12-05-2003 04:41 AM - edited 03-02-2019 12:10 PM
I have a dial scenario with a 3725, BRI and digital modems.
Everything works as I like it to, only the IP restriction of the dial-in clients doesn't. It seems the download of the ACL is fine, too; RADIUS sends the AV-pair successfully to the IOS box:
*Apr 14 21:23:26.928: RADIUS(000000AD): sending
*Apr 14 21:23:26.928: RADIUS(000000AD): Send Access-Request to 192.168.10.52:1645 id 21645/198, len 128
*Apr 14 21:23:26.928: RADIUS: authenticator 97 99 8D 56 FA 2E 28 F3 - 60 D2 6F DD 6F 20 89 2E
*Apr 14 21:23:26.928: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Apr 14 21:23:26.928: RADIUS: User-Name [1] 11 "***"
*Apr 14 21:23:26.928: RADIUS: CHAP-Password [3] 19 *
*Apr 14 21:23:26.928: RADIUS: Calling-Station-Id [31] 13 "00319707***"
*Apr 14 21:23:26.932: RADIUS: Called-Station-Id [30] 6 "7055"
*Apr 14 21:23:26.932: RADIUS: NAS-Port [5] 6 70
*Apr 14 21:23:26.932: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Apr 14 21:23:26.932: RADIUS: Connect-Info [77] 29 "45333/28800 V90/V42bis/LAPM"
*Apr 14 21:23:26.932: RADIUS: Service-Type [6] 6 Framed [2]
*Apr 14 21:23:26.932: RADIUS: NAS-IP-Address [4] 6 192.168.10.100
*Apr 14 21:23:26.952: RADIUS: Received from id 21645/198 192.168.10.52:1645, Access-Accept, len 158
*Apr 14 21:23:26.952: RADIUS: authenticator A1 00 4B 68 43 6C 4A FA - F4 6B 0B A4 BE D9 F6 81
*Apr 14 21:23:26.952: RADIUS: Service-Type [6] 6 Framed [2]
*Apr 14 21:23:26.952: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 53
*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 47 "ip:inacl#130=permit ip any host 192.168.20.18"
*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 36
*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 30 "ip:inacl#130=deny ip any any"
*Apr 14 21:23:26.952: RADIUS: Framed-IP-Address [8] 6 192.168.200.253
*Apr 14 21:23:26.952: RADIUS: Class [25] 31
*Apr 14 21:23:26.952: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 31 33 65 66 [CISCOACS:00013ef]
*Apr 14 21:23:26.952: RADIUS: 38 2F 63 30 61 38 30 61 36 34 2F 37 30 [8/c0a80a64/70]
*Apr 14 21:23:26.956: RADIUS(000000AD): Received from id 21645/198
*Apr 14 21:23:26.956: As70 PPP: Received LOGIN Response PASS
*Apr 14 21:23:26.956: As70 PPP: Phase is FORWARDING, Attempting Forward
*Apr 14 21:23:26.956: As70 PPP: Phase is AUTHENTICATING, Authenticated User
*Apr 14 21:23:26.956: As70 CHAP: O SUCCESS id 8 len 4
*Apr 14 21:23:26.956: As70 PPP: Phase is UP
IOS reports a successfully applied ACL as well:
RAS-Router#sh access-list
Extended IP access list Async70#1731 (per-user)
permit ip any host 192.168.20.18
deny ip any any
RAS-Router#
Yet the test user's pings still reach everywhere in the network. Am I missing something?
I use ACS 3.2 with RADIUS authorization. The AV-pair 26/9/1 is configured with
ip:inacl#130=permit ip any host 192.168.20.18
ip:inacl#130=deny ip any any
Running IOS is 12.2(13)T5
(virtual profile seems to be applied automatically here)
Thanks for your hints.
Toni
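The two AV-pairs and the per-user ACL they are supposed to produce, as an added example that is not part of the original post: a small Python script that pulls ip:inacl# entries out of `debug radius` output (the debug snippet below is constructed from the post above with IOS's line wrapping undone, and the test addresses are constructed), parses Cisco extended-ACL address syntax (any / host / address-plus-wildcard), and evaluates packets first-match with the implicit trailing deny, the way IOS does. Passing acl=None models the situation in the thread: the list is built on the box but is not bound to the interface the call terminates on, so nothing is filtered.

```python
import ipaddress
import re

# Constructed sample: the two Cisco AV-pairs from the debug above (wrapping undone)
# plus the Framed-IP-Address handed to the dial-in user.
DEBUG_RADIUS = """\
*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 53
*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 47 "ip:inacl#130=permit ip any host 192.168.20.18"
*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 36
*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 30 "ip:inacl#130=deny ip any any"
*Apr 14 21:23:26.952: RADIUS: Framed-IP-Address [8] 6 192.168.200.253
"""

# Cisco VSA 26/9/1: ip:inacl#<seq>=<ace> or ip:outacl#<seq>=<ace>; <seq> orders the entries.
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "ip:(inacl|outacl)#(\d+)=([^"]*)"')
FRAMED_IP_RE = re.compile(r"Framed-IP-Address \[8\] \d+ (\d+\.\d+\.\d+\.\d+)")


def extract_acl(debug_text, direction="inacl"):
    """Collect the ACEs for one direction, ordered by sequence number (ties keep arrival order)."""
    found = []
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if m and m.group(1) == direction:
            found.append((int(m.group(2)), len(found), m.group(3).strip()))
    return [ace for _, _, ace in sorted(found)]


def extract_framed_ip(debug_text):
    """Return the Framed-IP-Address the server assigned, or None if absent."""
    m = FRAMED_IP_RE.search(debug_text)
    return m.group(1) if m else None


def _address_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (contiguous wildcard only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # wildcard bits are the inverse of the mask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_ace(ace):
    """'permit|deny <proto> <src> <dst>' -> (action, proto, src_network, dst_network)."""
    tokens = ace.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _address_spec(tokens[2:])
    dst, _ = _address_spec(rest)
    return action, proto, src, dst


def permitted(acl, src, dst, proto="ip"):
    """First-match evaluation of an IOS extended ACL with the implicit 'deny ip any any'.

    acl=None models an interface with no access list bound to it: everything passes,
    which is what the pings in the thread showed while the list sat unused on the box.
    """
    if acl is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        action, aproto, asrc, adst = parse_ace(ace)
        if aproto != "ip" and aproto != proto:  # 'ip' in the ACE matches every protocol
            continue
        if s in asrc and d in adst:
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    acl = extract_acl(DEBUG_RADIUS)
    user = extract_framed_ip(DEBUG_RADIUS)
    print("installed ACL:", acl)
    for target in ("192.168.20.18", "192.168.20.19"):
        print(user, "->", target, "permitted" if permitted(acl, user, target) else "denied")
```

The check a practitioner wants here is the one Mark asked for: `show ip interface async 70` (or the Virtual-Access interface once virtual profiles are in use) must list the per-user list as the inbound access list; `show access-list` alone only proves the list was built.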
12-05-2003 12:22 PM
Toni,
It looks as though the RADIUS server was successful in building the access list, but I'm not sure if it was successfully applied to the interface. With the call up, do a "show ip interface async x" and see if there is an inbound access list applied to the interface. If not, you will need to add another AV-pair in RADIUS to apply the ACL.
HTH,
Mark
12-06-2003 07:46 AM
Hello,
not sure if this applies to you, but the access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with ISDN interfaces.
Regards,
Georg
12-08-2003 05:51 AM
Georg, I believe it *must* work, RADIUS and IOS are made for this deployment.
What I discovered is that I'm missing the virtual-template int. At the moment I'm using a dialer int. to terminate L3, but maybe this is not necessary/required?
What we want to do is to clone a VA int for our per-user config, and from 12.2, IOS should detect automatically if we want to use per-user int config (virtual profile).
See my current config, maybe that helps:
hostname RAS-Router
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login backdoor local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
async-bootp dns-server 192.168.20.19 192.168.160.11
async-bootp nbns-server 192.168.20.19 192.168.160.11
!
interface BRI1/0
no ip address
encapsulation ppp
isdn switch-type basic-net3
isdn incoming-voice modem
no cdp enable
ppp authentication chap
ppp multilink
!
interface BRI1/1
no ip address
encapsulation ppp
isdn switch-type basic-net3
isdn incoming-voice modem
no cdp enable
ppp authentication chap
ppp multilink
!
interface BRI1/2
no ip address
encapsulation ppp
isdn switch-type basic-net3
isdn incoming-voice modem
no cdp enable
ppp authentication chap
ppp multilink
!
interface BRI1/3
no ip address
encapsulation ppp
isdn switch-type basic-net3
isdn incoming-voice modem
no cdp enable
ppp authentication chap
ppp multilink
!
interface Group-Async1
no ip address
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode dedicated
no peer default ip address
no keepalive
ppp authentication chap
ppp multilink
group-range 65 76
!
interface Dialer1
ip unnumbered FastEthernet0/0
encapsulation ppp
dialer pool 1
dialer idle-timeout 900
dialer-group 1
autodetect encapsulation v120
no cdp enable
ppp authentication chap
ppp multilink
!
dialer-list 1 protocol ip permit
radius-server host x.x.x.52 auth-port 1645 acct-port 1646 key xxxx
!
line 65 76
flush-at-activation
modem Dialin
transport input all
12-15-2003 06:41 AM
Please, can somebody provide me with an answer as to what I'm missing in my config/concept? I still can't restrict IP access of dial-in users successfully.
Do I need virtual-template and virtual-profile commands with 12.2 at all?
12-16-2003 01:59 AM
The problem is solved.
The config was missing the virtual-template interface and the 'virtual-profile virtual-template' command.
That's why the calls did not terminate on a VA int. but on the async directly and therefore the per-user config didn't get applied properly.
The dialer int was not required for my setup, so I removed it.
01-26-2004 02:31 PM
I am interested in your configuration, since I want to do a similar thing, and I have some difficulty getting precise info about the AV-pair coding inside ACS 3.2;
could you please write down your correct IOS config and the associated ACS definitions here?
thanks in advance
01-27-2004 12:31 AM
Hi Joel
See attachment for the router config.
The AV-pair 26/9/1 for IP filtering in my case looks the following. In ACS 3.2 it's located in the user or group setup under "Cisco IOS/PIX RADIUS Attributes".
ip:inacl#130=permit ip any host 192.168.20.18
ip:inacl#130=deny ip any any
Happy filtering...
Toni
01-27-2004 01:35 PM
Hi Toni,
thanks for your help ;
at this time I have a basic problem (I guess) with the RADIUS server;
I can't authenticate my user against the ACS:
here is an extract of the debug trace, which shows the Access-Request and Access-Accept exchanges and suggests my NAS router and the ACS server can, at least, understand each other;
but this trace also shows the following recurring message (after each NAS/ACS dialog, 3 tries each time a user connects):
RADIUS: Response (6) failed decrypt
here is the trace extract :
=================================================
Jan 27 18:15:56: AAA/AUTHEN/PPP (00000B0F): Pick method list 'default'
Jan 27 18:15:56: As36 PPP: Sent CHAP LOGIN Request to AAA
Jan 27 18:15:56: RADIUS/ENCODE: Attribute has no value set for AAA attribute clid
Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): Unsupported AAA attribute parent-interface
Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): Unsupported AAA attribute parent-interface-type
Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): acct_session_id: 25
Jan 27 18:15:56: RADIUS(00000B0F): sending
Jan 27 18:15:56: RADIUS: Send to unknown id 6 10.176.4.87:1645, Access-Request, len 83
Jan 27 18:15:56: RADIUS: authenticator 59 01 52 15 58 93 4A 8B - 4F 58 7D C8 01 A5 15 25
Jan 27 18:15:56: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 27 18:15:56: RADIUS: User-Name [1] 8 "radius"
Jan 27 18:15:56: RADIUS: CHAP-Password [3] 19 *
Jan 27 18:15:56: RADIUS: Called-Station-Id [30] 6 "8999"
Jan 27 18:15:56: RADIUS: NAS-Port [5] 6 36
Jan 27 18:15:56: RADIUS: NAS-Port-Type [61] 6 Async [0]
Jan 27 18:15:56: RADIUS: Service-Type [6] 6 Framed [2]
Jan 27 18:15:56: RADIUS: NAS-IP-Address [4] 6 10.176.44.56
Jan 27 18:16:00: As36 EVT: Packet [44] 0 0x616603C0
Jan 27 18:16:00: As36 CHAP: I RESPONSE id 29 len 27 from "radius"
Jan 27 18:16:00: As36 CHAP: Ignoring Additional Response
Jan 27 18:16:01: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6
Jan 27 18:16:02: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69
Jan 27 18:16:02: RADIUS: authenticator 77 23 25 28 E7 E7 81 02 - BC AB 92 05 5E 23 9A 98
Jan 27 18:16:02: RADIUS: Service-Type [6] 6 Framed [2]
Jan 27 18:16:02: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 27 18:16:02: RADIUS: Framed-IP-Address [8] 6 10.176.41.81
Jan 27 18:16:02: RADIUS: Class [25] 31
Jan 27 18:16:02: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]
Jan 27 18:16:02: RADIUS: 36 2F 30 61 62 30 32 63 33 38 2F [6/0ab02c38/]
Jan 27 18:16:02: RADIUS: Response (6) failed decrypt
Jan 27 18:16:04: As36 EVT: Packet [44] 0 0x6142A484
Jan 27 18:16:04: As36 CHAP: I RESPONSE id 29 len 27 from "radius"
Jan 27 18:16:04: As36 CHAP: Ignoring Additional Response
Jan 27 18:16:06: As36 AUTH: Timeout 1
Jan 27 18:16:06: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6
Jan 27 18:16:06: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69
Jan 27 18:16:06: RADIUS: authenticator 19 C8 15 88 94 06 83 E4 - 91 A2 17 D4 C3 A1 C1 17
Jan 27 18:16:06: RADIUS: Service-Type [6] 6 Framed [2]
Jan 27 18:16:06: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 27 18:16:06: RADIUS: Framed-IP-Address [8] 6 10.176.41.81
Jan 27 18:16:06: RADIUS: Class [25] 31
Jan 27 18:16:06: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]
Jan 27 18:16:06: RADIUS: 37 2F 30 61 62 30 32 63 33 38 2F [7/0ab02c38/]
Jan 27 18:16:06: RADIUS: Response (6) failed decrypt
Jan 27 18:16:08: As36 EVT: Packet [44] 0 0x616600EC
Jan 27 18:16:08: As36 CHAP: I RESPONSE id 29 len 27 from "radius"
Jan 27 18:16:08: As36 CHAP: Ignoring Additional Response
Jan 27 18:16:11: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6
Jan 27 18:16:11: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69
Jan 27 18:16:11: RADIUS: authenticator 75 A9 B2 1E 13 4B 35 8F - 1F 68 12 B7 25 A3 2E 92
Jan 27 18:16:11: RADIUS: Service-Type [6] 6 Framed [2]
Jan 27 18:16:11: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jan 27 18:16:11: RADIUS: Framed-IP-Address [8] 6 10.176.41.81
Jan 27 18:16:11: RADIUS: Class [25] 31
Jan 27 18:16:11: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]
Jan 27 18:16:11: RADIUS: 38 2F 30 61 62 30 32 63 33 38 2F [8/0ab02c38/]
Jan 27 18:16:11: RADIUS: Response (6) failed decrypt
Jan 27 18:16:12: As36 EVT: Packet [44] 0 0x616603C0
Jan 27 18:16:12: As36 CHAP: I RESPONSE id 29 len 27 from "radius"
Jan 27 18:16:12: As36 CHAP: Ignoring Additional Response
Jan 27 18:16:16: As36 EVT: Packet [44] 0 0x6142A484
Jan 27 18:16:16: As36 CHAP: I RESPONSE id 29 len 27 from "radius"
Jan 27 18:16:16: As36 CHAP: Ignoring Additional Response
Jan 27 18:16:16: As36 AUTH: Timeout 2
Jan 27 18:16:16: RADIUS: Tried all servers.
Jan 27 18:16:16: RADIUS: No valid server found. Trying any viable server
Jan 27 18:16:16: RADIUS: Tried all servers.
Jan 27 18:16:16: RADIUS: No response from (10.176.4.87:1645,1646) for id 6
Jan 27 18:16:16: RADIUS/DECODE: parse response no app start; FAIL
Jan 27 18:16:16: RADIUS/DECODE: parse response; FAIL
Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): user radius not found
Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): CHAP
Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): failover
Jan 27 18:16:16: As36 PPP: Received LOGIN Response from AAA = FAIL
Jan 27 18:16:16: As36 CHAP: O FAILURE id 29 len 26 msg is "Authentication failure"
Jan 27 18:16:16: As36 PPP: Phase is TERMINATING
====================================================
(I don't use ACL, up to now)
If you have an idea, thanks in advance
02-03-2004 02:43 AM
The problem with the "Response failed decrypt" message was solved by coding the RADIUS key parameter directly in the specific "radius-server host xxxx key xxxx" IOS command,
instead of in the global "radius-server key" IOS command;
(by the way, it should be noted that receiving the Access-Accept message from the AAA server does not prove the keys are identical and correctly taken into account on both sides (AAA client and AAA server))
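Why an Access-Accept can arrive, decode, and still be rejected, as an added example that is not part of the original posts: a Python model of the RFC 2865 Response Authenticator check that the NAS performs. The server computes MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret) over the Accept; the NAS recomputes it with its own configured secret and discards the packet on mismatch, which is what IOS reports as "Response (6) failed decrypt" and why the trace above shows retransmits and eventual failover to the local method even though three Accepts were received. Plain attributes such as Service-Type and Framed-IP-Address are not encrypted, so they decode fine before the check fails, exactly as in the trace. The secrets, identifier and attribute values below are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length counts its own two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet):
    """Walk the TLVs after the 20-byte header. No secret needed: plain attributes are cleartext."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + length]))
        pos += length
    return out


def access_request(ident, attrs):
    """NAS side: the Request Authenticator is 16 random bytes (RFC 2865 section 3)."""
    body = _encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def access_accept(request, server_secret, attrs):
    """Server side: ResponseAuth = MD5(Code | Id | Length | RequestAuth | Attributes | Secret)."""
    body = _encode_attrs(attrs)
    head = HEADER.pack(ACCESS_ACCEPT, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + server_secret).digest()
    return head + resp_auth + body


def verify_response(request, response, nas_secret):
    """NAS side: recompute the Response Authenticator with the locally configured secret.

    A mismatch is what IOS logs as 'RADIUS: Response (N) failed decrypt'; the reply is
    dropped and treated as no answer, hence the retransmits and 'No response from' lines.
    """
    if response[1] != request[1]:
        return False  # not a reply to this outstanding Identifier
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + nas_secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(nas_secret=b"shared-key", server_secret=b"shared-key"):
    """One Access-Request/Access-Accept exchange; returns (decoded Accept attributes, authenticator ok?)."""
    req = access_request(6, [(1, b"radius"), (6, struct.pack("!I", 2))])  # User-Name, Service-Type
    accept = access_accept(req, server_secret, [
        (6, struct.pack("!I", 2)),                                  # Service-Type = Framed
        (7, struct.pack("!I", 1)),                                  # Framed-Protocol = PPP
        (8, bytes(int(o) for o in "10.176.41.81".split("."))),     # Framed-IP-Address
    ])
    return parse_attrs(accept), verify_response(req, accept, nas_secret)


if __name__ == "__main__":
    for nas_key in (b"shared-key", b"other-key"):
        attrs, ok = demo(nas_secret=nas_key)
        print(nas_key, "attributes decoded:", len(attrs), "authenticator ok:", ok)
```

On IOS the practical consequence is the one Joel found: a key on "radius-server host ... key" overrides the global "radius-server key", and when neither side shares the same secret the Accept is still received and its attributes still printed by "debug radius", but authentication fails.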