I am trying to use FreeRADIUS with Cisco ASA AnyConnect, but I just can't get it to work.

The problem is that when I use FreeRADIUS the ASA just doesn't seem to get the Framed-IP-Address or something (when we try to connect with AnyConnect it gives the error "host or network is 0"). With IAS the right IP gets assigned and it all just works. If I try the same thing with Microsoft IAS it just works.

Here is the output from radtest.

First MS IAS:

    [r...@mgmt3 raddb]# radtest [email protected] XXXX 172.16.16.206:1812 1 test
    Sending Access-Request of id 185 to 172.16.16.206 port 1812
            User-Name = "[email protected]"
            User-Password = "XXXX"
            NAS-IP-Address = 172.16.24.4
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 172.16.16.206 port 1812, id=185, length=259
            Framed-IP-Netmask = 255.255.255.128
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Framed-IP-Address = 172.20.3.129
            Class = 0xb4fc099a0000013700011700fe80000000000000e42365c53146798301cb5ed46d12aaaa0000000000000056
            Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
            Cisco-AVPair = "ip:inacl#101=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"

From FreeRADIUS:

    [r...@mgmt3 raddb]# radtest hmm2 XXXX 172.16.16.202:1812 1 Rzitcom!
    Sending Access-Request of id 79 to 172.16.16.202 port 1812
            User-Name = "hmm2"
            User-Password = "XXXX"
            NAS-IP-Address = 172.16.24.4
            NAS-Port = 1
    rad_recv: Access-Accept packet from host 172.16.16.202 port 1812, id=79, length=222
            Framed-IP-Netmask = 255.255.255.128
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Framed-IP-Address = 172.20.3.128
            Class = 0x4f553d54455354
            Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
            Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"

    INSERT INTO `radreply` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES
    (3, 'hmm2', 'Framed-IP-Netmask', ':=', '255.255.255.128'),
    (4, 'hmm2', 'Framed-Protocol', ':=', 'PPP'),
    (5, 'hmm2', 'Service-Type', ':=', 'Framed-User'),
    (6, 'hmm2', 'Framed-IP-Address', ':=', '172.20.3.128'),
    (8, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0'),
    (9, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0'),
    (7, 'hmm2', 'Class', ':=', 'OU=TEST');

This is the output from the ASA, so it's able to use FreeRADIUS... :) We also use it for administrative users.

    test aaa-server authentication RadiusServers host 172.16.16.202 us$
    INFO: Attempting Authentication test to IP address <172.16.16.202> (timeout: 12 seconds)
    INFO: Authentication Successful

Best regards
Thomas Raabo
Network Manager
[email protected] | Direct: +45 69 10 60 18 | Tel: +45 70 23 55 66
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
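Added example, not part of the original post or of FreeRADIUS: a small Python check that parses the two Access-Accept replies shown above and reports where the FreeRADIUS reply differs in ways an address-assigning NAS could care about. The two checks (assigned address equal to the network or broadcast address of its netmask, and a repeated `inacl#` sequence number) are assumptions about what is worth comparing; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Reply attributes copied from the radtest output in the post (Class left out).
IAS_REPLY = '''
Framed-IP-Netmask = 255.255.255.128
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 172.20.3.129
Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
Cisco-AVPair = "ip:inacl#101=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"
'''
FREERADIUS_REPLY = '''
Framed-IP-Netmask = 255.255.255.128
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 172.20.3.128
Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"
'''

def parse_reply(text):
    """Return (attribute, value) pairs in order; attributes may repeat."""
    pattern = re.compile(r'\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')
    return [m.groups() for m in map(pattern.match, text.splitlines()) if m]

def check_reply(text):
    """Return a list of findings for one Access-Accept attribute dump."""
    pairs = parse_reply(text)
    attrs = dict(pairs)  # good enough for the single-valued Framed-* attributes
    findings = []
    if "Framed-IP-Address" in attrs and "Framed-IP-Netmask" in attrs:
        addr = ipaddress.ip_address(attrs["Framed-IP-Address"])
        net = ipaddress.ip_network(f'{addr}/{attrs["Framed-IP-Netmask"]}', strict=False)
        if addr == net.network_address:  # host bits all zero
            findings.append(f"Framed-IP-Address {addr} is the network address of {net}")
        elif addr == net.broadcast_address:  # host bits all one
            findings.append(f"Framed-IP-Address {addr} is the broadcast address of {net}")
    acl = re.compile(r"ip:inacl#(\d+)=")
    seqs = Counter(m.group(1) for a, v in pairs
                   if a == "Cisco-AVPair" and (m := acl.match(v)))
    findings += [f"inacl#{s} is used by {n} Cisco-AVPair entries" for s, n in seqs.items() if n > 1]
    return findings

if __name__ == "__main__":
    for name, reply in (("IAS", IAS_REPLY), ("FreeRADIUS", FREERADIUS_REPLY)):
        print(name, check_reply(reply) or "no findings")
```

With the values from the post, the IAS reply produces no findings, while the FreeRADIUS reply is flagged for assigning 172.20.3.128 under a 255.255.255.128 mask and for using `inacl#100` twice.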

