cisco vpn & radius
Pierre LEONARD
pier.leonard at free.fr
Wed May 10 09:59:05 CEST 2006
Pierre LEONARD a écrit :
> hi
>
> i would like to configure my cisco 2620 router as a VPN concentrator
> with a 12.3 IOS, and i use a radius server (freeradius) to authenticate
> the users of the VPN. But when the radius server sends the ip config to
> the router, the router doesn't relay this information to the VPN
> client and assigns an ip from its pool instead.
>
> i don't know how i must configure the router so that it uses the
> radius ip config to configure the VPN client...
>
> if i delete the pool from the router then i cannot connect to the VPN
> router, and i didn't find any configuration option to tell the router
> to use the ip config from the radius...
>
> i hope i'm clear !!
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
i forgot to attach my config
*******************radiusd.conf*********************
# radiusd.conf as posted (FreeRADIUS 1.x layout); the archive stripped the
# original indentation inside the braces.
#
# Installation paths: the later ${...} references expand from these.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# Unprivileged account the daemon runs as.
user = freerad
group = freerad
# Request lifetime and concurrency limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on every interface; port 0 means "take the port from /etc/services"
# (per the stock radiusd.conf comment).
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# Authentication logging is fully off: neither the router's successful nor
# failed xauth requests appear in radius.log. While chasing the
# Framed-IP-Address problem, running `radiusd -X` shows each Access-Accept
# and the attributes it carries back to the router.
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
# No User-Name / User-Password rewriting.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# Proxying is enabled and proxy.conf is pulled in, although the only NAS
# shown is the VPN router; proxy_requests = no would leave the realm
# machinery out if no remote realms are used.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# NAS list (the router and localhost) lives in clients.conf.
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# Default huntgroups/hints; every NAS-specific hack is disabled.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Per-NAS accounting detail files, owner-readable only (0600).
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
# The "users" file: check items and per-user reply items.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# rlm_passwd lookup in /etc/freeradius/user2ip ("user:ip" lines).
# In the format string '*' marks User-Name as the key field and '='
# returns Framed-IP-Address as a reply item (without '=' it would become
# a check item); this is how the per-user VPN address is meant to reach
# the router's Access-Accept.
passwd user2ip {
filename = /etc/freeradius/user2ip
format = "*User-Name:=Framed-IP-Address"
hashsize = 100
}
}
# Order matters: preprocess first, then the users file, then the user2ip
# lookup appends Framed-IP-Address to the reply.
authorize {
preprocess
files
user2ip
}
# Empty: no Auth-Type is forced here, so the server falls back on
# comparing the User-Password check item from the users file with the
# password in the request. NOTE(review): confirm against the FreeRADIUS
# version in use and the password format the router's xauth request
# actually sends, since that decides whether the comparison can succeed.
authenticate {
}
preacct {
preprocess
files
}
accounting {
detail
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
*****************************clients.conf***************************************
# clients.conf as posted: the NAS entries allowed to talk to this server.
#
# Local test client; "testing123" is the secret shipped in the default
# clients.conf and should not stay in use once testing is over.
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
# The Cisco 2620 VPN router. The angle-bracket values are the poster's
# French placeholders: "@ip routeur VPN" = the router's IP address,
# "clé partagé radius/routeur" = the RADIUS/router shared key. The secret
# must match the "key" on the router's "radius-server host" line.
client <@ip routeur VPN> {
secret = <clé partagé radius/routeur>
shortname = router
nastype = cisco
}
*****************************users**********************************************
# "users" file as posted. Reply lines (attribute = value) must be indented
# with a tab in the real file; the archive stripped the indentation.
#
# Catch-all entry: adds a VLAN Tunnel-Type to every reply, then falls
# through so later entries are still evaluated.
DEFAULT
Tunnel-Type = VLAN,
Fall-Through = 1
# Requests from the VPN router on NAS-Port 2 ("@ip routeur VPN" is the
# poster's placeholder for the router address) get a 300 s idle timeout
# and still fall through to the per-user entries.
DEFAULT Nas-Port == 2, Nas-IP-Address == <@ip routeur VPN>
Idle-Timeout = 300,
Fall-through = 1
# Per-user entries: cleartext password check items plus a VLAN id reply.
# Framed-IP-Address is not set here; it comes from the user2ip lookup
# configured in radiusd.conf.
# NOTE(review): the comma ending each "Tunnel-Private-Group-Id" line tells
# the users-file parser that another reply item follows on the next line,
# so the following "toto ..." entry may be read as a malformed reply item —
# drop the trailing comma on the last reply line of each entry.
pierre User-Password == "pierrot"
Tunnel-Private-Group-Id = 12,
toto User-Password == "titi"
Tunnel-Private-Group-Id = 13,
*****************************user2ip********************************************
pierre:192.168.6.6
toto:192.168.10.10
*****************************router*********************************************
Current configuration : 2759 bytes
!
