
Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821

mrechter2
Level 1

I am trying to optimise the detailed accounting records for VPN client connections on our system but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.

The VPN functionality works fine, this is just an accounting issue.

All other accounting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).

The system details are:

VPN server : Cisco 2821 with IOS 12.4(11)XW3

Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2

Accounting RADIUS: Microsoft Windows Server 2008 R2 NPS

I have used the same setup many times previously on various 2801, 2811, and 2911 platforms with no issue (across v12 and v15 IOS).

Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup, no config was required to send it.

Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?

Example debug of tunnel start accounting message, showing that attribute 66 is not included in info sent to accounting server:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS:  authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Session-Id     [44]  10  "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Server-Auth-I[91]  14  "********"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Tunnel-Connecti[68]  4   "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-IP-Address   [8]   6   192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS:  User-Name           [1]   10  "*********"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Authentic      [45]  6
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port            [5]   6   426
Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID426"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Class               [25]  46
Jun 25 2013 14:55:13.595 AEST: RADIUS:   69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01  [i??????7????????]
Jun 25 2013 14:55:13.595 AEST: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22  [??????????????n"]
Jun 25 2013 14:55:13.595 AEST: RADIUS:   2F A7 37 14 00 00 00 00 00 00 00 29              [/?7????????)]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-IP-Address      [4]   6   192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Delay-Time     [41]  6   0
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
Jun 25 2013 14:55:13.691 AEST: RADIUS:  authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Important config

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common

vpdn enable

vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1

interface Virtual-Template1
 ip unnumbered Dialer1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool VPN
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2

ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx

radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
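
A check for the symptom described in this post, as an added example that is not part of the original post or any Cisco tooling: it parses RADIUS debug output in the layout shown above and lists, for each accounting Start record, which expected tunnel attributes are absent. The sample lines, the expected-attribute set and the function names are constructed for illustration.

```python
import re

# Attributes this check expects in a tunnel accounting Start record. The set is
# an assumption for illustration; adjust it to the records you rely on.
EXPECTED = {65: "Tunnel-Medium-Type", 66: "Tunnel-Client-Endpoint",
            68: "Acct-Tunnel-Connection"}

# Constructed sample in the debug layout shown in the post.
SAMPLE = """\
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.0.2.10:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS:  authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Tunnel-Connecti[68]  4   "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.0.2.10:1646, Accounting-response, len 20
Jun 25 2013 14:56:02.100 AEST: RADIUS(0000061B): Send Accounting-Request to 192.0.2.10:1646 id 1646/221, len 200
Jun 25 2013 14:56:02.100 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Jun 25 2013 14:56:02.100 AEST: RADIUS:  Tunnel-Client-Endpoi[66]  14  "203.0.113.25"
Jun 25 2013 14:56:02.100 AEST: RADIUS:  Acct-Tunnel-Connecti[68]  4   "45"
Jun 25 2013 14:56:02.100 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
"""

SEND = re.compile(r"RADIUS\(\w+\): Send Accounting-Request to \S+ id (\S+),")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*)\s*\[(\d+)\]\s+\d+\s*(.*)")

def parse_requests(text):
    """Group decoded attributes under the Accounting-Request that carries them."""
    requests, current = [], None
    for line in text.splitlines():
        sent, attr = SEND.search(line), ATTR.search(line)
        if sent:
            current = {"id": sent.group(1), "attrs": {}}
            requests.append(current)
        elif "RADIUS: Received" in line:
            current = None  # the server's reply ends the request
        elif attr and current is not None:
            current["attrs"][int(attr.group(2))] = attr.group(3).strip()
    return requests

def missing_in_starts(text, expected=EXPECTED):
    """Map each Start record's packet id to the expected attributes it lacks."""
    report = {}
    for req in parse_requests(text):
        if req["attrs"].get(40, "").startswith("Start"):  # Acct-Status-Type
            report[req["id"]] = [n for k, n in expected.items() if k not in req["attrs"]]
    return report

if __name__ == "__main__":
    print(missing_in_starts(SAMPLE))
```

Attributes are matched by the number in square brackets because the debug output truncates attribute names to 20 characters.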
