disable dhcp proxy for PPP VPN (outside DHCP server + NPS)

Sascha Ferley

Hi,

Our VPN setup is to authenticate / authorize via RADIUS to a Microsoft NPS server / Active Directory and use our internal DHCP server to receive its information. We are running a Cisco 2811, with firmware release k9 15.1- 4.M5.

However, we have been having some issues with our setup for a dial-in VPN. We managed to get almost everything working.

The user can dial in and authenticate and it even builds the proper PPTP tunnel. However, the client machine, when it sends out a DHCP request, seems to get forced to proxy through the Cisco router. Thus what the DHCP server sees is an encoded MAC address from the Cisco all the time and sees the client as being the Cisco router, not the VPN client/user. This is rather frustrating, as in Active Directory DNS tables it will show up as the router having x number of different IP addresses and the end client doesn't show up at all.

I have tried utilizing a bunch of different configuration options to test, all with the same outcome.

Utilizing "ip helper-address <dhcp server>" didn't work to forward correctly. Then trying to turn off all DHCP services, with the global command of "no service dhcp", didn't change any result. Neither did setting a global command of "ip dhcp-server <dhcp server>".

What I am trying to achieve is that the Cisco does NOT mess with the DHCP request and just allows it to pass through.

Anyone have any idea?

Here are the parts of the current configuration in respect to this:

no service dhcp
!
aaa new-model
!
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
!
aaa session-id common
!
no ip domain lookup
ip domain name <domain>
ip name-server xxx.xxx.xxx.xxx
ip dhcp-server xxx.xxx.xxx.xxx
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1    <-Internal Interface
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly in
 peer default ip address dhcp
 ppp encrypt mppe auto required
 ppp authentication pap chap ms-chap ms-chap-v2
!
radius-server host xxx.xxx.xxx.xxx
radius-server key <private key>

And the problem that I am seeing when running a debug on DHCP:

*Jan 15 09:01:46.558: DHCP: proxy allocate request
*Jan 15 09:01:46.558: DHCP: new entry. add to queue, interface Virtual-Access5
*Jan 15 09:01:46.558: DHCP: Client socket is opened
*Jan 15 09:01:46.558: DHCP: SDiscover attempt # 1 for entry:
*Jan 15 09:01:46.558: DHCP: SDiscover: sending 284 byte length DHCP packet
*Jan 15 09:01:46.558: DHCP: SDiscover 284 bytes
*Jan 15 09:01:46.562: DHCP: XID MATCH in dhcpc_for_us()
*Jan 15 09:01:46.990: DHCP: Received a BOOTREP pkt
*Jan 15 09:01:46.990: DHCP: offer received from <DHCP SERVER>
*Jan 15 09:01:46.990: DHCP: SRequest attempt # 1 for entry:
*Jan 15 09:01:46.990: DHCP: SRequest- Server ID option: <DHCP SERVER>
*Jan 15 09:01:46.990: DHCP: SRequest- Requested IP addr option: 192.168.10.100
*Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
*Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
*Jan 15 09:01:46.994: DHCP: XID MATCH in dhcpc_for_us()
*Jan 15 09:01:46.994: DHCP: Received a BOOTREP pkt
*Jan 15 09:01:46.994: DHCP: Sending notification of ASSIGNMENT:
*Jan 15 09:01:46.994:   Address 0.0.0.0 mask 0.0.0.0
*Jan 15 09:01:46.994: DHCP Proxy Client Pooling: ***Allocated IP address: 192.168.10.100
*Jan 15 09:01:46.994: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
*Jan 15 09:01:46.998: DHCP: look up prim NBNS for Vi5 from lease any ret: fail
*Jan 15 09:01:46.998: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
*Jan 15 09:01:46.998: DHCP: look up sec NBNS for Vi5 from lease any ret: fail
*Jan 15 09:01:47.018: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
*Jan 15 09:01:47.018: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
*Jan 15 09:01:47.038: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
*Jan 15 09:01:47.038: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
*Jan 15 09:01:56.826: DHCP: Interface Virtual-Access5 going down. Releasing: 192.168.10.100
*Jan 15 09:01:56.826: DHCP: start holddown for 192.168.10.100
*Jan 15 09:01:56.826: DHCP: Holddown and T1 remain 1792 sec

As one can see, even with the configuration to turn off any proxy or DHCP, the Cisco router still tries to interject and proxy the request, aka:

DHCP: proxy allocate request

If anyone has any idea, please let me know.

Thanks

S.
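
As the post describes, the DHCP server only ever records the router as the client, so the router's own debug output is where a lease can be tied back to a specific VPN session. The following Python is an added example, not part of the original post or any Cisco tooling: it pairs the "add to queue", "Allocated IP address" and "going down. Releasing" messages shown above into one record per proxied lease. The function name `proxy_leases` is hypothetical, the message formats are assumed to match the post's output, and an allocation is assumed to belong to the most recently queued interface (true when sessions do not overlap).

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the debug output in the post above.
SAMPLE = """\
*Jan 15 09:01:46.558: DHCP: proxy allocate request
*Jan 15 09:01:46.558: DHCP: new entry. add to queue, interface Virtual-Access5
*Jan 15 09:01:46.994: DHCP Proxy Client Pooling: ***Allocated IP address: 192.168.10.100
*Jan 15 09:01:56.826: DHCP: Interface Virtual-Access5 going down. Releasing: 192.168.10.100
"""

LINE = re.compile(r"^\*?(\w{3} +\d+ [\d:.]+): (.*)$")
QUEUED = re.compile(r"add to queue, interface (\S+)")
ALLOCATED = re.compile(r"\*\*\*Allocated IP address: (\S+)")
RELEASED = re.compile(r"Interface (\S+) going down\. Releasing: (\S+)")


def _ts(stamp):
    # The log carries no year; a leap year is assumed so that Feb 29 parses.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")


def proxy_leases(text):
    """Return one dict per proxied lease: interface, ip, start, end, seconds."""
    leases, pending, active = [], None, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped debug line
        stamp, msg = m.groups()
        if (q := QUEUED.search(msg)):
            pending = q.group(1)  # interface waiting for an address
        elif (a := ALLOCATED.search(msg)) and pending:
            # Assumption: the allocation belongs to the last queued interface.
            rec = {"interface": pending, "ip": a.group(1),
                   "start": stamp, "end": None, "seconds": None}
            active[pending] = rec
            leases.append(rec)
            pending = None
        elif (r := RELEASED.search(msg)):
            rec = active.pop(r.group(1), None)
            if rec and rec["ip"] == r.group(2):
                rec["end"] = stamp
                delta = _ts(stamp) - _ts(rec["start"])
                rec["seconds"] = round(delta.total_seconds(), 3)
    return leases


if __name__ == "__main__":
    for lease in proxy_leases(SAMPLE):
        print(lease)
```

A record whose `end` is still `None` is a lease the router had not released by the end of the capture. Joining `interface` against RADIUS accounting records for the same window gives the user behind each address.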