! Running config of the Cisco 2620 VPN concentrator as posted (IOS 12.3);
! the archive stripped the indentation of sub-mode lines. <private> marks
! values the poster redacted before posting.
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
! Password encryption is off: any new line/username "password" would be
! stored in the clear in the running config.
no service password-encryption
!
hostname vpn2600
!
boot-start-marker
! The IOS image is fetched over TFTP at boot from a redacted server.
boot system tftp c2600-ik9o3s3-mz.123-18.bin <private>
boot system tftp c2600-ik9o3s3-mz.123-18.bin2 <private>
boot system tftp c2600-ik9o3s3-mz.123-18.bin3 <private>
boot-end-marker
!
! Type-5 (MD5) enable secret; its hash is now public in the list archive
! and should be rotated.
enable secret 5 $1$j8hq$EhL3/t7cL.uNf5spPQ7mX0
!
aaa new-model
!
!
! RADIUS server group pointing at the FreeRADIUS host (ports 1812/1813).
aaa group server radius group-radius
server <private> auth-port 1812 acct-port 1813
!
! "leo": local login list; not referenced by the crypto map below.
aaa authentication login leo local
! "authentication-radius": xauth user authentication against RADIUS.
aaa authentication login authentication-radius group group-radius
! "groupleo": network authorization list, local only; not referenced by
! the crypto map below either.
aaa authorization network groupleo local
! NOTE(review): the crypto map's "isakmp authorization list
! authorization-radius" names this list, but here it is defined as an
! "aaa authorization configuration" list. IOS Easy VPN server examples
! define the list used for group/user authorization with
! "aaa authorization network <list> group <group>"; confirm whether the
! "configuration" list is consulted at all. If it is not, group data comes
! purely from the local "crypto isakmp client configuration group" entry,
! which would explain why the local pool is always used.
aaa authorization configuration authorization-radius group group-radius
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
! Type-7 password: reversibly obfuscated, not hashed, and now public in
! the archive as well.
username pierre password 7 1119100005000E
!
! Phase 1: 3DES, pre-shared key, DH group 2, keepalive every 10 s.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
!
! Local Easy VPN group: the pool named here is the one the poster sees
! being used. The group key "key-vpn" is the same string as the RADIUS
! server key further down, so one secret serves two unrelated roles.
crypto isakmp client configuration group test-cisco-vpn
key key-vpn
domain u-bordeaux.fr
pool pool-cisco-vpn
!
!
crypto ipsec transform-set set-cisco-vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap-cisco-vpn 10
set transform-set set-cisco-vpn
!
!
! xauth users are authenticated via the "authentication-radius" list and
! mode-config address requests are answered ("respond") by the router.
! The two "list" commands below were wrapped by the mailer; each is a
! single command line.
! NOTE(review): whether a Framed-IP-Address in that user's Access-Accept
! overrides the group pool depends on the IOS release's per-user attribute
! support; "debug radius" and "debug crypto isakmp" show which address
! source is chosen.
crypto map clientmap-cisco-vpn client authentication list
authentication-radius
crypto map clientmap-cisco-vpn isakmp authorization list
authorization-radius
crypto map clientmap-cisco-vpn client configuration address initiate
crypto map clientmap-cisco-vpn client configuration address respond
crypto map clientmap-cisco-vpn 10 ipsec-isakmp dynamic dynmap-cisco-vpn
!
!
interface FastEthernet0/0
ip address <private> <private>
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
! The crypto map is applied on Ethernet1/0 only.
interface Ethernet1/0
ip address <private> <private>
half-duplex
crypto map clientmap-cisco-vpn
!
! Local pool (6 addresses) handed out via mode-config when no per-user
! address is applied.
ip local pool pool-cisco-vpn 192.168.3.5 192.168.3.10
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 <private>
!
!
! Shared secret with FreeRADIUS; must equal the "secret" of this router's
! client entry in clients.conf. Same string as the ISAKMP group key above.
radius-server host <private> auth-port 1812 acct-port 1813 key key-vpn
!
!
! NOTE(review): no "aaa authentication login default" list and no
! "login authentication" on the vty lines; confirm what the vty lines
! actually require before they are reachable from the VPN side.
line con 0
line aux 0
line vty 0 4
!
!
end