04-12-2007 11:29 AM - edited 02-20-2020 09:38 PM
Hi there,
I'm trying to set up a Cisco router to act as a PPTP concentrator. On this router, I plan to terminate two kinds of PPTP connections:
- to core
- to colleagues
For this reason, I need to set up two vpdn-groups, because I need one local IP address for my CORE devices and a different one for the VPN clients (colleagues). My configuration is attached below.
[snipped from running-config]
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
vpdn enable
vpdn authen-before-forward
vpdn tunnel authorization network default
vpdn-group clients
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
session-limit 50
local name VPN-Router
!
vpdn-group core
accept-dialin
protocol pptp
virtual-template 2
session-limit 5
local name border
interface Virtual-Template1
description PPTP Clients interface
ip address 192.168.25.100 255.255.255.0
ip mtu 1460
compress lzs
ppp encrypt mppe auto
ppp authentication chap ms-chap ms-chap-v2
!
interface Virtual-Template2
ip address 10.0.0.1 255.255.255.240
description Core devices
ip mtu 1460
load-interval 30
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
[/snip]
To differentiate who is a VPN client and which PPTP connection needs to be considered a core link, I'm trying to set up Cisco AVPairs with RADIUS like this:
border#test aaa group radius username password legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
Apr 12 2007 22:17:32.971 EEST: RADIUS: Pick NAS IP for u=0x43FE4A2C tableid=0 cfg_addr=radius.server.tld
Apr 12 2007 22:17:32.971 EEST: RADIUS: ustruct sharecount=1
Apr 12 2007 22:17:32.971 EEST: Radius: radius_port_info() success=0 radius_nas_port=1
Apr 12 2007 22:17:32.971 EEST: RADIUS(00000000): Send Access-Request to radius.server.tld:1812 id 1645/41, len 56
Apr 12 2007 22:17:32.971 EEST: RADIUS: authenticator 76 BC 13 6F 4B FC 5F 42 - 12 D1 E2 2F CE 47 A4 4F
Apr 12 2007 22:17:32.971 EEST: RADIUS: NAS-IP-Address [4] 6 my-router.ip.tld
Apr 12 2007 22:17:32.971 EEST: RADIUS: NAS-Port-Type [61] 6 Async [0]
Apr 12 2007 22:17:32.971 EEST: RADIUS: User-Name [1] 6 "main"
Apr 12 2007 22:17:32.971 EEST: RADIUS: User-Password [2] 18 *
Apr 12 2007 22:17:32.983 EEST: RADIUS: Received from id 1645/41 radius.server.tld:1812, Access-Accept, len 67
Apr 12 2007 22:17:32.983 EEST: RADIUS: authenticator 16 10 FD 06 97 57 32 35 - 16 B0 B8 E7 5A E3 4A BD
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-IP-Address [8] 6 10.0.0.13
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-MTU [12] 6 1460
Apr 12 2007 22:17:32.983 EEST: RADIUS: Vendor, Cisco [26] 23
Apr 12 2007 22:17:32.983 EEST: RADIUS: Cisco AVpair [1] 17 "vpdn:vpdn-group=core"
Apr 12 2007 22:17:32.983 EEST: RADIUS: saved authorization data for user 43FE4A2C at 440F71DC
So ... as you can see, there is a Cisco AVPair, but my router didn't use it. The router still uses the first available vpdn-group (clients) and uses the Virtual-Template 1 interface for this connection. Does anyone know why? I need to set up my router to read the AVPairs from the RADIUS reply message. Is it possible to do that at all?
Here is the RADIUS Access-Accept message sent to the router:
Sending Access-Accept of id 43 to radius.server.tld:1645
Framed-Protocol = PPP
Framed-IP-Address = 10.0.0.13
Framed-IP-Netmask = 255.255.255.240
Framed-MTU = 1460
Cisco-AVPair = "vpdn:vpdn-group=core"
Thanks in advance!
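Added example, not part of the original post and not Cisco's code: a small Python decoder for confirming that an Access-Accept like the one above carries the AVPair inside a Vendor-Specific attribute (type 26, Cisco vendor ID 9, sub-type 1) with consistent lengths. The packet is constructed from the attribute values quoted in the post, and the function names are hypothetical.

```python
import struct

CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_AVPAIR = 1       # Cisco vendor sub-type carrying "protocol:attr=value"

def tlv(t, value):
    """Encode one type/length/value field; length covers the 2-byte header."""
    return bytes([t, len(value) + 2]) + value

def build_access_accept(ident, avpair):
    """Constructed sample reply mirroring the attributes shown in the post."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + tlv(CISCO_AVPAIR, avpair.encode())
    attrs = (tlv(7, struct.pack("!I", 1))            # Framed-Protocol = PPP
             + tlv(8, bytes([10, 0, 0, 13]))         # Framed-IP-Address
             + tlv(9, bytes([255, 255, 255, 240]))   # Framed-IP-Netmask
             + tlv(12, struct.pack("!I", 1460))      # Framed-MTU
             + tlv(VENDOR_SPECIFIC, vsa))
    # Code 2 = Access-Accept; authenticator left as zeros (not verified here).
    return struct.pack("!BBH16s", 2, ident, 20 + len(attrs), bytes(16)) + attrs

def walk(buf):
    """Yield (type, value) for each TLV, rejecting lengths that overrun buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def cisco_avpairs(packet):
    """Return every Cisco AVPair string carried in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pairs = []
    for t, value in walk(packet[20:length]):
        if t == VENDOR_SPECIFIC and len(value) >= 4 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v.decode("ascii") for st, v in walk(value[4:])
                      if st == CISCO_AVPAIR]
    return pairs

def vpdn_group(packet):
    """Return the group named by a 'vpdn:vpdn-group=' AVPair, or None."""
    for pair in cisco_avpairs(packet):
        if pair.startswith("vpdn:vpdn-group="):
            return pair.split("=", 1)[1]
    return None
```

Run against a capture of the server's reply, this only shows whether the attribute is well-formed on the wire; whether the router acts on it is a separate question.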
04-18-2007 12:36 PM
To use pptp/mppe, the Radius server must be able to return the MPPE_KEY_ATTRIBUTES to pix.
To debug the problem, you can turn on the debug for ppp:
debug ppp uauth
debug ppp error
Try this link:
05-21-2007 11:28 AM
Hello j-block,
It looks like you don't get my question. I don't have encryption problems. I just want to ask whether it is possible to read the group that should be used for a p2p connection from the RADIUS server. However...
BR,
Danail Petrov