(RADIATOR) FramedGroup/FramedGroupBaseAddress
Stuart Kendrick
skendric at fhcrc.org
Sun Nov 12 20:41:18 CST 2006
hi hugh,

ok, i want to specify a pool of addresses which a NAS will assign to
users belonging to a certain group. i'm using the FramedGroup /
FramedGroupBaseAddress feature. when i try doing this, i can log in
fine ... but i don't receive an address i'm expecting. and in the
logfile, i see

    "WARNING: Empty string attribute Framed-IP-Address will be ignored"

along with an IP address which i find hard to believe ... check out that
last octet

    Framed-IP-Address = 10.1.40.440

have any tips for me? any thoughts on where that "10.1.40.440" address
comes from? and what the "Empty string attribute ..." message means?

--sk

here are snippets from my radius.cfg:
[...]
# VPN Servers
<Client foozle.company.com>
    Secret secret
    Identifier vpn-servers
    # This is the base address for FramedGroup 0
    FramedGroupBaseAddress 10.1.14.250
</Client>
[...]
##### VPN Servers #####
<Handler Client-Identifier=vpn-servers>
    AuthByPolicy ContinueUntilAccept
    RejectHasReason
    # Handle Software Consulting Services (SCS) access,
    # limit them to one session at a time. specify the
    # addresses they receive
    <AuthBy LSA>
        Domain COMPANY
        Group SCS
        FramedGroup 0
        AddToReply Altiga-Simultaneous-Logins-G/U = 1
    </AuthBy>
    # Handle Software VPN users
    <AuthBy LSA>
        Domain COMPANY
        Group SWVPNUSERS
    </AuthBy>
    # Log it
    AuthLog vpn-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
[...]
however, when i log in, i don't get an address anywhere near 10.1.14.250
... instead, i receive 10.1.14.41. and the next time i log in,
10.1.14.42 ... these addresses are ones i might receive if i remove the
FramedGroup 0 line ... they land inside a pool which the NAS owns
with tracelevel set to 4, here's what i see:
[...]
Sun Nov 12 18:23:24 2006: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Sun Nov 12 18:23:24 2006: DEBUG: Reading dictionary file 'C:/Program Files/Radiator/dictionary'
Sun Nov 12 18:23:25 2006: DEBUG: Creating authentication port 0.0.0.0:1645
Sun Nov 12 18:23:25 2006: DEBUG: Creating accounting port 0.0.0.0:1646
Sun Nov 12 18:23:25 2006: NOTICE: Server started: Radiator 3.15 on Doozy
Sun Nov 12 18:23:25 2006: DEBUG: Packet dump:
[...]
*** Received from 10.1.14.8 port 1057 ....
Code: Access-Request
Identifier: 201
Authentic: [...]
Attributes:
    User-Name = "skendric"
    User-Password = "[...]"
    NAS-Port = 6820
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = "10.1.12.28"
    Calling-Station-Id = "24.42.39.142"
    Tunnel-Client-Endpoint = 24.42.39.141
    NAS-IP-Address = 10.1.14.8
    NAS-Port-Type = Virtual
Sun Nov 12 18:12:32 2006: DEBUG: Handling request with Handler 'Client-Identifier=vpn-servers'
Sun Nov 12 18:12:32 2006: DEBUG: Deleting session for skendric, 10.1.4.8, 6820
Sun Nov 12 18:12:32 2006: DEBUG: Handling with Radius::AuthLSA:
Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA looks for match with skendric [skendric]
Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric [skendric]
Sun Nov 12 18:12:32 2006: DEBUG: FramedGroup 0 address is being assigned
Sun Nov 12 18:12:32 2006: DEBUG: AuthBy LSA result: ACCEPT,
Sun Nov 12 18:12:32 2006: DEBUG: Access accepted for skendric
Sun Nov 12 18:12:34 2006: WARNING: Empty string attribute Framed-IP-Address will be ignored
Sun Nov 12 18:12:34 2006: DEBUG: Packet dump:
*** Sending to 140.107.14.8 port 1057 ....
Code: Access-Accept
Identifier: 201
Authentic: [...]
Attributes:
    Framed-IP-Address = 10.1.40.440
    Altiga-Simultaneous-Logins-G/U = 1
Notes:
-i thought about doing this from the NAS side ... but it will only
restrict users to a given pool if it does the authenticating ... and
since i want Radiator to do the authenticating ... i figure i want
Radiator to hand out the IP addresses, also
-Radiator 3.15, perl-5.6.1, Windows 2003, Cisco VPN Concentrator 3030
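
Added example, not part of the original post and not Radiator code: the base address 10.1.14.250 and the NAS-Port 6820 from the packet dump reproduce 10.1.40.440 if one assumes the address is built by adding the NAS-Port to the base address, 255 ports per class C block, with no range check on the octets. The function names and that arithmetic are assumptions inferred from the values in the post.

```python
import ipaddress


def framed_group_address(base, nas_port, max_ports_per_class_c=255):
    """Build a dotted address by adding nas_port to base.

    Assumed arithmetic (inferred from the values in the post): the third
    octet advances by nas_port // max_ports, the fourth by
    nas_port % max_ports, and nothing carries or is range-checked.
    """
    octets = [int(o) for o in base.split(".")]
    octets[2] += nas_port // max_ports_per_class_c
    octets[3] += nas_port % max_ports_per_class_c
    return ".".join(str(o) for o in octets)


def is_valid_ipv4(text):
    """True only if every octet is in 0..255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def check(base, nas_port, max_ports_per_class_c=255):
    """Return (address string, whether it is a well-formed IPv4 address)."""
    addr = framed_group_address(base, nas_port, max_ports_per_class_c)
    return addr, is_valid_ipv4(addr)


def ports_with_valid_last_octet(base, max_ports_per_class_c=255):
    """How many port numbers (0..n-1) keep the last octet at or below 255."""
    last = int(base.split(".")[3])
    return min(max_ports_per_class_c, 256 - last)


if __name__ == "__main__":
    # Values taken from the post: FramedGroupBaseAddress and NAS-Port.
    print(check("10.1.14.250", 6820))
    # Constructed value: a small port number that stays inside the block.
    print(check("10.1.14.250", 3))
    print(ports_with_valid_last_octet("10.1.14.250"))
```

Under this assumption, a base address ending in .250 leaves room only for port numbers 0 through 5, and a virtual port number in the thousands overflows both the third and fourth octets.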
--
Archive at http://www.open.com.au/archives/radiator/