Assigning IP address from RADIUS to Cisco PPTP users

up at 3.am
Wed May 27 18:28:43 CEST 2009


FYI: Cisco TAC quickly found my config problem.  I took out:

aaa authorization network default if-authenticated

and replaced it with:

aaa authorization network default group radius local

and that did it.  Thanks for all of your suggestions!  Next up is to start 
defining pools and associating unix groups with them.

On Tue, 26 May 2009, up at 3.am wrote:

> On Wed, 27 May 2009, Vadim Ostranitsyn wrote:
>
>>   Hi!
>> 
>> On Tue, May 26, 2009 at 11:34:41AM -0400, up at 3.am wrote:
>>> Users are currently authenticating fine and getting assigned IPs from the
>>> IP pool as defined in the Cisco NAS.  However, I'd like to have a few,
>>> select users assigned static IPs from outside that pool, but the Cisco
>>> (2811) is simply ignoring the raddb/users file entry for that user and
>>> assigning an IP from the pool on the NAS.
>> [...]
>>> interface Virtual-Template1
>>>   ip unnumbered FastEthernet0/0
>>>   ip policy route-map VPN-Client
>>>   peer match aaa-pools
>>>   peer default ip address pool vpnpool
>>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>   Drop this line
>>
>>>   no keepalive
>>>   ppp encrypt mppe auto
>>>   ppp authentication pap chap ms-chap ms-chap-v2
>>> !
>>> ip local pool vpnpool 172.16.30.2 172.16.30.254
>>> ---------
>>> Here is the raddb/users file entry:
>>> ---------
>>> testuser        Service-Type == Framed-User
>>>                  Framed-Protocol == PPP,
>>>                  Framed-IP-Address = 172.16.1.2,
>>>                  Framed-IP-Netmask = 255.255.255.255,
>>>                  Framed-Compression = Van-Jacobson-TCP-IP
>> 
>> Cisco-AVPair = "ip:addr-pool=vpnpool"
>>
>>   Add line above to the DEFAULT user entry.
>> 
>> --
>
> Hi Vadim:
>
> This looked promising, but when I remove that line from my Cisco config, I 
> cannot log in at all.  It just says that it cannot negotiate a ppp connection 
> (Mac OS X).  The debug on radius looks fine (I can supply that again if 
> needed).  Here is the verbose logging from my Mac's /var/log/ppp.log:
>
> Tue May 26 23:21:13 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
> ...
> Tue May 26 23:21:13 2009 : PPTP connection established.
> Tue May 26 23:21:13 2009 : using link 0
> Tue May 26 23:21:13 2009 : Using interface ppp0
> Tue May 26 23:21:13 2009 : Connect: ppp0 <--> socket[34:17]
> Tue May 26 23:21:13 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc9166b8c> <pcomp> <accomp>]
> Tue May 26 23:21:13 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f29a7d2>]
> Tue May 26 23:21:13 2009 : lcp_reqci: returning CONFACK.
> Tue May 26 23:21:13 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f29a7d2>]
> Tue May 26 23:21:13 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc9166b8c> <pcomp> <accomp>]
> Tue May 26 23:21:13 2009 : sent [LCP EchoReq id=0x0 magic=0xc9166b8c]
> Tue May 26 23:21:13 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<hidden>]
> Tue May 26 23:21:13 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f29a7d2]
> Tue May 26 23:21:13 2009 : rcvd [PAP AuthAck id=0x1 ""]
> Tue May 26 23:21:13 2009 : PAP authentication succeeded
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb5:8003>]
> Tue May 26 23:21:13 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
> Tue May 26 23:21:13 2009 : ipcp: returning Configure-ACK
> Tue May 26 23:21:13 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
> Tue May 26 23:21:13 2009 : rcvd [CCP ConfReq id=0x1]
> Tue May 26 23:21:13 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
> Tue May 26 23:21:13 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
> Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
> Tue May 26 23:21:13 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0> <ms-dns3 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x2 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x2 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x3 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x3 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x4 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x4 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x5 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x5 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x6 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x6 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x7 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x7 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x8 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x8 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0x9 <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0x9 <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xa <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xa <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xb <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xb <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xc <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xc <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xd <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xd <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xe <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xe <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : sent [IPCP ConfReq id=0xf <addrs 0.0.0.0 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:21:13 2009 : rcvd [IPCP ConfRej id=0xf <addrs 0.0.0.0 0.0.0.0>]
> Tue May 26 23:21:13 2009 : IPCP: Maximum Config-Requests exceeded
> Tue May 26 23:21:13 2009 : sent [LCP TermReq id=0x3 "No network protocols running"]
> Tue May 26 23:21:14 2009 : rcvd [LCP TermAck id=0x3]
> Tue May 26 23:21:14 2009 : Connection terminated.
> Tue May 26 23:21:14 2009 : PPTP disconnecting...
> Tue May 26 23:21:14 2009 : PPTP disconnected
>
> When I put 'peer default ip address pool vpnpool' back in the Cisco config, 
> it works again:
>
> Tue May 26 23:26:48 2009 : PPTP connecting to server '10.2.2.2' (10.2.2.2)
> ...
> Tue May 26 23:26:48 2009 : PPTP connection established.
> Tue May 26 23:26:48 2009 : using link 0
> Tue May 26 23:26:48 2009 : Using interface ppp0
> Tue May 26 23:26:48 2009 : Connect: ppp0 <--> socket[34:17]
> Tue May 26 23:26:48 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x3b8a3df8> <pcomp> <accomp>]
> Tue May 26 23:26:48 2009 : rcvd [LCP ConfReq id=0x1 <auth pap> <magic 0x3f2ec37a>]
> Tue May 26 23:26:48 2009 : lcp_reqci: returning CONFACK.
> Tue May 26 23:26:48 2009 : sent [LCP ConfAck id=0x1 <auth pap> <magic 0x3f2ec37a>]
> Tue May 26 23:26:48 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x3b8a3df8> <pcomp> <accomp>]
> Tue May 26 23:26:48 2009 : sent [LCP EchoReq id=0x0 magic=0x3b8a3df8]
> Tue May 26 23:26:48 2009 : sent [PAP AuthReq id=0x1 user="testuser" password=<hidden>]
> Tue May 26 23:26:48 2009 : rcvd [LCP EchoRep id=0x0 magic=0x3f2ec37a]
> Tue May 26 23:26:48 2009 : rcvd [PAP AuthAck id=0x1 ""]
> Tue May 26 23:26:48 2009 : PAP authentication succeeded
> Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
> Tue May 26 23:26:48 2009 : sent [IPV6CP ConfReq id=0x1 <addr fe80::021e:c2ff:feb5:8003>]
> Tue May 26 23:26:48 2009 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
> Tue May 26 23:26:48 2009 : rcvd [IPCP ConfReq id=0x1 <addr 192.168.7.1>]
> Tue May 26 23:26:48 2009 : ipcp: returning Configure-ACK
> Tue May 26 23:26:48 2009 : sent [IPCP ConfAck id=0x1 <addr 192.168.7.1>]
> Tue May 26 23:26:48 2009 : rcvd [CCP ConfReq id=0x1]
> Tue May 26 23:26:48 2009 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
> Tue May 26 23:26:48 2009 : sent [LCP ProtRej id=0x2 80 fd 01 01 00 04]
> Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1e c2 ff fe b5 80 03]
> Tue May 26 23:26:48 2009 : rcvd [LCP ProtRej id=0x3 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
> Tue May 26 23:26:48 2009 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
> Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
> Tue May 26 23:26:48 2009 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
> Tue May 26 23:26:48 2009 : sent [IPCP ConfReq id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
> Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.30.9> <ms-dns1 10.2.2.2>]
> Tue May 26 23:26:48 2009 : ipcp: up
> Tue May 26 23:26:48 2009 : local  IP address 172.16.30.9
> Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
> Tue May 26 23:26:48 2009 : primary   DNS address 10.1.1.1
> Tue May 26 23:26:48 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
> Tue May 26 23:26:51 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
> Tue May 26 23:26:54 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
> Tue May 26 23:26:57 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
> Tue May 26 23:27:00 2009 : sent [IP data <src addr 172.16.30.9> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
> Tue May 26 23:27:03 2009 : No DHCP server replied
> --------
>
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at 3.am							    http://3.am
> =========================================================================
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================
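The fix in this thread moves network authorization to `group radius` so the NAS actually applies the attributes FreeRADIUS returns in the Access-Accept. The following is an added example for the archive, not code from the thread, from FreeRADIUS or from Cisco: it encodes an Access-Accept carrying the testuser attributes from the users entry above plus the `Cisco-AVPair = "ip:addr-pool=vpnpool"` line Vadim suggested, verifies the Response Authenticator the way a NAS must before trusting any of those attributes (RFC 2865), and decodes them back. The shared secret, packet identifier and Request Authenticator are constructed sample values; attribute numbers are the RFC 2865 ones and vendor id 9 / sub-type 1 are the public Cisco AVPair definitions.

```python
"""RADIUS Access-Accept encoder/decoder for the attributes used in this thread.

Added example, not code from the thread, FreeRADIUS or Cisco. SECRET, the
packet identifier and REQUEST_AUTH are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 6, 7, 8, 9
VENDOR_SPECIFIC = 26
SERVICE_FRAMED, PROTOCOL_PPP = 2, 1      # Service-Type = Framed-User, Framed-Protocol = PPP
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # public Cisco VSA definitions

SECRET = b"constructed-shared-secret"    # sample value, not from the thread
REQUEST_AUTH = bytes(range(16))          # sample Request Authenticator of the Access-Request


def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one Cisco AVPair string."""
    raw = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, framed_ip, netmask, addr_pool=None):
    """Access-Accept with the users-file attributes and, optionally, ip:addr-pool."""
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))
             + avp(FRAMED_PROTOCOL, struct.pack("!I", PROTOCOL_PPP))
             + avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + avp(FRAMED_IP_NETMASK, ipaddress.IPv4Address(netmask).packed))
    if addr_pool:
        attrs += cisco_avpair("ip:addr-pool=" + addr_pool)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """What a NAS must check before acting on any attribute in the reply."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Decode the attributes the NAS would apply to the PPP session."""
    out = {}
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif attr_type == FRAMED_IP_NETMASK:
            out["Framed-IP-Netmask"] = str(ipaddress.IPv4Address(value))
        elif attr_type in (SERVICE_TYPE, FRAMED_PROTOCOL):
            name = "Service-Type" if attr_type == SERVICE_TYPE else "Framed-Protocol"
            out[name] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                out.setdefault("Cisco-AVPair", []).append(value[6:4 + sub_len].decode())
        pos += length
    return out


def demo():
    """Build the testuser reply, verify it, then show a tampered copy failing."""
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET,
                              "172.16.1.2", "255.255.255.255", addr_pool="vpnpool")
    genuine_ok = verify_response(pkt, REQUEST_AUTH, SECRET)
    # Swap the Framed-IP-Address in transit: the authenticator no longer matches.
    original = avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.16.1.2").packed)
    forged = avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.9").packed)
    tampered_ok = verify_response(pkt.replace(original, forged), REQUEST_AUTH, SECRET)
    return genuine_ok, tampered_ok, parse_attributes(pkt)


if __name__ == "__main__":
    print(demo())
```

Running it prints the verification results and the decoded attribute set. The practical use is on the NAS side of the thread's debugging: if a capture of the Access-Accept decodes with Framed-IP-Address present and a valid authenticator, the RADIUS server has done its part and the remaining problem is whether the NAS's authorization configuration applies the attribute, which is exactly what `aaa authorization network default group radius local` fixed here.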


