On 13 Feb 2006, at 23:25, Sergei Keler wrote:
>>
>>> Hi!
>>>
>>> Please give me a solution for how to use Radiator to do the following:
>>>
>>> 1. I have Cisco 2651XM.
>>> Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9_IVS-M),
>>> Version 12.3(11)T8, RELEASE SOFTWARE (fc3)
>>>
>>> In radius.conf I try
>>> cisco-avpair = "ip:addr-pool=lab-pool"
>>>
>>> But the router still gives addresses from the gdc-vpdn pool shown in
>>> virtual template 1.
>>> I need to force the router to lease IP addresses from different pools
>>> depending on realm.
>>>
>>
>> I will need to see a trace 4 debug from Radiator and a Cisco
>> debug, both showing what is happening.
>
> Mon Feb 13 13:57:04 2006: DEBUG: Packet dump:
> *** Received from 192.168.0.254 port 1645 ....
>
> Packet length = 151
> Code: Access-Request
> Identifier: 209
> Authentic: <16><248>sYH<18><245>/<0><0><0><0><0><0><0><0>
> Attributes:
> Framed-Protocol = PPP
> User-Name = "test at lab"
> MS-CHAP-Challenge = "<16><248>sYH<18><245>/"
> MS-CHAP-Response = "<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>!%<178>-<29><231><13>{<201><178>h<253><162><12><127><21>ZL<156>q7n,<174>"
> NAS-Port-Type = Virtual
> NAS-Port = 142
> NAS-Port-Id = "Uniq-Sess-ID142"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.0.254
>
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test at lab
> Mon Feb 13 13:57:04 2006: DEBUG: Handling request with Handler 'Realm=lab'
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:04 2006: DEBUG: Deleting session for test at lab, 192.168.0.254, 142
> Mon Feb 13 13:57:04 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Feb 13 13:57:04 2006: DEBUG: Radius::AuthFILE looks for match
> with test
> Mon Feb 13 13:57:04 2006: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Feb 13 13:57:04 2006: DEBUG: Access accepted for test
> Mon Feb 13 13:57:04 2006: WARNING: No such attribute Assign-IP-pool
> Mon Feb 13 13:57:04 2006: DEBUG: Packet dump:
> *** Sending to 192.168.0.254 port 1645 ....
>
> Packet length = 261
> Code: Access-Accept
> Identifier: 209
> Authentic: <16><248>sYH<18><245>/<0><0><0><0><0><0><0><0>
> Attributes:
> MS-CHAP-MPPE-Keys = "`.O<167>)<9><140><208><20>n<6>x<137><226><152><192>AP<158><160><201><145><177><174>=<253>q<18><239><218><232>d"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> cisco-avpair = "ip:addr-pool=lab-pool"
> cisco-avpair = "ip:dns-servers=217.195.78.37"
> Message-Authenticator = 0000000000000000
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = Encryption-Any
> Mon Feb 13 13:57:04 2006: DEBUG: Packet dump:
> *** Received from 192.168.0.254 port 1646 ....
>
> Packet length = 144
> Code: Accounting-Request
> Identifier: 79
> Authentic: VF<196><239><193><249>p<138>j<209><255>.L<162><9>)
> Attributes:
> Acct-Session-Id = "0000099C"
> Tunnel-Medium-Type = 0:IP
> Tunnel-Server-Endpoint = 217.195.78.46
> Tunnel-Client-Endpoint = 192.168.0.129
> Tunnel-Assignment-ID = 1
> Framed-Protocol = PPP
> User-Name = "test at lab"
> Acct-Authentic = RADIUS
> Acct-Status-Type = Start
> NAS-Port-Type = Virtual
> NAS-Port = 142
> NAS-Port-Id = "Uniq-Sess-ID142"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.0.254
> Acct-Delay-Time = 0
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test at lab
> Mon Feb 13 13:57:04 2006: DEBUG: Handling request with Handler 'Realm=lab'
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:04 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:04 2006: DEBUG: Adding session for test at lab, 192.168.0.254, 142
> Mon Feb 13 13:57:04 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Feb 13 13:57:04 2006: DEBUG: Accounting accepted
> Mon Feb 13 13:57:04 2006: DEBUG: Packet dump:
> *** Sending to 192.168.0.254 port 1646 ....
>
> Packet length = 20
> 05 4f 00 14 de 19 c7 05 89 71 e4 d0 79 d0 36 55
> 5f 31 0f 30
> Code: Accounting-Response
> Identifier: 79
> Authentic: VF<196><239><193><249>p<138>j<209><255>.L<162><9>)
> Attributes:
>
> Mon Feb 13 13:57:45 2006: DEBUG: Packet dump:
> *** Received from 192.168.0.254 port 1646 ....
> Packet length = 186
> Code: Accounting-Request
> Identifier: 80
> Authentic: <182>/<235>04<242>`<184><<240><226><240><149>R<177>,
> Attributes:
> Acct-Session-Id = "0000099C"
> Tunnel-Medium-Type = 0:IP
> Tunnel-Server-Endpoint = 217.195.78.46
> Tunnel-Client-Endpoint = 192.168.0.129
> Tunnel-Assignment-ID = 1
> Framed-Protocol = PPP
> Framed-IP-Address = 192.168.0.95
> User-Name = "test at lab"
> Acct-Authentic = RADIUS
> Acct-Session-Time = 41
> Acct-Input-Octets = 25986
> Acct-Output-Octets = 784475
> Acct-Input-Packets = 435
> Acct-Output-Packets = 667
> Acct-Terminate-Cause = User-Request
> Acct-Status-Type = Stop
> NAS-Port-Type = Virtual
> NAS-Port = 142
> NAS-Port-Id = "Uniq-Sess-ID142"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.0.254
> Acct-Delay-Time = 0
>
> Mon Feb 13 13:57:45 2006: DEBUG: Rewrote user name to test at lab
> Mon Feb 13 13:57:45 2006: DEBUG: Handling request with Handler 'Realm=lab'
> Mon Feb 13 13:57:45 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:45 2006: DEBUG: Rewrote user name to test
> Mon Feb 13 13:57:45 2006: DEBUG: Deleting session for test at lab, 192.168.0.254, 142
> Mon Feb 13 13:57:45 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Feb 13 13:57:45 2006: DEBUG: Accounting accepted
> Mon Feb 13 13:57:45 2006: DEBUG: Packet dump:
> *** Sending to 192.168.0.254 port 1646 ....
>
> Packet length = 20
> 05 50 00 14 61 53 d1 7f 41 8b d0 99 b9 1a a5 bc
> a6 66 2a 39
> Code: Accounting-Response
> Identifier: 80
> Authentic: <182>/<235>04<242>`<184><<240><226><240><149>R<177>,
> Attributes:
>
>>
>>
>>> Sounds bad. I also use IPSec on the same Cisco router. After
>>> configuring this one, it can't work with PPTP encryption and
>>> multiple pools. Where to dig? What to do?
>>>
>>
>> Check the Cisco web site and your Cisco support engineer (I don't
>> know the answer).
>
> They're seeking voodoo :-(
>
>>
>>> 2. I use IPSec on the same 2651XM. How do I get accounting for IPSec
>>> tunnels? I see the opening event only. No closing, no accounting. How
>>> do I do it with Radiator?
>>>
>>
>> This is certainly a NAS configuration issue - Radiator simply
>> records the radius accounting requests it receives.
>
> Yes. But I hope somebody on the mailing list can help me.
>
>>
>>> 3. Now I'm implementing VoIP with a Cisco 5350 voice gateway and the
>>> same 2651XM as gatekeeper. How do I force AAA for the gatekeeper with
>>> Radiator?
>>>
>>
>> This is also a NAS configuration issue - Radiator acting as a
>> radius server cannot force a NAS to do anything.
>>
>>> Full 2651XM config attached, and a partial radiator.conf too...
>>>
>>
>> As mentioned, you should post to the mailing list and check the
>> Cisco web site.
>>
>> regards
>>
>> Hugh
>>
>>
>>> Sergei Keler
>>> General DataComm
>>> IT-manager
>>> tel.: +7(812)325-1085
>>> fax: +7(812)325-1086
>>>
>>>
>>> ====
>>>
>>>
>>> !
>>> ! Last configuration change at 14:03:06 MSK Mon Feb 13 2006 by
>>> skiller at admin
>>> ! NVRAM config last updated at 14:19:53 MSK Mon Feb 13 2006 by
>>> skiller at admin
>>> !
>>> version 12.3
>>> service timestamps debug datetime msec
>>> service timestamps log datetime localtime show-timezone
>>> service password-encryption
>>> !
>>> hostname gdc-gwgk
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> logging buffered 8192 debugging
>>> enable secret 5 xxxx
>>> !
>>> clock timezone MSK 3
>>> clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
>>> no network-clock-participate slot 1
>>> no network-clock-participate wic 0
>>> ip subnet-zero
>>> !
>>> !
>>> ip dhcp excluded-address 192.168.0.1 192.168.0.100
>>> ip dhcp excluded-address 192.168.0.231 192.168.0.254
>>> ip dhcp excluded-address 192.168.14.201 192.168.14.254
>>> ip dhcp ping packets 5
>>> !
>>> ip dhcp pool gdc-office
>>> network 192.168.0.0 255.255.255.0
>>> domain-name gdc.ru
>>> default-router 192.168.0.254
>>> dns-server 192.168.0.1 192.168.0.3
>>> netbios-name-server 192.168.0.3
>>> lease infinite
>>> !
>>> !
>>> ip cef
>>> ip tftp source-interface FastEthernet0/1.30
>>> ip domain list office.gdc.spb.ru
>>> ip domain list gdc.ru
>>> ip domain name gdc.ru
>>> ip name-server 192.168.0.1
>>> ip name-server 192.168.0.3
>>> ip name-server 217.195.78.37
>>> ip ips po max-events 100
>>> ip ssh source-interface FastEthernet0/1.20
>>> ip address-pool local
>>> vpdn enable
>>> vpdn history failure table-size 50
>>> !
>>> vpdn-group 1
>>> ! Default PPTP VPDN group
>>> accept-dialin
>>> protocol pptp
>>> virtual-template 1
>>> local name vpn-gw
>>> !
>>> aaa new-model
>>> !
>>> !
>>> aaa authentication login default local group radius
>>> aaa authentication login DEFINITY none
>>> aaa authentication login DYNVPN-AUTHEN group radius local
>>> aaa authentication ppp default group radius
>>> aaa authentication ppp VPDN group radius
>>> aaa authentication ppp DIAL-UP if-needed group radius
>>> aaa authorization exec default group radius if-authenticated
>>> aaa authorization network default local if-authenticated
>>> aaa authorization network VPDN group radius
>>> aaa authorization network DEFINITY none
>>> aaa authorization network DYNVPN-AUTHOR local
>>> aaa authorization reverse-access DEFINITY none
>>> aaa accounting network default start-stop group radius
>>> aaa accounting network VPDN start-stop group radius
>>> aaa accounting network DIAL-UP start-stop group radius
>>> aaa session-id common
>>> no ftp-server write-enable
>>> !
>>> !
>>> voice call carrier capacity active
>>> !
>>> voice service voip
>>> h323
>>> !
>>> !
>>> crypto isakmp policy 10
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> !
>>> crypto isakmp policy 20
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 5
>>> no crypto isakmp ccm
>>> !
>>> crypto isakmp client configuration group INTRANET
>>> key xxx
>>> dns 192.168.0.1 192.168.0.3
>>> domain gdc.ru
>>> pool DYNVPN-POOL
>>> acl 101
>>> include-local-lan
>>> pfs
>>> !
>>> !
>>> crypto ipsec transform-set DYNAMIC esp-3des esp-sha-hmac
>>> !
>>> crypto dynamic-map DYNVPN-MAP 1
>>> set transform-set DYNAMIC
>>> reverse-route
>>> !
>>> !
>>> crypto map GDC-VPN client authentication list DYNVPN-AUTHEN
>>> crypto map GDC-VPN isakmp authorization list DYNVPN-AUTHOR
>>> crypto map GDC-VPN client configuration address respond
>>> crypto map GDC-VPN 500 ipsec-isakmp dynamic DYNVPN-MAP
>>> !
>>> !
>>> !
>>> !
>>> interface FastEthernet0/0
>>> ip address xxxx 255.255.255.252
>>> ip nat outside
>>> ip virtual-reassembly
>>> speed 100
>>> full-duplex
>>> no cdp enable
>>> crypto map GDC-VPN
>>> !
>>> interface Serial0/0
>>> no ip address
>>> encapsulation frame-relay IETF
>>> shutdown
>>> frame-relay lmi-type ansi
>>> !
>>> interface FastEthernet0/1
>>> no ip address
>>> speed 100
>>> full-duplex
>>> ntp broadcast
>>> no cdp enable
>>> !
>>> interface FastEthernet0/1.20
>>> encapsulation dot1Q 20
>>> ip address xxxx 255.255.255.240
>>> ip nat outside
>>> ip virtual-reassembly
>>> no cdp enable
>>> h323-gateway voip interface
>>> !
>>> interface FastEthernet0/1.30
>>> description LANs gateway
>>> encapsulation dot1Q 30
>>> ip address 10.0.0.1 255.255.255.0 secondary
>>> ip address 192.168.252.254 255.255.255.0 secondary
>>> ip address 192.168.0.254 255.255.255.0
>>> ip access-group 103 in
>>> ip nat inside
>>> ip virtual-reassembly
>>> no cdp enable
>>> !
>>> interface FastEthernet0/1.50
>>> description Art Communication's link
>>> encapsulation dot1Q 50
>>> ip address 10.64.0.14 255.255.255.240
>>> ip nat inside
>>> ip virtual-reassembly
>>> no cdp enable
>>> !
>>> interface FastEthernet0/1.60
>>> description Lab
>>> encapsulation dot1Q 60
>>> ip address 192.168.13.254 255.255.255.0
>>> ip nat inside
>>> ip virtual-reassembly
>>> no cdp enable
>>> !
>>> interface Virtual-Template1
>>> ip unnumbered FastEthernet0/0
>>> ip nat inside
>>> ip virtual-reassembly
>>> no ip route-cache cef
>>> ip mroute-cache
>>> peer default ip address pool gdc-vpdn lab-pool
>>> no keepalive
>>> ppp encrypt mppe 40
>>> ppp authentication ms-chap VPDN
>>> !
>>> interface Group-Async1
>>> no ip address
>>> ip nat inside
>>> ip virtual-reassembly
>>> encapsulation ppp
>>> async dynamic address
>>> async mode interactive
>>> peer default ip address pool gdc-dialup
>>> ppp authentication pap DIAL-UP
>>> group-range 33 48
>>> !
>>> router ospf 1
>>> log-adjacency-changes
>>> redistribute connected subnets
>>> redistribute static subnets
>>> network 192.168.0.0 0.0.0.255 area 0
>>> network 217.195.78.32 0.0.0.15 area 0
>>> default-information originate
>>> !
>>> ip local pool gdc-dialup 192.168.2.1 192.168.2.16
>>> ip local pool gdc-vpdn 192.168.0.51 192.168.0.99
>>> ip local pool ee-pool 192.168.14.1 192.168.14.200
>>> ip local pool lu4-pool 10.0.0.215 10.0.0.219
>>> ip local pool DYNVPN-POOL 192.168.254.1 192.168.254.199
>>> ip local pool lab-pool 192.168.13.225 192.168.13.234
>>> ip local pool test254 192.168.254.200 192.168.254.209
>>> ip classless
>>> ip route 0.0.0.0 0.0.0.0 xxxx
>>> ip route 10.64.0.16 255.255.255.240 10.64.0.1
>>> ip route 192.168.254.0 255.255.255.0 Null0 250
>>> !
>>> !
>>> no ip http server
>>> no ip http secure-server
>>> ip nat inside source list nat-acl interface FastEthernet0/0 overload
>>> !
>>> ip access-list extended block-dialup
>>> permit tcp 192.168.2.0 0.0.0.255 host 192.168.0.1 eq domain
>>> permit udp 192.168.2.0 0.0.0.255 host 192.168.0.1 eq domain
>>> permit tcp 192.168.2.0 0.0.0.255 host 192.168.0.1 eq 22
>>> permit ip any any
>>> ip access-list extended check-forwards
>>> permit tcp host 213.241.50.106 host 217.195.78.40
>>> permit tcp any host 217.195.78.40 established
>>> deny tcp any host 217.195.78.40
>>> permit tcp host 212.176.240.151 host 217.195.78.39
>>> permit tcp host 81.3.141.50 host 217.195.78.39
>>> permit tcp any host 217.195.78.39 established
>>> permit tcp host 213.59.86.74 host 217.195.78.39
>>> deny tcp any host 217.195.78.39
>>> permit ip any any
>>> ip access-list extended nat-acl
>>> deny ip 192.168.13.0 0.0.0.255 192.168.0.0 0.0.0.255
>>> deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
>>> deny ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
>>> deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
>>> deny ip 192.168.0.0 0.0.0.255 10.64.0.0 0.0.0.15
>>> deny ip 10.64.0.0 0.0.0.15 192.168.0.0 0.0.0.255
>>> deny ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
>>> deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
>>> deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>> deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
>>> deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>> permit tcp any host 192.168.0.1 eq smtp
>>> permit tcp any host 217.195.78.37 eq smtp
>>> permit tcp any host 194.67.23.114 eq smtp
>>> deny tcp any any eq smtp
>>> permit ip 192.168.0.0 0.0.0.255 any
>>> permit ip 192.168.2.0 0.0.0.255 any
>>> permit ip 192.168.13.0 0.0.0.255 any
>>> permit ip 10.64.0.16 0.0.0.15 any
>>> !
>>> logging trap debugging
>>> logging 192.168.0.1
>>> access-list 101 permit ip 192.168.0.0 0.0.0.255 any
>>> access-list 101 permit ip 192.168.254.0 0.0.0.255 any
>>> access-list 102 permit ip 192.168.254.0 0.0.0.255 any
>>> access-list 102 permit ip any 192.168.254.0 0.0.0.255
>>> access-list 103 permit tcp any 192.168.0.0 0.0.255.255 eq www
>>> access-list 103 deny tcp any any eq www
>>> access-list 103 permit ip any any
>>> snmp-server community public RO 97
>>> snmp-server enable traps tty
>>> no cdp run
>>> !
>>> !
>>> radius-server configure-nas
>>> radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 xxx
>>> !
>>> control-plane
>>> !
>>> !
>>> !
>>> !
>>> !
>>> dial-peer cor custom
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> gatekeeper
>>> zone local gk.gdc.ru gdc.ru xxxx
>>> zone prefix gk.gdc.ru 1.. gw-priority 5 vgw5350.gdc.ru
>>> zone prefix gk.gdc.ru 6.. gw-priority 5 vgw5350.gdc.ru
>>> zone prefix gk.gdc.ru ....... gw-priority 5 vgw5350.gdc.ru
>>> gw-type-prefix xxxx default-technology
>>> no shutdown
>>> !
>>> !
>>> !
>>> end
>>>
>>> ======
>>>
>>> # radius.cfg
>>> #
>>> # Example Radiator configuration file.
>>> # This very simple file will allow you to get started with
>>> # a simple system. You can then add and change features.
>>> # We suggest you start simple, prove to yourself that it
>>> # works and then develop a more complicated configuration as required.
>>> #
>>> # This example will authenticate from a standard users file in
>>> # DbDir/users and log accounting to LogDir/detail.
>>> #
>>> # It will accept requests from any client and try to handle request
>>> # for any realm.
>>> #
>>> # You should consider this file to be a starting point only
>>> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>>>
>>> #Foreground
>>> #LogStdout
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>>
>>> BindAddress 192.168.0.1,217.195.78.37
>>>
>>> # Use a low trace level in production systems. Increase
>>> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>>>
>>> Trace 5
>>> #Trace 2
>>> #Trace 1
>>> LogFile %L/debug
>>>
>>> # You will probably want to add other Clients to suit your site,
>>> # one for each NAS you want to work with
>>> <Client DEFAULT>
>>> Secret xxxxx
>>> DupInterval 0
>>> NasType Cisco
>>> # PacketTrace
>>> </Client>
>>>
>>> RewriteUsername s/^(\$enab15\$)$/enable\@admin/
>>>
>>>
>>> <Realm vpn>
>>> RewriteUsername s/^([^@]+).*/$1/
>>> RewriteUsername s/.*?\\([^@]+)/$1/
>>> <AuthBy LDAP2>
>>> Host xxxx
>>> UsernameAttr uid
>>> PasswordAttr xxxx
>>> AuthDN xxxx
>>> AuthPassword xxxx
>>> BaseDN gdc
>>> #
>>> AutoMPPEKeys
>>> AddToReply Service-Type = Framed-User,\
>>> Framed-Protocol = PPP,\
>>> Framed-IP-Netmask = 255.255.255.255,\
>>> Framed-Routing = None,\
>>> Framed-MTU = 1500,\
>>> cisco-avpair = "ip:addr-pool=gdc-vpdn",\
>>> Message-Authenticator = 0000000000000000,\
>>> MS-MPPE-Encryption-Policy = Encryption-Allowed,\
>>> MS-MPPE-Encryption-Types = Encryption-Any
>>> </AuthBy>
>>> AcctLogFileName %L/detail.vpdn
>>> AcctLogFileFormat %{Timestamp} %{Acct-Session-Id} %{User-Name} %{Acct-Status-Type} %{Tunnel-Client-Endpoint} %{Acct-Session-Time} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Acct-Terminate-Cause}
>>> </Realm>
>>>
>>> <Realm lab>
>>> RewriteUsername s/^([^@]+).*/$1/
>>> RewriteUsername s/.*?\\([^@]+)/$1/
>>> <AuthBy FILE>
>>> Filename %D/users.lab
>>> AutoMPPEKeys
>>> AddToReply Service-Type = Framed-User,\
>>> Framed-Protocol = PPP,\
>>> Framed-IP-Netmask = 255.255.255.255,\
>>> Framed-Routing = None,\
>>> Framed-MTU = 1500,\
>>> cisco-avpair = "ip:addr-pool=lab-pool",\
>>> cisco-avpair = "ip:dns-servers=217.195.78.37",\
>>> Message-Authenticator = 0000000000000000,\
>>> MS-MPPE-Encryption-Policy = Encryption-Allowed,\
>>> MS-MPPE-Encryption-Types = Encryption-Any
>>> </AuthBy>
>>> AcctLogFileName %L/detail.lab
>>> AcctLogFileFormat %{Timestamp} %{Acct-Session-Id} %{User-Name} %{Acct-Status-Type} %{Tunnel-Client-Endpoint} %{Acct-Session-Time} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Acct-Terminate-Cause}
>>> </Realm>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
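The Access-Accept in the trace above carries the pool name as a Cisco-AVPair inside a RADIUS Vendor-Specific attribute. As an added example (my own code, not from the thread, Radiator or Cisco), this Python encodes and decodes that VSA and checks that the pool a reply names is one the router actually defines with `ip local pool`, which is the first thing to confirm before digging into the NAS side. The IOS excerpt, the reply attributes and all helper names are constructed here to mirror the thread.

```python
import re
import struct

# RFC 2865 Vendor-Specific attribute and the Cisco-AVPair VSA
# (IANA enterprise 9, vendor type 1) that the thread's reply carries.
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1
FRAMED_MTU = 12

def encode_cisco_avpair(value: str) -> bytes:
    """Wrap a Cisco-AVPair string such as ip:addr-pool=lab-pool in a VSA."""
    payload = value.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_int_attr(atype: int, value: int) -> bytes:
    """Encode a standard 32-bit integer attribute (e.g. Framed-MTU)."""
    return struct.pack("!BBI", atype, 6, value)

def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list. Cisco-AVPairs come back as
    ('cisco-avpair', text); everything else as (type, raw bytes).
    Length fields are checked so a malformed list raises ValueError."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if ((vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE)
                    and vlen == len(value) - 4):
                out.append(("cisco-avpair", value[6:].decode("ascii", "replace")))
            else:
                out.append(("vendor-specific", value))
        else:
            out.append((atype, value))
        pos += alen
    return out

POOL_RE = re.compile(r"^\s*ip local pool (\S+) ", re.M)

def local_pools(ios_config: str) -> set:
    """Names defined by 'ip local pool NAME start end' lines."""
    return {m.group(1) for m in POOL_RE.finditer(ios_config)}

def check_pool_assignments(attrs: list, ios_config: str) -> list:
    """For every ip:addr-pool AVPair, report whether the router defines it."""
    pools = local_pools(ios_config)
    names = [v.split("=", 1)[1] for n, v in attrs
             if n == "cisco-avpair" and v.startswith("ip:addr-pool=")]
    return [(p, p in pools) for p in names]

# Constructed excerpt mirroring the router config posted in the thread.
IOS_CONFIG = """\
interface Virtual-Template1
 peer default ip address pool gdc-vpdn lab-pool
!
ip local pool gdc-vpdn 192.168.0.51 192.168.0.99
ip local pool lab-pool 192.168.13.225 192.168.13.234
"""

def build_lab_reply() -> bytes:
    """Constructed Access-Accept attributes for the lab realm, as in the trace."""
    return (encode_cisco_avpair("ip:addr-pool=lab-pool")
            + encode_cisco_avpair("ip:dns-servers=217.195.78.37")
            + encode_int_attr(FRAMED_MTU, 1500))
```

Running `check_pool_assignments(decode_attributes(build_lab_reply()), IOS_CONFIG)` reports `lab-pool` as defined, so the RADIUS side of the exchange is consistent and the remaining question is what the router does with it.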
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.