Cisco ignores Framed-IP-Address from freeradius

Gilloteau Frederic frederic_gilloteau at yahoo.fr
Mon Jul 6 16:48:52 CEST 2009


Hello,
I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN connections.
I would like my CISCO router to assign static IP addresses to remote VPN users thanks to the Freeradius server.
My freeradius server is configured to give static IP addresses to users. I can check it with radtest:
[root at host ~]# radtest toto at domain.com mypassword 127.0.0.1 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
        User-Name = "toto at domain.com"
        User-Password = "mypassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 15.1.1.99
        Framed-IP-Netmask = 255.255.255.0

and the CISCO router gets it ...

Log Buffer (32768 bytes):
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058):Orig. component type = VPN_IPSEC
Jul  3 17:50:35.368: RADIUS:  AAA Unsupported Attr: interface         [158] 13
Jul  3 17:50:35.368: RADIUS:   32 31 33 2E 34 31 2E 31 33 33 2E
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul  3 17:50:35.368: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058): acct_session_id: 72
Jul  3 17:50:35.368: RADIUS(00000058): sending
Jul  3 17:50:35.368: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul  3 17:50:35.368: RADIUS(00000058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul  3 17:50:35.368: RADIUS:  authenticator 73 C3 A8 1F E5 ED BA C6 - B0 39 12 74 33 3C 80 A7
Jul  3 17:50:35.372: RADIUS:  User-Name           [1]   25  "toto at domain.com"
Jul  3 17:50:35.372: RADIUS:  User-Password       [2]   18  *
Jul  3 17:50:35.372: RADIUS:  Calling-Station-Id  [31]  16  "A.B.C.D"
Jul  3 17:50:35.372: RADIUS:  NAS-Port-Type       [61]  6   Virtual      [5]
Jul  3 17:50:35.372: RADIUS:  NAS-Port            [5]   6   3
Jul  3 17:50:35.372: RADIUS:  NAS-Port-Id         [87]  15  "E.F.G.H"
Jul  3 17:50:35.372: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul  3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
Jul  3 17:50:35.444: RADIUS:  authenticator 86 A5 0A EA BE DF 30 E0 - 11 E3 24 54 9B 2C C6 77
Jul  3 17:50:35.444: RADIUS:  Service-Type        [6]   6   Framed      [2]
Jul  3 17:50:35.444: RADIUS:  Framed-Protocol     [7]   6   PPP      [1]
Jul  3 17:50:35.444: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
Jul  3 17:50:35.444: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.0
Jul  3 17:50:35.444: RADIUS(00000058): Received from id 1645/50
Jul  3 17:50:35.444: RADIUS: Constructed " ppp negotiate"
Jul  3 17:50:37.852: RADIUS/ENCODE(00000058):Orig.. component type = VPN_IPSEC
Jul  3 17:50:37.852: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul  3 17:50:37.852: RADIUS(00000058): sending
Jul  3 17:50:37.852: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul  3 17:50:37.852: RADIUS(00000058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul  3 17:50:37.852: RADIUS:  authenticator AE 34 03 31 02 D0 C3 19 - 16 B0 6F DD 1E 26 FE 66
Jul  3 17:50:37.852: RADIUS:  Acct-Session-Id     [44]  10  "00000048"
Jul  3 17:50:37.852: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
Jul  3 17:50:37.852: RADIUS:  User-Name           [1]   25  "toto at domain.com"
Jul  3 17:50:37.852: RADIUS:  Acct-Authentic      [45]  6   RADIUS      [1]
Jul  3 17:50:37.852: RADIUS:  Acct-Status-Type    [40]  6   Start      [1]
Jul  3 17:50:37.852: RADIUS:  NAS-Port-Type       [61]  6   Virtual      [5]
Jul  3 17:50:37.852: RADIUS:  NAS-Port            [5]   6   3
Jul  3 17:50:37.852: RADIUS:  NAS-Port-Id         [87]  15  "E.F.G.H"
Jul  3 17:50:37.852: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul  3 17:50:37.852: RADIUS:  Acct-Delay-Time     [41]  6   0
Jul  3 17:50:37.856: RADIUS: Received from id 1646/33 Y.Y.Y.Y:1813, Accounting-response, len 20
Jul  3 17:50:37.856: RADIUS:  authenticator B8 26 8E 14 AE AB AF AA - 67 C3 3C 1F 62 4D 70 5B


... but never assigns it to remote users; the Cisco router assigns an IP address from its local pool.

The interesting lines of my Cisco configuration are:

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius
crypto isakmp client configuration address-pool local vpnpool
crypto map rasvpn client authentication list ClientAuth
crypto map rasvpn client accounting list ClientAuth
crypto map rasvpn isakmp authorization list ClientAuth
crypto map rasvpn client configuration address respond
crypto map rasvpn 10 ipsec-isakmp dynamic dynmap

I also tried with the cisco av-pair attribute with no luck ...

Does anybody know what the problem could be?

Thanks!

Fred
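
The mismatch described in this message (Access-Accept carries one Framed-IP-Address, the router's Accounting-Request Start reports another) can be detected automatically from router RADIUS debug output like the log above. The script below is an added example, not part of the original post; the function names are hypothetical and the sample lines are constructed from the posted log, including terminal-wrapped lines.

```python
import re

# Constructed sample, modelled on the router log in the post (terminal wraps kept).
SAMPLE = """\
Jul  3 17:50:35.368: RADIUS(00000058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul  3 17:50:35.372: RADIUS:  User-Name           [1]   25  "toto at domain.com"
Jul  3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-A
ccept, len 44
Jul  3 17:50:35.444: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
Jul  3 17:50:37.852: RADIUS(00000058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul  3 17:50:37.852: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
Jul  3 17:50:37.852: RADIUS:  User-Name           [1]   25  "toto at domain.com"
Jul  3 17:50:37.852: RADIUS:  Acct-Status-Type    [40]  6   Start
      [1]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\.\d{3}: ")
SENT = re.compile(r"Send (?P<kind>[\w-]+) to \S+ id (?P<id>\d+/\d+)")
RCVD = re.compile(r"Received from id (?P<id>\d+/\d+) \S+ (?P<kind>[\w-]+),")
ATTR = re.compile(r'RADIUS:\s+(?P<name>[A-Za-z-]+)\s+\[\d+\]\s+\d+\s+"?(?P<val>.*?)"?\s*(?:\[\d+\])?\s*$')

def parse_packets(text):
    """Rejoin wrapped lines (no timestamp = continuation), then group attributes per packet."""
    lines, pkts = [], []
    for raw in text.splitlines():
        if STAMP.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw
    for line in lines:
        head = SENT.search(line) or RCVD.search(line)
        if head:
            pkts.append({"kind": head["kind"], "id": head["id"], "attrs": {}})
        elif pkts and (a := ATTR.search(line)):
            pkts[-1]["attrs"][a["name"]] = a["val"]
    return pkts

def address_mismatches(text):
    """Return (user, assigned, reported) where Accounting-Start differs from Access-Accept."""
    users, assigned, out = {}, {}, []
    for p in parse_packets(text):
        a = p["attrs"]
        if p["kind"] == "Access-Request":
            users[p["id"]] = a.get("User-Name")  # the Accept has no User-Name; join on id
        elif p["kind"] == "Access-Accept" and "Framed-IP-Address" in a:
            assigned[users.get(p["id"])] = a["Framed-IP-Address"]
        elif p["kind"] == "Accounting-Request" and a.get("Acct-Status-Type") == "Start":
            want, got = assigned.get(a.get("User-Name")), a.get("Framed-IP-Address")
            if want and got and want != got:
                out.append((a["User-Name"], want, got))
    return out
```

Calling `address_mismatches(SAMPLE)` reports the user together with the RADIUS-assigned and NAS-reported addresses; an empty list means the router honoured the assignment.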


      