FYI: Cisco TAC quickly found my config problem.  I took out:

aaa authorization network default if-authenticated

and replaced it with:

aaa authorization network default group radius local

and that did it. Thanks for all of your suggestions! Next up is to start defining pools and associating unix groups with them.

On Tue, 26 May 2009, u...@3.am wrote:

On Wed, 27 May 2009, Vadim Ostranitsyn wrote:

  Hi!

On Tue, May 26, 2009 at 11:34:41AM -0400, u...@3.am wrote:
Users are currently authenticating fine and getting assigned IPs from the
IP pool as defined in the Cisco NAS.  However, I'd like to have a few,
select users assigned static IPs from outside that pool, but the Cisco
(2811) is simply ignoring the raddb/users file entry for that user and
assigning an IP from the pool on the NAS.
[...]
interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  ip policy route-map VPN-Client
  peer match aaa-pools
  peer default ip address pool vpnpool
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  Drop this line

  no keepalive
  ppp encrypt mppe auto
  ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
---------
Here is the raddb/users file entry:
---------
testuser        Service-Type == Framed-User
                 Framed-Protocol == PPP,
                 Framed-IP-Address = 172.16.1.2,
                 Framed-IP-Netmask = 255.255.255.255,
                 Framed-Compression = Van-Jacobson-TCP-IP

Cisco-AVPair = "ip:addr-pool=vpnpool"

  Add line above to the DEFAULT user entry.

--

Hi Vadim:

This looked promising, but when I remove that line from my Cisco config, I cannot log in at all. It just says that it cannot negotiate a ppp connection (Mac OS X). The debug on radius looks fine (I can supply that again if needed). Here is the verbose logging from my Mac's /var/log/ppp.log:

Tue May 26 23:21:13 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:21:13 2009 : PPTP connection established.
Tue May 26 23:21:13 2009 : using link 0
Tue May 26 23:21:13 2009 : Using interface ppp0
Tue May 26 23:21:13 2009 : Connect: ppp0 <--> socket[34:17]
Tue May 26 23:21:13 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc916
6b8c> <pcomp> <accomp>]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f29a7d2
]
Tue May 26 23:21:13 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:21:13 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f29a7d2
]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc916
6b8c> <pcomp> <accomp>]
Tue May 26 23:21:13 2009 : sent [LCP EchoReq id=0x0 magic=0xc9166b8c]
Tue May 26 23:21:13 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<
hidden>]
Tue May 26 23:21:13 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f29a7d2]
Tue May 26 23:21:13 2009 : rcvd [PAP AuthAck id=0x1 ""]
Tue May 26 23:21:13 2009 : PAP authentication succeeded
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0
.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb
5:8003>]
Tue May 26 23:21:13 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 0
0 00 01
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
Tue May 26 23:21:13 2009 : ipcp: returning Configure-ACK
Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
Tue May 26 23:21:13 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:21:13 2009 : Unsupported protocol 'Compression Control Protocol' (
0x80fd) received
Tue May 26 23:21:13 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1
e c2 ff fe b5 80 03]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 0
0 00 01 02 06 00 00 00 01]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0> <ms-dns3 0.0
.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x4 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x4 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x5 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x5 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x6 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x6 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x7 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x7 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x8 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x8 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x9 <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x9 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xa <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xa <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xb <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xb <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xc <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xc <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xd <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xd <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xe <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xe <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xf <addrs 0.0.0.0 0.0.0.0> <ms
-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xf <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 "No network protocols runnin
g"]
Tue May 26 23:21:14 2009 : rcvd [LCP TermAck id=0x3]
Tue May 26 23:21:14 2009 : Connection terminated.
Tue May 26 23:21:14 2009 : PPTP disconnecting...
Tue May 26 23:21:14 2009 : PPTP disconnected

When I put 'peer default ip address pool vpnpool' back in the Cisco config, it works again:

Tue May 26 23:26:48 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:26:48 2009 : PPTP connection established.
Tue May 26 23:26:48 2009 : using link 0
Tue May 26 23:26:48 2009 : Using interface ppp0
Tue May 26 23:26:48 2009 : Connect: ppp0 <--> socket[34:17]
Tue May 26 23:26:48 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x3b8a
3df8> <pcomp> <accomp>]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f2ec37a
]
Tue May 26 23:26:48 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:26:48 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f2ec37a>]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x3b8a3df8> <pcomp> <accomp>]
Tue May 26 23:26:48 2009 : sent [LCP EchoReq id=0x0 magic=0x3b8a3df8]
Tue May 26 23:26:48 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<hidden>]
Tue May 26 23:26:48 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f2ec37a]
Tue May 26 23:26:48 2009 : rcvd [PAP AuthAck id=0x1 ""]
Tue May 26 23:26:48 2009 : PAP authentication succeeded
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:26:48 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb5:8003>]
Tue May 26 23:26:48 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
Tue May 26 23:26:48 2009 : ipcp: returning Configure-ACK
Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
Tue May 26 23:26:48 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:26:48 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Tue May 26 23:26:48 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1
e c2 ff fe b5 80 03]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 0
0 00 01 02 06 00 00 00 01]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0
.0.0>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.30.9> <ms-dns1
10.2.2.2>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 <addr 172.16.30.9> <ms-dns1
10.2.2.2>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.30.9> <ms-dns1
10.2.2.2>]
Tue May 26 23:26:48 2009 : ipcp: up
Tue May 26 23:26:48 2009 : local  IP address 172.16.30.9
Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
Tue May 26 23:26:48 2009 : primary   DNS address 10.1.1.1
Tue May 26 23:26:48 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:51 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:54 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:57 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:27:00 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:27:03 2009 : No DHCP server replied
--------

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
u...@3.am                                                           http://3.am
=========================================================================
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
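
Added example, not part of the original thread or of FreeRADIUS/Cisco tooling: a small checker for client-side pppd logs like the two quoted above, reporting whether the NAS offered no address at all, handed out one from its local pool, or applied the per-user Framed-IP-Address from RADIUS. The function names and sample lines are constructed for illustration; the pool range and the 172.16.1.2 address are the ones given in the thread.

```python
import ipaddress
import re

# From the thread: "ip local pool vpnpool 172.16.30.2 172.16.30.254"
POOL = (ipaddress.ip_address("172.16.30.2"), ipaddress.ip_address("172.16.30.254"))
STAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} : ")
IPCP = re.compile(r"rcvd \[IPCP (Conf\w+) id=0x[0-9a-f]+(.*)\]")
ADDR = re.compile(r"<addr ([\d.]+)>")

# Constructed samples in the pppd log format (one entry hard-wrapped mid-token).
T = "Tue May 26 23:21:13 2009 : "
REJECTED = (T + "sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]\n"
            + T + "rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0> <ms-dns3 0.0\n.0.0>]\n"
            + T + "IPCP: Maximum Config-Requests exceeded\n")


def accepted(addr):
    """Constructed log of a session in which the NAS assigns `addr`."""
    return (T + "rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]\n"
            + T + f"rcvd [IPCP ConfNak id=0x2 <addr {addr}>]\n"
            + T + f"rcvd [IPCP ConfAck id=0x3 <addr {addr}>]\n")


def unwrap(log_text):
    """Re-join entries that a mail client hard-wrapped at 80 columns."""
    entries = []
    for line in log_text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line  # continuation of the previous entry
    return entries


def diagnose(log_text, radius_addr):
    """Classify the IPCP outcome; radius_addr is the expected Framed-IP-Address."""
    assigned, addr_rejected, gave_up = None, False, False
    for entry in unwrap(log_text):
        gave_up = gave_up or "Maximum Config-Requests exceeded" in entry
        m = IPCP.search(entry)
        if not m:
            continue
        kind, opts = m.groups()
        if kind == "ConfRej" and re.search(r"<addrs? ", opts):
            addr_rejected = True  # NAS refused the address option outright
        elif kind == "ConfAck" and ADDR.search(opts):
            # Ack of our own request: this is the address we were given
            assigned = ipaddress.ip_address(ADDR.search(opts).group(1))
    if assigned is None:
        return "no-address-offered" if addr_rejected and gave_up else "incomplete"
    if assigned == ipaddress.ip_address(radius_addr):
        return "radius-static"
    return "nas-pool" if POOL[0] <= assigned <= POOL[1] else "other"
```

A "nas-pool" result for a user who has a Framed-IP-Address entry means the NAS authenticated against RADIUS but did not apply the per-user reply attributes, which is the symptom reported in this thread.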