06-04-2013 09:38 AM
Hi,
I'm trying to assign different IP addresses to each VPN client depending on the group they belong to. To do so, I create three different pools locally on the router and configure the RADIUS server to send the Cisco-AVPair="ip:addr-pool=poolname" attribute. The RADIUS server is sending this attribute correctly, but the router isn't using it. If I try with Framed-IP-Address it works fine, but not for the pool.
Here is the related router config:
aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa session-id common
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group Users
key xxxx
pool pool1
acl UsersSplit
crypto isakmp profile UsersProfile
match identity group Users
client authentication list RemoteUsers
isakmp authorization list UsersGroup
client configuration address respond
virtual-template 1
crypto ipsec transform-set Transf-Users esp-aes esp-sha-hmac
mode transport
crypto ipsec profile Prof-Users
set transform-set Transf-Users
set isakmp-profile UsersProfile
ip local pool pool1 192.168.110.10 192.168.110.20
ip local pool pool2 192.168.120.10 192.168.120.20
ip local pool pool3 192.168.130.10 192.168.130.20
Freeradius config:
testuser Auth-Type := Local, User-Password == "testpass"
Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:addr-pool=pool1",
Without enabling authorization, testuser connects successfully, but after I enable authorization to instruct the router to accept the pool configuration, it automatically authenticates using the isakmp "Users" user, without asking for the real VPN testuser client, and the connection fails.
Is authorization essential? Using authentication only, I can assign IP addresses from RADIUS.
I also tried the Framed-IP-Pool value without success.
What am I missing?
Thanks in advance.
06-04-2013 10:56 AM
To use IP pools, the AAA client must have network authorization (in IOS, aaa authorization network) and accounting (in IOS, aaa accounting) enabled.
Could you please turn on authorization along with the debugs listed below on the router (at your convenience):
debug radius
debug aaa authen
debug aaa autho
Try to connect again, then get the error message from the RADIUS server and the debugs from IOS.
Jatin Katyal
- Do rate helpful posts -
06-04-2013 02:35 PM
Hi Jatin,
Thanks for your quick reply. Here is the new configuration and the debugs. I'm using IOS c890-universalk9-mz.152-1.T.bin and Cisco VPN client 5.0.07.0290 version.
IOS Configuration with authorization and accounting enabled:
aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa accounting network default
aaa session-id common
IOS Debugs:
Jun 4 21:20:46.133: AAA/BIND(00000010): Bind i/f
Jun 4 21:20:46.149: AAA/AUTHOR (0x10): Pick method list 'UsersGroup'
Jun 4 21:20:46.153: RADIUS/ENCODE(00000010):Orig. component type = VPN IPSEC
Jun 4 21:20:46.153: RADIUS: AAA Unsupported Attr: interface [222] 11
Jun 4 21:20:46.153: RADIUS: 31 30 2E 31 34 2E 31 34 2E [ 10.14.14.]
Jun 4 21:20:46.153: RADIUS(00000010): Config NAS IP: 0.0.0.0
Jun 4 21:20:46.153: RADIUS(00000010): Config NAS IPv6: ::
Jun 4 21:20:46.153: RADIUS/ENCODE(00000010): acct_session_id: 6
Jun 4 21:20:46.153: RADIUS(00000010): sending
Jun 4 21:20:46.153: RADIUS/ENCODE: Best Local IP-Address 10.14.14.30 for Radius-Server 10.14.14.17
Jun 4 21:20:46.153: RADIUS(00000010): Send Access-Request to 10.14.14.17:1812 id 1645/4, len 98
Jun 4 21:20:46.153: RADIUS: authenticator 01 A1 34 BE 06 3D C2 C5 - 4F EE 98 D7 47 4D BF AB
Jun 4 21:20:46.153: RADIUS: User-Name [1] 10 "Users"
Jun 4 21:20:46.153: RADIUS: User-Password [2] 18 *
Jun 4 21:20:46.153: RADIUS: Calling-Station-Id [31] 13 "10.14.14.17"
Jun 4 21:20:46.153: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 4 21:20:46.153: RADIUS: NAS-Port [5] 6 0
ruc#
Jun 4 21:20:46.153: RADIUS: NAS-Port-Id [87] 13 "10.14.14.30"
Jun 4 21:20:46.153: RADIUS: Service-Type [6] 6 Outbound [5]
Jun 4 21:20:46.153: RADIUS: NAS-IP-Address [4] 6 10.14.14.30
Jun 4 21:20:46.153: RADIUS(00000010): Sending a IPv4 Radius Packet
Jun 4 21:20:46.153: RADIUS(00000010): Started 5 sec timeout
ruc#
Jun 4 21:20:48.205: RADIUS: Received from id 1645/4 10.14.14.17:1812, Access-Reject, len 20
Jun 4 21:20:48.205: RADIUS: authenticator 2A B6 91 42 DF 70 2B 89 - AF D5 59 82 31 3B EA 53
Jun 4 21:20:48.205: RADIUS(00000010): Received from id 1645/4
As you can see, the router authenticates automatically using the "Users" user configured under the isakmp client configuration group. The VPN client software does not prompt for the real user account and fails. Why is the router not asking for the user? I was expecting the router to perform authentication first and authorization later. Take a look at the FreeRADIUS debug:
FreeRadius debug:
Ready to process requests.
rad_recv: Access-Request packet from host 10.14.14.30:1645, id=4, length=98
User-Name = "Users"
User-Password = "cisco" <-- Where does this password come from?!
Calling-Station-Id = "10.14.14.17"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "10.14.14.30"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.14.14.30
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Users", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 188
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect: [Users/cisco] (from client vpnServer port 0 cli 10.14.14.17)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.14.14.30 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 51ae5a41
Nothing to do. Sleeping until we see a request.
Any idea Jatin?
06-08-2013 10:38 AM
Finally it is working!
If we enable authorization, the router not only authenticates the user but the VPN group as well. We have to specify the user group in the RADIUS configuration and, within this user, the IKE password using the cisco-avpair = "ipsec:tunnel-password=IKEPass".
Thanks to:
http://www.ciscopress.com/articles/article.asp?p=421514&seqNum=3
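Putting the two posts above together, here is an added example of a complete FreeRADIUS users-file fragment for this setup. It is not the poster's file and not a Cisco or FreeRADIUS sample. The group name "Users" and the pool names pool1 to pool3 come from the router config in the first post; the fixed password "cisco" is the one the debug shows the router sending for the group; the three usernames, their passwords and the value IKEPass are constructed placeholders. Cleartext-Password is the FreeRADIUS 2.x check item; on a 1.x server use the poster's "Auth-Type := Local, User-Password == ..." form instead.

```text
# Added example (constructed for this thread, not the poster's configuration).
# Assumed placeholders: IKEPass, user1..user3 and their passwords.

# 1) Group entry.  With "isakmp authorization list UsersGroup" enabled, the
#    router first sends an Access-Request whose User-Name is the ISAKMP group
#    name ("Users") and whose User-Password is the fixed string "cisco", as the
#    "debug radius" and FreeRADIUS output above show.  The reply must return
#    the IKE pre-shared key as ipsec:tunnel-password; without this entry the
#    group request gets an Access-Reject and the client is never prompted.
#    The group name must therefore not collide with a real username.
Users   Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:tunnel-password=IKEPass"

# 2) User entries.  After group authorization succeeds, the router runs the
#    Xauth login through "client authentication list RemoteUsers" and the
#    VPN client prompts for these credentials.  Each user is sent a different
#    local pool name with ip:addr-pool, so the assigned address depends on
#    the entry that matches (the pools are defined on the router with
#    "ip local pool").
user1   Cleartext-Password := "pass1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool1"

user2   Cleartext-Password := "pass2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool2"

user3   Cleartext-Password := "pass3"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pool3"
```

To confirm which request is which while testing, watch the User-Name in "debug radius" output: a request carrying the group name and Service-Type Outbound is the group authorization step, and a following request carrying the person's login name is the user authentication step. Only the second should ever be the one that delivers ip:addr-pool.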