Downloadable Access List Not Getting Applied
Satyam Mathura
satz.sm at gmail.com
Fri Dec 4 01:05:29 CET 2009
Guys,
I currently have FreeRADIUS working with a MySQL back-end to authenticate
VPN users on my 2800 Cisco router. I have been trying to get the
downloadable access list feature working but am hitting a brick wall. If I
enable cisco-avpair:=ipsec:inacl=185 I can see the RADIUS server responding
with the access-list but it does not get applied on the connecting VPN
client, which is then unable to successfully connect.
My router config and RADIUS debug are below. Your help is greatly
appreciated.
Router Config:
aaa authentication login default group radius local
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group test
key test
dns 200.12.240.9
domain greendottt.net
pool ippool
!
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto dynamic-map VPNClientMap 1
set transform-set MD5_3DES
reverse-route
!
!
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
crypto map Remoteusers client configuration address respond
crypto map Remoteusers 10 ipsec-isakmp dynamic VPNClientMap
!
!
!
!
interface FastEthernet0/0
description External
ip address 192.168.74.46 255.255.255.0
duplex auto
speed auto
crypto map Remoteusers
radius-server host 192.168.74.45 auth-port 1812 acct-port 1813 key cisco
access-list 185 permit ip any any
Router debug:
*Feb 28 23:00:35.791: AAA/BIND(0000006B): Bind i/f
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:36.103: AAA/BIND(0000006C): Bind i/f
RouterB#
*Feb 28 23:00:39.147: RADIUS/ENCODE(0000006C):Orig. component type = VPN_IPSEC
*Feb 28 23:00:39.151: RADIUS: AAA Unsupported Attr: interface [157] 13
*Feb 28 23:00:39.155: RADIUS: 31 39 32 2E 31 36 38 2E 37 34 2E [192.168.74.]
*Feb 28 23:00:39.155: RADIUS/ENCODE(0000006C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 28 23:00:39.159: RADIUS(0000006C): Config NAS IP: 0.0.0.0
*Feb 28 23:00:39.163: RADIUS/ENCODE(0000006C): acct_session_id: 108
*Feb 28 23:00:39.163: RADIUS(0000006C): sending
*Feb 28 23:00:39.171: RADIUS/ENCODE: Best Local IP-Address 192.168.74.46 for Radius-Server 192.168.74.45
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS: authenticator 39 23 30 9E 12 B5 1A 85 - E8 FF 5E 4D 13 99 6C 73
*Feb 28 23:00:39.183: RADIUS: User-Name [1] 10 "smathura"
*Feb 28 23:00:39.187: RADIUS: User-Password [2]
RouterB# 18 *
*Feb 28 23:00:39.187: RADIUS: Calling-Station-Id [31] 15 "192.168.74.43"
*Feb 28 23:00:39.191: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 28 23:00:39.195: RADIUS: NAS-Port [5] 6 0
*Feb 28 23:00:39.195: RADIUS: NAS-Port-Id [87] 15 "192.168.74.46"
*Feb 28 23:00:39.199: RADIUS: NAS-IP-Address [4] 6 192.168.74.46
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS: authenticator 28 AB B2 01 8C 17 3C E2 - AD 2C 98 DD 91 0D CF 6D
*Feb 28 23:00:39.387: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Feb 28 23:00:39.391: RADIUS: Vendor, Cisco [26] 23
*Feb 28 23:00:39.391: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=185"
*Feb 28 23:00:39.399: RADIUS(0000006C): Received from id 1645/56
RADIUS server debug:
rad_recv: Access-Request packet from host 192.168.74.46 port 1645, id=56, length=96
User-Name = "smathura"
User-Password = "xxxxxxxxx"
Calling-Station-Id = "192.168.74.43"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "192.168.74.46"
NAS-IP-Address = 192.168.74.46
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
expand: SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}") -> SELECT groupname FROM radhuntgroup WHERE
nasipaddress="192.168.74.46" AND nasportid LIKE IF
(SUBSTRING("192.168.74.46", 1, 3) = 'tty', 'tty', "192.168.74.46") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"smathura")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}") } -> vpn
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "smathura", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 211
++[files] returns ok
expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'smathura' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'smathura' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'smathura' ORDER BY priority
expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'engineering' ORDER BY id
rlm_sql (sql): User found in group engineering
expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'engineering' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [smathura] (from client R1 port 0 cli 192.168.74.43)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 56 to 192.168.74.46 port 1645
Service-Type := NAS-Prompt-User
Cisco-AVPair := "ipsec:inacl=185"
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 15 ID 56 with timestamp +2444
Ready to process requests.
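As an added example that is not part of the original post, the following Python encodes the Access-Accept exactly as the router debug prints it (Service-Type NAS-Prompt plus a 23-byte Cisco VSA, 49 bytes in total) and decodes it again, which confirms that the reply reaching the router is well-formed. The packet id, request authenticator and shared secret are the ones visible in the post; the function names are assumptions.

```python
import hashlib
import struct
# RFC 2865 / Cisco VSA constants; sample values below come from the debug in the post.
ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_PROMPT_USER = 2, 6, 26, 7
VENDOR_CISCO, CISCO_AVPAIR = 9, 1   # Cisco enterprise number, Cisco-AVPair vendor-type

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific: Vendor-Id, then a nested vendor-type/vendor-length/string."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text.encode()))

def build_access_accept(ident, request_auth, secret, attrs):
    """Code, Identifier, Length, Response Authenticator, attributes.
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret) per RFC 2865 s3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_attrs(packet):
    """Walk the attribute list; Cisco VSAs are decoded to ('Cisco-AVPair', str)."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", VENDOR_CISCO):
            out.append(("Cisco-AVPair", value[6:4 + value[5]].decode()))  # skip id, type, len
        else:
            out.append((atype, value))
        pos += alen
    return out

def inacl_from_reply(packet):
    """Return the ACL number from an ipsec:inacl=<n> AVPair, or None if absent."""
    for name, val in parse_attrs(packet):
        if name == "Cisco-AVPair" and val.startswith("ipsec:inacl="):
            return val.split("=", 1)[1]
    return None

# Constructed from the debug: id 56, the logged request authenticator, shared
# secret "cisco" from the radius-server line, and the two attributes FreeRADIUS sent.
REQUEST_AUTH = bytes.fromhex("3923309E12B51A85E8FF5E4D13996C73")
REPLY = build_access_accept(56, REQUEST_AUTH, b"cisco", [
    attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)),
    cisco_avpair("ipsec:inacl=185"),
])
```

Because the response authenticator is recomputed from the shared secret, REPLY[4:20] can be compared with the authenticator printed on the Access-Accept debug line to confirm that router and server agree on the key.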