Hello Emilie -
Thanks for the update.
I will need to see a trace 4 debug from Radiator showing what is happening.
I suspect the Service-Type in the access request for "eshoop" does not match what you have in your users file.
regards
Hugh
On Saturday, Feb 1, 2003, at 03:10 Australia/Melbourne, Emilie Shoop wrote:
Hugh,
It turns out that it was looking for the password cisco, so after I set it to that, it was successful.
Now onto my next problem. I have been successful in getting the group and user to authenticate, but not establish a connection. I believe that I am missing some reply attributes. Can you tell me what I am missing? And where do I put them?
Here is my working Radiator config:
# radius.cfg
LogDir /services/radius/log
DbDir /services/radius/conf
BindAddress x.x.x.25
AuthPort 1812
AcctPort 1813
Trace 5
#For VPN access
<Client x.x.x.54>
Secret xxxx
</Client>
#VPN Authentication x.x.x.54
<Handler NAS-IP-Address = "x.x.x.54">
<AuthBy FILE>
Filename %D/vpn_users
</AuthBy>
PasswordLogFileName %D/passwordlog
</Handler>
Here is my vpn_users file:
eshoop User-Password = xxxxx
        Service-Type = "Framed-User"
        Framed-Protocol = "PPP"
        cisco-avpair = "ISAKMP:addr-pool=ippool"
VPNclients User-Password = cisco
        cisco-avpair = "ipsec:key-exchange=ike"
        cisco-avpair = "tunnel-password=bbb"
Here is my debug from my 2611:
5w1d: ISAKMP (0:0): received packet from x.x.x.127 (N) NEW SA
5w1d: ISAKMP: local port 500, remote port 500
5w1d: ISAKMP: Created a peer node for x.x.x.127
5w1d: ISAKMP (0:1): Setting client config settings 82DE3AE0
5w1d: ISAKMP (0:1): (Re)Setting client xauth list userauthen and
state
5w1d: ISAKMP: Locking CONFIG struct 0x82DE3AE0 from
crypto_ikmp_config_initialize_sa, count 1
5w1d: ISAKMP (0:1): processing SA payload. message ID = 0
5w1d: ISAKMP (0:1): processing ID payload. message ID = 0
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): vendor ID is XAUTH
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID is DPD
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): vendor ID is Unity
5w1d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 9 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 10 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 11 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 12 against priority 3
policy
5w1d: ISAKMP: encryption... What? 7?
5w1d: ISAKMP: hash MD5
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth pre-share
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP: attribute 14
5w1d: ISAKMP (0:1): Encryption algorithm offered does not match
policy!
5w1d: ISAKMP (0:1): atts are not acceptable. Next payload is 3
5w1d: ISAKMP (0:1): Checking ISAKMP transform 13 against priority 3
policy
5w1d: ISAKMP: encryption 3DES-CBC
5w1d: ISAKMP: hash SHA
5w1d: ISAKMP: default group 2
5w1d: ISAKMP: auth XAUTHInitPreShared
5w1d: ISAKMP: life type in seconds
5w1d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
5w1d: ISAKMP (0:1): atts are acceptable. Next payload is 3
5w1d: ISAKMP (0:1): processing KE payload. message ID = 0
5w1d: ISAKMP (0:1): processing NONCE payload. message ID = 0
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: ISAKMP (0:1): processing vendor id payload
5w1d: voice_parse_intf_name: Using the old NAS_PORT string
5w1d: AAA: parse name=ISAKMP-ID-AUTH idb type=-1 tty=-1
5w1d: AAA/MEMORY: create_user (0x82DFF060) user='VPNclients'
ruser='NULL' ds0=0 port='ISAKMP-ID-AUTH' rem_addr='x.x.x.127'
authen_type=NONE service=LOGIN priv=0 initial_task_id='0'
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
5w1d: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(473770404): Port='ISAKMP-
ID-AUTH' list='groupauthor' service=NET
5w1d: AAA/AUTHOR/CRYPTO AAA: ISAKMP-ID-AUTH(473770404)
user='VPNclients'
5w1d: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(473770404): send AV
service=ike
5w1d: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(473770404): send AV
protocol=ipsec
5w1d: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(473770404): found
list "groupauthor"
5w1d: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(473770404): Method=radius
(radius)
5w1d: RADIUS: authenticating to get author data
5w1d: RADIUS: ustruct sharecount=3
5w1d: Radius: radius_port_info() success=0 radius_nas_port=1
5w1d: RADIUS: added cisco VSA 2 len 14 "ISAKMP-ID-AUTH"
5w1d: RADIUS: Send to ISAKMP-ID-AUTH id 175 x.x.x.25:1812, Access-
Request, len 107
5w1d: RADIUS: authenticator DA FF 45 E8 79 F6 B0 61 - 53 1A E3 1A
08 26 FF C3
5w1d: RADIUS: NAS-IP-Address [4] 6 x.x.x.54
5w1d: RADIUS: Vendor, Cisco [26] 22
5w1d: RADIUS: Unsupported [2] 16
5w1d: RADIUS: 49 53 41 4B 4D 50 2D 49 44 2D 41 55 54 48
[ISAKMP-ID-AUTH]
5w1d: RADIUS: NAS-Port-Type [61] 6
Async [0]
5w1d: RADIUS: User-Name [1] 12 "VPNclients"
5w1d: RADIUS: Calling-Station-Id [31] 17 "x.x.x.127"
5w1d: RADIUS: User-Password [2] 18 *
5w1d: RADIUS: Service-Type [6] 6
Outbound [5]
5w1d: RADIUS: Received from id 175 x.x.x.25:1812, Access-Accept, len
77
5w1d: RADIUS: authenticator 4E C5 12 67 E9 9F AD 7B - 3B 85 B2 AD
C4 37 CA B4
5w1d: RADIUS: Vendor, Cisco [26] 30
5w1d: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
5w1d: RADIUS: Vendor, Cisco [26] 27
5w1d: RADIUS: Cisco AVpair [1] 21 "tunnel-password=bbb"
5w1d: RADIUS: saved authorization data for user 82DFF060 at 82DE2B4C
5w1d: RADIUS: cisco AVPair "ipsec:key-exchange=ike"
5w1d: RADIUS: cisco AVPair ":tunnel-password=bbb"
5w1d: AAA/AUTHOR (473770404): Post authorization status = PASS_REPL
5w1d: ISAKMP: got callback 1
AAA/AUTHOR/IKE: Processing AV key-exchange=ike
AAA/AUTHOR/IKE: Processing AV tunnel-password=bbb
5w1d: ISAKMP (0:1): SKEYID state generated
5w1d: ISAKMP (0:1): SA is doing pre-shared key authentication plux
XAUTH using id type ID_IPV4_ADDR
5w1d: ISAKMP (1): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
5w1d: ISAKMP (1): Total payload length: 12
5w1d: ISAKMP (0:1): sending packet to x.x.x.127 (R) AG_INIT_EXCH
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
5w1d: AAA/MEMORY: free_user (0x82DFF060) user='VPNclients'
ruser='NULL' port='ISAKMP-ID-AUTH' rem_addr='x.x.x.127'
authen_type=NONE service=LOGIN priv=0
5w1d: ISAKMP (0:1): received packet from x.x.x.127 (R) AG_INIT_EXCH
5w1d: ISAKMP (0:1): processing HASH payload. message ID = 0
5w1d: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 82DF9E90
5w1d: ISAKMP (0:1): Process initial contact, bring down existing
phase 1 and 2 SA's
5w1d: ISAKMP (0:1): returning IP addr to the address pool
5w1d: ISAKMP (0:1): peer does not do paranoid keepalives.
5w1d: ISAKMP (0:1): SA has been authenticated with x.x.x.127
5w1d: IPSEC(key_engine): got a queue event...
5w1d: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
5w1d: IPSEC(key_engine_delete_sas): delete all SAs shared with
x.x.x.127
5w1d: ISAKMP (0:1): sending packet to x.x.x.127 (R) QM_IDLE
5w1d: ISAKMP (0:1): purging node 1017928958
5w1d: ISAKMP: Sending phase 1 responder lifetime 86400
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
5w1d: ISAKMP (0:1): Need XAUTH
5w1d: voice_parse_intf_name: Using the old NAS_PORT string
5w1d: AAA: parse name=ISAKMP idb type=-1 tty=-1
5w1d: AAA/MEMORY: create_user (0x82DFF060) user='NULL' ruser='NULL'
ds0=0 port='ISAKMP' rem_addr='x.x.x.127' authen_type=ASCII
service=LOGIN priv=0 initial_task_id='0'
5w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT
5w1d: AAA/AUTHEN/START (2297331969): port='ISAKMP' list='userauthen'
action=LOGIN service=LOGIN
5w1d: AAA/AUTHEN/START (2297331969): found list userauthen
5w1d: AAA/AUTHEN/START (2297331969): Method=radius (radius)
5w1d: AAA/AUTHEN(2297331969): Status=GETUSER
5w1d: ISAKMP: got callback 1
5w1d: ISAKMP/xauth: request attribute XAUTH_TYPE_V2
5w1d: ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2
5w1d: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
5w1d: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
5w1d: ISAKMP (0:1): initiating peer config to x.x.x.127. ID = -
1267797712
5w1d: ISAKMP (0:1): sending packet to x.x.x.127 (R) CONF_XAUTH
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State =
IKE_XAUTH_REQ_SENT
5w1d: ISAKMP (0:1): received packet from x.x.x.127 (R) CONF_XAUTH
5w1d: ISAKMP (0:1): processing transaction payload from
141.142.102.127. message ID = -1267797712
5w1d: ISAKMP: Config payload REPLY
5w1d: ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected
5w1d: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
5w1d: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
5w1d: ISAKMP (0:1): deleting node -1267797712 error FALSE
reason "done with xauth request/reply exchange"
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Old State = IKE_XAUTH_REQ_SENT New State =
IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
5w1d: AAA/AUTHEN/CONT (2297331969): continue_login (user='(undef)')
5w1d: AAA/AUTHEN(2297331969): Status=GETUSER
5w1d: AAA/AUTHEN(2297331969): Method=radius (radius)
5w1d: AAA/AUTHEN(2297331969): Status=GETPASS
5w1d: AAA/AUTHEN/CONT (2297331969): continue_login (user='eshoop')
5w1d: AAA/AUTHEN(2297331969): Status=GETPASS
5w1d: AAA/AUTHEN(2297331969): Method=radius (radius)
5w1d: RADIUS: ustruct sharecount=2
5w1d: Radius: radius_port_info() success=0 radius_nas_port=1
5w1d: RADIUS: added cisco VSA 2 len 6 "ISAKMP"
5w1d: RADIUS: Send to ISAKMP id 176 x.x.x.25:1812, Access-Request,
len 89
5w1d: RADIUS: authenticator E5 D7 05 AF C4 E2 0B 4B - 50 92 BA 88
77 A6 4E 0A
5w1d: RADIUS: NAS-IP-Address [4] 6 x.x.x.54
5w1d: RADIUS: Vendor, Cisco [26] 14
5w1d: RADIUS: Unsupported [2] 8
5w1d: RADIUS: 49 53 41 4B 4D 50
[ISAKMP]
5w1d: RADIUS: NAS-Port-Type [61] 6
Async [0]
5w1d: RADIUS: User-Name [1] 8 "eshoop"
5w1d: RADIUS: Calling-Station-Id [31] 17 "x.x.x.127"
5w1d: RADIUS: User-Password [2] 18 *
5w1d: RADIUS: Received from id 176 x.x.x.25:1812, Access-Accept, len
63
5w1d: RADIUS: authenticator F2 C3 74 B9 C1 76 E1 7E - 2C 88 42 87
2E F1 36 94
5w1d: RADIUS: Service-Type [6] 6
Framed [2]
5w1d: RADIUS: Framed-Protocol [7] 6
PPP [1]
5w1d: RADIUS: Vendor, Cisco [26] 31
5w1d: RADIUS: Cisco AVpair [1] 25 "ISAKMP:addr-
pool=ippool"
5w1d: RADIUS: saved authorization data for user 82DFF060 at 82DDD3FC
5w1d: AAA/AUTHEN(2297331969): Status=PASS
5w1d: ISAKMP: got callback 1
5w1d: ISAKMP (0:1): initiating peer config to x.x.x.127. ID = -
732527648
5w1d: ISAKMP (0:1): sending packet to x.x.x.127 (R) CONF_XAUTH
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State =
IKE_XAUTH_SET_SENT
5w1d: AAA/MEMORY: free_user (0x82DFF060) user='eshoop' ruser='NULL'
port='ISAKMP' rem_addr='x.x.x.127' authen_type=ASCII service=LOGIN
priv=0
5w1d: ISAKMP (0:1): received packet from x.x.x.127 (R) CONF_XAUTH
5w1d: ISAKMP (0:1): processing transaction payload from
141.142.102.127. message ID = -732527648
5w1d: ISAKMP: Config payload ACK
5w1d: ISAKMP (0:1): XAUTH ACK Processed
5w1d: ISAKMP (0:1): deleting node -732527648 error FALSE
reason "done with transaction"
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
5w1d: ISAKMP (0:1): received packet from x.x.x.127 (R) QM_IDLE
5w1d: ISAKMP (0:1): processing transaction payload from x.x.x.127.
message ID = -2147199950
5w1d: ISAKMP: Config payload REQUEST
5w1d: ISAKMP (0:1): checking request:
5w1d: ISAKMP: IP4_ADDRESS
5w1d: ISAKMP: IP4_NETMASK
5w1d: ISAKMP: IP4_DNS
5w1d: ISAKMP: IP4_NBNS
5w1d: ISAKMP: ADDRESS_EXPIRY
5w1d: ISAKMP: APPLICATION_VERSION
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7000
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7001
5w1d: ISAKMP: DEFAULT_DOMAIN
5w1d: ISAKMP: SPLIT_INCLUDE
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7003
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7007
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7008
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7009
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x700A
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7005
5w1d: ISAKMP: UNKNOWN Unknown Attr: 0x7006
5w1d: voice_parse_intf_name: Using the old NAS_PORT string
5w1d: AAA: parse name=ISAKMP-GROUP-AUTH idb type=-1 tty=-1
5w1d: AAA/MEMORY: create_user (0x82DEE76C) user='VPNclients'
ruser='NULL' ds0=0 port='ISAKMP-GROUP-AUTH' rem_addr='x.x.x.127'
authen_type=NONE service=LOGIN priv=0 initial_task_id='0'
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
5w1d: ISAKMP (0:1): Unknown Input: state =
IKE_CONFIG_AUTHOR_AAA_AWAIT, major, minor = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
5w1d: ISAKMP-GROUP-AUTH AAA/AUTHOR/CRYPTO AAA(1896844658):
Port='ISAKMP-GROUP-AUTH' list='groupauthor' service=NET
5w1d: AAA/AUTHOR/CRYPTO AAA: ISAKMP-GROUP-AUTH(1896844658)
user='VPNclients'
5w1d: ISAKMP-GROUP-AUTH AAA/AUTHOR/CRYPTO AAA(1896844658): send AV
service=ike
5w1d: ISAKMP-GROUP-AUTH AAA/AUTHOR/CRYPTO AAA(1896844658): send AV
protocol=ipsec
5w1d: ISAKMP-GROUP-AUTH AAA/AUTHOR/CRYPTO AAA(1896844658): found
list "groupauthor"
5w1d: ISAKMP-GROUP-AUTH AAA/AUTHOR/CRYPTO AAA(1896844658):
Method=radius (radius)
5w1d: RADIUS: authenticating to get author data
5w1d: RADIUS: ustruct sharecount=3
5w1d: Radius: radius_port_info() success=0 radius_nas_port=1
5w1d: RADIUS: added cisco VSA 2 len 17 "ISAKMP-GROUP-AUTH"
5w1d: RADIUS: Send to ISAKMP-GROUP-AUTH id 177 x.x.x.25:1812, Access-
Request, len 110
5w1d: RADIUS: authenticator F6 55 BC F6 B5 CF AD 29 - 6D AD CA CF
22 04 77 54
5w1d: RADIUS: NAS-IP-Address [4] 6 x.x.x.54
5w1d: RADIUS: Vendor, Cisco [26] 25
5w1d: RADIUS: Unsupported [2] 19
5w1d: RADIUS: 49 53 41 4B 4D 50 2D 47 52 4F 55 50 2D 41 55 54
[ISAKMP-GROUP-AUT]
5w1d: RADIUS: 48 [H]
5w1d: RADIUS: NAS-Port-Type [61] 6
Async [0]
5w1d: RADIUS: User-Name [1] 12 "VPNclients"
5w1d: RADIUS: Calling-Station-Id [31] 17 "x.x.x.127"
5w1d: RADIUS: User-Password [2] 18 *
5w1d: RADIUS: Service-Type [6] 6
Outbound [5]
5w1d: RADIUS: Received from id 177 x.x.25:1812, Access-Accept, len 77
5w1d: RADIUS: authenticator 07 E6 72 73 E3 09 FC 50 - 95 C5 85 8C
F8 CA E2 B7
5w1d: RADIUS: Vendor, Cisco [26] 30
5w1d: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
5w1d: RADIUS: Vendor, Cisco [26] 27
5w1d: RADIUS: Cisco AVpair [1] 21 "tunnel-password=bbb"
5w1d: RADIUS: saved authorization data for user 82DEE76C at 82DFF060
5w1d: RADIUS: cisco AVPair "ipsec:key-exchange=ike"
5w1d: RADIUS: cisco AVPair ":tunnel-password=bbb"
5w1d: AAA/AUTHOR (1896844658): Post authorization status = PASS_REPL
5w1d: ISAKMP: got callback 1
AAA/AUTHOR/IKE: Processing AV key-exchange=ike
AAA/AUTHOR/IKE: Processing AV tunnel-password=bbb
5w1d: ISAKMP (0:1): attributes sent in message:
5w1d: Address: 0.2.0.0
5w1d: ISAKMP (0:1): No IP address pool defined for ISAKMP!
5w1d: ISAKMP: Unknown Attr: IP4_NETMASK (0x2)
5w1d: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the
address: 86397
5w1d: ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork
Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(8)T4,
RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 06-May-02 00:52 by ccai
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7000)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7001)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7003)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7007)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7008)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7009)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x700A)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7005)
5w1d: ISAKMP: Unknown Attr: UNKNOWN (0x7006)
5w1d: ISAKMP (0:1): responding to peer config from x.x.x.127. ID = -
2147199950
5w1d: ISAKMP (0:1): sending packet to x.x.x.127 (R) CONF_ADDR
5w1d: ISAKMP (0:1): deleting node -2147199950 error FALSE reason ""
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
5w1d: AAA/MEMORY: free_user (0x82DEE76C) user='VPNclients'
ruser='NULL' port='ISAKMP-GROUP-AUTH' rem_addr='x.x.x.127'
authen_type=NONE service=LOGIN priv=0
5w1d: ISAKMP (0:1): received packet from x.x.x.127 (R) QM_IDLE
5w1d: ISAKMP (0:1): processing HASH payload. message ID = -1206147374
5w1d: ISAKMP (0:1): processing DELETE payload. message ID = -
1206147374
5w1d: ISAKMP (0:1): peer does not do paranoid keepalives.
5w1d: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state
(R) QM_IDLE (peer x.x.x.127) input queue 0
5w1d: ISAKMP (0:1): deleting node -1206147374 error FALSE
reason "informational (in) state 1"
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
5w1d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
5w1d: ISAKMP (0:1): deleting SA reason "" state (R) QM_IDLE
(peer 141.142.102.127) input queue 0
5w1d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_DEST_SA New State = IKE_DEST_SA
Thanks,
Emilie
At 01:01 AM 1/25/2003, Hugh Irvine wrote:
Hello Emilie -
I can only think that the shared secret is incorrect between the Cisco and Radiator.
Please check the shared secrets and if still unsuccessful please send me a trace 5 debug together with the real passwords and the shared secrets so we can check that they are correctly encrypted.
regards
Hugh
On Saturday, Jan 25, 2003, at 08:29 Australia/Melbourne, Emilie Shoop wrote:
Hugh,
I've tried every way I can think of to make this work today. I was at first assuming that since it finds the user "VPNclients" (which is the group name) in the user file, that it should be able to authenticate the group with the user file. Here is the trace that is making me think that way. However, I get Bad Password...which I know is correct. I can log in as the user VPNclients with the same password, when I turn the group authentication on locally on the router.
Code:       Access-Request
Identifier: 14
Authentic:  <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
Attributes:
        NAS-IP-Address = x.x.x.x
        NAS-Port-Type = Async
        User-Name = "VPNclients"
        Calling-Station-Id = "y.y.y.y"
        User-Password = "|<20>RIQ)5<175>MV<196><21><190><191>5<198>"
        Service-Type = Outbound-User
Fri Jan 24 15:26:59 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Fri Jan 24 15:26:59 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Fri Jan 24 15:26:59 2003: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE looks for match with VPNclients
Fri Jan 24 15:26:59 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Fri Jan 24 15:26:59 2003: INFO: Access rejected for VPNclients: Bad Password
Fri Jan 24 15:26:59 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 ....
Code:       Access-Reject
Identifier: 14
Authentic:  <215>iw<236><189><145><29>N=<236><16><243><245>\<171><145>
Attributes:
        Reply-Message = "Request Denied"
I tried to create a group that was called VPNclients with the right password, but was unsuccessful in figuring that out.
Any ideas?
Thanks,
Emilie
At 05:12 PM 1/24/2003 +1100, Hugh Irvine wrote:
Hello Emily -
Thanks for sending the URL.
As far as I can see, you will need to use the Cisco VPN client to make
the connection which will first ask you for the group and the group
password, then the username and the username password.
You should configure both the name of the group with its password and
corresponding reply attributes, and the username and password with its
reply attributes.
If you have any other questions, don't hesitate to ask.
regards
Hugh
On Friday, Jan 24, 2003, at 02:15 Australia/Melbourne, Emilie Shoop
wrote:
Hugh,
You are correct about the authentication of the group first, and then
the username.
Here is the url where Cisco explains how to do it on a Cisco Radius
server.
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800949ba.shtml
Does that help?
Thanks,
Emilie
At 08:54 PM 1/23/2003 +1100, Hugh Irvine wrote:
Hello Emilie -
Thanks for sending the trace files.
I am not familiar with this aspect of the Cisco IOS, but it may be
that it tries the group first, and then if it gets an accept it will
try the username.
You should check the Cisco web site to verify how this is supposed to
work, then configure Radiator in consequence.
If you can send me a reference to the Cisco URL I will take a look.
regards
Hugh
On Thursday, Jan 23, 2003, at 02:18 Australia/Melbourne, Emilie Shoop
wrote:
Thanks for the quick response.
This is the trace as I see it with the cisco configured with aaa
authorization network groupauthor local.
*** Received from x.x.x.x port 1645 ....
Packet length = 75
01 f4 00 4b f1 e4 49 72 a8 e7 29 28 94 cf 2a aa
b2 78 13 66 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 08 65 73 68 6f 6f 70 1f 11 31 34 31 2e 31 34
32 2e 31 30 32 2e 31 32 37 02 12 6a 4a a4 90 af
70 8d 39 bf 20 17 0d 76 d3 71 0a
Code:       Access-Request
Identifier: 244
Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
Attributes:
        NAS-IP-Address = x.x.x.x
        NAS-Port-Type = Async
        User-Name = "eshoop"
        Calling-Station-Id = "y.y.y.y"
        User-Password = "jJ<164><144><175>p<141>9<191><23><13>v<211>q<10>"
Wed Jan 22 08:57:06 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Wed Jan 22 08:57:06 2003: DEBUG: Deleting session for eshoop, x.x.x.x,
Wed Jan 22 08:57:06 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE looks for match
with eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Jan 22 08:57:06 2003: DEBUG: Access accepted for eshoop
Wed Jan 22 08:57:06 2003: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1645 ....
Packet length = 32
02 f4 00 20 03 f8 31 7e 5c 75 48 85 30 fd 2c ac
78 94 12 95 19 0c 56 50 4e 63 6c 69 65 6e 74 73
Code:       Access-Accept
Identifier: 244
Authentic:  <241><228>Ir<168><231>)(<148><207>*<170><178>x<19>f
Attributes:
This is the trace when I changed the cisco config. from aaa
authorization network groupauthor local to aaa authorization network
groupauthor group radius.
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Received from x.x.x.x port 1645 ....
Packet length = 85
01 f5 00 55 4b 93 93 fd d5 84 01 d0 28 d5 84 1e
83 05 69 c5 04 06 8d 8e 65 36 3d 06 00 00 00 00
01 0c 56 50 4e 63 6c 69 65 6e 74 73 1f 11 31 34
31 2e 31 34 32 2e 31 30 32 2e 31 32 37 02 12 07
87 dc 59 24 d7 63 07 02 1f 90 c9 cf 15 cf 40 06
06 00 00 00 05
Code:       Access-Request
Identifier: 245
Authentic:  K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
Attributes:
        NAS-IP-Address = x.x.x.x
        NAS-Port-Type = Async
        User-Name = "VPNclients"
        Calling-Station-Id = "y.y.y.y"
        User-Password = "<7><135><220>Y$<215>c<7><2><31><144><201><207><21><207>@"
        Service-Type = Outbound-User
Wed Jan 22 09:01:39 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = "x.x.x.x"'
Wed Jan 22 09:01:39 2003: DEBUG: Deleting session for VPNclients, x.x.x.x,
Wed Jan 22 09:01:39 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE looks for match
with VPNclients
Wed Jan 22 09:01:39 2003: DEBUG: Radius::AuthFILE REJECT: Bad
Password
Wed Jan 22 09:01:39 2003: INFO: Access rejected for VPNclients: Bad
Password
Wed Jan 22 09:01:39 2003: DEBUG: Packet dump:
*** Sending to 141.142.101.54 port 1645 ....
Packet length = 36
03 f5 00 24 1f 66 6f de ba 0f b2 4e 6e 59 b2 0d
fc 53 3e ad 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 245
Authentic:  K<147><147><253><213><132><1><208>(<213><132><30><131><5>i<197>
Attributes:
        Reply-Message = "Request Denied"
It appears to me that it tries to authenticate the group information
(VPNclients and password) before it prompts me for my username.
This fails, so I never put in my personal information.� However, if
I change the cisco config back to group authorization locally, I can
log in successfully as a user named VPNclients.
I'm not sure if this is what you were looking for or not?
Thanks,
Emilie
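As an added example (not code from Radiator, Cisco IOS, or anyone in this thread): a small RFC 2865 decoder for the Access-Request dumps above, together with the User-Password hiding scheme that makes a wrong shared secret show up only as "Bad Password", which is why Hugh asks to check the secrets before anything else. The packet bytes are the 85-byte id 245 request copied from the dump; the secret "mysecret" used for the round-trip check is a placeholder, since the real one is not on the page.

```python
"""RFC 2865 decoder for the Access-Request dumps posted in this thread.

Added example, not code from Radiator or Cisco IOS. GROUP_REQUEST is the
85-byte Access-Request (id 245) for "VPNclients" copied from the hex
dump in the thread; the shared secret used in the round-trip check is a
constructed placeholder, since the real one is not on the page.
"""
import hashlib
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Attribute numbers seen in the thread's dumps (RFC 2865 section 5).
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              6: "Service-Type", 7: "Framed-Protocol",
              31: "Calling-Station-Id", 61: "NAS-Port-Type"}
SERVICE_TYPES = {2: "Framed-User", 5: "Outbound-User"}
NAS_PORT_TYPES = {0: "Async"}

# Access-Request id 245 from the trace, the one Radiator answered with
# "Bad Password" (bytes copied from the packet dump in the thread).
GROUP_REQUEST = bytes.fromhex(
    "01f500554b9393fdd58401d028d5841e"
    "830569c504068d8e65363d0600000000"
    "010c56504e636c69656e74731f113134"
    "312e3134322e3130322e313237021207"
    "87dc5924d76307021f90c9cf15cf4006"
    "0600000005")


def decode_value(atype, value):
    """Turn an attribute's raw bytes into what Radiator prints for it."""
    if atype in (1, 31):                      # text attributes
        return value.decode("ascii", "replace")
    if atype == 4 and len(value) == 4:        # ipaddr
        return ".".join(str(b) for b in value)
    if atype in (6, 7, 61) and len(value) == 4:   # 32-bit enumerations
        n = struct.unpack("!I", value)[0]
        table = {6: SERVICE_TYPES, 61: NAS_PORT_TYPES}.get(atype, {})
        return table.get(n, n)
    return value                              # User-Password stays hidden


def parse_packet(raw):
    """Split a RADIUS packet into header fields and a list of attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("Length %d does not match %d bytes" % (length, len(raw)))
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:   # RFC 2865 says: silently discard
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype),
                      decode_value(atype, raw[pos + 2:pos + alen])))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": raw[4:20], "attrs": attrs}


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block).

    The first block is chained to the Request Authenticator, later ones to
    the previous *ciphertext* block; the password is NUL-padded to 16n.
    """
    n = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the server does with its Client Secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def password_matches(secret, packet, expected):
    """What AuthBy FILE effectively does: unhide with the <Client> Secret and
    compare. A wrong shared secret yields garbage, so the only symptom the
    server can log is "Bad Password", never "wrong secret"."""
    hidden = dict(packet["attrs"])["User-Password"]
    return reveal_password(secret, packet["authenticator"], hidden) == expected


if __name__ == "__main__":
    pkt = parse_packet(GROUP_REQUEST)
    print(pkt["code"], "id", pkt["id"])
    for name, value in pkt["attrs"]:
        print("   ", name, "=", value)
```

Run as a script it prints the same attribute list Radiator shows for request 245, with Service-Type decoded as Outbound-User, the value Radiator's group request carries and the user request lacks.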
At 11:30 AM 1/22/2003 +1100, Hugh Irvine wrote:
Hello Emilie -
If the Cisco can be configured to do group authentication with
radius, then it should be possible to use Radiator to deal with the
requests.
If you run Radiator at trace 4 you will be able to see the incoming
requests and then you can configure accordingly.
The simplest way to do this sort of debugging is to run radiusd
from the command line and watch the log messages:
        perl radiusd -foreground -log_stdout -trace 4 -config_file
......
If you send me a copy of the trace 4 I will try to help.
regards
Hugh
I was wondering if anyone had a sample Radiator config. for
authenticating
the group information on a Cisco 2611, and subsequently handing
out DNS and
WINS information?
I have my Radius set up to authenticate the users, but now would
like to
move the group information (for the group VPNClients) to the
radius as well.
Here is my Radius config:
# radius.cfg
LogDir /services/radius/log
DbDir /services/radius/conf
BindAddress x.x.x.x
AuthPort 1812
AcctPort 1813
Trace 5
#User
#Group
#For VPN access
<Client x.x.x.x>
    Secret xxxx
</Client>
# For testing: this allows us to honour requests from radpwtst on
localhost
<Client localhost>
    Secret mysecret
    DupInterval 0
</Client>
#Look for a Realm with an exact match on the realm name
#look for a matching regular expression Realm
#look for a <Realm DEFAULT>
#look at each Handler in the order they appear
#VPN Authentication x.x.x.x
<Handler NAS-IP-Address = "x.x.x.x">
    <AuthBy FILE>
        Filename %D/vpn_users
    </AuthBy>
</Handler>
#Default Handler for anything not specified above
<Handler>
    <AuthBy FILE>
    #The Filename defaults to %D/users
    </AuthBy>
</Handler>
Here is my Cisco 2611 config.:
CLIENT_VPN#sh run
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
!
!
crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
!
crypto isakmp client configuration group VPNClients
  key xxxx
  dns x.x.x.x
  wins x.x.x.x
  domain ncsa.uiuc.edu
  pool ippool
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
  set transform-set SET1
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
� crypto map clientmap
!
ip local pool ippool x.x.x.x y.y.y.y
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxx
radius-server retransmit 3
call rsvp-sync
!
Thanks,
Emilie
*********************************************************
   Emilie Shoop             Network Engineer
   [EMAIL PROTECTED]
   Phone: 217.244.5407             Cell: 217.649.8514
   National Center for Supercomputing Applications
**********************************************************
-------------------------------------------------------
--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
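The thread turns on two things a trace 4 would show: which attributes the 2611 puts in its Access-Request (Hugh's suspicion is a Service-Type mismatch) and which reply attributes come back in the Access-Accept (the Service-Type, Framed-Protocol and cisco-avpair lines from vpn_users). The following is an added example, not Radiator code and not anything posted in the thread: a minimal RFC 2865 encoder/decoder in Python that builds both packets, hides and recovers the PAP User-Password, encodes and decodes the Cisco vendor-specific attribute (Vendor-Id 9, sub-type 1 = cisco-avpair), and checks the Response Authenticator the way a NAS must before trusting an Access-Accept. The shared secret "xxxx", the password and the identifier 7 are constructed placeholders; attribute numbers are the standard RFC 2865 and Cisco values.

```python
"""Minimal RFC 2865 RADIUS encoder/decoder: added example (not Radiator's or the
thread's code). Secret and password below are constructed placeholders."""
import hashlib, hmac, os, struct

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
ATTR_FRAMED_PROTOCOL, ATTR_VENDOR_SPECIFIC = 7, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                  # Vendor-Id 9, sub-type 1
SERVICE_TYPE_FRAMED_USER, FRAMED_PROTOCOL_PPP = 2, 1
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2

def attr(atype, value):
    """Type, Length (counts its own 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def int_attr(atype, n):
    return attr(atype, struct.pack("!I", n))

def cisco_avpair(text):
    """Vendor-Specific(26) = Vendor-Id 9 + sub-attribute 1 (cisco-avpair) as a TLV."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous block)."""
    data = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Server side of the same transform (what the server does before comparing)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """What the NAS must check before trusting an Access-Accept."""
    header, got, body = packet[:4], packet[4:20], packet[20:]
    want = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(want, got)

def parse(packet):
    """(code, ident, authenticator, [(type, value)...]); Cisco VSAs become ('cisco-avpair', text)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            attrs.append(("cisco-avpair", value[6:].decode()))
        else:
            attrs.append((atype, value))
    return code, ident, packet[4:20], attrs

def get_int(attrs, atype):
    return next((struct.unpack("!I", v)[0] for t, v in attrs if t == atype), None)

def demo(secret=b"xxxx", password="placeholder-pw"):
    """Access-Request as a NAS would send it, then an Access-Accept carrying the
    reply attributes of the vpn_users entry for eshoop; check both ends."""
    req_auth = os.urandom(16)
    request = build(CODE_ACCESS_REQUEST, 7, req_auth, [
        attr(ATTR_USER_NAME, b"eshoop"),
        attr(ATTR_USER_PASSWORD, pap_hide(password, secret, req_auth)),
        int_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_FRAMED_USER)])
    _, _, auth, req_attrs = parse(request)
    hidden = next(v for t, v in req_attrs if t == ATTR_USER_PASSWORD)
    accept = sign_response(CODE_ACCESS_ACCEPT, 7, req_auth, [
        int_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_FRAMED_USER),
        int_attr(ATTR_FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP),
        cisco_avpair("ISAKMP:addr-pool=ippool")], secret)
    _, _, _, acc_attrs = parse(accept)
    tampered = accept[:-1] + bytes([accept[-1] ^ 1])   # flip one bit of a reply attribute
    return {"password_roundtrip": pap_reveal(hidden, secret, auth) == password,
            "request_service_type": get_int(req_attrs, ATTR_SERVICE_TYPE),
            "accept_verifies": verify_response(accept, req_auth, secret),
            "tampered_verifies": verify_response(tampered, req_auth, secret),
            "reply_avpairs": [v for t, v in acc_attrs if t == "cisco-avpair"],
            "reply_framed_protocol": get_int(acc_attrs, ATTR_FRAMED_PROTOCOL)}
```

Running demo() shows Service-Type 2 (Framed-User) in the request, the cisco-avpair string coming back intact, and the accept verifying only while it is byte-for-byte what the server signed; a one-bit change to the reply attributes fails the Response Authenticator check. If the NAS's request carries a different Service-Type (or none) than the users file entry expects, the mismatch is visible in the parsed attribute list before any reply is built.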
