Guys,
I currently have FreeRADIUS working with a MySQL back-end to authenticate VPN users on my 2800 Cisco router. I have been trying to get the downloadable access list feature working but am hitting a brick wall. If I enable cisco-avpair:=ipsec:inacl=185 I can see the RADIUS server responding with the access-list, but it does not get applied on the connecting VPN client, which is then unable to successfully connect.
My router config and radius debug are below. Your help is greatly appreciated.

Router Config:
aaa authentication login default group radius local
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test
 dns 200.12.240.9
 domain greendottt.net
 pool ippool
!
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto dynamic-map VPNClientMap 1
 set transform-set MD5_3DES
 reverse-route
!
!
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
crypto map Remoteusers client configuration address respond
crypto map Remoteusers 10 ipsec-isakmp dynamic VPNClientMap
!
!
!
!
interface FastEthernet0/0
 description External
 ip address 192.168.74.46 255.255.255.0
 duplex auto
 speed auto
 crypto map Remoteusers

radius-server host 192.168.74.45 auth-port 1812 acct-port 1813 key cisco

access-list 185 permit ip any any

Router debug:
*Feb 28 23:00:35.791: AAA/BIND(0000006B): Bind i/f
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:36.103: AAA/BIND(0000006C): Bind i/f
RouterB#
*Feb 28 23:00:39.147: RADIUS/ENCODE(0000006C):Orig. component type = VPN_IPSEC
*Feb 28 23:00:39.151: RADIUS: AAA Unsupported Attr: interface [157] 13
*Feb 28 23:00:39.155: RADIUS: 31 39 32 2E 31 36 38 2E 37 34 2E [192.168.74.]
*Feb 28 23:00:39.155: RADIUS/ENCODE(0000006C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 28 23:00:39.159: RADIUS(0000006C): Config NAS IP: 0.0.0.0
*Feb 28 23:00:39.163: RADIUS/ENCODE(0000006C): acct_session_id: 108
*Feb 28 23:00:39.163: RADIUS(0000006C): sending
*Feb 28 23:00:39.171: RADIUS/ENCODE: Best Local IP-Address 192.168.74.46 for Radius-Server 192.168.74.45
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS: authenticator 39 23 30 9E 12 B5 1A 85 - E8 FF 5E 4D 13 99 6C 73
*Feb 28 23:00:39.183: RADIUS: User-Name [1] 10 "smathura"
*Feb 28 23:00:39.187: RADIUS: User-Password [2]
RouterB# 18 *
*Feb 28 23:00:39.187: RADIUS: Calling-Station-Id [31] 15 "192.168.74.43"
*Feb 28 23:00:39.191: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 28 23:00:39.195: RADIUS: NAS-Port [5] 6 0
*Feb 28 23:00:39.195: RADIUS: NAS-Port-Id [87] 15 "192.168.74.46"
*Feb 28 23:00:39.199: RADIUS: NAS-IP-Address [4] 6 192.168.74.46
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS: authenticator 28 AB B2 01 8C 17 3C E2 - AD 2C 98 DD 91 0D CF 6D
*Feb 28 23:00:39.387: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Feb 28 23:00:39.391: RADIUS: Vendor, Cisco [26] 23
*Feb 28 23:00:39.391: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=185"
*Feb 28 23:00:39.399: RADIUS(0000006C): Received from id 1645/56

Radius Server Debug:

rad_recv: Access-Request packet from host 192.168.74.46 port 1645, id=56, length=96
 User-Name = "smathura"
 User-Password = "xxxxxxxxx"
 Calling-Station-Id = "192.168.74.43"
 NAS-Port-Type = Virtual
 NAS-Port = 0
 NAS-Port-Id = "192.168.74.46"
 NAS-IP-Address = 192.168.74.46
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
 expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
 expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") -> SELECT groupname FROM radhuntgroup WHERE nasipaddress="192.168.74.46" AND nasportid LIKE IF (SUBSTRING("192.168.74.46", 1, 3) = 'tty', 'tty', "192.168.74.46") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "smathura")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") } -> vpn
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "smathura", looking up realm NULL
 rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
 users: Matched entry DEFAULT at line 211
++[files] returns ok
 expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
rlm_sql (sql): Reserving sql socket id: 2
 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'smathura' ORDER BY id
rlm_sql (sql): User found in radcheck table
 expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'smathura' ORDER BY id
 expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'smathura' ORDER BY priority
 expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'engineering' ORDER BY id
rlm_sql (sql): User found in group engineering
 expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'engineering' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password: Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [smathura] (from client R1 port 0 cli 192.168.74.43)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 56 to 192.168.74.46 port 1645
 Service-Type := NAS-Prompt-User
 Cisco-AVPair := "ipsec:inacl=185"
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 15 ID 56 with timestamp +2444
Ready to process requests.
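A small checker for the situation above, added as an example and not part of the original post: it parses IOS "debug radius" lines for the Access-Accept and its Cisco AVpairs, then confirms that the ACL named by ipsec:inacl is actually defined in the router config (ipsec:inacl references an ACL that must already exist on the router, unlike downloaded ACEs). The sample log and config lines are copied from the post; the function names are my own.

```python
import re

# Constructed sample: lines taken from the router "debug radius" output and the
# running config quoted in the post, trimmed to what the checker needs.
DEBUG_LOG = """\
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS:  User-Name           [1]   10  "smathura"
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
*Feb 28 23:00:39.391: RADIUS:  Vendor, Cisco       [26]  23
*Feb 28 23:00:39.391: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=185"
"""
ROUTER_CONFIG = """\
aaa authorization network vpnautho local
crypto map Remoteusers isakmp authorization list vpnautho
access-list 185 permit ip any any
"""

REPLY_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+)")
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]+)"')
# Matches numbered and named ACL headers ("access-list 185 ...", "ip access-list extended X").
ACL_RE = re.compile(r"^(?:ip )?access-list (?:extended |standard )?(\S+)", re.M)


def parse_debug_radius(log):
    """Pull the user, the reply code and every Cisco AVpair out of 'debug radius' lines."""
    result = {"user": None, "reply": None, "avpairs": []}
    for line in log.splitlines():
        m = USER_RE.search(line)
        if m:
            result["user"] = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if m:
            result["reply"] = m.group(2)
            continue
        m = AVPAIR_RE.search(line)
        if m:
            result["avpairs"].append(m.group(1))
    return result


def check_inacl(log, config):
    """Return (acl, defined_on_router) for the ipsec:inacl AVpair, or (None, False)."""
    parsed = parse_debug_radius(log)
    if parsed["reply"] != "Access-Accept":
        return None, False  # no accept, so nothing gets applied regardless of AVpairs
    acls = [v.split("=", 1)[1] for v in parsed["avpairs"] if v.startswith("ipsec:inacl=")]
    if not acls:
        return None, False  # the attribute never reached the router
    return acls[0], acls[0] in set(ACL_RE.findall(config))
```

Running check_inacl on the post's own output returns ("185", True), which narrows the problem to how the router applies the attribute rather than to the RADIUS reply or a missing ACL.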