L2TP and fixed Framed IP Address for VPN user

aspectmeyer
Level 1

Hi,

I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with MySQL). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP pool.

The radius server is returning the correct parameters, I think.

I hope someone can help me.

It's a Cisco 892 Integrated Service Router.

Router Config:
=============================================================
Current configuration : 8239 bytes
!
! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname vpngw2
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 secret
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login userauthen local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
 action-type start-stop
 group radius
!
aaa accounting network default
 action-type start-stop
 group radius
!
aaa accounting resource default
 action-type start-stop
 group radius
!
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip domain name aspect-online.de
ip name-server 10.28.1.31
ip inspect WAAS flush-timeout 10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
virtual-profile if-needed
!
!
!
!
multilink bundle-name authenticated
async-bootp dns-server 10.28.1.31
async-bootp nbns-server 10.28.1.31
vpdn enable
vpdn authen-before-forward
vpdn authorize directed-request
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
!
!
!
license udi pid -K9 sn FCZ
!
!
username root password 7 secret
!
!
!
!
!
ip ssh source-interface FastEthernet8
ip ssh version 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key mykey address 0.0.0.0         no-xauth
!
!
crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map config-map-l2tp 10
 set nat demux
 set transform-set configl2tp
!
!
crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
<snip>
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 ip address 10.28.1.97 255.255.255.0
 ip access-group vpn_to_lan out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0
 ip access-group vpn_to_inet_lan in
 ip nat inside
 ip virtual-reassembly in
 peer default ip address pool l2tpvpnpool
 ppp encrypt mppe 128
 ppp authentication chap
!
interface GigabitEthernet0
 description WAN Port
 ip address x.x.x.39 255.255.255.0
 ip access-group from_inet in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpnl2tp
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
ip local pool remotepool 192.168.252.240 192.168.252.243
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat log translations syslog
ip nat inside source route-map natmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.33
!
ip access-list extended from_inet
 <snip>
ip access-list extended nat_clients
 permit ip 192.168.252.0 0.0.0.255 any
ip access-list extended vpn_to_inet_lan
 <snip>
ip access-list extended vpn_to_lan
 <snip>
 deny   ip any any log-input
!
logging trap debugging
logging facility local2
logging 10.28.1.42
no cdp run
!
!
!
!
route-map natmap permit 10
 match ip address nat_clients
!
!
radius-server attribute 8 include-in-access-req
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
radius-server key 7 mykey
radius-server vsa send accounting
radius-server vsa send authentication
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^C
Hostname: vpngw2
Model: Cisco 892 Integrated Service Router
Description: L2TP/IPsec VPN Gateway with Radius Auth
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
=============================================================

User Config in RADIUS (trying multiple attributes):
=============================================================
Attribute          | op | Value
Service-Type       | =  | Framed-User
Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
Framed-IP-Address  | := | 192.168.252.221
Cisco-AVPair       | =  | ip:addr-pool=remotepool
=============================================================

Debug Log from freeradius2:
=============================================================
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
        Framed-Protocol = PPP
        User-Name = "me1"
        CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "me1" with CHAP password
[chap] Using clear text password "test" for user me1 authentication.
[chap] chap user me1 authenticated succesfully
++[chap] returns ok
Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-IP-Address := 192.168.252.221
        Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
        Service-Type = Framed-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
        Acct-Session-Id = "00000011"
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "x.x.x.39"
        Tunnel-Client-Endpoint:0 = "x.x.x.34"
        Tunnel-Assignment-Id:0 = "L2TP"
        Tunnel-Client-Auth-Id:0 = "me1"
        Tunnel-Server-Auth-Id:0 = "vpngw2"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.252.9
        User-Name = "me1"
        Cisco-AVPair = "connect-progress=LAN Ses Up"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
        Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail]        expand: %t -> Fri Mar 30 11:20:07 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
Finished request 1.
Cleaning up request 1 ID 19 with timestamp +53
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
        Acct-Session-Id = "00000011"
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Server-Endpoint:0 = "x.x.x.39"
        Tunnel-Client-Endpoint:0 = "x.x.x.34"
        Tunnel-Assignment-Id:0 = "L2TP"
        Tunnel-Client-Auth-Id:0 = "me1"
        Tunnel-Server-Auth-Id:0 = "vpngw2"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.252.9
        Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
        User-Name = "me1"
        Acct-Authentic = RADIUS
        Cisco-AVPair = "connect-progress=LAN Ses Up"
        Cisco-AVPair = "nas-tx-speed=100000000"
        Cisco-AVPair = "nas-rx-speed=100000000"
        Acct-Session-Time = 5
        Acct-Input-Octets = 5980
        Acct-Output-Octets = 120
        Acct-Input-Packets = 47
        Acct-Output-Packets = 11
        Acct-Terminate-Cause = User-Request
        Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
        Acct-Status-Type = Stop
        Connect-Info = "100000000"
        NAS-Port-Type = Sync
        NAS-Port = 10007
        NAS-Port-Id = "Uniq-Sess-ID7"
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
        Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail]        expand: %t -> Fri Mar 30 11:20:12 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql]   expand: %{Acct-Input-Gigawords} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Input-Octets} -> 5980
[sql]   expand: %{Acct-Output-Gigawords} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Output-Octets} -> 120
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
Finished request 2.
Cleaning up request 2 ID 20 with timestamp +58
Going to the next request
Waking up in 0.1 seconds.
Cleaning up request 0 ID 7 with timestamp +53
Ready to process requests.
=============================================================

Log From Cisco Router:
=============================================================
Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
=============================================================
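The two logs above show the symptom in one place if they are read together: the Access-Accept carries Framed-IP-Address 192.168.252.221, but the Accounting-Start the router sends a few milliseconds later reports Framed-IP-Address 192.168.252.9, an address from the l2tpvpnpool. The script below is an added example (not part of the original post) that automates that comparison over freeradius2 `-X` debug output: it pairs each Access-Accept with its Access-Request by (NAS address, packet id), remembers the address RADIUS offered per (NAS-IP-Address, NAS-Port, User-Name), and flags any Accounting-Start for the same session whose Framed-IP-Address differs. The embedded log is constructed from the thread's own debug lines and trimmed to the attributes the correlation needs; the line formats assumed are the `rad_recv:` / `Sending ...` markers and the indented `Attribute = value` lines of freeradius2.

```python
"""Flag PPP sessions where the NAS ignored the Framed-IP-Address RADIUS returned.

Added example; assumes freeradius2 "-X" debug output as shown in the thread.
"""
import re
from dataclasses import dataclass

# Constructed excerpt, modelled on the thread's freeradius2 debug log.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
        User-Name = "me1"
        NAS-Port = 10007
        NAS-IP-Address = 10.28.1.97
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
        Framed-Protocol = PPP
        Framed-IP-Address := 192.168.252.221
        Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
Finished request 0.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
        Acct-Session-Id = "00000011"
        Framed-IP-Address = 192.168.252.9
        User-Name = "me1"
        Acct-Status-Type = Start
        NAS-Port = 10007
        NAS-IP-Address = 10.28.1.97
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port")
# "Tunnel-Type:0 = L2TP" carries a tag suffix; ":=" and "+=" are freeradius operators.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*(?::=|\+=|=)\s*(.*?)\s*$')


@dataclass
class Packet:
    kind: str    # e.g. "Access-Request", "Access-Accept", "Accounting-Request"
    host: str    # NAS address the packet came from / was sent to
    pid: str     # RADIUS packet identifier (the "id=" field)
    attrs: dict  # attribute name -> value, quotes stripped


@dataclass
class Mismatch:
    user: str
    nas: str
    port: str
    offered: str   # Framed-IP-Address in the Access-Accept
    assigned: str  # Framed-IP-Address the NAS reported in Accounting-Start


def parse_packets(text):
    """Split the debug text into packets with their attribute lists."""
    packets, cur = [], None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = Packet(m.group(1), m.group(2), m.group(3), {})
            packets.append(cur)
            continue
        m = SEND_RE.match(line)
        if m:
            cur = Packet(m.group(1), m.group(3), m.group(2), {})
            packets.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            cur.attrs[m.group(1)] = m.group(2).strip('"')
        elif not line.startswith(" "):
            cur = None  # any other unindented line ends the attribute list
    return packets


def find_ignored_addresses(text):
    """Return one Mismatch per session whose assigned address != the offered one."""
    pending, offered, findings = {}, {}, []
    for p in parse_packets(text):
        if p.kind == "Access-Request":
            pending[(p.host, p.pid)] = p.attrs
        elif p.kind == "Access-Accept":
            req = pending.pop((p.host, p.pid), None)
            addr = p.attrs.get("Framed-IP-Address")
            if req is not None and addr:
                key = (req.get("NAS-IP-Address", p.host), req.get("NAS-Port"), req.get("User-Name"))
                offered[key] = addr
        elif p.kind == "Accounting-Request" and p.attrs.get("Acct-Status-Type") == "Start":
            key = (p.attrs.get("NAS-IP-Address", p.host), p.attrs.get("NAS-Port"), p.attrs.get("User-Name"))
            want, got = offered.pop(key, None), p.attrs.get("Framed-IP-Address")
            if want and got and want != got:
                findings.append(Mismatch(key[2], key[0], key[1], want, got))
    return findings


if __name__ == "__main__":
    for f in find_ignored_addresses(SAMPLE_LOG):
        print(f"{f.user} on {f.nas} port {f.port}: RADIUS offered {f.offered}, NAS assigned {f.assigned}")
```

Sessions whose Access-Accept carries no Framed-IP-Address are skipped on purpose: for those the NAS is expected to pick from its pool, so an arbitrary pool address in the Accounting-Start is not a finding. Run against the full debug log of the thread, the script reports exactly one mismatch, me1 offered .221 but assigned .9, which is the question the poster is asking.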

2 Replies

aspectmeyer
Level 1

Does nobody know why the Cisco router is not using the correct IP (returned by the RADIUS server)?

aspectmeyer
Level 1

I found the mistake.

In the Cisco config it must be

aaa authorization network default group radius local

not

aaa authorization network groupauthor local
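The fix above works because IOS only applies per-user attributes from an Access-Accept (Framed-IP-Address, ip:addr-pool and the like) to a PPP session when network authorization for that session is sent to the RADIUS group. In the posted config the only network list was the named `groupauthor`, it contained `local` alone, and nothing (no `ppp authorization groupauthor` on Virtual-Template1) ever referenced it, so the template fell through to a non-existent `default` list and the router used its local pool. The lint below is an added example, not part of the thread, that checks a running-config for exactly that condition. The two config fragments are constructed from the thread's config, trimmed to the relevant lines; the `ppp authorization <list>` interface command it looks for is the standard IOS way to bind a named list to a virtual template.

```python
"""Lint an IOS config: will RADIUS-returned PPP attributes actually be applied?

Added example. BROKEN_CFG/FIXED_CFG are trimmed, constructed versions of the
thread's router config before and after the poster's fix.
"""
import re

BROKEN_CFG = """\
aaa new-model
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0
 peer default ip address pool l2tpvpnpool
 ppp encrypt mppe 128
 ppp authentication chap
!
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
"""

FIXED_CFG = BROKEN_CFG.replace(
    "aaa authorization network groupauthor local",
    "aaa authorization network default group radius local")

AUTHZ_RE = re.compile(r"^aaa authorization network (\S+) (.+)$")


def _methods(spec):
    """Split 'group radius local' into ['group radius', 'local']."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_config(text):
    """Return ({authz list name: methods}, {interface name: [sub-commands]})."""
    authz, interfaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = AUTHZ_RE.match(line)
        if m:
            authz[m.group(1)] = _methods(m.group(2))
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            interfaces[cur].append(line.strip())   # indented = sub-mode command
        else:
            cur = None
    return authz, interfaces


def check_ppp_authorization(text):
    """Return findings; an empty list means RADIUS per-user attributes will be honoured."""
    authz, interfaces = parse_config(text)
    findings, referenced = [], {"default"}
    for name, cmds in interfaces.items():
        if not name.startswith("Virtual-Template"):
            continue
        if not any(c.startswith("peer default ip address") for c in cmds):
            continue
        # A template uses the list named by 'ppp authorization <list>', else 'default'.
        list_name = "default"
        for c in cmds:
            if c.startswith("ppp authorization "):
                list_name = c.split()[2]
                referenced.add(list_name)
        methods = authz.get(list_name)
        if methods is None:
            findings.append(f"{name}: no 'aaa authorization network {list_name}' list; "
                            "RADIUS-returned Framed-IP-Address will be ignored")
        elif not any(m.startswith("group ") for m in methods):
            findings.append(f"{name}: list '{list_name}' uses only {methods}; "
                            "add 'group radius' so per-user attributes are applied")
    # A defined but unreferenced list is the tell-tale of the thread's config.
    for name in authz:
        if name not in referenced:
            findings.append(f"authorization list '{name}' is defined but never applied "
                            f"with 'ppp authorization {name}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CFG), ("after fix", FIXED_CFG)):
        print(label, "->", check_ppp_authorization(cfg) or "OK")
```

Keeping `local` after `group radius` in the default list, as the poster did, is deliberate: it lets the router fall back to locally configured users if the RADIUS server is unreachable, and it does not affect which address is assigned when RADIUS answers.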