<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:3.0cm 2.0cm 3.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DA link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Iam trying to use Freeradius with Cisco ASA anyconnect.. But I just can´t get it to work<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The problem is that when I use Freeradius the ASA just don’t seem to get the framed-ip-address or something… ( when we try to connect with anyconnect it gives the error host or network is 0) with IAS the right ip gets assigned and all just works<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>If I try the same thing with Microsoft IAS it just works<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Here is the output from radtest<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>First MS IAS<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>[root@mgmt3 raddb]# radtest tr2@test.local XXXX 172.16.16.206:1812 1 test<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Sending Access-Request of id 185 to 172.16.16.206 port 1812<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> User-Name = "tr2@test.local"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> User-Password = "XXXX”<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> NAS-IP-Address = 172.16.24.4<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> NAS-Port = 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>rad_recv: Access-Accept packet from host 172.16.16.206 port 1812, id=185, length=259<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-IP-Netmask = 255.255.255.128<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-Protocol = PPP<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Service-Type = Framed-User<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-IP-Address = 172.20.3.129<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Class = 0xb4fc099a0000013700011700fe80000000000000e42365c53146798301cb5ed46d12aaaa0000000000000056<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Cisco-AVPair = "ip:inacl#101=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>From Freeradius<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>[root@mgmt3 raddb]# radtest hmm2 XXXX 172.16.16.202:1812 1 Rzitcom!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Sending Access-Request of id 79 to 172.16.16.202 port 1812<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> User-Name = "hmm2"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> User-Password = "XXXX"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> NAS-IP-Address = 172.16.24.4<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> NAS-Port = 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>rad_recv: Access-Accept packet from host 172.16.16.202 port 1812, id=79, length=222<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-IP-Netmask = 255.255.255.128<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-Protocol = PPP<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Service-Type = Framed-User<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Framed-IP-Address = 172.20.3.128<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Class = 0x4f553d54455354<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> Cisco-AVPair = "ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>INSERT INTO `radreply` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(3, 'hmm2', 'Framed-IP-Netmask', ':=', '255.255.255.128'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(4, 'hmm2', 'Framed-Protocol', ':=', 'PPP'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(5, 'hmm2', 'Service-Type', ':=', 'Framed-User'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(6, 'hmm2', 'Framed-IP-Address', ':=', '172.20.3.128'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(8, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.20.3.0 255.255.255.0'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(9, 'hmm2', 'Cisco-AVPair', '+=', 'ip:inacl#100=permit ip 172.20.3.128 255.255.255.128 172.16.34.0 255.255.255.0'),<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(7, 'hmm2', 'Class', ':=', 'OU=TEST');<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US> This is the out from the ASA so its able to use freeradius… </span><span lang=EN-US style='font-family:Wingdings'>J</span><span lang=EN-US> we also use it for administrative users<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>test aaa-server authentication RadiusServers host 172.16.16.202 us$<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>INFO: Attempting Authentication test to IP address <172.16.16.202> (timeout: 12 seconds)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>INFO: Authentication Successful<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:9.0pt;color:black;mso-fareast-language:DA'>Med venlig hilsen | Best regards<o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='color:black;mso-fareast-language:DA'>Thomas Raabo<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:9.0pt;color:black;mso-fareast-language:DA'>Netværksansvarlig<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black;mso-fareast-language:DA'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:4.0pt;color:#1F497D;mso-fareast-language:DA'><o:p> </o:p></span></p><p class=MsoNormal><a href="http://www.zitcom.dk/"><span style='font-size:1.0pt;color:blue;mso-fareast-language:DA;text-decoration:none'><img border=0 width=134 height=30 id="Picture_x0020_1" src="cid:image001.jpg@01CB5EFD.BE72EA10" alt="Description: Description: Description: cid:image001.jpg@01C9A70C.01A27540"></span></a><span style='font-size:10.0pt;color:#1F497D;mso-fareast-language:DA'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:1.0pt;color:#1F497D;mso-fareast-language:DA'><img border=0 width=364 height=1 id="Picture_x0020_2" src="cid:image002.jpg@01CB5EFD.BE72EA10" alt="Description: Description: Description: cid:image002.jpg@01C9A70C.01A27540"></span><span style='font-size:9.0pt;color:#1F497D;mso-fareast-language:DA'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;color:#1F497D;mso-fareast-language:DA'><a href="mailto:tr@zitcom.dk"><span style='color:blue'>tr@zitcom.dk</span></a> | Direkte: +45 69 10 60 18 | Tlf: +45 70 23 55 66<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>