IP pool selection from RADIUS

Antonio Macia
Level 3

Hi,

I'm trying to assign different IP addresses to each VPN client depending on the group they belong to. To do so, I created three different pools locally on the router and configured the RADIUS server to send the Cisco-AVPair="ip:addr-pool=poolname" attribute. The RADIUS server is sending this attribute correctly, but the router isn't using it. If I try with Framed-IP-Address it works fine, but not for the pool.

Here is the related router config:

aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa session-id common

crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp client configuration group Users
 key xxxx
 pool pool1
 acl UsersSplit

crypto isakmp profile UsersProfile
   match identity group Users
   client authentication list RemoteUsers
   isakmp authorization list UsersGroup
   client configuration address respond
   virtual-template 1

crypto ipsec transform-set Transf-Users esp-aes esp-sha-hmac
 mode transport

crypto ipsec profile Prof-Users
 set transform-set Transf-Users
 set isakmp-profile UsersProfile

ip local pool pool1 192.168.110.10 192.168.110.20
ip local pool pool2 192.168.120.10 192.168.120.20
ip local pool pool3 192.168.130.10 192.168.130.20

Freeradius config:

# users entry: check items on the first line, reply items indented below;
# the last reply item carries no trailing comma
testuser Auth-Type := Local, User-Password == "testpass"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool1"

Without enabling authorization, testuser connects successfully, but after I enable authorization to instruct the router to accept the pool configuration, it automatically authenticates using the isakmp Users user, without asking for the real VPN testuser client, and the connection fails.

Is authorization essential? Using authentication I can assign ip addresses from Radius.

I also used the Framed-IP-Pool value without success.

What am I missing?

Thanks in advance.

3 Replies

Jatin Katyal
Cisco Employee

To use IP pools, the AAA client must have network authorization (in IOS, aaa authorization network) and accounting (in IOS, aaa accounting) enabled.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html

Could you please turn on the authorization along with the below listed debugs on the router (as per your convenience):

debug radius
debug aaa authen
debug aaa autho

try to connect again, get the error message from the radius server and debugs from the IOS.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

Thanks for your quick reply. Here is the new configuration and the debugs. I'm using IOS c890-universalk9-mz.152-1.T.bin and Cisco VPN client 5.0.07.0290 version.

IOS Configuration with authorization and accounting enabled:

aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa accounting network default
aaa session-id common

IOS Debugs:

Jun  4 21:20:46.133: AAA/BIND(00000010): Bind i/f
Jun  4 21:20:46.149: AAA/AUTHOR (0x10): Pick method list 'UsersGroup'
Jun  4 21:20:46.153: RADIUS/ENCODE(00000010):Orig. component type = VPN IPSEC
Jun  4 21:20:46.153: RADIUS:  AAA Unsupported Attr: interface         [222] 11
Jun  4 21:20:46.153: RADIUS:   31 30 2E 31 34 2E 31 34 2E         [ 10.14.14.]
Jun  4 21:20:46.153: RADIUS(00000010): Config NAS IP: 0.0.0.0
Jun  4 21:20:46.153: RADIUS(00000010): Config NAS IPv6: ::
Jun  4 21:20:46.153: RADIUS/ENCODE(00000010): acct_session_id: 6
Jun  4 21:20:46.153: RADIUS(00000010): sending
Jun  4 21:20:46.153: RADIUS/ENCODE: Best Local IP-Address 10.14.14.30 for Radius-Server 10.14.14.17
Jun  4 21:20:46.153: RADIUS(00000010): Send Access-Request to 10.14.14.17:1812 id 1645/4, len 98
Jun  4 21:20:46.153: RADIUS:  authenticator 01 A1 34 BE 06 3D C2 C5 - 4F EE 98 D7 47 4D BF AB
Jun  4 21:20:46.153: RADIUS:  User-Name           [1]   10  "Users"
Jun  4 21:20:46.153: RADIUS:  User-Password       [2]   18  *
Jun  4 21:20:46.153: RADIUS:  Calling-Station-Id  [31]  13  "10.14.14.17"
Jun  4 21:20:46.153: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  4 21:20:46.153: RADIUS:  NAS-Port            [5]   6   0
ruc#
Jun  4 21:20:46.153: RADIUS:  NAS-Port-Id         [87]  13  "10.14.14.30"
Jun  4 21:20:46.153: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Jun  4 21:20:46.153: RADIUS:  NAS-IP-Address      [4]   6   10.14.14.30
Jun  4 21:20:46.153: RADIUS(00000010): Sending a IPv4 Radius Packet
Jun  4 21:20:46.153: RADIUS(00000010): Started 5 sec timeout
ruc#
Jun  4 21:20:48.205: RADIUS: Received from id 1645/4 10.14.14.17:1812, Access-Reject, len 20
Jun  4 21:20:48.205: RADIUS:  authenticator 2A B6 91 42 DF 70 2B 89 - AF D5 59 82 31 3B EA 53
Jun  4 21:20:48.205: RADIUS(00000010): Received from id 1645/4

As you can see, the router authenticates automatically using the Users user configured under the isakmp client configuration group. The VPN client software does not prompt for the real user account and fails. Why is the router not asking for the user? I was expecting the router to perform authentication first and authorization later. Take a look at the FreeRadius debug:

FreeRadius debug:

Ready to process requests.
rad_recv: Access-Request packet from host 10.14.14.30:1645, id=4, length=98
        User-Name = "Users"
        User-Password = "cisco"  <--Where does this password come from?!
        Calling-Station-Id = "10.14.14.17"
        NAS-Port-Type = Virtual
        NAS-Port = 0
        NAS-Port-Id = "10.14.14.30"
        Service-Type = Dialout-Framed-User
        NAS-IP-Address = 10.14.14.30
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "Users", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 188
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect: [Users/cisco] (from client vpnServer port 0 cli 10.14.14.17)

Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.14.14.30 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 51ae5a41
Nothing to do.  Sleeping until we see a request.

Any idea Jatin?

Finally, it is working!

If we enable authorization, the router not only authenticates the user but the VPN group as well. We have to specify the user group in the RADIUS configuration and, within this user, the IKE password using cisco-avpair = "ipsec:tunnel-password=IKEPass".

Thanks to:

http://www.ciscopress.com/articles/article.asp?p=421514&seqNum=3
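As an added example (not code from this thread), here is a FreeRADIUS users-file layout in the 1.x-style syntax used above that combines the group entry from the fix with the per-user pool assignment from the first post, pinning the group entry to the router's group-authorization request so that the fixed password "cisco" seen in the debug cannot be used for any other kind of login. Assumed: the group name Users, the NAS 10.14.14.30, and the pools and ACL from the original config; IKEPass and the second user are placeholders, and the key-exchange, addr-pool and inacl group attributes come from Cisco's documented Easy VPN group-attribute set rather than from this thread.

```conf
# Group entry. With "isakmp authorization list" enabled, IOS sends an
# Access-Request with User-Name = <isakmp group name>, the fixed password
# "cisco" (the User-Password shown in the FreeRADIUS debug above) and
# Service-Type 5 (Outbound; printed as Dialout-Framed-User in that debug).
# The check items restrict this entry to exactly that request from the
# router, so the fixed password is useless for any other login.
Users   Auth-Type := Local, User-Password == "cisco", Service-Type == Outbound-User, NAS-IP-Address == 10.14.14.30
        Service-Type = Outbound-User,
        Cisco-AVPair = "ipsec:key-exchange=ike",
        Cisco-AVPair += "ipsec:tunnel-password=IKEPass",
        Cisco-AVPair += "ipsec:addr-pool=pool1",
        Cisco-AVPair += "ipsec:inacl=UsersSplit"

# Per-user entries, matched during XAUTH. The per-user pool attribute
# overrides the group default above. "SecondPass" and user2 are placeholders.
testuser Auth-Type := Local, User-Password == "testpass"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool1"

user2    Auth-Type := Local, User-Password == "SecondPass"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool2"
```

Keep a DEFAULT entry that rejects anything unmatched below these, so a group-style request for an unknown group name never falls through to a local (Auth-Type System) lookup as it did in the debug above.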