I have a Cisco AS5400 with an IP pool set up for dynamic IP address
assignment. For IP address assignment I use a script on the RADIUS server
to look up the IP in a file; if there isn't one, it assigns 255.255.255.254.
Here are the default entries in the users file and the quick and very dirty
Perl script...
DEFAULT Auth-Type := System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Netmask = 255.255.252.0,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Exec-Program-Wait = "/usr/local/etc/raddb/getip.pl %u",
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
====================================================
#!/usr/bin/perl
use strict;
# Match the username in Perl: it comes from the RADIUS request, so it must not be interpolated into a shell command line.
my $user = $ARGV[0];
my $ip;
if (open(my $fh, '<', '/path/to/somefile')) {
    while (<$fh>) {
        my ($userid, $f2, $pwd, $addr) = split;   # fields: userid f2 pwd ip
        if (defined $userid and $userid eq $user) { $ip = $addr; last; }
    }
}
$ip = "255.255.255.254" unless $ip;
print "Framed-IP-Address = $ip,\n";
exit 0;
===================================================
The correct IP address is being assigned to the client but the netmask is
not. The addresses are a subnet of a class B, and the mask that gets
assigned is always 255.255.0.0 instead of 255.255.252.0, even though
the RADIUS server is sending the correct mask to the AS5400. Here is the
RADIUS and PPP debugging output on the Cisco:
*Jan 30 00:16:16.671: RADIUS/ENCODE(00000075): ask "Username: "
*Jan 30 00:16:16.671: RADIUS/ENCODE(00000075): send packet; GET_USER
*Jan 30 00:16:16.791: As1/78 PPP: Treating connection as a callin
*Jan 30 00:16:16.791: As1/78 PPP: Phase is ESTABLISHING, Passive Open
*Jan 30 00:16:16.791: As1/78 LCP: State is Listen
*Jan 30 00:16:16.799: As1/78 LCP: I CONFREQ [Listen] id 1 len 23
*Jan 30 00:16:16.799: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:16.799: As1/78 LCP: MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.799: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:16.799: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:16.799: As1/78 LCP: Callback 6 (0x0D0306)
*Jan 30 00:16:16.799: As1/78 LCP: O CONFREQ [Listen] id 1 len 24
*Jan 30 00:16:16.799: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:16.799: As1/78 LCP: AuthProto PAP (0x0304C023)
*Jan 30 00:16:16.799: As1/78 LCP: MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:16.799: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:16.799: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:16.799: As1/78 LCP: O CONFREJ [Listen] id 1 len 7
*Jan 30 00:16:16.799: As1/78 LCP: Callback 6 (0x0D0306)
*Jan 30 00:16:16.903: As1/78 LCP: I CONFREQ [REQsent] id 2 len 20
*Jan 30 00:16:16.903: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:16.903: As1/78 LCP: MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.903: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:16.903: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:16.903: As1/78 LCP: O CONFACK [REQsent] id 2 len 20
*Jan 30 00:16:16.903: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:16.903: As1/78 LCP: MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.903: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:16.903: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:18.795: As1/78 LCP: TIMEout: State ACKsent
*Jan 30 00:16:18.795: As1/78 LCP: O CONFREQ [ACKsent] id 2 len 24
*Jan 30 00:16:18.795: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:18.795: As1/78 LCP: AuthProto PAP (0x0304C023)
*Jan 30 00:16:18.795: As1/78 LCP: MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:18.795: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:18.795: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:18.883: As1/78 LCP: I CONFACK [ACKsent] id 2 len 24
*Jan 30 00:16:18.883: As1/78 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 30 00:16:18.883: As1/78 LCP: AuthProto PAP (0x0304C023)
*Jan 30 00:16:18.883: As1/78 LCP: MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:18.883: As1/78 LCP: PFC (0x0702)
*Jan 30 00:16:18.883: As1/78 LCP: ACFC (0x0802)
*Jan 30 00:16:18.883: As1/78 LCP: State is Open
*Jan 30 00:16:18.883: As1/78 PPP: Phase is AUTHENTICATING, by this end
*Jan 30 00:16:18.895: As1/78 PAP: I AUTH-REQ id 1 len 19 from "iptest"
*Jan 30 00:16:18.895: As1/78 PAP: Authenticating peer iptest
*Jan 30 00:16:18.895: As1/78 PPP: Phase is FORWARDING, Attempting Forward
*Jan 30 00:16:18.895: As1/78 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 30 00:16:18.895: RADIUS/ENCODE: Attribute has no value set for AAA attribute clid
*Jan 30 00:16:18.895: RADIUS: AAA Unsupported [91] 21
*Jan 30 00:16:18.895: RADIUS: 41 73 79 6E 63 31 2F 37 38 2A 53 65 72 69 61 6C [Async1/78*Serial]
*Jan 30 00:16:18.895: RADIUS: 37 2F 31 [7/1]
*Jan 30 00:16:18.895: RADIUS/ENCODE(00000075): Unsupported AAA attribute parent-interface
*Jan 30 00:16:18.895: RADIUS/ENCODE(00000075): Unsupported AAA attribute parent-interface-type
*Jan 30 00:16:18.895: RADIUS/ENCODE(00000075): acct_session_id: 163
*Jan 30 00:16:18.895: RADIUS(00000075): sending
*Jan 30 00:16:18.895: RADIUS: Send to unknown id 80 165.104.1.246:1812, Access-Request, len 85
*Jan 30 00:16:18.895: RADIUS: authenticator 37 EB CA 75 2F B8 FE BE - 69 DB 71 01 B2 89 73 B9
*Jan 30 00:16:18.895: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jan 30 00:16:18.899: RADIUS: User-Name [1] 8 "iptest"
*Jan 30 00:16:18.899: RADIUS: User-Password [2] 18 *
*Jan 30 00:16:18.899: RADIUS: Called-Station-Id [30] 9 "5555555"
*Jan 30 00:16:18.899: RADIUS: NAS-Port [5] 6 78
*Jan 30 00:16:18.899: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jan 30 00:16:18.899: RADIUS: Service-Type [6] 6 Framed [2]
*Jan 30 00:16:18.899: RADIUS: NAS-IP-Address [4] 6 165.104.1.247
*Jan 30 00:16:18.943: RADIUS: Received from id 80 165.104.1.246:1812, Access-Accept, len 56
*Jan 30 00:16:18.943: RADIUS: authenticator 4F 4B C2 E1 F5 28 38 83 - 5B 5F 66 EB C8 70 D8 B0
*Jan 30 00:16:18.943: RADIUS: Framed-IP-Netmask [9] 6 255.255.252.0
*Jan 30 00:16:18.943: RADIUS: Framed-MTU [12] 6 1500
*Jan 30 00:16:18.943: RADIUS: Service-Type [6] 6 Framed [2]
*Jan 30 00:16:18.943: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jan 30 00:16:18.943: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
*Jan 30 00:16:18.943: RADIUS: Framed-IP-Address [8] 6 165.104.79.199
*Jan 30 00:16:18.943: RADIUS: Received from id 75
*Jan 30 00:16:18.943: As1/78 PPP: Phase is FORWARDING, Attempting Forward
*Jan 30 00:16:18.943: As1/78 PPP: Phase is AUTHENTICATING, Authenticated
User
*Jan 30 00:16:18.943: As1/78 PAP: O AUTH-ACK id 1 len 5
*Jan 30 00:16:18.943: As1/78 PPP: Phase is UP
*Jan 30 00:16:18.943: As1/78 IPCP: O CONFREQ [Closed] id 1 len 16
*Jan 30 00:16:18.943: As1/78 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
*Jan 30 00:16:18.943: As1/78 IPCP: Address 165.104.76.1 (0x0306A5684C01)
*Jan 30 00:16:18.947: As1/78 IPCP: O CONFREQ [REQsent] id 2 len 16
*Jan 30 00:16:18.947: As1/78 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
*Jan 30 00:16:18.947: As1/78 IPCP: Address 165.104.76.1 (0x0306A5684C01)
*Jan 30 00:16:19.035: As1/78 IPCP: I CONFREQ [REQsent] id 1 len 40
*Jan 30 00:16:19.035: As1/78 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 30 00:16:19.035: As1/78 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 30 00:16:19.035: As1/78 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 30 00:16:19.035: As1/78 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 30 00:16:19.035: As1/78 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 30 00:16:19.035: As1/78 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 30 00:16:19.035: As1/78 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 165.104.76.11
*Jan 30 00:16:19.035: As1/78 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 165.104.79.199
*Jan 30 00:16:19.035: As1/78 IPCP: O CONFREJ [REQsent] id 1 len 16
*Jan 30 00:16:19.035: As1/78 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 30 00:16:19.035: As1/78 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 30 00:16:19.039: As1/78 CCP: I CONFREQ [Not negotiated] id 1 len 15
*Jan 30 00:16:19.043: As1/78 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
*Jan 30 00:16:19.043: As1/78 CCP: Stacker history 1 check mode EXTENDED (0x1105000104)
*Jan 30 00:16:19.043: As1/78 LCP: O PROTREJ [Open] id 3 len 21 protocol CCP
*Jan 30 00:16:19.043: As1/78 LCP: (0x80FD0101000F12060000000111050001)
*Jan 30 00:16:19.043: As1/78 LCP: (0x04)
*Jan 30 00:16:19.051: As1/78 IPCP: I CONFACK [REQsent] id 1 len 16
*Jan 30 00:16:19.051: As1/78 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
*Jan 30 00:16:19.051: As1/78 IPCP: Address 165.104.76.1 (0x0306A5684C01)
*Jan 30 00:16:19.051: As1/78 IPCP: ID 1 didn't match 2, discarding packet
*Jan 30 00:16:19.051: As1/78 IPCP: I CONFACK [REQsent] id 2 len 16
*Jan 30 00:16:19.051: As1/78 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
*Jan 30 00:16:19.051: As1/78 IPCP: Address 165.104.76.1 (0x0306A5684C01)
*Jan 30 00:16:19.123: As1/78 IPCP: I CONFREQ [ACKrcvd] id 2 len 28
*Jan 30 00:16:19.123: As1/78 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 30 00:16:19.123: As1/78 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 30 00:16:19.127: As1/78 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 30 00:16:19.127: As1/78 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 30 00:16:19.127: As1/78 IPCP: O CONFNAK [ACKrcvd] id 2 len 22
*Jan 30 00:16:19.127: As1/78 IPCP: Address 165.104.79.199 (0x0306A5684FC7)
*Jan 30 00:16:19.127: As1/78 IPCP: PrimaryDNS 165.104.1.246 (0x8106A56801F6)
*Jan 30 00:16:19.127: As1/78 IPCP: SecondaryDNS 165.104.1.24 (0x8306A5680118)
*Jan 30 00:16:19.215: As1/78 IPCP: I CONFREQ [ACKrcvd] id 3 len 28
*Jan 30 00:16:19.215: As1/78 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 30 00:16:19.215: As1/78 IPCP: Address 165.104.79.199 (0x0306A5684FC7)
*Jan 30 00:16:19.215: As1/78 IPCP: PrimaryDNS 165.104.1.246 (0x8106A56801F6)
*Jan 30 00:16:19.215: As1/78 IPCP: SecondaryDNS 165.104.1.24 (0x8306A5680118)
*Jan 30 00:16:19.215: As1/78 IPCP: O CONFACK [ACKrcvd] id 3 len 28
*Jan 30 00:16:19.215: As1/78 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 30 00:16:19.215: As1/78 IPCP: Address 165.104.79.199 (0x0306A5684FC7)
*Jan 30 00:16:19.215: As1/78 IPCP: PrimaryDNS 165.104.1.246 (0x8106A56801F6)
*Jan 30 00:16:19.215: As1/78 IPCP: SecondaryDNS 165.104.1.24 (0x8306A5680118)
*Jan 30 00:16:19.215: As1/78 IPCP: State is Open
*Jan 30 00:16:19.219: As1/78 IPCP: Install route to 165.104.79.199
*Jan 30 00:16:19.219: As1/78 IPCP: Add link info for cef entry 165.104.79.199
*Jan 30 00:16:19.219: RADIUS/ENCODE(00000075): Unsupported AAA attribute timezone
*Jan 30 00:16:19.219: RADIUS/ENCODE: Attribute has no value set for AAA attribute clid
*Jan 30 00:16:19.219: RADIUS/ENCODE(00000075): Unsupported AAA attribute parent-interface
*Jan 30 00:16:19.219: RADIUS/ENCODE(00000075): Unsupported AAA attribute parent-interface-type
*Jan 30 00:16:19.219: RADIUS(00000075): sending
*Jan 30 00:16:19.223: RADIUS: Send to unknown id 116 165.104.1.246:1813, Accounting-Request, len 130
*Jan 30 00:16:19.223: RADIUS: authenticator 6F 2D 56 D2 20 7C 3D 89 - 81 FF 90 78 D3 08 7A 3B
*Jan 30 00:16:19.223: RADIUS: Acct-Session-Id [44] 10 "000000A3"
*Jan 30 00:16:19.223: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jan 30 00:16:19.223: RADIUS: Framed-IP-Address [8] 6 165.104.79.199
*Jan 30 00:16:19.223: RADIUS: Connect-Info [77] 29 "49333/26400 V90/V42bis/LAPM"
*Jan 30 00:16:19.223: RADIUS: Authentic [45] 6 RADIUS [1]
*Jan 30 00:16:19.223: RADIUS: User-Name [1] 8 "iptest"
*Jan 30 00:16:19.223: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Jan 30 00:16:19.223: RADIUS: Called-Station-Id [30] 9 "5555555"
*Jan 30 00:16:19.223: RADIUS: NAS-Port [5] 6 78
*Jan 30 00:16:19.223: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jan 30 00:16:19.223: RADIUS: Service-Type [6] 6 Framed [2]
*Jan 30 00:16:19.223: RADIUS: NAS-IP-Address [4] 6 165.104.1.247
*Jan 30 00:16:19.223: RADIUS: Acct-Delay-Time [41] 6 0
*Jan 30 00:16:19.227: RADIUS: Received from id 116 165.104.1.246:1813, Accounting-response, len 20
*Jan 30 00:16:19.231: RADIUS: authenticator F4 00 1D 54 F0 C8 FC 9D - 48 C4 1F B7 D9 37 64 CD
Even with the incorrect mask the client works just fine, and I see that the
netmask doesn't even seem to be negotiated by the peers, which I guess makes
sense since this is a PPP connection and the mask is somewhat irrelevant.
But can somebody tell me why the client doesn't get the correct mask?
In addition, is there anything wrong with the way I am doing the IP
address assignment? That is, should I be doing the IP pooling for dynamic
addressing on the RADIUS box instead of the AS5400? Does it make a
difference? It seems to work regardless. TIA...
--
Scott Knight, Network Analyst - SSM Health Care, Information Center
email: [EMAIL PROTECTED] + phone: 314.644.7344 + fax: 314.647.1037
"Dad, when you come home with only shattered pieces of your dreams, your
little one can mend them like new with two magic words - 'Hi Dad!'"
- Alan Beck in "Fathers and Sons" -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
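As an added example (not part of Scott's post or FreeRADIUS), a Python decoder for the hex option dumps Cisco prints on the IPCP lines above, run over a few lines copied from the debug output with the mail wrapping undone. It lists the options the peers actually acknowledged next to what RADIUS returned: IPCP (RFC 1332 and RFC 1877) defines address, compression and DNS/NBNS options but no netmask option, so a Framed-IP-Netmask the NAS accepts from RADIUS has no IPCP option to travel in.

```python
import ipaddress
import re
# IPCP configuration option types, RFC 1332 (1-3) and RFC 1877 (0x81-0x84).
# None of them carries a subnet mask: IPCP negotiates addresses, not masks.
IPCP_OPTIONS = {
    0x01: "IP-Addresses", 0x02: "IP-Compression-Protocol", 0x03: "IP-Address",
    0x81: "Primary-DNS", 0x82: "Primary-NBNS", 0x83: "Secondary-DNS", 0x84: "Secondary-NBNS",
}

def decode_ipcp_options(hex_dump):
    """Decode a '(0x...)' dump: each option is TLV (1-byte type, 1-byte total length, data)."""
    data = bytes.fromhex(hex_dump[2:] if hex_dump.lower().startswith("0x") else hex_dump)
    options, i = [], 0
    while i + 2 <= len(data):
        opt_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed IPCP option at offset %d" % i)
        payload = data[i + 2:i + length]
        name = IPCP_OPTIONS.get(opt_type, "Unknown-0x%02X" % opt_type)
        if opt_type == 0x02:   # compression protocol number plus protocol-specific bytes
            value = "proto 0x%04X data %s" % (int.from_bytes(payload[:2], "big"), payload[2:].hex())
        elif len(payload) == 4:
            value = str(ipaddress.IPv4Address(payload))
        else:
            value = payload.hex()
        options.append((name, value))
        i += length
    return options

# Constructed sample: the Access-Accept attributes and the final IPCP CONFACK
# from the debug output above, each record rejoined onto one line.
SAMPLE_LOG = """\
RADIUS: Framed-IP-Netmask [9] 6 255.255.252.0
RADIUS: Framed-IP-Address [8] 6 165.104.79.199
As1/78 IPCP: O CONFACK [ACKrcvd] id 3 len 28
As1/78 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
As1/78 IPCP: Address 165.104.79.199 (0x0306A5684FC7)
As1/78 IPCP: PrimaryDNS 165.104.1.246 (0x8106A56801F6)
As1/78 IPCP: SecondaryDNS 165.104.1.24 (0x8306A5680118)
"""

def compare_radius_to_ipcp(log):
    """Return (RADIUS Framed-IP-* attributes, decoded IPCP options, netmask seen in IPCP?)."""
    radius = dict(re.findall(r"RADIUS: (Framed-IP-\w+) \[\d+\] \d+ (\S+)", log))
    ipcp = []
    for m in re.finditer(r"IPCP: .*\((0x[0-9A-Fa-f]+)\)", log):
        ipcp.extend(decode_ipcp_options(m.group(1)))
    mask_in_ipcp = any(value == radius.get("Framed-IP-Netmask") for _, value in ipcp)
    return radius, ipcp, mask_in_ipcp
```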