Cisco Support Community
Community Member

l2f vpdn AS5200

I am testing TAOS 12.0.25 for my AS5200s. Previously I was using some 11.3 version. I need to always do "per-user" based tunneling... Sometimes the tunnel is built based off of a prefix (separated by /) and sometimes built based off the domain (separated by @), and I need to do this logic on the RADIUS server, and have the AS5200 always send the entire username in all access requests. The new 12.0.25 code either fails with an authorization error or tries to send just the domain part of the username to build a tunnel. I've been stumped on this for a few days now.

Here is some debug illustrating our 11.3 code:

*Feb 28 20:18:03: %LINK-3-UPDOWN: Interface Async12, changed state to up
01:18:03: AAA: parse name=Async12 idb type=10 tty=12
01:18:03: AAA: name=Async12 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=12 channel=0
01:18:03: AAA: parse name=Serial0:0 idb type=12 tty=-1
01:18:03: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
01:18:03: AAA/AUTHEN: create_user (0x4302B0) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
01:18:03: AAA/AUTHEN/START (2348983305): port='Async12' list='' action=LOGIN service=PPP
01:18:03: AAA/AUTHEN/START (2348983305): using "default" list
01:18:03: AAA/AUTHEN/START (2348983305): Method=LOCAL
01:18:03: AAA/AUTHEN (2348983305): status = ERROR
01:18:03: AAA/AUTHEN/START (2348983305): Method=RADIUS
01:18:03: RADIUS: ustruct sharecount=1
01:18:03: RADIUS: Initial Transmit Async12 id 18 10.10.10.7:1645, Access-Request, len 120
01:18:03: Attribute 4 6 12345678
01:18:03: Attribute 5 6 0000000C
01:18:03: Attribute 61 6 00000000
01:18:03: Attribute 1 34 64617374
01:18:03: Attribute 30 6 37323835
01:18:03: Attribute 31 12 36313437
01:18:03: Attribute 2 18 7BD72FA6
01:18:03: Attribute 6 6 00000002
01:18:03: Attribute 7 6 00000001
01:18:03: RADIUS: Received from id 18 10.10.10.7:1645, Access-Accept, len 172
01:18:03: Attribute 6 6 00000005
01:18:03: Attribute 7 6 00000001
01:18:03: Attribute 26 36 00000009011E7670
01:18:03: Attribute 26 33 00000009011B7670
01:18:03: Attribute 26 32 00000009011A7670
01:18:03: Attribute 26 39 0000000901217670
01:18:03: RADIUS: saved authorization data for user 4302B0 at 473DFC
01:18:03: AAA/AUTHEN (2348983305): status = PASS
01:18:03: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:nas-password=potatos" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:gw-password=potatos" not applied for lcp
01:18:03: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1" not applied for lcp
01:18:03: sVPDN: Got DNIS string As12
01:18:03: As12 VPDN: Looking for tunnel -- l2f.das-testing.test.com --
01:18:03: AAA/AUTHEN: dup_user (0x428A78) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=LOGIN priv=0 source='AAA dup vpn'
01:18:03: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client"
01:18:03: RADIUS: cisco AVPair "vpdn:nas-password=potatos"
01:18:03: RADIUS: cisco AVPair "vpdn:gw-password=potatos"
01:18:03: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1"
01:18:03: As12 VPDN: Get tunnel info for dastest@l2f.das-testing.test.com with NAS sr-l2f-client, IP 10.10.10.1
01:18:03: AAA/AUTHEN: free_user (0x428A78) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=LOGIN priv=0
01:18:03: As12 VPDN: Forward to address 10.10.10.1
01:18:03: As12 VPDN: Forwarding...
01:18:03: AAA: parse name=Async12 idb type=10 tty=12
01:18:03: AAA: name=Async12 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=12 channel=0
01:18:03: AAA: parse name=Serial0:0 idb type=12 tty=-1
01:18:03: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
01:18:03: AAA/AUTHEN: create_user (0x461ABC) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=CHAP service=PPP priv=1
01:18:03: AAA/AUTHEN: free_user (0x4302B0) user='dastest@l2f.das-testing.test.com' ruser='' port='Async12' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
01:18:03: As12 VPDN: Bind interface direction=1
01:18:03: As12 VPDN: dastest@l2f.das-testing.test.com is forwarded

When I load 12.0.25, it no longer works. It complains about Authorization.

*Feb 28 19:20:07: %LINK-3-UPDOWN: Interface Async1, changed state to up
00:20:07: AAA: parse name=Async1 idb type=10 tty=1
00:20:07: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=1 channel=0
00:20:07: AAA: parse name=Serial0:0 idb type=12 tty=-1
00:20:07: AAA: name=Serial0:0 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=0
00:20:07: AAA/AUTHEN: create_user (0x4FC58C) user='dastest@l2f.das-testing.test.com' ruser='' port='Async1' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
00:20:07: AAA/AUTHEN/START (1750370569): port='Async1' list='' action=LOGIN service=PPP
00:20:07: AAA/AUTHEN/START (1750370569): using "default" list
00:20:07: AAA/AUTHEN/START (1750370569): Method=LOCAL
00:20:07: AAA/AUTHEN (1750370569): status = ERROR
00:20:07: AAA/AUTHEN/START (1750370569): Method=RADIUS
00:20:07: RADIUS: ustruct sharecount=1
00:20:07: RADIUS: Initial Transmit Async1 id 0 10.10.10.7:1645, Access-Request, len 120
00:20:07: Attribute 4 6 12345678
00:20:07: Attribute 5 6 00000001
00:20:07: Attribute 61 6 00000000
00:20:07: Attribute 1 34 64617374
00:20:07: Attribute 30 6 37323835
00:20:07: Attribute 31 12 36313437
00:20:07: Attribute 2 18 2B7AB89B
00:20:07: Attribute 6 6 00000002
00:20:07: Attribute 7 6 00000001
00:20:07: RADIUS: Received from id 0 10.10.10.7:1645, Access-Accept, len 172
00:20:07: Attribute 6 6 00000005
00:20:07: Attribute 7 6 00000001
00:20:07: Attribute 26 36 00000009011E7670
00:20:07: Attribute 26 33 00000009011B7670
00:20:07: Attribute 26 32 00000009011A7670
00:20:07: Attribute 26 39 0000000901217670
00:20:07: RADIUS: saved authorization data for user 4FC58C at 518120
00:20:07: AAA/AUTHEN (1750370569): status = PASS
00:20:07: RADIUS: cisco AVPair "vpdn:tunnel-id=sr-l2f-client" not applied for lcp
00:20:07: RADIUS: cisco AVPair "vpdn:nas-password=potatos" not applied for lcp
00:20:07: RADIUS: cisco AVPair "vpdn:gw-password=potatos" not applied for lcp
00:20:08: RADIUS: cisco AVPair "vpdn:ip-addresses=10.10.10.1" not applied for lcp
00:20:08: RADIUS: no appropriate authorization type for user.
00:20:08: AAA/AUTHEN: free_user (0x4FC58C) user='dastest@l2f.das-testing.test.com' ruser='' port='Async1' rem_addr='6145551234/5678' authen_type=PAP service=PPP priv=1
*Feb 28 19:20:08: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown , call lasted 24 seconds
00:20:09: isdn_Call_disconnect()

I would like to get the above working. What do I need to add to RADIUS Access-Accept to get the user "authorized"?

(P.S., if I turn off the config line "aaa authorization network default radius", the user is authorized for LCP and the tunneling attributes I already sent are ignored; the 5200 then goes on to send a RADIUS request with just the domain, trying to authenticate the domain for a tunnel. This is not what I want; I want it to use the tunnel information I already sent in the user's Access-Accept packet. Domain based tunnel building is not an option for me.)

Here is my configuration:

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname test-beta-das-2
!
boot system flash
logging buffered 4096 warnings
aaa new-model
aaa authentication login default local radius
aaa authentication ppp default local radius
aaa authorization exec default local
aaa authorization network default radius
aaa accounting update newinfo
aaa accounting network default start-stop radius
enable secret level 5 5 x
enable secret 5 x
!
username projects password 7 x
username stackq password 7 x
username ppptest password 7 x
ip subnet-zero
no ip finger
ip telnet source-interface Ethernet0
ip tftp source-interface Ethernet0
ip domain-name compuserve.com
ip name-server 10.10.10.5
ip name-server 10.10.10.6
ip address-pool local
multilink virtual-template 1
!
sgbp group stackq
sgbp member test-beta-das-1 10.10.10.2
vpdn enable
vpdn authen-before-forward
vpdn search-order domain
vty-async
vty-async header-compression passive
vty-async ppp authentication pap chap
vty-async keepalive 0
isdn switch-type primary-dms100
clock timezone est -5
clock summer-time edt recurring 1 Sun Apr 0:00 last Sun Oct 0:00
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
 description Ameritech PRI Lead
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
 description MCI
!
!
interface Ethernet0
 ip address 10.10.10.3 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 ip tcp header-compression passive
 no snmp trap link-status
 ppp authentication pap chap
 ppp multilink
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Serial0:23
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 no keepalive
 dialer idle-timeout 1800
 dialer-group 1
 autodetect encapsulation ppp v120
 no snmp trap link-status
 isdn switch-type primary-dms100
 isdn tei-negotiation first-call
 isdn incoming-voice modem
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp authentication pap chap
 ppp multilink
!
interface Serial1:23
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 no keepalive
 dialer idle-timeout 1800
 dialer-group 1
 autodetect encapsulation ppp v120
 no snmp trap link-status
 isdn switch-type primary-dms100
 isdn tei-negotiation first-call
 isdn incoming-voice modem
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp authentication pap chap callin
 ppp multilink
!
interface Group-Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 no ip mroute-cache
 async mode dedicated
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp authentication pap chap
 ppp multilink
 group-range 1 48
!
ip local pool default 10.10.11.1 10.10.11.63
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.254
!
ip radius source-interface Ethernet0
logging history critical
logging source-interface Ethernet0
dialer-list 1 protocol ip permit
!
snmp-server community x RW
snmp-server trap-source Ethernet0
snmp-server location lab
snmp-server contact eng
snmp-server chassis-id test-beta-das-2
radius-server host 10.10.10.7 auth-port 1645 acct-port 1646
radius-server key x
banner motd ^C
Router test-beta-das-2
^C
privilege controller level 5 loopback
privilege controller level 15 linecode
privilege controller level 5 shutdown
privilege controller level 5 no loopback
privilege controller level 15 no linecode
privilege controller level 5 no shutdown
privilege controller level 5 no
privilege line level 5 monitor
privilege line level 5 modem bad
privilege line level 5 modem shutdown
privilege line level 5 modem
privilege line level 5 no monitor
privilege line level 5 no modem bad
privilege line level 5 no modem shutdown
privilege line level 5 no modem
privilege line level 5 no
privilege interface level 15 loopback
privilege interface level 15 no loopback
privilege interface level 0 no
privilege configure level 5 line
privilege configure level 5 interface
privilege configure level 5 controller
privilege exec level 5 write
privilege exec level 5 ping
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 undebug isdn q931
privilege exec level 5 undebug isdn q921
privilege exec level 5 undebug isdn
privilege exec level 5 undebug ppp authentication
privilege exec level 5 undebug ppp error
privilege exec level 5 undebug ppp negotiation
privilege exec level 5 undebug ppp multilink events
privilege exec level 5 undebug ppp multilink
privilege exec level 5 undebug ppp
privilege exec level 5 undebug aaa accounting
privilege exec level 5 undebug aaa authorization
privilege exec level 5 undebug aaa authentication
privilege exec level 5 undebug aaa
privilege exec level 5 undebug all
privilege exec level 5 undebug
privilege exec level 5 test modem back-to-back
privilege exec level 5 test modem
privilege exec level 5 test
privilege exec level 5 terminal monitor
privilege exec level 5 terminal modem bad
privilege exec level 5 terminal modem shutdown
privilege exec level 5 terminal modem
privilege exec level 5 terminal no monitor
privilege exec level 5 terminal no modem bad
privilege exec level 5 terminal no modem shutdown
privilege exec level 5 terminal no modem
privilege exec level 5 terminal no
privilege exec level 5 terminal
privilege exec level 5 show isdn
privilege exec level 0 show accounting
privilege exec level 5 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 5 debug isdn q931
privilege exec level 5 debug isdn q921
privilege exec level 5 debug isdn
privilege exec level 5 debug ppp authentication
privilege exec level 5 debug ppp error
privilege exec level 5 debug ppp negotiation
privilege exec level 5 debug ppp multilink events
privilege exec level 5 debug ppp multilink
privilege exec level 5 debug ppp
privilege exec level 5 debug aaa accounting
privilege exec level 5 debug aaa authorization
privilege exec level 5 debug aaa authentication
privilege exec level 5 debug aaa
privilege exec level 5 debug all
privilege exec level 5 debug
privilege exec level 5 clear modem counters
privilege exec level 5 clear modem
privilege exec level 5 clear line
privilege exec level 5 clear counters
privilege exec level 5 clear
!
line con 0
 exec-timeout 0 0
 transport input none
line 1 48
 session-timeout 30
 exec-timeout 0 0
 modem Dialin
 transport input all
line aux 0
line vty 0 4
 session-timeout 30
 exec-timeout 0 0
 password 7 x
line vty 5 52
 session-timeout 30
 exec-timeout 0 0
 timeout login response 300
!
end

Accepted Solutions
Cisco Employee

Re: l2f vpdn AS5200

That is a bug in the IOS. There is an internal bug, CSCds52755 (as it was seen during testing), filed for the same issue.

I hate to say that, but you need to upgrade to 12.1.5T or later, or 12.1 mainline.

4 REPLIES
Cisco Employee

Re: l2f vpdn AS5200

"vpdn authen-before-forward" will make the LAC send the whole username, including the domain name, to the AAA server, and you need to configure the AAA server to return correct per-user based tunnel information.

Now, in your config you have that, but there is no need for the "vpdn search-order domain" command.

So with "vpdn authen-before-forward" you need to set the AAA server to send per-user based tunnel attributes to the LAC.

Community Member

Re: l2f vpdn AS5200

You say I need to configure the aaa server (RADIUS in my case) to return correct per-user based tunnel information.

I have already configured the RADIUS server and it works on 11.3 as my above debug illustrates, for per-user based tunneling.

With the same 5200 configuration, moving to IOS 12.0.25, and the same RADIUS profile, it fails with an error message about authorization, as my above debug illustrates. I have tried removing the "vpdn search-order domain" line but it still fails and the debug output remains the same.

I can't find documentation about how the RADIUS profile needs to change when moving from 11.3 to 12.0.25. This is the RADIUS profile I am using:

dastest@l2f.das-testing.test.com Auth-Type = Local, Password = "x"
        Service-Type = Outbound-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "vpdn:tunnel-id=sr-l2f-client",
        Cisco-AVPair = "vpdn:nas-password=potatos",
        Cisco-AVPair = "vpdn:gw-password=potatos",
        Cisco-AVPair = "vpdn:ip-addresses=10.10.10.1"

Once again, I repeat: everything works on my 11.3 IOS, but fails on 12.0.25. I can't find documentation regarding what needs to be changed in the RADIUS profile to prevent the Cisco error about authorization.

+ralph
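As an added example (not code from this thread, from Cisco or from the poster's RADIUS server), the Python below encodes the four Cisco-AVPair strings of the profile above as RFC 2865 Vendor-Specific attributes (vendor 9, sub-type 1), decodes them back with length checks, renders each the way IOS `debug radius` prints a VSA so the result can be compared with the `Attribute 26` lines in the 11.3 debug, and shows the per-user tunnel lookup the original question describes (key taken from the `@domain` suffix or the `prefix/` part while the full username is kept as User-Name). The `TUNNELS` table and `select_tunnel` are constructions for illustration, not anything a real RADIUS server or IOS provides.

```python
import struct
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor-type carrying free-form "app:key=value" strings

# Constructed table keyed by '@domain' suffix or 'prefix/' part, holding the profile's values.
TUNNELS = {"l2f.das-testing.test.com": {"tunnel-id": "sr-l2f-client", "nas-password": "potatos",
                                        "gw-password": "potatos", "ip-addresses": "10.10.10.1"}}

def encode_cisco_avpair(avpair):
    """Wrap one Cisco-AVPair string as a RADIUS Vendor-Specific (type 26) attribute."""
    payload = avpair.encode("ascii")
    if len(payload) > 247:  # 255 max - 2 outer header - 4 vendor id - 2 sub-header
        raise ValueError("AV pair too long for a single RADIUS attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_cisco_avpairs(blob):
    """Return the Cisco-AVPair strings in an attribute list; bad lengths raise, never get skipped."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            j = 4
            while j < len(value):
                if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("malformed VSA inside attribute at offset %d" % i)
                if value[j] == CISCO_AVPAIR:
                    out.append(value[j + 2:j + value[j + 1]].decode("ascii"))
                j += value[j + 1]
        i += alen
    return out

def debug_radius_line(attr):
    """Render a VSA as IOS 'debug radius' prints it: type, length, first eight value bytes."""
    return "Attribute %d %d %s" % (attr[0], attr[1], attr[2:10].hex().upper())

def select_tunnel(username, tunnels=TUNNELS):
    """Pick the tunnel by '@domain' or 'prefix/'; the full username stays the User-Name."""
    if "@" in username:
        key = username.rsplit("@", 1)[1]
    elif "/" in username:
        key = username.split("/", 1)[0]
    else:
        return None
    entry = tunnels.get(key)
    if entry is None:
        return None
    # Access-Accept attributes are not encrypted: these passwords are only as safe as the NAS-to-RADIUS path.
    return ["vpdn:%s=%s" % (k, entry[k]) for k in ("tunnel-id", "nas-password", "gw-password", "ip-addresses")]
```

The first three `Attribute 26` lines of the 11.3 debug (lengths 36, 33 and 32, value prefix `00000009011E7670` and so on) are reproduced exactly by `debug_radius_line`; the fourth differs only because the address in the posted profile is shorter than the one the router actually received.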


Community Member

Re: l2f vpdn AS5200

I tested 12.1.18 and the per-user authentication once again works. Thanks for the help identifying that it is a bug and in what code it is fixed.
