CVPN3030 and FreeRADIUS - attribute "Framed-IP-Address"

stursa
Level 1

We are authenticating VPN users via a FreeRADIUS server (see www.freeradius.org). This works fine for username/password, but we don't seem to be able to pass RADIUS attributes back to the VPN, or at least not in a way that affects the user's session. I'm focussing on "Framed-IP-Address" (to assign the VPN client a specific IP); if I can get it working for this, I'm sure I can port the method to other attributes.

Anyone out there doing this? With FreeRADIUS?

Thanks!

8 Replies

gfullage
Cisco Employee

Make sure under Config - System - Address Management - Assignment, you have the "Use address from authentication server" box checked. Only then will the 3000 use the address received from the Radius server and assign it to the client.

Yes, that's set.

In fact, I opened a TAC ticket on this, and Cisco pronounced the VPN concentrator's config "good" (although I'm not 100% convinced). I'm 99% sure the problem is on the freeradius side, and this is where I could use some expertise.

Thanks.

- SLS

amodi
Level 1

Can you check the log of FreeRADIUS to see if that attribute is sent when the user authenticates? Check if you can enable better logging on FreeRADIUS to find out what happens when the RADIUS server authenticates the user.

FYI, FreeRADIUS will run in a debugging mode by running freeradius with the -x option. It provides lots of useful information (amid lots of useless info, I'm sure).

asp13
Level 1

Hi!

As far as I remember, VPN3k understands neither "Framed-IP-Address" nor cisco-av-pair.

I've used the "Group Lock" feature to specify which IP pool the concentrator should use for an authenticated user. It works like specifying "cisco-av-pair=ip:addr-pool" in RADIUS for a usual (IOS) NAS.

In your RADIUS server you should add the "Class" attribute. When the user authenticates, he moves to a new group which has an associated address pool.

For more detail, look at http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Oh, my memory betrayed me :) Of course Framed-IP-Address works with VPN3K.

Considering your problem, I think any sniffer would be the best starting point.

pavelchjen
Level 1

This is a usual attribute (RFC 2865).

Yes, I did it with dialup and VPDN on c3620, AS5350, AS5300, c3662, c3640.

But those devices used IOS.


You can try to modify the options "detail auth_log" and "detail reply_log" in radiusd.conf.in and analyse radiusd.log. It should show what RADIUS replied to the NAS and what the VPN3030 sent to the RADIUS server during the authentication process.
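The debug-mode, sniffer and reply_log suggestions above all come down to one check: look at what the Access-Accept actually carries before blaming the concentrator. The following decoder is an added example, not code from this thread or from FreeRADIUS; it parses an RFC 2865 reply into its attributes (Framed-IP-Address, Class) and verifies the Response Authenticator against the shared secret so a forged or mis-keyed reply is not trusted. The packet, request authenticator, secret and group value are constructed sample data.

```python
import hashlib
import ipaddress
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
FRAMED_IP_ADDRESS = 8   # RFC 2865 attribute numbers discussed in the thread
CLASS = 25


def parse_radius_reply(pkt: bytes) -> dict:
    """Return {'code': name, 'id': int, 'attrs': {type: [value, ...]}}."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            value = str(ipaddress.IPv4Address(value))  # decode to dotted quad
        attrs.setdefault(atype, []).append(value)
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}


def reply_is_authentic(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Verify the Response Authenticator so a forged Access-Accept is not acted on."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return expected == pkt[4:20]


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept to stand in for a captured FreeRADIUS reply."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", 2, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


# Constructed sample values; the shared secret and group name are placeholders.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REPLY = build_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.10.5").packed),
    (CLASS, b"vpn-group-placeholder"),
])
```

If a real capture decodes with no attribute 8 in the Access-Accept, the fix is on the FreeRADIUS side (the reply items); if it is present and the concentrator still ignores it, the problem is in the concentrator's address-assignment configuration.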
