Assigning IP address from RADIUS to Cisco PPTP users
up at 3.am
Wed May 27 05:43:28 CEST 2009
On Wed, 27 May 2009, Vadim Ostranitsyn wrote:
> Hi!
>
> On Tue, May 26, 2009 at 11:34:41AM -0400, up at 3.am wrote:
>> Users are currently authenticating fine and getting assigned IPs from the
>> IP pool as defined in the Cisco NAS. However, I'd like to have a few,
>> select users assigned static IPs from outside that pool, but the Cisco
>> (2811) is simply ignoring the raddb/users file entry for that user and
>> assigning an IP from the pool on the NAS.
> [...]
>> interface Virtual-Template1
>> ip unnumbered FastEthernet0/0
>> ip policy route-map VPN-Client
>> peer match aaa-pools
>> peer default ip address pool vpnpool
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Drop this line
>
>> no keepalive
>> ppp encrypt mppe auto
>> ppp authentication pap chap ms-chap ms-chap-v2
>> !
>> ip local pool vpnpool 172.16.30.2 172.16.30.254
>> ---------
>> Here is the raddb/users file entry:
>> ---------
>> testuser Service-Type == Framed-User
>> Framed-Protocol == PPP,
>> Framed-IP-Address = 172.16.1.2,
>> Framed-IP-Netmask = 255.255.255.255,
>> Framed-Compression = Van-Jacobson-TCP-IP
>
> Cisco-AVPair = "ip:addr-pool=vpnpool"
>
> Add line above to the DEFAULT user entry.
>
> --
Hi Vadim:
This looked promising, but when I remove that line from my Cisco config, I
cannot log in at all. It just says that it cannot negotiate a ppp
connection (Mac OS X). The debug on radius looks fine (I can supply that
again if needed). Here is the verbose logging from my Mac's
/var/log/ppp.log:
Tue May 26 23:21:13 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:21:13 2009 : PPTP connection established.
Tue May 26 23:21:13 2009 : using link 0
Tue May 26 23:21:13 2009 : Using interface ppp0
Tue May 26 23:21:13 2009 : Connect: ppp0 <--> socket[34:17]
Tue May 26 23:21:13 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc9166b8c> <pcomp> <accomp>]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f29a7d2>]
Tue May 26 23:21:13 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:21:13 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f29a7d2>]
Tue May 26 23:21:13 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc9166b8c> <pcomp> <accomp>]
Tue May 26 23:21:13 2009 : sent [LCP EchoReq id=0x0 magic=0xc9166b8c]
Tue May 26 23:21:13 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<hidden>]
Tue May 26 23:21:13 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f29a7d2]
Tue May 26 23:21:13 2009 : rcvd [PAP AuthAck id=0x1 ""]
Tue May 26 23:21:13 2009 : PAP authentication succeeded
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb5:8003>]
Tue May 26 23:21:13 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
Tue May 26 23:21:13 2009 : ipcp: returning Configure-ACK
Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
Tue May 26 23:21:13 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:21:13 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Tue May 26 23:21:13 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x4 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x4 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x5 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x5 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x6 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x6 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x7 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x7 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x8 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x8 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x9 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x9 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xa <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xa <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xb <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xb <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xc <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xc <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xd <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xd <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xe <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xe <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xf <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xf <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 "No network protocols running"]
Tue May 26 23:21:14 2009 : rcvd [LCP TermAck id=0x3]
Tue May 26 23:21:14 2009 : Connection terminated.
Tue May 26 23:21:14 2009 : PPTP disconnecting...
Tue May 26 23:21:14 2009 : PPTP disconnected
When I put 'peer default ip address pool vpnpool' back in the Cisco
config, it works again:
Tue May 26 23:26:48 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
...
Tue May 26 23:26:48 2009 : PPTP connection established.
Tue May 26 23:26:48 2009 : using link 0
Tue May 26 23:26:48 2009 : Using interface ppp0
Tue May 26 23:26:48 2009 : Connect: ppp0 <--> socket[34:17]
Tue May 26 23:26:48 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x3b8a3df8> <pcomp> <accomp>]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f2ec37a>]
Tue May 26 23:26:48 2009 : lcp_reqci: returning CONFACK.
Tue May 26 23:26:48 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f2ec37a>]
Tue May 26 23:26:48 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x3b8a3df8> <pcomp> <accomp>]
Tue May 26 23:26:48 2009 : sent [LCP EchoReq id=0x0 magic=0x3b8a3df8]
Tue May 26 23:26:48 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<hidden>]
Tue May 26 23:26:48 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f2ec37a]
Tue May 26 23:26:48 2009 : rcvd [PAP AuthAck id=0x1 ""]
Tue May 26 23:26:48 2009 : PAP authentication succeeded
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:26:48 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb5:8003>]
Tue May 26 23:26:48 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
Tue May 26 23:26:48 2009 : ipcp: returning Configure-ACK
Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
Tue May 26 23:26:48 2009 : rcvd [CCP ConfReq id=0x1]
Tue May 26 23:26:48 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Tue May 26 23:26:48 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
Tue May 26 23:26:48 2009 : ipcp: up
Tue May 26 23:26:48 2009 : local IP address 172.16.30.9
Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
Tue May 26 23:26:48 2009 : primary DNS address 10.1.1.1
Tue May 26 23:26:48 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:51 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:54 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:26:57 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:27:00 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue May 26 23:27:03 2009 : No DHCP server replied
--------
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
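
Added example (not part of the original message, and not FreeRADIUS or pppd code): a short Python parser for pppd log records like the two sessions above, reporting whether the peer offered an address with ConfNak or rejected the address option with ConfRej. The sample lines are excerpts of those logs with the mail wrapping undone; `diagnose_ipcp` and the result keys are names chosen here.

```python
import re

# pppd record: "<timestamp> : sent|rcvd [PROTO Code id=0xN <options>]"
RECORD = re.compile(r"(sent|rcvd) \[(\w+) (\w+) id=0x[0-9a-f]+\s*(.*)\]\s*$")
ADDR = re.compile(r"<addr ([0-9.]+)>")

def diagnose_ipcp(log_text):
    """Summarise how the peer answered the client's IPCP address request."""
    result = {"offered": None, "assigned": None, "addr_rejects": 0, "gave_up": False}
    for line in log_text.splitlines():
        if "Maximum Config-Requests exceeded" in line:
            result["gave_up"] = True
        m = RECORD.search(line)
        if not m or m.group(2) != "IPCP" or m.group(1) != "rcvd":
            continue  # only the peer's IPCP replies matter here
        code, opts = m.group(3), m.group(4)
        addr = ADDR.search(opts)
        if code == "ConfNak" and addr:
            result["offered"] = addr.group(1)    # peer proposes an address
        elif code == "ConfAck" and addr:
            result["assigned"] = addr.group(1)   # peer accepted the request
        elif code == "ConfRej" and re.search(r"<addrs? ", opts):
            result["addr_rejects"] += 1          # peer refuses the option itself
    return result

# Excerpt of the first session above (pool line removed), wrapping undone.
FAILED = """\
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 <addrs 0.0.0.0 0.0.0.0>]
Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
"""

# Excerpt of the second session above (pool line restored), wrapping undone.
WORKED = """\
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
"""

if __name__ == "__main__":
    print("failed:", diagnose_ipcp(FAILED))
    print("worked:", diagnose_ipcp(WORKED))
```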