03-29-2004 07:33 PM - edited 03-10-2019 07:43 AM
I am configuring a 5350 to work with a RADIUS server. The 5350 sends an Access Request and receives the access request, as seen below. But it is not parsing proper values in my TCL script variables. I have configured the NAS using Cisco manuals: aaa authorization, VSA, etc. are all enabled as shown below. What is it that I am missing or not doing properly?
Any pointers / help will be highly appreciated.
Naveed
All IP and identifiable info sanitized. The sanitized configuration info is attached for reference.
21:10:18: RADIUS(00000048): Storing nasport 0 in rad_db
21:10:18: RADIUS(00000048): Config NAS IP: 0.0.0.0
21:10:18: RADIUS/ENCODE(00000048): acct_session_id: 98
21:10:18: RADIUS(00000048): sending
21:10:18: RADIUS/ENCODE: Best Local IP-Address 222.222.222.22 for Radius-Server 222.x.x.x
21:10:18: RADIUS(00000048): Send Access-Request to 222.222.222.222:1812 id 21645/74, len 211
21:10:18: RADIUS: authenticator C7 AE ED E4 B2 BB AF FC - 62 CD 39 78 FB 6A 45 6E
21:10:18: RADIUS: User-Name [1] 12 "1234567890"
21:10:18: RADIUS: User-Password [2] 18 *
21:10:18: RADIUS: Vendor, Cisco [26] 56
21:10:18: RADIUS: Conf-Id [24] 50 "h323-conf-id=AD47C155 BFC611D3 8050E329 E47CB85B"
21:10:18: RADIUS: Vendor, Cisco [26] 37
21:10:18: RADIUS: Cisco AVpair [1] 31 "h323-ivr-out=transactionID:26"
21:10:18: RADIUS: Calling-Station-Id [31] 12 "1234567890"
21:10:18: RADIUS: NAS-Port-Type [61] 6 Async [0]
21:10:18: RADIUS: Vendor, Cisco [26] 20
21:10:18: RADIUS: cisco-nas-port [2] 14 "ISDN 3/0:D:1"
21:10:18: RADIUS: NAS-Port [5] 6 0
21:10:18: RADIUS: Calling-Station-Id [31] 12 "1234567890"
21:10:18: RADIUS: Service-Type [6] 6 Login [1]
21:10:18: RADIUS: NAS-IP-Address [4] 6 222.x.x.22
21:10:18: RADIUS: Received from id 21645/74 222.222.222.222:1812, Access-Accept, len 71
21:10:18: RADIUS: authenticator E1 B0 04 C6 5D 73 96 D5 - 72 03 81 65 A2 54 16 42
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-return-code [103] 3 "0"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-currency [110] 3 "1"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-billing-model [109] 3 "0"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-preferred-lang[107] 3 "1"
21:10:18: RADIUS: Vendor, Cisco [26] 15
21:10:18: RADIUS: h323-credit-amount [101] 9 "20.0000"
21:10:18: RADIUS(00000048): Received from id 21645/74
21:10:18: RADIUS/DECODE: parse VSA parts error
21:10:18: RADIUS/DECODE: convert VSA string; FAIL
21:10:18: RADIUS/DECODE: decoder; FAIL
21:10:18: RADIUS/DECODE: attribute h323-return-code; FAIL
21:10:18: RADIUS/DECODE: cisco VSA type 103; FAIL
21:10:18: RADIUS/DECODE: VSA; FAIL
21:10:18: RADIUS/DECODE: decoder; FAIL
21:10:18: RADIUS/DECODE: attribute Vendor-Specific; FAIL
21:10:18: RADIUS/DECODE: parse response op decode; FAIL
21:10:18: RADIUS/DECODE: parse response; FAIL
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
h323-return-code = 0
21:10:18:
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
h323-currency =
21:10:18:
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
h323-billing-model =
21:10:18:
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
h323-preferred-lang =
21:10:18:
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
h323-credit-amount =
21:10:18:
21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:
03-30-2004 04:25 PM
Looks like you have configured the return attributes incorrectly, as IOS should parse these no problem. I see the following from your debug output:
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-return-code [103] 3 "0"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-currency [110] 3 "1"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-billing-model [109] 3 "0"
21:10:18: RADIUS: Vendor, Cisco [26] 9
21:10:18: RADIUS: h323-preferred-lang[107] 3 "1"
21:10:18: RADIUS: Vendor, Cisco [26] 15
21:10:18: RADIUS: h323-credit-amount [101] 9 "20.0000"
meaning you set the values for these attributes to 0, 1, 0, 1, 20.0000 respectively. However, for h323 AV pairs specifically, the actual attribute return values should not just be the value, but be the attribute name and the value.
For example, a working debug on my router here shows the following:
Nov 29 101409 RADIUS Vendor, Cisco [26] 26
Nov 29 101409 RADIUS h323-return-code [103] 20 "h323-return-code=0"
Nov 29 101409 RADIUS Vendor, Cisco [26] 30
Nov 29 101409 RADIUS h323-preferred-lang[107] 24 "h323-preferred-lang=en"
Nov 29 101409 RADIUS Vendor, Cisco [26] 34
Nov 29 101409 RADIUS h323-credit-amount [101] 28 "h323-credit-amount=-180.26"
Nov 29 101409 RADIUS Vendor, Cisco [26] 23
Nov 29 101409 RADIUS h323-billing-model [109] 17 "billing-model=0"
Nov 29 101409 RADIUS Vendor, Cisco [26] 25
Nov 29 101409 RADIUS h323-currency [110] 19 "currency-type=USD"
See how the attribute value as defined on my Radius server for h323-return-code is "h323-return-code=0", as opposed to just "0" like you have defined. Never been sure why you have to do it this way, it's just the way the IOS coders implemented it.
The documentation is not overly clear on this, but this is how IOS expects to see the attributes. See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm#146580 for details, and the debug output near the bottom to see how the attributes are set.
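An added example, not part of the original posts and not Cisco code: a pre-deployment check that encodes the reply attributes as RFC 2865 Vendor-Specific attributes (vendor 9), parses them back, and flags any h323 sub-attribute whose string is a bare value rather than name=value. The function names and sample lists are assumptions built from the values quoted in this thread.

```python
import struct

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
VENDOR_SPECIFIC = 26     # RADIUS attribute type (RFC 2865)
H323_REPLY_TYPES = {101, 103, 107, 109, 110}  # sub-types seen in the thread's Access-Accept

def encode_cisco_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single Cisco sub-attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub

def parse_cisco_vsas(attrs):
    """Return (vendor_type, string) for each Cisco sub-attribute in an attribute list."""
    out, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length at offset {pos}")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if (atype != VENDOR_SPECIFIC or len(body) < 4
                or struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID):
            continue  # not a Cisco VSA, skip it
        sub = body[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError(f"bad sub-attribute length in VSA type {vtype}")
            out.append((vtype, sub[2:vlen].decode("ascii", "replace")))
            sub = sub[vlen:]
    return out

def bare_value_vsas(attrs):
    """h323 reply sub-attributes that lack a non-empty name followed by '='."""
    # The name is not required to equal the attribute name: the working debug
    # above shows "billing-model=0" and "currency-type=USD".
    return [(t, s) for t, s in parse_cisco_vsas(attrs)
            if t in H323_REPLY_TYPES and "=" not in s[1:]]

def build(pairs):
    return b"".join(encode_cisco_vsa(t, v) for t, v in pairs)

# Constructed from the two debug outputs quoted in this thread.
FAILING = [(103, "0"), (110, "1"), (109, "0"), (107, "1"), (101, "20.0000")]
WORKING = [(103, "h323-return-code=0"), (107, "h323-preferred-lang=en"),
           (101, "h323-credit-amount=-180.26"), (109, "billing-model=0"),
           (110, "currency-type=USD")]
```

The encoded lengths match the debug lines: a bare "0" gives a 9-byte attribute, while "h323-return-code=0" gives 26.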
04-05-2004 09:35 PM
Thanks. It did fix my problem.
Naveed