(RADIATOR) FramedGroup/FramedGroupBaseAddress

Stuart Kendrick skendric at fhcrc.org
Sun Nov 12 20:41:18 CST 2006


hi hugh,

ok, i want to specify a pool of addresses which a NAS will assign to 
users belonging to a certain group.  i'm using the FramedGroup / 
FramedGroupBaseAddress feature.  when i try doing this, i can log in 
fine ... but i don't receive an address i'm expecting.  and in the 
logfile, i see

"WARNING: Empty string attribute Framed-IP-Address will be ignored"

along with an IP address which i find hard to believe ... check out that 
last octet
	Framed-IP-Address = 10.1.40.440

have any tips for me?  any thoughts on where that "10.1.40.440" address 
comes from?  and what the "Empty string attribute ..." message means?

--sk


here are snippets from my radius.cfg:

[...]
# VPN Servers
<Client foozle.company.com>
	Secret secret
	Identifier vpn-servers
	# This is the base address for FramedGroup 0
	FramedGroupBaseAddress 10.1.14.250
</Client>
[...]
##### VPN Servers #####
<Handler Client-Identifier=vpn-servers>
	AuthByPolicy	ContinueUntilAccept
	RejectHasReason

	# Handle Software Consulting Services (SCS) access,
	# limit them to one session at a time. specify the
	# addresses they receive
	<AuthBy LSA>
		Domain COMPANY
		Group SCS
		FramedGroup 0
		AddToReply Altiga-Simultaneous-Logins-G/U = 1
	</AuthBy>
	
	# Handle Software VPN users
	<AuthBy LSA>
		Domain COMPANY
		Group SWVPNUSERS
	</AuthBy>	

	# Log it
	AuthLog			vpn-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
</Handler>
[...]


however, when i log in, i don't get an address anywhere near 10.1.14.250 
... instead, i receive 10.1.14.41.  and the next time i log in, 
10.1.14.42 ... these addresses are ones i might receive if i remove the 
FramedGroup 0 line ... they land inside a pool which the NAS owns

with tracelevel set to 4, here's what i see:

[...]
Sun Nov 12 18:23:24 2006: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Sun Nov 12 18:23:24 2006: DEBUG: Reading dictionary file 'C:/Program Files/Radiator/dictionary'
Sun Nov 12 18:23:25 2006: DEBUG: Creating authentication port 0.0.0.0:1645
Sun Nov 12 18:23:25 2006: DEBUG: Creating accounting port 0.0.0.0:1646
Sun Nov 12 18:23:25 2006: NOTICE: Server started: Radiator 3.15 on Doozy
Sun Nov 12 18:23:25 2006: DEBUG: Packet dump:

[...]
*** Received from 10.1.14.8 port 1057 ....
Code:       Access-Request
Identifier: 201
Authentic:  [...]
Attributes:
	User-Name = "skendric"
	User-Password = "[...]"
	NAS-Port = 6820
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Called-Station-Id = "10.1.12.28"
	Calling-Station-Id = "24.42.39.142"
	Tunnel-Client-Endpoint = 24.42.39.141
	NAS-IP-Address = 10.1.14.8
	NAS-Port-Type = Virtual

Sun Nov 12 18:12:32 2006: DEBUG: Handling request with Handler 'Client-Identifier=vpn-servers'
Sun Nov 12 18:12:32 2006: DEBUG:  Deleting session for skendric, 10.1.4.8, 6820
Sun Nov 12 18:12:32 2006: DEBUG: Handling with Radius::AuthLSA:
Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA looks for match with skendric [skendric]
Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric [skendric]
Sun Nov 12 18:12:32 2006: DEBUG: FramedGroup 0 address is being assigned
Sun Nov 12 18:12:32 2006: DEBUG: AuthBy LSA result: ACCEPT,
Sun Nov 12 18:12:32 2006: DEBUG: Access accepted for skendric
Sun Nov 12 18:12:34 2006: WARNING: Empty string attribute Framed-IP-Address will be ignored
Sun Nov 12 18:12:34 2006: DEBUG: Packet dump:
*** Sending to 140.107.14.8 port 1057 ....
Code:       Access-Accept
Identifier: 201
Authentic:  [...]
Attributes:
	Framed-IP-Address = 10.1.40.440
	Altiga-Simultaneous-Logins-G/U = 1



Notes:
-i thought about doing this from the NAS side ... but it will only 
restrict users to a given pool if it does the authenticating ... and 
since i want Radiator to do the authenticating ... i figure i want 
Radiator to hand out the IP addresses, also

-Radiator 3.15, perl-5.6.1, Windows 2003, Cisco VPN Concentrator 3030
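
An added example, not part of the original post and not Radiator's own code: it assumes the address is derived by adding the request's NAS-Port to the base address with no per-octet range check, at 255 ports per class C block. Under those assumptions the NAS-Port and base address from the post reproduce the 10.1.40.440 seen in the trace, and the check flags it as unencodable; all function names are hypothetical.

```python
import ipaddress

# Assumption (not from the post): NAS ports mapped onto each class C block
# before the derivation moves on to the next third octet.
PORTS_PER_CLASS_C = 255


def derive_framed_ip(base: str, nas_port: int,
                     ports_per_c: int = PORTS_PER_CLASS_C) -> str:
    """Assumed derivation: add NAS-Port to the base address, octets unchecked."""
    a, b, c, d = (int(part) for part in base.split("."))
    blocks, offset = divmod(nas_port, ports_per_c)
    return f"{a}.{b}.{c + blocks}.{d + offset}"


def is_valid_ipv4(addr: str) -> bool:
    """True only if every octet is in 0..255."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ipaddress.AddressValueError:
        return False


def check_assignment(base: str, nas_port: int) -> dict:
    """Derive the address and report whether it can be encoded as IPv4."""
    addr = derive_framed_ip(base, nas_port)
    last_octet = int(base.rsplit(".", 1)[1])
    return {
        "address": addr,
        "valid": is_valid_ipv4(addr),
        # Largest NAS-Port (within the first block) whose last octet stays <= 255.
        "max_safe_port": 255 - last_octet,
    }


if __name__ == "__main__":
    # Values taken from the post: base address from radius.cfg, NAS-Port from the trace.
    print(check_assignment("10.1.14.250", 6820))
    # Constructed value: a low port number stays inside the octet range.
    print(check_assignment("10.1.14.250", 3))
```

Under the same assumptions, a base address ending in .250 leaves room for only NAS-Port values 0 through 5 before the last octet exceeds 255.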
