Assigning IP address from RADIUS to Cisco PPTP users

Ivan Kalik tnt at kalik.net
Tue May 26 19:56:42 CEST 2009


> I've used Livingston and Cistron radiusd's in the past with dialup ppp
> users and Cisco/Lucent NASes and have been able to do this with no
> problems.
>
> Users are currently authenticating fine and getting assigned IPs from the
> IP pool as defined in the Cisco NAS.  However, I'd like to have a few,
> select users assigned static IPs from outside that pool, but the Cisco
> (2811) is simply ignoring the raddb/users file entry for that user and
> assigning an IP from the pool on the NAS.
>
> Here is my Cisco config:
> --------------------
> aaa new-model
> aaa authentication login default local group radius
> aaa authentication ppp default group radius local
> aaa authorization exec default local
> aaa authorization network default if-authenticated
> aaa session-id common
>
> vpdn-group 1
>   accept-dialin
>    protocol pptp
>    virtual-template 1
>
> interface Loopback0
>   ip address 99.99.99.99 255.255.255.255
>   ip nat inside
>   ip virtual-reassembly
>
> interface Virtual-Template1
>   ip unnumbered FastEthernet0/0
>   ip policy route-map VPN-Client
>   peer match aaa-pools
>   peer default ip address pool vpnpool
>   no keepalive
>   ppp encrypt mppe auto
>   ppp authentication pap chap ms-chap ms-chap-v2
> !
> ip local pool vpnpool 172.16.30.2 172.16.30.254
> ---------
> Here is the raddb/users file entry:
> ---------
> testuser        Service-Type == Framed-User
>                  Framed-Protocol == PPP,
>                  Framed-IP-Address = 172.16.1.2,
>                  Framed-IP-Netmask = 255.255.255.255,
>                  Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Framed-Protocol == PPP
>          Framed-Protocol = PPP,
>          Framed-Compression = Van-Jacobson-TCP-IP
> --------------
> The DEFAULT entry allows users in /etc/passwd to authenticate fine, but
> "testuser" still gets an IP from the NAS pool instead of the one above.
> Any pointers appreciated!

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Post the debug of the authentication attempt.

Ivan Kalik
Kalik Informatika ISP



