03-05-2003 08:14 AM - edited 03-02-2019 05:35 AM
I am testing TAOS 12.0.25 for my AS5200s. Previously I was using some 11.3 version. I need to always do "per-user" based tunneling... Sometimes the tunnel is built based off of a prefix (separated by /) and sometimes built based off the domain (separated by @), and I need to do this logic on the RADIUS server, and have the AS5200 always send the entire username in all access requests. The new 12.0.25 code either fails with an authorization error or tries to send just the domain part of the username to build a tunnel. I've been stumped on this for a few days now.
Here is some debug illustrating our 11.3 code:
*Feb 28 20:18:03: %LINK-3-UPDOWN: Interface Async12, changed state to up
01:18:03: AAA: parse name=Async12 idb type=10 tty=12
01:18:03: AAA: name=Async12 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=12 channel=0
01:18:03: AAA: parse name=Serial0:0 idb type=12 tty=-1
01:18:03: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
01:18:03: AAA/AUTHEN: create_user (0x4302B0) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
01:18:03: AAA/AUTHEN/START (2348983305): port='Async12' list='' action=LOGIN service=PPP
01:18:03: AAA/AUTHEN/START (2348983305): using "default" list
01:18:03: AAA/AUTHEN/START (2348983305): Method=LOCAL
01:18:03: AAA/AUTHEN (2348983305): status = ERROR
01:18:03: AAA/AUTHEN/START (2348983305): Method=RADIUS
01:18:03: RADIUS: ustruct sharecount=1
01:18:03: RADIUS: Initial Transmit Async12 id 18 10.10.10.7:1645, Access-Request, len 120
01:18:03: Attribute 4 6 12345678
01:18:03: Attribute 5 6 0000000C
01:18:03: Attribute 61 6 00000000
01:18:03: Attribute 1 34 64617374
01:18:03: Attribute 30 6 37323835
01:18:03: Attribute 31 12 36313437
01:18:03: Attribute 2 18 7BD72FA6
01:18:03: Attribute 6 6 00000002
01:18:03: Attribute 7 6 00000001
01:18:03: RADIUS: Received from id 18 10.10.10.7:1645, Access-Accept, len 172
01:18:03: Attribute 6 6 00000005
01:18:03: Attribute 7 6 00000001
01:18:03: Attribute 26 36 00000009011E7670
01:18:03: Attribute 26 33 00000009011B7670
01:18:03: Attribute 26 32 00000009011A7670
01:18:03: Attribute 26 39 0000000901217670
01:18:03: RADIUS: saved authorization data for user 4302B0 at 473DFC
01:18:03: AAA/AUTHEN (2348983305): status = PASS
01:18:03: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:nas-password=potatos" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:gw-password=potatos" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1" not applied for lcp
01:18:03: sVPDN: Got DNIS string As12
01:18:03: As12 VPDN: Looking for tunnel -- l2f.das-testing.test.com --
01:18:03: AAA/AUTHEN: dup_user (0x428A78) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=LOGIN priv=0 source='AAA dup vpn'
01:18:03: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client"
01:18:03: RADIUS: cisco AVPair "vpdn:nas-password=potatos"
01:18:03: RADIUS: cisco AVPair "vpdn:gw-password=potatos"
01:18:03: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1"
01:18:03: As12 VPDN: Get tunnel info for dastest@l2f.das-testing.test.com with NAS sr-l2f-client, IP 10.10.10.1
01:18:03: AAA/AUTHEN: free_user (0x428A78) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=LOGIN priv=0
01:18:03: As12 VPDN: Forward to address 10.10.10.1
01:18:03: As12 VPDN: Forwarding...
01:18:03: AAA: parse name=Async12 idb type=10 tty=12
01:18:03: AAA: name=Async12 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=12 channel=0
01:18:03: AAA: parse name=Serial0:0 idb type=12 tty=-1
01:18:03: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
01:18:03: AAA/AUTHEN: create_user (0x461ABC) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=CHAP service=PPP priv=1
01:18:03: AAA/AUTHEN: free_user (0x4302B0) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
01:18:03: As12 VPDN: Bind interface direction=1
01:18:03: As12 VPDN: dastest@l2f.das-testing.test.com is forwarded
When I load 12.0.25, it no longer works. It complains about Authorization.
*Feb 28 19:20:07: %LINK-3-UPDOWN: Interface Async1, changed state to up
00:20:07: AAA: parse name=Async1 idb type=10 tty=1
00:20:07: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=1 channel=0
00:20:07: AAA: parse name=Serial0:0 idb type=12 tty=-1
00:20:07: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
00:20:07: AAA/AUTHEN: create_user (0x4FC58C) user='dastest@l2f.das-testing.test.com' ruser='' port='Async1' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
00:20:07: AAA/AUTHEN/START (1750370569): port='Async1' list='' action=LOGIN service=PPP
00:20:07: AAA/AUTHEN/START (1750370569): using "default" list
00:20:07: AAA/AUTHEN/START (1750370569): Method=LOCAL
00:20:07: AAA/AUTHEN (1750370569): status = ERROR
00:20:07: AAA/AUTHEN/START (1750370569): Method=RADIUS
00:20:07: RADIUS: ustruct sharecount=1
00:20:07: RADIUS: Initial Transmit Async1 id 0 10.10.10.7:1645, Access-Request, len 120
00:20:07: Attribute 4 6 12345678
00:20:07: Attribute 5 6 00000001
00:20:07: Attribute 61 6 00000000
00:20:07: Attribute 1 34 64617374
00:20:07: Attribute 30 6 37323835
00:20:07: Attribute 31 12 36313437
00:20:07: Attribute 2 18 2B7AB89B
00:20:07: Attribute 6 6 00000002
00:20:07: Attribute 7 6 00000001
00:20:07: RADIUS: Received from id 0 10.10.10.7:1645, Access-Accept, len 172
00:20:07: Attribute 6 6 00000005
00:20:07: Attribute 7 6 00000001
00:20:07: Attribute 26 36 00000009011E7670
00:20:07: Attribute 26 33 00000009011B7670
00:20:07: Attribute 26 32 00000009011A7670
00:20:07: Attribute 26 39 0000000901217670
00:20:07: RADIUS: saved authorization data for user 4FC58C at 518120
00:20:07: AAA/AUTHEN (1750370569): status = PASS
00:20:07: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client" not applied for lcp
00:20:07: RADIUS: cisco AVPair "vpdn:nas-password=potatos" not applied for lcp
00:20:07: RADIUS: cisco AVPair "vpdn:gw-password=potatos" not applied for lcp
00:20:08: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1" not applied for lcp
00:20:08: RADIUS: no appropriate authorization type for user.
00:20:08: AAA/AUTHEN: free_user (0x4FC58C) user='dastest@l2f.das-testing.test.com' ruser='' port='Async1' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
*Feb 28 19:20:08: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown , call lasted 24 seconds
00:20:09: isdn_Call_disconnect()
I would like to get the above working. What do I need to add to RADIUS Access-Accept to get the user "authorized"?
(P.S. If I turn off the config line "aaa authorization network default radius", the user is authorized for LCP and the tunneling attributes I already sent are ignored; the 5200 then goes on to send a RADIUS request with just the domain, trying to authenticate the domain for a tunnel. This is not what I want; I want it to use the tunnel information I already sent in the user's Access-Accept packet. Domain-based tunnel building is not an option for me.)
Here is my configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname test-beta-das-2
!
boot system flash
logging buffered 4096 warnings
aaa new-model
aaa authentication login default local radius
aaa authentication ppp default local radius
aaa authorization exec default local
aaa authorization network default radius
aaa accounting update newinfo
aaa accounting network default start-stop radius
enable secret level 5 5 x
enable secret 5 x
!
username projects password 7 x
username stackq password 7 x
username ppptest password 7 x
ip subnet-zero
no ip finger
ip telnet source-interface Ethernet0
ip tftp source-interface Ethernet0
ip domain-name compuserve.com
ip name-server 10.10.10.5
ip name-server 10.10.10.6
ip address-pool local
multilink virtual-template 1
!
sgbp group stackq
sgbp member test-beta-das-1 10.10.10.2
vpdn enable
vpdn authen-before-forward
vpdn search-order domain
vty-async
vty-async header-compression passive
vty-async ppp authentication pap chap
vty-async keepalive 0
isdn switch-type primary-dms100
clock timezone est -5
clock summer-time edt recurring 1 Sun Apr 0:00 last Sun Oct 0:00
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
description Ameritech PRI Lead
!
controller T1 1
framing esf
clock source line secondary
linecode b8zs
pri-group timeslots 1-24
description MCI
!
!
interface Ethernet0
ip address 10.10.10.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Virtual-Template1
ip unnumbered Ethernet0
no ip directed-broadcast
ip tcp header-compression passive
no snmp trap link-status
ppp authentication pap chap
ppp multilink
!
interface Serial0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0:23
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no keepalive
dialer idle-timeout 1800
dialer-group 1
autodetect encapsulation ppp v120
no snmp trap link-status
isdn switch-type primary-dms100
isdn tei-negotiation first-call
isdn incoming-voice modem
peer default ip address pool default
no fair-queue
no cdp enable
ppp authentication pap chap
ppp multilink
!
interface Serial1:23
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no keepalive
dialer idle-timeout 1800
dialer-group 1
autodetect encapsulation ppp v120
no snmp trap link-status
isdn switch-type primary-dms100
isdn tei-negotiation first-call
isdn incoming-voice modem
peer default ip address pool default
no fair-queue
no cdp enable
ppp authentication pap chap callin
ppp multilink
!
interface Group-Async1
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async mode dedicated
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp authentication pap chap
ppp multilink
group-range 1 48
!
ip local pool default 10.10.11.1 10.10.11.63
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.254
!
ip radius source-interface Ethernet0
logging history critical
logging source-interface Ethernet0
dialer-list 1 protocol ip permit
!
snmp-server community x RW
snmp-server trap-source Ethernet0
snmp-server location lab
snmp-server contact eng
snmp-server chassis-id test-beta-das-2
radius-server host 10.10.10.7 auth-port 1645 acct-port 1646
radius-server key x
banner motd ^C
Router test-beta-das-2
^C
privilege controller level 5 loopback
privilege controller level 15 linecode
privilege controller level 5 shutdown
privilege controller level 5 no loopback
privilege controller level 15 no linecode
privilege controller level 5 no shutdown
privilege controller level 5 no
privilege line level 5 monitor
privilege line level 5 modem bad
privilege line level 5 modem shutdown
privilege line level 5 modem
privilege line level 5 no monitor
privilege line level 5 no modem bad
privilege line level 5 no modem shutdown
privilege line level 5 no modem
privilege line level 5 no
privilege interface level 15 loopback
privilege interface level 15 no loopback
privilege interface level 0 no
privilege configure level 5 line
privilege configure level 5 interface
privilege configure level 5 controller
privilege exec level 5 write
privilege exec level 5 ping
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 undebug isdn q931
privilege exec level 5 undebug isdn q921
privilege exec level 5 undebug isdn
privilege exec level 5 undebug ppp authentication
privilege exec level 5 undebug ppp error
privilege exec level 5 undebug ppp negotiation
privilege exec level 5 undebug ppp multilink events
privilege exec level 5 undebug ppp multilink
privilege exec level 5 undebug ppp
privilege exec level 5 undebug aaa accounting
privilege exec level 5 undebug aaa authorization
privilege exec level 5 undebug aaa authentication
privilege exec level 5 undebug aaa
privilege exec level 5 undebug all
privilege exec level 5 undebug
privilege exec level 5 test modem back-to-back
privilege exec level 5 test modem
privilege exec level 5 test
privilege exec level 5 terminal monitor
privilege exec level 5 terminal modem bad
privilege exec level 5 terminal modem shutdown
privilege exec level 5 terminal modem
privilege exec level 5 terminal no monitor
privilege exec level 5 terminal no modem bad
privilege exec level 5 terminal no modem shutdown
privilege exec level 5 terminal no modem
privilege exec level 5 terminal no
privilege exec level 5 terminal
privilege exec level 5 show isdn
privilege exec level 0 show accounting
privilege exec level 5 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 5 debug isdn q931
privilege exec level 5 debug isdn q921
privilege exec level 5 debug isdn
privilege exec level 5 debug ppp authentication
privilege exec level 5 debug ppp error
privilege exec level 5 debug ppp negotiation
privilege exec level 5 debug ppp multilink events
privilege exec level 5 debug ppp multilink
privilege exec level 5 debug ppp
privilege exec level 5 debug aaa accounting
privilege exec level 5 debug aaa authorization
privilege exec level 5 debug aaa authentication
privilege exec level 5 debug aaa
privilege exec level 5 debug all
privilege exec level 5 debug
privilege exec level 5 clear modem counters
privilege exec level 5 clear modem
privilege exec level 5 clear line
privilege exec level 5 clear counters
privilege exec level 5 clear
!
line con 0
exec-timeout 0 0
transport input none
line 1 48
session-timeout 30
exec-timeout 0 0
modem Dialin
transport input all
line aux 0
line vty 0 4
session-timeout 30
exec-timeout 0 0
password 7 x
line vty 5 52
session-timeout 30
exec-timeout 0 0
timeout login response 300
!
end
03-05-2003 09:28 AM
"vpdn authen-before-forward" will make the LAC send the whole username, including the domain name, to the AAA server, and you need to configure the AAA server to return the correct per-user tunnel information.
Now, in your config you have that, but there is no need for the "vpdn search-order domain" command.
So with "vpdn authen-before-forward" you need to set up the AAA server to send per-user tunnel attributes to the LAC.
03-05-2003 01:03 PM
You say I need to configure the aaa server (RADIUS in my case) to return correct per-user based tunnel information.
I have already configured the RADIUS server and it works on 11.3 as my above debug illustrates, for per-user based tunneling.
With the same 5200 configuration, moving to IOS 12.0.25, and the same RADIUS profile, it fails with an error message about authorization, as my above debug illustrates. I have tried removing the "vpdn search-order domain" line but it still fails and the debug output remains the same.
I can't find documentation about how the RADIUS profile needs to change when moving from 11.3 to 12.0.25. This is the RADIUS profile I am using:
dastest@l2f.das-testing.test.com Auth-Type = Local, Password = "x"
Service-Type = Outbound-User,
Framed-Protocol = PPP,
Cisco-AVPair = "vpdn:tunnel-id=sr-l2f-client",
Cisco-AVPair = "vpdn:nas-password=potatos",
Cisco-AVPair = "vpdn:gw-password=potatos",
Cisco-AVPair = "vpdn:ip-addresses=10.10.10.1"
Once again, I repeat, everything works on my 11.3 IOS but fails on 12.0.25. I can't find documentation regarding what needs to be changed in the RADIUS profile to prevent the Cisco error about authorization.
+ralph
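As an added example (not code from the thread or from Cisco) covering both the prefix/domain rule described in the original question and the RADIUS profile in the post above: it encodes the profile's Cisco-AVPair entries as RFC 2865 Vendor-Specific attributes, parses the "Attribute 26 <len> <hex>" lines that "debug radius" printed so the two can be cross-checked, and applies the prefix/domain selection to a full username. The AVPair strings and debug lines are copied from the posts; the function names are my own.

```python
# Added example (not from the thread or Cisco): encode the profile's Cisco-AVPair
# lines as RFC 2865 VSAs, parse `debug radius` attribute lines, apply the rule.
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor-type of cisco-avpair inside the VSA

def encode_cisco_avpair(value: str) -> bytes:
    """One VSA: type(26) len vendor-id(4) vendor-type vendor-len string."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)
    if vendor_len > 255:
        raise ValueError("AVPair too long for a single attribute")
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len) + data
    return struct.pack("!BB", 26, 2 + len(body)) + body

def parse_debug_attribute(line: str) -> dict:
    """Parse a line like '01:18:03: Attribute 26 36 00000009011E7670'. IOS prints
    only the leading value bytes, so the vendor header and string length are recoverable."""
    f = line.split()
    i = f.index("Attribute")
    out = {"type": int(f[i + 1]), "length": int(f[i + 2])}
    head = bytes.fromhex(f[i + 3])
    if out["type"] == 26 and len(head) >= 6:
        out["vendor_id"] = struct.unpack("!I", head[:4])[0]
        out["vendor_type"], out["vendor_len"] = head[4], head[5]
        out["string_len"] = out["vendor_len"] - 2
        out["string_prefix"] = head[6:].decode("ascii", "replace")
        out["consistent"] = out["length"] == 6 + out["vendor_len"]  # 2 + 4 + vendor_len
    return out

def tunnel_key(username: str) -> tuple:
    """Poster's server-side rule: a '/' prefix selects the tunnel, else the '@' domain."""
    if "/" in username:
        return ("prefix", username.split("/", 1)[0])
    if "@" in username:
        return ("domain", username.rsplit("@", 1)[1])
    return ("none", "")

# Constructed cross-check: profile AVPairs against the lengths seen in the debug.
PROFILE = ["vpdn:tunnel-id=sr-l2f-client", "vpdn:nas-password=potatos",
           "vpdn:gw-password=potatos"]
DEBUG = ["01:18:03: Attribute 26 36 00000009011E7670",
         "01:18:03: Attribute 26 33 00000009011B7670",
         "01:18:03: Attribute 26 32 00000009011A7670"]

def check_profile_against_debug(profile=PROFILE, debug=DEBUG) -> list:
    """True per entry when the encoded AVPair has the attribute length the NAS reported."""
    return [len(encode_cisco_avpair(p)) == parse_debug_attribute(d)["length"]
            for p, d in zip(profile, debug)]
```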
03-05-2003 03:48 PM
That is a bug in the IOS. There is an internal bug, CSCds52755 (as it was seen during testing), filed for the same issue.
I hate to say that, but you need to upgrade to 12.1.5T or later, or to the 12.1 mainline.
03-06-2003 01:27 PM
I tested 12.1.18 and the per-user authentication once again works. Thanks for the help identifying that it is a bug and which code it is fixed in.