Cisco's split tunneling policy attribute not returned?
Running FreeRadius 1.1.0, and I'm wondering if I'm doing something wrong here. We have some users who have a split tunneling policy configured on their account for various historical reasons. The entries look like so: myuser Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept CVPN3000-IPSEC-Split-Tunneling-Policy = 1, CVPN3000-IPSEC-Split-Tunnel-List = "SPCCOLO_ST", Class = "OU=AOL-TW", Filter-Id = "SPCCOLO_O" Unfortunately, the split tunneling attributes aren't being returned by radiusd to the client (neither the NAS nor radclient). In testing with radclient, I get: # echo 'User-Name = "myuser", User-Password = "", NAS-IP-Address = 127.0.0.1, NAS-Port = 1' | /opt/bin/radclient -d /opt/share/dictionary/ -x 127.0.0.1:1812 auth foobar Sending Access-Request of id 63 to 127.0.0.1 port 1812 User-Name = "myuser" User-Password = "" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=63, length=42 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Our prior GNU radius setup (which I hate) did this just fine, returning: Sending Access-Request of id 224 to 172.18.165.36 port 1645 User-Name = "myuser" User-Password = "" NAS-IP-Address = 172.18.209.18 NAS-Port = 1 rad_recv: Access-Accept packet from host 172.18.165.36:1645, id=224, length=72 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Vendor-3076-Attr-55 = 0x00000001 Vendor-3076-Attr-27 = 0x535043434f4c4f5f5354 Is there something special I need to do to ensure that the Split-Tunneling attributes are returned upon successful authentication? Running radiusd in debug mode doesn't reveal anything obvious to me: # /opt/reverb/sbin/radiusd -AX Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /opt/reverb/etc/clients.conf Config: including file: /opt/reverb/etc/proxy.conf main: prefix = "/opt/reverb" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/opt/reverb/lib" main: radacctdir = "/var/log/radius" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "reverb" main: group = "reverb" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "before" main: nospace_pass = "no" main: checkrad = "/opt/reverb/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 1 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 300 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms listen: port = 1645 listen: type = "auth" listen: port = 1646 listen: type = "acct" listen: port = 1812 listen: type = "auth" listen: port = 1813 listen: type = "acct" radiusd: entering modules setup Module: Library search path is /opt/reverb/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "none" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded preprocess preprocess: huntgroups = "/opt/reverb/etc/huntgroups" preprocess: hints = "/opt/reverb/etc/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded syslog syslog: hidepasswd = "yes" syslog: logextra = "(null)" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-auth" Module: Instantiated syslog (auth_log) Module: Loaded files files: usersfile = "/opt/reverb/etc/users" files: acctusersfile = "/opt/reverb/etc/acct_users" files: preproxy_usersfile = "/opt/reverb/etc/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) syslog: hidepasswd = "yes" syslog: logextra = "(null)" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-acct" Module: Instantiated syslog (acct_log) syslog: hidepasswd = "yes" syslog: logextra = "User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-auth" Module: Instantiated syslog (reply_log) Listening on authentication *:1645 Listening on accounting *:1646 Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1647 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:36126, id=68, length=64 User-Name = "myuser" User-Password = "" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_rmspace_pair: User-Name now 'myuser' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched DEFAULT at 35 radius_xlat: 'Port-1812' modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "auth_log" returns ok for request 0 users: Matched entry myuser at line 28547 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [myuser] (from client localhost port 1) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 radius_xlat: 'User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,NAS-Port = 1' rlm_syslog: User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port} expands to User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,NAS-Port = 1 modcall[post-auth]: module "reply_log" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 68 to 127.0.0.1 port 36126 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Finished request 0 Going to the next request
Geoff Silver <geoff+freeradius@uslinux.net> wrote:
Unfortunately, the split tunneling attributes aren't being returned by radiusd to the client (neither the NAS nor radclient). In testing with radclient, I get:
Due to another bug in the server, it isn't telling you that it's ignoring the VPN3000 attributes. See the "dictionary" file that $INCLUDE's all of the other ones. The VPN3000 dictionary is commented out because it conflicts with another one. Uncomment it, and comment out the other one, and it should work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
D'oh! Thanks, Alan, that did the trick! Alan DeKok wrote:
Geoff Silver <geoff+freeradius@uslinux.net> wrote:
Unfortunately, the split tunneling attributes aren't being returned by radiusd to the client (neither the NAS nor radclient). In testing with radclient, I get:
Due to another bug in the server, it isn't telling you that it's ignoring the VPN3000 attributes. See the "dictionary" file that $INCLUDE's all of the other ones. The VPN3000 dictionary is commented out because it conflicts with another one. Uncomment it, and comment out the other one, and it should work.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Geoff Silver