09-01-2011 11:21 PM - edited 03-10-2019 06:21 PM
Hello
I have a Cisco IOS router and a FreeRADIUS server. The RADIUS server authenticates my admin login to this device. Now I have configured IPsec VPN on the same router and have also enabled RADIUS authentication for the VPN users.
I want to avoid being able to authenticate the VPN connection with the router's own admin user as well. Is it possible for the router to send the VPN group name (configured with "crypto isakmp client configuration group [GROUPNAME]") in a cisco-avpair attribute to the RADIUS server (RADIUS request from NAS to RADIUS server), and how can I check this attribute on the FreeRADIUS server?
Many thanks for your support.
Martin
09-10-2011 07:10 AM
You may want to turn on the following debugs to see what you are sending:
debug radius
debug aaa authen
debug aaa author
debug aaa account
Once you see what you are sending, you can google the answer for FreeRADIUS. The server should have a log to show if it is failing you and the reason.
09-13-2011 11:59 PM
Calvin
Thanks for your response. I turned on the debugging, but the VPN group name was not sent to FreeRADIUS. However, the debugging shows me the value VPN_IPSEC (Orig. component type) if I connect with IPsec VPN. If I log in to the router for administration, the "Orig. component type" shows me EXEC:
--- VPN ---
004984: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014):Orig. component type = VPN_IPSEC
004985: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): Unsupported AAA attribute chap-authen-user
004986: Sep 13 18:50:48.951: RADIUS: AAA Unsupported Attr: interface [175] 11
004987: Sep 13 18:50:48.951: RADIUS: 38 35 2E 33 2E 32 32 2E 31 [85.3.22.1]
004988: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
004989: Sep 13 18:50:48.951: RADIUS(00000014): Config NAS IP: 192.168.66.2
004990: Sep 13 18:50:48.951: RADIUS/ENCODE(00000014): acct_session_id: 20
004991: Sep 13 18:50:48.951: RADIUS(00000014): sending
004992: Sep 13 18:50:48.951: RADIUS(00000014): Send Access-Request to 192.168.13.34:1812 id 1645/13, len 99
004993: Sep 13 18:50:48.951: RADIUS: authenticator A9 01 F7 6F 16 FD 73 93 - BE 1C 10 61 81 1B 49 A6
004994: Sep 13 18:50:48.951: RADIUS: User-Name [1] 14 "MyUser"
004995: Sep 13 18:50:48.951: RADIUS: User-Password [2] 18 *
004996: Sep 13 18:50:48.951: RADIUS: Calling-Station-Id [31] 16 "178.197.232.79"
004997: Sep 13 18:50:48.951: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
004998: Sep 13 18:50:48.951: RADIUS: NAS-Port [5] 6
hm01rt60#0
004999: Sep 13 18:50:48.951: RADIUS: NAS-Port-Id [87] 13 "85.3.22.100"
005000: Sep 13 18:50:48.951: RADIUS: NAS-IP-Address [4] 6 192.168.66.2
005001: Sep 13 18:50:48.995: RADIUS: Received from id 1645/13 192.168.13.34:1812, Access-Accept, len 20
005002: Sep 13 18:50:48.995: RADIUS: authenticator 1C 36 DE 50 92 54 CD B6 - 79 4C 28 A4 A9 23 4D 17
005003: Sep 13 18:50:48.995: RADIUS(00000014): Received from id 1645/13
--- admin login ---
005077: Sep 13 18:56:20.712: RADIUS/ENCODE(00000017):Orig. component type = EXEC
Q: It's not really a RADIUS attribute, but is it possible to send the string of the "Orig. component type" in a cisco-avpair attribute to the RADIUS server?
My alternative solution is:
- The RADIUS attribute NAS-Port-Id (87) shows the IP address of the interface the VPN terminates on. When I log in for administration, the attribute NAS-Port-Id shows "tty":
--- VPN ---
004999: Sep 13 18:50:48.951: RADIUS: NAS-Port-Id [87] 13 "85.3.22.100"
--- admin login ---
005091: Sep 13 18:56:20.716: RADIUS: NAS-Port-Id [87] 8 "tty196"
Thanks for further responses.
Martin
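Added example, not part of this thread and not Cisco or FreeRADIUS code: a small Python script that parses the attribute lines from the IOS "debug radius" output posted above and applies the separation Martin is after, keying on NAS-Port-Id exactly as his alternative solution proposes (a "tty" value means a management login, an interface IP address with NAS-Port-Type Virtual means an IPsec client), then accepting a user only for the request type that user is allowed. The VPN attribute lines are the ones from the post; the admin-login sample reuses the posted "tty196" line plus a constructed User-Name line, and the admin username "MyAdmin" is an assumption. The same two attributes are what a FreeRADIUS policy would test. One caveat visible in the debug itself: the router drops Service-Type because "radius-server attribute 6 on-for-login-auth" is off, so a standard attribute that could also distinguish the two request types is currently absent from the Access-Request.

```python
import ipaddress
import re
from typing import Dict, Set

# Matches IOS "debug radius" attribute lines of the form
#   RADIUS: <Name> [<type>] <length> <value>
# Lines without the "[<type>]" token (authenticator, hex dumps) are skipped.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][\w-]*)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$"
)

# Attribute lines taken from the VPN Access-Request posted in the thread.
VPN_DEBUG = """\
004994: Sep 13 18:50:48.951: RADIUS: User-Name [1] 14 "MyUser"
004996: Sep 13 18:50:48.951: RADIUS: Calling-Station-Id [31] 16 "178.197.232.79"
004997: Sep 13 18:50:48.951: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
004999: Sep 13 18:50:48.951: RADIUS: NAS-Port-Id [87] 13 "85.3.22.100"
005000: Sep 13 18:50:48.951: RADIUS: NAS-IP-Address [4] 6 192.168.66.2
"""

# Admin-login sample: the NAS-Port-Id line is from the thread; the User-Name
# line is constructed for this example (the thread does not show it).
ADMIN_DEBUG = """\
005090: Sep 13 18:56:20.716: RADIUS: User-Name [1] 9 "MyAdmin"
005091: Sep 13 18:56:20.716: RADIUS: NAS-Port-Id [87] 8 "tty196"
"""

# Constructed user lists; in FreeRADIUS these would be groups or huntgroups.
ADMIN_USERS: Set[str] = {"MyAdmin"}
VPN_USERS: Set[str] = {"MyUser"}


def parse_debug_radius(text: str) -> Dict[str, str]:
    """Collect the RADIUS attributes of one Access-Request from debug output."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        value = m.group("value").strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]                      # string attribute
        else:
            value = re.sub(r"\s*\[\d+\]$", "", value)  # enum like 'Virtual [5]'
        attrs[m.group("name")] = value
    return attrs


def request_origin(attrs: Dict[str, str]) -> str:
    """Classify a request as 'exec' (management login), 'vpn', or 'unknown'.

    Rule from the thread: IOS puts "ttyNNN" in NAS-Port-Id for EXEC logins and
    the terminating interface address for IPsec clients.
    """
    port_id = attrs.get("NAS-Port-Id", "")
    if port_id.startswith("tty"):
        return "exec"
    try:
        ipaddress.ip_address(port_id)
    except ValueError:
        return "unknown"
    if attrs.get("NAS-Port-Type") == "Virtual":
        return "vpn"
    return "unknown"


def decide(attrs: Dict[str, str],
           admin_users: Set[str] = ADMIN_USERS,
           vpn_users: Set[str] = VPN_USERS) -> str:
    """Accept a user only for the request type that user is entitled to.

    An admin account presented over the VPN, or a VPN account presented at the
    EXEC prompt, is rejected; anything unclassifiable is rejected as well.
    """
    user = attrs.get("User-Name", "")
    origin = request_origin(attrs)
    if origin == "exec" and user in admin_users:
        return "accept"
    if origin == "vpn" and user in vpn_users:
        return "accept"
    return "reject"


if __name__ == "__main__":
    for label, sample in (("VPN", VPN_DEBUG), ("admin login", ADMIN_DEBUG)):
        parsed = parse_debug_radius(sample)
        print(f"{label}: origin={request_origin(parsed)} decision={decide(parsed)}")
    # Admin credentials presented over the VPN: same user, VPN attributes.
    crossed = dict(parse_debug_radius(VPN_DEBUG), **{"User-Name": "MyAdmin"})
    print(f"admin over VPN: decision={decide(crossed)}")
```

Running the script classifies the posted VPN request as "vpn" and accepts MyUser, classifies the "tty196" request as "exec" and accepts MyAdmin, and rejects MyAdmin when the same VPN attributes carry that name. Matching on a string prefix like "tty" is a heuristic tied to how this IOS build fills NAS-Port-Id; a field the NAS sets explicitly for the purpose, such as Service-Type once attribute 6 is enabled, is the more robust thing to build a policy on.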