3757 Views, 0 Helpful, 2 Replies

cisco-avpair in radius request

martin.hagmann (Level 1)

Hello

I have a Cisco IOS router and a FreeRADIUS server. The RADIUS server authenticates my admin login to this device. Now I have configured IPSec VPN on the same router and have also enabled RADIUS authentication for the VPN users.

I want to avoid that the VPN connection can also be authenticated with the admin user of the router itself. Is it possible that the router sends the VPN group name (configured with "crypto isakmp client configuration group [GROUPNAME]") in a cisco-avpair attribute to the RADIUS server (RADIUS request from NAS to RADIUS server), and how can I check this attribute on the FreeRADIUS server?

Many thanks for your support.

Martin

2 Replies

Calvin Ryver (Level 1)

You may want to turn on the following debugs to see what you are sending:

debug radius
debug aaa authen
debug aaa author
debug aaa account

Once you see what you are sending, you can google the answer for FreeRADIUS. The server should have a log that shows whether it is failing you and the reason.

Calvin

Thanks for your response. I turned on the debugging, but the VPN group name was not sent to the FreeRADIUS server. However, the debugging shows me the value VPN_IPSEC ("Orig. component type") if I connect with IPSec VPN. If I log in to the router for administration, the "Orig. component type" shows me EXEC.

--- VPN ---

004984: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014):Orig. component type = VPN_IPSEC
004985: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): Unsupported AAA attribute chap-authen-user
004986: Sep 13 18:50:48.951: RADIUS:  AAA Unsupported Attr: interface         [175] 11
004987: Sep 13 18:50:48.951: RADIUS:   38 35 2E 33 2E 32 32 2E 31                       [85.3.22.1]
004988: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
004989: Sep 13 18:50:48.951: RADIUS(00000014): Config NAS IP: 192.168.66.2
004990: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): acct_session_id: 20
004991: Sep 13 18:50:48.951: RADIUS(00000014): sending
004992: Sep 13 18:50:48.951: RADIUS(00000014): Send Access-Request to 192.168.13.34:1812 id 1645/13, len 99
004993: Sep 13 18:50:48.951: RADIUS:  authenticator A9 01 F7 6F 16 FD 73 93 - BE 1C 10 61 81 1B 49 A6
004994: Sep 13 18:50:48.951: RADIUS:  User-Name           [1]   14  "MyUser"
004995: Sep 13 18:50:48.951: RADIUS:  User-Password       [2]   18  *
004996: Sep 13 18:50:48.951: RADIUS:  Calling-Station-Id  [31]  16  "178.197.232.79"
004997: Sep 13 18:50:48.951: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
004998: Sep 13 18:50:48.951: RADIUS:  NAS-Port            [5]   6   0
004999: Sep 13 18:50:48.951: RADIUS:  NAS-Port-Id         [87]  13  "85.3.22.100"
005000: Sep 13 18:50:48.951: RADIUS:  NAS-IP-Address      [4]   6   192.168.66.2
005001: Sep 13 18:50:48.995: RADIUS: Received from id 1645/13 192.168.13.34:1812, Access-Accept, len 20
005002: Sep 13 18:50:48.995: RADIUS:  authenticator 1C 36 DE 50 92 54 CD B6 - 79 4C 28 A4 A9 23 4D 17
005003: Sep 13 18:50:48.995: RADIUS(00000014): Received from id 1645/13

--- admin login ---

005077: Sep 13 18:56:20.712: RADIUS/ENCODE(00000017):Orig. component type = EXEC

Q: It's not really a RADIUS attribute, but is it possible to send the string of the "Orig. component type" in a cisco-avpair attribute to the RADIUS server?

My alternative solution is:

- The RADIUS attribute NAS-Port-Id (87) shows the IP address of the interface the VPN terminates on. When I log in for administration, the attribute NAS-Port-Id shows "tty". With this difference I can also verify whether the login is for administration or not (FreeRADIUS operator =~ / NAS-Port-Id =~ ).

--- VPN ---

004999: Sep 13 18:50:48.951: RADIUS:  NAS-Port-Id         [87]  13  "85.3.22.100"

--- admin login ---

005091: Sep 13 18:56:20.716: RADIUS:  NAS-Port-Id         [87]  8   "tty196"

Thanks for further responses.

Martin
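The NAS-Port-Id check that Martin describes in his last post, written out as a FreeRADIUS 3.x unlang policy. This is an added example and not configuration from the thread or from the FreeRADIUS project; it assumes that administrative accounts follow a naming convention "adm-*" (an assumption made here so that the two populations can be told apart; any other attribute that identifies admins, such as an LDAP group, would do) and that the router is the only RADIUS client talking to this server. The only facts taken from the debug output above are the two NAS-Port-Id shapes: "ttyNNN" for an EXEC login and the VPN endpoint address for an IPsec client.

```text
# /etc/raddb/sites-enabled/default  (FreeRADIUS 3.x, "authorize" section)
# Added example, not the thread's or FreeRADIUS's own configuration.
# Place this block before the modules that look up the password (files, ldap, sql, ...).
authorize {
    preprocess

    # The IOS router sends NAS-Port-Id = "ttyNNN" for an EXEC (administration)
    # login and the VPN endpoint address (e.g. "85.3.22.100") for an IPsec
    # client, as seen in the "debug radius" output above.
    # Assumption for this example: administrator accounts are named "adm-*".
    if (&NAS-Port-Id =~ /^tty/) {
        # EXEC login to the router: only administrator accounts may proceed.
        if (&User-Name !~ /^adm-/) {
            update reply {
                &Reply-Message := "VPN accounts may not log in to the router"
            }
            reject
        }
    }
    else {
        # Anything that is not a tty (here: the IPsec VPN, and also a request
        # with no NAS-Port-Id at all): administrator accounts are refused, so
        # a missing attribute fails closed for the admin population.
        if (&User-Name =~ /^adm-/) {
            update reply {
                &Reply-Message := "Administrative accounts may not be used for VPN"
            }
            reject
        }
    }

    # Normal password lookup continues here for everyone who was not rejected.
    files
    pap
}
```

Two caveats worth keeping in mind. NAS-Port-Id is whatever the NAS chooses to send, so this check is only as trustworthy as the RADIUS client that sends it; limit the clients.conf entry to the router's address and keep a strong shared secret so nothing else can forge the attribute. Second, the debug line "dropping service type, 'radius-server attribute 6 on-for-login-auth' is off" shows that the router is currently omitting Service-Type from the Access-Request; if that command is enabled, Service-Type becomes a second attribute the policy can inspect, and the "debug radius" output will show which value each login type carries.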