(RADIATOR) FramedGroup/FramedGroupBaseAddress

Hugh Irvine hugh at open.com.au
Sun Nov 12 22:44:26 CST 2006


Hello Stuart -

The problem here is the value of the NAS-Port attribute contained in  
the access request:


	NAS-Port = 6820


as this is what is used to calculate the Framed-IP-Address (the NAS-Port value is added to the FramedGroupBaseAddress). As you can imagine this will not work and results in absurd Framed-IP-Addresses, as you have seen.

The best way to do what you require is to define multiple named IP  
address pools on the Cisco and then have Radiator indicate which one  
to use with a "Framed-Pool = ...." reply item for each user.

hope that helps

regards

Hugh




On 13 Nov 2006, at 13:41, Stuart Kendrick wrote:

> hi hugh,
>
> ok, i want to specify a pool of addresses which a NAS will assign  
> to users belonging to a certain group.  i'm using the FramedGroup /  
> FramedGroupBaseAddress feature.  when i try doing this, i can log  
> in fine ... but i don't receive an address i'm expecting.  and in  
> the logfile, i see
>
> "WARNING: Empty string attribute Framed-IP-Address will be ignored"
>
> along with an IP address which i find hard to believe ... check out  
> that last octet
> 	Framed-IP-Address = 10.1.40.440
>
> have any tips for me?  any thoughts on where that "10.1.40.440"  
> address comes from?  and what the "Empty string attribute ..."  
> message means?
>
> --sk
>
>
> here are snippets from my radius.cfg:
>
> [...]
> # VPN Servers
> <Client foozle.company.com>
> 	Secret secret
> 	Identifier vpn-servers
> 	# This is the base address for FramedGroup 0
> 	FramedGroupBaseAddress 10.1.14.250
> </Client>
> [...]
> ##### VPN Servers #####
> <Handler Client-Identifier=vpn-servers>
> 	AuthByPolicy	ContinueUntilAccept
> 	RejectHasReason
>
> 	# Handle Software Consulting Services (SCS) access,
> 	# limit them to one session at a time. specify the
> 	# addresses they receive
> 	<AuthBy LSA>
> 		Domain COMPANY
> 		Group SCS
> 		FramedGroup 0
> 		AddToReply Altiga-Simultaneous-Logins-G/U = 1
> 	</AuthBy>
> 	
> 	# Handle Software VPN users
> 	<AuthBy LSA>
> 		Domain COMPANY
> 		Group SWVPNUSERS
> 	</AuthBy>	
>
> 	# Log it
> 	AuthLog			vpn-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
> [...]
>
>
> however, when i log in, i don't get an address anywhere near  
> 10.1.14.250 ... instead, i receive 10.1.14.41.  and the next time i  
> log in, 10.1.14.42 ... these addresses are ones i might receive if  
> i remove the FramedGroup 0 line ... they land inside a pool which  
> the NAS owns
>
> with tracelevel set to 4, here's what i see:
>
> [...]
> Sun Nov 12 18:23:24 2006: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Sun Nov 12 18:23:24 2006: DEBUG: Reading dictionary file 'C:/Program Files/Radiator/dictionary'
> Sun Nov 12 18:23:25 2006: DEBUG: Creating authentication port 0.0.0.0:1645
> Sun Nov 12 18:23:25 2006: DEBUG: Creating accounting port 0.0.0.0:1646
> Sun Nov 12 18:23:25 2006: NOTICE: Server started: Radiator 3.15 on Doozy
> Sun Nov 12 18:23:25 2006: DEBUG: Packet dump:
>
> [...]
> *** Received from 10.1.14.8 port 1057 ....
> Code:       Access-Request
> Identifier: 201
> Authentic:  [...]
> Attributes:
> 	User-Name = "skendric"
> 	User-Password = "[...]"
> 	NAS-Port = 6820
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	Called-Station-Id = "10.1.12.28"
> 	Calling-Station-Id = "24.42.39.142"
> 	Tunnel-Client-Endpoint = 24.42.39.141
> 	NAS-IP-Address = 10.1.14.8
> 	NAS-Port-Type = Virtual
>
> Sun Nov 12 18:12:32 2006: DEBUG: Handling request with Handler 'Client-Identifier=vpn-servers'
> Sun Nov 12 18:12:32 2006: DEBUG:  Deleting session for skendric, 10.1.4.8, 6820
> Sun Nov 12 18:12:32 2006: DEBUG: Handling with Radius::AuthLSA:
> Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA looks for match with skendric [skendric]
> Sun Nov 12 18:12:32 2006: DEBUG: Radius::AuthLSA ACCEPT: : skendric [skendric]
> Sun Nov 12 18:12:32 2006: DEBUG: FramedGroup 0 address is being assigned
> Sun Nov 12 18:12:32 2006: DEBUG: AuthBy LSA result: ACCEPT,
> Sun Nov 12 18:12:32 2006: DEBUG: Access accepted for skendric
> Sun Nov 12 18:12:34 2006: WARNING: Empty string attribute Framed-IP-Address will be ignored
> Sun Nov 12 18:12:34 2006: DEBUG: Packet dump:
> *** Sending to 140.107.14.8 port 1057 ....
> Code:       Access-Accept
> Identifier: 201
> Authentic:  [...]
> Attributes:
> 	Framed-IP-Address = 10.1.40.440
> 	Altiga-Simultaneous-Logins-G/U = 1
>
>
>
> Notes:
> -i thought about doing this from the NAS side ... but it will only  
> restrict users to a given pool if it does the authenticating ...  
> and since i want Radiator to do the authenticating ... i figure i  
> want Radiator to hand out the IP addresses, also
>
> -Radiator 3.15, perl-5.6.1, Windows 2003, Cisco VPN Concentrator 3030
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
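As an added example (not Radiator's code and not from the thread), here is the arithmetic Hugh describes, done as a 32-bit integer addition of NAS-Port to FramedGroupBaseAddress, together with a check over trace 4 output that flags a NAS-Port too large for the pool and a reply Framed-IP-Address that is malformed (like 10.1.40.440 above) or outside the pool. Radiator's own carry arithmetic is not shown on the page, so the "expected" address here is what a correct carry produces; the trace snippet, the assumed pool size of 5 addresses and the regexes are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of a trace 4 packet dump; the attribute values are the
# ones quoted in the post, the surrounding lines are trimmed for the example.
SAMPLE_TRACE = """\
*** Received from 10.1.14.8 port 1057 ....
	User-Name = "skendric"
	NAS-Port = 6820
*** Sending to 10.1.14.8 port 1057 ....
	Framed-IP-Address = 10.1.40.440
"""


def framed_group_address(base: str, nas_port: int) -> str:
    """Base address plus NAS-Port as one 32-bit integer, so the carry
    propagates across octets. This is the arithmetic the page describes,
    not a copy of Radiator's implementation."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(base)) + nas_port))


def in_pool(addr: str, base: str, size: int) -> bool:
    """True when addr lies in the `size` addresses starting at base."""
    offset = int(ipaddress.IPv4Address(addr)) - int(ipaddress.IPv4Address(base))
    return 0 <= offset < size


def check_trace(text: str, base: str, pool_size: int) -> list[str]:
    """Report NAS-Port values that would push the derived address past the
    pool, and reply Framed-IP-Address values that are not valid IPv4 or are
    outside the pool. Returns one finding string per problem."""
    findings = []
    for m in re.finditer(r"NAS-Port = (\d+)", text):
        port = int(m.group(1))
        if port >= pool_size:
            findings.append(f"NAS-Port {port} exceeds pool of {pool_size} "
                            f"(would yield {framed_group_address(base, port)})")
    for m in re.finditer(r"Framed-IP-Address = (\S+)", text):
        value = m.group(1)
        try:
            ipaddress.IPv4Address(value)  # rejects octets above 255
        except ipaddress.AddressValueError:
            findings.append(f"malformed Framed-IP-Address {value}")
            continue
        if not in_pool(value, base, pool_size):
            findings.append(f"Framed-IP-Address {value} outside pool")
    return findings


if __name__ == "__main__":
    for finding in check_trace(SAMPLE_TRACE, "10.1.14.250", 5):
        print(finding)
```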



