Cisco's split tunneling policy attribute not returned?

Geoff Silver geoff+freeradius at uslinux.net
Wed Aug 2 19:19:20 CEST 2006 

Running FreeRadius 1.1.0, and I'm wondering if I'm doing something wrong here. 
  We have some users who have a split tunneling policy configured on their 
account for various historical reasons.  The entries look like so:

myuser          Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept
                 CVPN3000-IPSEC-Split-Tunneling-Policy = 1,
		CVPN3000-IPSEC-Split-Tunnel-List = "SPCCOLO_ST",
                 Class = "OU=AOL-TW", Filter-Id = "SPCCOLO_O"

Unfortunately, the split tunneling attributes aren't being returned by radiusd 
to the client (neither the NAS nor radclient).  In testing with radclient, I get:

# echo 'User-Name = "myuser", User-Password = "", NAS-IP-Address = 127.0.0.1, 
NAS-Port = 1' |  /opt/bin/radclient -d /opt/share/dictionary/ -x 
127.0.0.1:1812 auth foobar
Sending Access-Request of id 63 to 127.0.0.1 port 1812
         User-Name = "myuser"
         User-Password = ""
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=63, length=42
         Class = 0x4f553d414f4c2d5457
         Filter-Id = "SPCCOLO_O"

Our prior GNU radius setup (which I hate) did this just fine, returning:

Sending Access-Request of id 224 to 172.18.165.36 port 1645
         User-Name = "myuser"
         User-Password = ""
         NAS-IP-Address = 172.18.209.18
         NAS-Port = 1
rad_recv: Access-Accept packet from host 172.18.165.36:1645, id=224, length=72
         Class = 0x4f553d414f4c2d5457
         Filter-Id = "SPCCOLO_O"
         Vendor-3076-Attr-55 = 0x00000001
         Vendor-3076-Attr-27 = 0x535043434f4c4f5f5354

Is there something special I need to do to ensure that the Split-Tunneling 
attributes are returned upon successful authentication?  Running radiusd in 
debug mode doesn't reveal anything obvious to me:

# /opt/reverb/sbin/radiusd -AX
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/reverb/etc/clients.conf
Config:   including file: /opt/reverb/etc/proxy.conf
  main: prefix = "/opt/reverb"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/opt/reverb/lib"
  main: radacctdir = "/var/log/radius"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 1812
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = yes
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "reverb"
  main: group = "reverb"
  main: usercollide = no
  main: lower_user = "yes"
  main: lower_pass = "no"
  main: nospace_user = "before"
  main: nospace_pass = "no"
  main: checkrad = "/opt/reverb/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 1
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 300
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
  listen: port = 1645
  listen: type = "auth"
  listen: port = 1646
  listen: type = "acct"
  listen: port = 1812
  listen: type = "auth"
  listen: port = 1813
  listen: type = "acct"
radiusd:  entering modules setup
Module: Library search path is /opt/reverb/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "none"
  exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded preprocess
  preprocess: huntgroups = "/opt/reverb/etc/huntgroups"
  preprocess: hints = "/opt/reverb/etc/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded syslog
  syslog: hidepasswd = "yes"
  syslog: logextra = "(null)"
  syslog: logfacility = "local3"
  syslog: loglevel = "info"
  syslog: logname = "radiusd-auth"
Module: Instantiated syslog (auth_log)
Module: Loaded files
  files: usersfile = "/opt/reverb/etc/users"
  files: acctusersfile = "/opt/reverb/etc/acct_users"
  files: preproxy_usersfile = "/opt/reverb/etc/preproxy_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
  syslog: hidepasswd = "yes"
  syslog: logextra = "(null)"
  syslog: logfacility = "local3"
  syslog: loglevel = "info"
  syslog: logname = "radiusd-acct"
Module: Instantiated syslog (acct_log)
  syslog: hidepasswd = "yes"
  syslog: logextra = "User-Name = %{User-Name},Client-IP-Address = 
%{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}"
  syslog: logfacility = "local3"
  syslog: loglevel = "info"
  syslog: logname = "radiusd-auth"
Module: Instantiated syslog (reply_log)
Listening on authentication *:1645
Listening on accounting *:1646
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1647
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:36126, id=68, length=64
         User-Name = "myuser"
         User-Password = ""
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 1
rad_rmspace_pair:  User-Name now 'myuser'
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 35
radius_xlat:  'Port-1812'
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "auth_log" returns ok for request 0
     users: Matched entry myuser at line 28547
   modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [myuser] (from client localhost port 1)
   Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  'User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address 
= 127.0.0.1,NAS-Port = 1'
rlm_syslog: User-Name = %{User-Name},Client-IP-Address = 
%{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port} 
expands to User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 
127.0.0.1,NAS-Port = 1
   modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 68 to 127.0.0.1 port 36126
         Class = 0x4f553d414f4c2d5457
         Filter-Id = "SPCCOLO_O"
Finished request 0
Going to the next request

More information about the Freeradius-Users mailing list