Problems using Freeradius with Anyconnect

Thomas Raabo - ZitCom A/S tr at zitcom.dk
Tue Sep 28 11:13:57 CEST 2010


I am trying to use Freeradius with Cisco ASA AnyConnect, but I just can't get it to work.

The problem is that when I use Freeradius, the ASA just doesn't seem to get the Framed-IP-Address or something... (when we try to connect with AnyConnect it gives the error "host or network is 0"). With IAS the right IP gets assigned and everything just works.

If I try the same thing with Microsoft IAS it just works.

Here is the output from radtest.

First, MS IAS:
[root at mgmt3 raddb]# radtest tr2 at test.local XXXX 172.16.16.206:1812 1 test
Sending Access-Request of id 185 to 172.16.16.206 port 1812
        User-Name = "tr2 at test.local"
        User-Password = "XXXX"
        NAS-IP-Address = 172.16.24.4
        NAS-Port = 1
rad_recv: Access-Accept packet from host 172.16.16.206 port 1812, id=185, length=259
        Framed-IP-Netmask = 255.255.255.128
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-IP-Address = 172.20.3.129
        Class = 0xb4fc099a0000013700011700fe80000000000000e42365c53146798301cb5ed46d12aaaa0000000000000056
        Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
        Cisco-AVPair = "ip:inacl#101=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"

From Freeradius:
[root at mgmt3 raddb]# radtest hmm2 XXXX 172.16.16.202:1812 1 Rzitcom!
Sending Access-Request of id 79 to 172.16.16.202 port 1812
        User-Name = "hmm2"
        User-Password = "XXXX"
        NAS-IP-Address = 172.16.24.4
        NAS-Port = 1
rad_recv: Access-Accept packet from host 172.16.16.202 port 1812, id=79, length=222
        Framed-IP-Netmask = 255.255.255.128
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-IP-Address = 172.20.3.128
        Class = 0x4f553d54455354
        Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"
        Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"


INSERT INTO `radreply` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES
(3, 'hmm2', 'Framed-IP-Netmask', ':=', '255.255.255.128'),
(4, 'hmm2', 'Framed-Protocol', ':=', 'PPP'),
(5, 'hmm2', 'Service-Type', ':=', 'Framed-User'),
(6, 'hmm2', 'Framed-IP-Address', ':=', '172.20.3.128'),
(8, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0'),
(9, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0'),
(7, 'hmm2', 'Class', ':=', 'OU=TEST');



This is the output from the ASA, so it is able to use Freeradius... :) We also use it for administrative users.


test aaa-server  authentication RadiusServers host 172.16.16.202 us$
INFO: Attempting Authentication test to IP address <172.16.16.202> (timeout: 12 seconds)
INFO: Authentication Successful




Best regards
Thomas Raabo
Network Manager


<http://www.zitcom.dk/>

tr at zitcom.dk | Direct: +45 69 10 60 18 | Tel: +45 70 23 55 66
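As an added check (not part of the original post or of FreeRADIUS), here is a small Python script that lints the radreply rows above for the two differences visible between the IAS and FreeRADIUS replies: the assigned Framed-IP-Address sitting on the network address of its Framed-IP-Netmask (all host bits zero, consistent with a "host or network is 0" message; IAS returned .129), and two ip:inacl# entries sharing index 100 where IAS returned 100 and 101. The row list is a constructed copy of the INSERT above and the function name is my own.

```python
import ipaddress
from collections import defaultdict

# Constructed copy of the radreply rows from the post: (UserName, Attribute, op, Value)
RADREPLY = [
    ("hmm2", "Framed-IP-Netmask", ":=", "255.255.255.128"),
    ("hmm2", "Framed-Protocol", ":=", "PPP"),
    ("hmm2", "Service-Type", ":=", "Framed-User"),
    ("hmm2", "Framed-IP-Address", ":=", "172.20.3.128"),
    ("hmm2", "Cisco-AVPair", "+=", "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"),
    ("hmm2", "Cisco-AVPair", "+=", "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"),
    ("hmm2", "Class", ":=", "OU=TEST"),
]


def check_user_reply(rows, user):
    """Return a list of problem strings for one user's reply attributes (hypothetical helper)."""
    attrs = defaultdict(list)
    for name, attribute, _op, value in rows:
        if name == user:
            attrs[attribute].append(value)
    problems = []

    # 1. The assigned address must be a usable host address inside its own netmask,
    #    not the network address (host bits all zero) or the broadcast address.
    if attrs["Framed-IP-Address"] and attrs["Framed-IP-Netmask"]:
        addr = ipaddress.IPv4Address(attrs["Framed-IP-Address"][-1])
        net = ipaddress.IPv4Network((addr, attrs["Framed-IP-Netmask"][-1]), strict=False)
        if addr == net.network_address:
            problems.append(f"Framed-IP-Address {addr} is the network address of {net}")
        elif addr == net.broadcast_address:
            problems.append(f"Framed-IP-Address {addr} is the broadcast address of {net}")

    # 2. Every ip:inacl#<index> entry for a user should carry a distinct index.
    seen = defaultdict(int)
    for value in attrs["Cisco-AVPair"]:
        if value.startswith("ip:inacl#"):
            seen[value.split("=", 1)[0]] += 1
    for index, count in seen.items():
        if count > 1:
            problems.append(f"{index} appears {count} times; each ACL entry needs its own index")
    return problems


if __name__ == "__main__":
    for problem in check_user_reply(RADREPLY, "hmm2"):
        print(problem)
```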
