Assigning IP address from RADIUS to Cisco PPTP users
Neville
nev at itsnev.co.uk
Tue May 26 23:43:18 CEST 2009
> Message: 1
> Date: Tue, 26 May 2009 18:56:42 +0100 (BST)
> From: "Ivan Kalik" <tnt at kalik.net>
> Subject: Re: Assigning IP address from RADIUS to Cisco PPTP users
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <52973.87.194.16.13.1243360602.squirrel at webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
>> I've used Livingston and Cistron radiusd's in the past with dialup ppp
>> users and Cisco/Lucent NASes and have been able to do this with no
>> problems.
>>
>> Users are currently authenticating fine and getting assigned IPs from the
>> IP pool as defined in the Cisco NAS. However, I'd like to have a few,
>> select users assigned static IPs from outside that pool, but the Cisco
>> (2811) is simply ignoring the raddb/users file entry for that user and
>> assigning an IP from the pool on the NAS.
>>
>> Here is my Cisco config::
>> --------------------
>> aaa new-model
>> aaa authentication login default local group radius
>> aaa authentication ppp default group radius local
>> aaa authorization exec default local
>> aaa authorization network default if-authenticated
>> aaa session-id common
>>
>> vpdn-group 1
>> accept-dialin
>> protocol pptp
>> virtual-template 1
>>
>> interface Loopback0
>> ip address 99.99.99.99 255.255.255.255
>> ip nat inside
>> ip virtual-reassembly
>>
>> interface Virtual-Template1
>> ip unnumbered FastEthernet0/0
>> ip policy route-map VPN-Client
>> peer match aaa-pools
>> peer default ip address pool vpnpool
>> no keepalive
>> ppp encrypt mppe auto
>> ppp authentication pap chap ms-chap ms-chap-v2
>> !
>> ip local pool vpnpool 172.16.30.2 172.16.30.254
>> ---------
>> Here is the raddb/users file entry:
>> ---------
>> testuser	Service-Type == Framed-User, Framed-Protocol == PPP
>> 	Framed-Protocol = PPP,
>> 	Framed-IP-Address = 172.16.1.2,
>> 	Framed-IP-Netmask = 255.255.255.255,
>> 	Framed-Compression = Van-Jacobson-TCP-IP
>>
>> DEFAULT	Framed-Protocol == PPP
>> 	Framed-Protocol = PPP,
>> 	Framed-Compression = Van-Jacobson-TCP-IP
>> --------------
>> The DEFAULT entry allows users in /etc/passwd to authenticate fine, but
>> "testuser" still gets an IP from the NAS pool instead of the one above..
>> Any pointers appreciated!
>
> http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
>
> Post the debug of the authentication attempt.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 26 May 2009 14:15:44 -0500
> From: jon jon <free9360 at gmail.com>
> Subject: Re: next
> To: tim.sylvester at networkradius.com, FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <c1efadb10905261215n4c0a4cdbw143227509a69c594 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> OK, so after reading admin.sql it looks like it is telling me what to
> type into my mysql to create a default admin for radius, and so freeradius
> can read any table in sql. Does it matter what I change localhost to, or
> can it be any name I want? I guess I am seeing what I have to do but not fully
> understanding it. I am using a mysql book also but think that might be
> getting me more confused.
> jon
>
> On Tue, May 26, 2009 at 12:02 PM, Tim Sylvester <
> tim.sylvester at networkradius.com> wrote:
>
>> Read the SQL HOWTO at: http://wiki.freeradius.org/SQL_HOWTO. Also, look
>> at the sql.conf file in the raddb directory and the mysql files in
>> raddb/sql/mysql. You will want to read the information in admin.sql and
>> schema.sql.
>>
>>
>>
>> Tim
>>
>>
>>
>> *From:* freeradius-users-bounces+tim.sylvester=networkradius.com at lists.freeradius.org *On Behalf Of* jon jon
>> *Sent:* Tuesday, May 26, 2009 9:51 AM
>> *To:* FreeRadius users mailing list
>> *Subject:* next
>>
>>
>>
>> I have my freeradius working; I'm running Slackware 12.1 with freeradius
>> version 2.1.5. I used the NTRAping utility to send packets to my freeradius
>> server. I also used radtest and that was successful. So now I want to set up
>> freeradius with a backend mysql database. I am looking for the script
>> db_mysql.sql and cannot find this file. I installed mysql as a package
>> when I installed slackware. So, does that file even exist anymore? I have the
>> radius book and the directory it shows doesn't contain any file with that
>> name.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 26 May 2009 20:45:03 +0100 (BST)
> From: "Ivan Kalik" <tnt at kalik.net>
> Subject: Re: next
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <53183.87.194.16.13.1243367103.squirrel at webmail.kalik.net>
> Content-Type: text/plain;charset=utf-8
>
>> OK, so after reading admin.sql it looks like it is telling me what to
>> type into my mysql to create a default admin for radius, and so freeradius
>> can read any table in sql. Does it matter what I change localhost to, or
>> can it be any name I want? I guess I am seeing what I have to do but not fully
>> understanding it. I am using a mysql book also but think that might be
>> getting me more confused.
>
> Well, change localhost to the IP address of your mysql database server. If
> your server is on local host *don't* change localhost into anything else.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 26 May 2009 15:48:49 -0400 (EDT)
> From: up at 3.am
> Subject: Re: Assigning IP address from RADIUS to Cisco PPTP users
> To: tnt at kalik.net, FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <Pine.BSF.4.64.0905261541170.6427 at richard2.pil.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Tue, 26 May 2009, Ivan Kalik wrote:
>
>>> I've used Livingston and Cistron radiusd's in the past with dialup ppp
>>> users and Cisco/Lucent NASes and have been able to do this with no
>>> problems.
>>>
>>> Users are currently authenticating fine and getting assigned IPs from
>>> the
>>> IP pool as defined in the Cisco NAS. However, I'd like to have a few,
>>> select users assigned static IPs from outside that pool, but the Cisco
>>> (2811) is simply ignoring the raddb/users file entry for that user and
>>> assigning an IP from the pool on the NAS.
>>>
>>> Here is my Cisco config::
>>> --------------------
>>> aaa new-model
>>> aaa authentication login default local group radius
>>> aaa authentication ppp default group radius local
>>> aaa authorization exec default local
>>> aaa authorization network default if-authenticated
>>> aaa session-id common
>>>
>>> vpdn-group 1
>>> accept-dialin
>>> protocol pptp
>>> virtual-template 1
>>>
>>> interface Loopback0
>>> ip address 99.99.99.99 255.255.255.255
>>> ip nat inside
>>> ip virtual-reassembly
>>>
>>> interface Virtual-Template1
>>> ip unnumbered FastEthernet0/0
>>> ip policy route-map VPN-Client
>>> peer match aaa-pools
>>> peer default ip address pool vpnpool
>>> no keepalive
>>> ppp encrypt mppe auto
>>> ppp authentication pap chap ms-chap ms-chap-v2
>>> !
>>> ip local pool vpnpool 172.16.30.2 172.16.30.254
>>> ---------
>>> Here is the raddb/users file entry:
>>> ---------
>>> testuser	Service-Type == Framed-User, Framed-Protocol == PPP
>>> 	Framed-Protocol = PPP,
>>> 	Framed-IP-Address = 172.16.1.2,
>>> 	Framed-IP-Netmask = 255.255.255.255,
>>> 	Framed-Compression = Van-Jacobson-TCP-IP
>>>
>>> DEFAULT	Framed-Protocol == PPP
>>> 	Framed-Protocol = PPP,
>>> 	Framed-Compression = Van-Jacobson-TCP-IP
>>> --------------
>>> The DEFAULT entry allows users in /etc/passwd to authenticate fine, but
>>> "testuser" still gets an IP from the NAS pool instead of the one above..
>>> Any pointers appreciated!
>>
>> http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
>>
>> Post the debug of the authentication attempt.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> Hi Ivan:
>
> Here it is... I'm including the startup stuff as well:
>
> FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on Jun 4 2008
> at 11:29:00
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> Starting - reading configuration files ...
> including configuration file /usr/etc/raddb/radiusd.conf
> including configuration file /usr/etc/raddb/clients.conf
> including configuration file /usr/etc/raddb/eap.conf
> including configuration file /usr/etc/raddb/policy.conf
> including files in directory /usr/etc/raddb/sites-enabled/
> including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/etc/raddb/sites-enabled/default
> including dictionary file /usr/etc/raddb/dictionary
> main {
> prefix = "/usr"
> localstatedir = "/usr/var"
> logdir = "/var/log/radius"
> libdir = "/usr/lib"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> allow_core_dumps = no
> pidfile = "/usr/var/run/radiusd/radiusd.pid"
> user = "root"
> group = "wheel"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = no
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "some_secret"
> nastype = "other"
> }
> client 216.1.12.66 {
> require_message_authenticator = no
> secret = "another_secret"
> shortname = "cisco_pptp"
> nastype = "cisco"
> }
> client 192.168.3.36 {
> require_message_authenticator = no
> secret = "yet_another"
> shortname = "s036"
> nastype = "other"
> }
> client 216.1.12.74 {
> require_message_authenticator = no
> secret = "one_more_secret"
> shortname = "utopia"
> nastype = "other"
> }
> radiusd: #### Loading Realms and Home Servers ####
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating exec
> exec {
> wait = yes
> input_pairs = "request"
> shell_escape = yes
> }
> Module: Linked to module rlm_expr
> Module: Instantiating expr
> Module: Linked to module rlm_expiration
> Module: Instantiating expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
> radiusd: #### Loading Virtual Servers ####
> server inner-tunnel {
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
> Module: Linked to module rlm_chap
> Module: Instantiating chap
> Module: Linked to module rlm_mschap
> Module: Instantiating mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = no
> }
> Module: Linked to module rlm_unix
> Module: Instantiating unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> Module: Linked to module rlm_eap
> Module: Instantiating eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/usr/etc/raddb/certs/server.pem"
> certificate_file = "/usr/etc/raddb/certs/server.pem"
> CA_file = "/usr/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/usr/etc/raddb/certs/dh"
> random_file = "/usr/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command = "/usr/etc/raddb/certs/bootstrap"
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_realm
> Module: Instantiating suffix
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Linked to module rlm_files
> Module: Instantiating files
> files {
> usersfile = "/usr/etc/raddb/users"
> acctusersfile = "/usr/etc/raddb/acct_users"
> preproxy_usersfile = "/usr/etc/raddb/preproxy_users"
> compat = "no"
> }
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Linked to module rlm_attr_filter
> Module: Instantiating attr_filter.access_reject
> attr_filter attr_filter.access_reject {
> attrsfile = "/usr/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> }
> }
> }
> server {
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating preprocess
> preprocess {
> huntgroups = "/usr/etc/raddb/huntgroups"
> hints = "/usr/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating detail
> detail {
> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Instantiating attr_filter.accounting_response
> attr_filter attr_filter.accounting_response {
> attrsfile = "/usr/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> }
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> }
> }
>
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 1812
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> Framed-Protocol = PPP
> User-Name = "testuser"
> User-Password = "some_password"
> NAS-Port-Type = Virtual
> NAS-Port = 62
> NAS-Port-Id = "Uniq-Sess-ID62"
> Service-Type = Framed-User
> NAS-IP-Address = 216.1.12.66
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns updated
> users: Matched entry testuser at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> rad_check_password: Found Auth-Type
> auth: type "PAP"
> +- entering group PAP
> rlm_pap: login attempt with password "some_password"
> rlm_pap: Using CRYPT encryption.
> rlm_pap: User authenticated successfully
> ++[pap] returns ok
> Login OK: [testuser/some_password] (from client cisco_pptp port 62)
> +- entering group post-auth
> ++[exec] returns noop
> Framed-Protocol == PPP
> Framed-IP-Address = 172.16.1.2
> Framed-IP-Netmask = 255.255.255.255
> Framed-Compression = Van-Jacobson-TCP-IP
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 205 with timestamp +17
> Ready to process requests.
> -----------
> I'm not using realms, so I'm assuming that realms error is meaningless?
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up at 3.am http://3.am
> =========================================================================
Make sure override is disabled in the ippool module, e.g.:

  # override:
  # If set, the Framed-IP-Address already in the
  # reply (if any) will be discarded, and replaced
  # with a Framed-IP-Address assigned here.
  override = no
Regards
Nev
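The debug trace James posted is the evidence for the whole thread: it shows which modules acted in authorize and exactly what went back to the Cisco. The script below is an added example (not code from the list, FreeRADIUS or Cisco) that triages a `radiusd -X` trace of this shape mechanically: it splits one request into the attributes the NAS sent, the module return codes, and the reply attributes, then reports whether Framed-IP-Address was actually sent, whether any reply line carries a check operator (`==` on a users-file continuation line, as in the posted entry), and whether an ippool module ran at all, which is the precondition for Nev's override suggestion to matter. The trace embedded here is constructed, modelled line for line on the posted output with its attribute names and values; the function names and the finding texts are my own.

```python
"""Triage one Access-Request from a FreeRADIUS 2.x 'radiusd -X' trace.

Added example. SAMPLE_TRACE is constructed to mirror the layout of the debug
output quoted in this thread; it is not a verbatim capture.
"""
import re

SAMPLE_TRACE = """\
Ready to process requests.
        Framed-Protocol = PPP
        User-Name = "testuser"
        User-Password = "some_password"
        NAS-Port-Type = Virtual
        NAS-Port = 62
        NAS-Port-Id = "Uniq-Sess-ID62"
        Service-Type = Framed-User
        NAS-IP-Address = 216.1.12.66
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[unix] returns updated
    users: Matched entry testuser at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
++[pap] returns ok
Login OK: [testuser/some_password] (from client cisco_pptp port 62)
+- entering group post-auth
++[exec] returns noop
        Framed-Protocol == PPP
        Framed-IP-Address = 172.16.1.2
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
"""

# "Name op value"; op is one of the users-file operators that show up in a trace.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9][A-Za-z0-9-]*)\s*(==|:=|\+=|=)\s*(.+?)\s*$')
MODULE_RE = re.compile(r'^\+\+\[(\S+)\]\s+returns\s+(\w+)')
MATCH_RE = re.compile(r'users:\s+Matched entry\s+(\S+)\s+at line\s+(\d+)')


def parse_trace(text):
    """Split a single request's trace into request attrs, module results and
    reply attrs. Reply attrs are the attribute lines after the post-auth group
    (or after a 'Sending Access-...' line, which later versions print)."""
    result = {'request': {}, 'reply': [], 'modules': [],
              'matched_entry': None, 'login_ok': False}
    section = 'request'
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('+- entering group authorize'):
            section = 'authorize'
            continue
        if s.startswith('+- entering group post-auth') or s.startswith('Sending Access-'):
            section = 'reply'
            continue
        if s.startswith('Finished request'):
            break
        m = MODULE_RE.match(s)
        if m:
            result['modules'].append((m.group(1), m.group(2)))
            continue
        m = MATCH_RE.search(s)
        if m:
            result['matched_entry'] = (m.group(1), int(m.group(2)))
            continue
        if s.startswith('Login OK:'):
            result['login_ok'] = True
            continue
        m = ATTR_RE.match(line)
        if m and section in ('request', 'reply'):
            name, op, value = m.groups()
            value = value.strip('"')
            if section == 'request':
                result['request'][name] = value
            else:
                result['reply'].append((name, op, value))  # keep op: it matters below
    return result


def triage(parsed):
    """Return human-readable findings about the reply the server built."""
    findings = []
    reply = {name: value for name, _, value in parsed['reply']}
    if 'Framed-IP-Address' in reply:
        findings.append('server sent Framed-IP-Address = %s in the Access-Accept'
                        % reply['Framed-IP-Address'])
    else:
        findings.append('no Framed-IP-Address in the Access-Accept')
    for name, op, _ in parsed['reply']:
        if op == '==':  # == is a check operator; on a reply line it is a users-file mistake
            findings.append('reply attribute %s uses check operator ==; '
                            'it belongs on the users-file first line' % name)
    ran = {module for module, _ in parsed['modules']}
    if 'ippool' in ran:
        findings.append('ippool ran in this request: check its override setting')
    else:
        findings.append('no ippool module ran, so ippool override cannot have replaced the address')
    return findings


if __name__ == '__main__':
    for finding in triage(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Feed a real trace in place of SAMPLE_TRACE (one request at a time) to get the same three answers for your own setup; if the Access-Accept already carries the address you expect and no module replaced it, the remaining suspect is how the NAS applies the attribute, not the server.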