06-02-2003 04:49 AM - edited 03-02-2019 07:48 AM
I am trying to configure my AS5350 to accept L2TP tunneling attributes from my Radius server. The 5350, acting as the LAC, is running IOS 12.12.2(15)T2. The Radius server is Vircom VOPRadius Professional Version 3.3. The LNS is a Cisco 4700 running IOS version.
The L2TP tunnel works fine when configured without Radius, but when the LAC is configured to accept attributes from Radius to build the tunnel, it keeps coming back with the messages "Tunnel-Type unsupported" and "Tunnel-Medium-Type unsupported."
We have configured the Radius server to use Cisco VSAs, but no luck. Anyone else ever run into this issue?
06-02-2003 08:28 AM
You need to configure the RADIUS server to use the Cisco av-pair attributes, as described in the following URL for tunnel attributes:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/rad_attr.htm
Here is the best URL which talks about the same attributes as well for the LAC.
If it still doesn't work, we need to see the debug output for the following on the LAC:
debug radius
debug aaa authorization
debug aaa per
06-02-2003 10:28 AM
After reading the links you sent me, I noted that the command "vpdn tunnel authorization network" is possibly key and is not mentioned in the other documentation I have read. However, my 5350 refused the command while running 12.5(15T). I upgraded to 12.3, but it still will not accept the command "vpdn tunnel...."
06-02-2003 11:25 AM
As mentioned in the last posting, we do not seem to have the ability to issue certain commands for vpdn functionality, even though the documentation suggests we are running the right version of IOS.
Here is the debug information you asked to see, and thank you for any help you can provide.
2003-06-02 15:19:21 842: *Jan 4 20:14:30.963: RADIUS: authenticator 74 F8 1D 87 5B 36 52 D7 - 19 55 66 DF 26 3D 76 F8
2003-06-02 15:19:21 843: *Jan 4 20:14:30.963: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-02 15:19:21 844: *Jan 4 20:14:30.963: RADIUS: User-Name [1] 16 "miket@dnet.com"
2003-06-02 15:19:21 845: *Jan 4 20:14:30.963: RADIUS: User-Password [2] 18 *
2003-06-02 15:19:21 846: *Jan 4 20:14:30.963: RADIUS: Calling-Station-Id [31] 12 "8285242922"
2003-06-02 15:19:21 847: *Jan 4 20:14:30.963: RADIUS: Called-Station-Id [30] 9 "3490713"
2003-06-02 15:19:21 848: *Jan 4 20:14:30.963: RADIUS: Vendor, Cisco [26] 17
2003-06-02 15:19:21 849: *Jan 4 20:14:30.963: RADIUS: cisco-nas-port [2] 11 "Async1/04"
2003-06-02 15:19:21 850: *Jan 4 20:14:30.963: RADIUS: NAS-Port [5] 6 220
2003-06-02 15:19:21 851: *Jan 4 20:14:30.963: RADIUS: NAS-Port-Type [61] 6 Async [0]
2003-06-02 15:19:21 852: *Jan 4 20:14:30.963: RADIUS: Service-Type [6] 6
2003-06-02 15:19:21 853: Framed [2]
2003-06-02 15:19:21 854: *Jan 4 20:14:30.963: RADIUS: NAS-IP-Address [4] 6 208.247.48.28
2003-06-02 15:19:21 855: *Jan 4 20:14:30.983: RADIUS: Received from id 21645/15 208.247.48.29:1645, Access-Accept, len 116
2003-06-02 15:19:21 856: *Jan 4 20:14:30.983: RADIUS: authenticator D6 B5 73 B2 0F 40 3F 60 - 29 CB AA 3C 59 7E 2C 88
2003-06-02 15:19:21 857: *Jan 4 20:14:30.983: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-02 15:19:21 858: *Jan 4 20:14:30.983: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-02 15:19:21 859: *Jan 4 20:14:30.983: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
2003-06-02 15:19:21 860: *Jan 4 20:14:30.983: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
2003-06-02 15:19:21 861: *Jan 4 20:14:30.983: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
2003-06-02 15:19:21 862: *Jan 4 20:14:30.983: RADIUS: Port-Limit [62] 6 1
2003-06-02 15:19:21 863: *Jan 4 20:14:30.983: RADIUS: Idle-Timeout [28] 6 900
2003-06-02 15:19:21 864: *Jan 4 20:14:30.983: RADIUS: Session-Timeout [27] 6 28800
2003-06-02 15:19:21 865: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 12
2003-06-02 15:19:21 866: *Jan 4 20:14:30.983: RADIUS: Unsupported [64] 6
2003-06-02 15:19:21 867: *Jan 4 20:14:30.983: RADIUS: 4C 32 54 50 [L2TP]
2003-06-02 15:19:21 868: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 10
2003-06-02 15:19:21 869: *Jan 4 20:14:30.983: RADIUS: Unsupported [65] 4
2003-06-02 15:19:21 870: *Jan 4 20:14:30.983: RADIUS: 49 50 [IP]
2003-06-02 15:19:21 871: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 12
2003-06-02 15:19:21 872: *Jan 4 20:14:30.983: RADIUS: Unsupported [67] 6
2003-06-02 15:19:21 873: *Jan 4 20:14:30.983: RADIUS: D0 F7 30 2D [??0-]
2003-06-02 15:19:21 874: *Jan 4 20:14:30.987: RADIUS: Vendor, Cisco [26] 14
2003-06-02 15:19:21 875: *Jan 4 20:14:30.987: RADIUS: Unsupported [69] 8
2003-06-02 15:19:21 876: *Jan 4 20:14:30.987: RADIUS: 74 65 73 74 65 72 [tester]
2003-06-02 15:19:21 877: *Jan 4 20:14:30.987: RADIUS(00000006): Received from id 21645/15
2003-06-02 15:19:21 878: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE
2003-06-02 15:19:21 879: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE
2003-06-02 15:19:21 880: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE
2003-06-02 15:19:21 881: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE
2003-06-02 15:19:21 882: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: service-type
2003-06-02 15:19:21 883: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: Framed-Protocol
2003-06-02 15:19:21 884: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: addr
2003-06-02 15:19:21 885: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: netmask
2003-06-02 15:19:21 886: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: link-compression:Peruser
2003-06-02 15:19:21 887: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: Port-Limit
2003-06-02 15:19:21 888: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: idletime:Peruser
2003-06-02 15:19:21 889: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: timeout:Peruser
2003-06-02 15:19:21 890: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Author
2003-06-02 15:19:21 891: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: link-compression
2003-06-02 15:19:21 892: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV link-compression
2003-06-02 15:19:21 893: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: idletime
2003-06-02 15:19:21 894: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV idletime
2003-06-02 15:19:21 895: *Jan 4 20:14:30.987: As1/04 AAA/PER-USER: PPP idletimeout 900
2003-06-02 15:19:21 896: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: timeout
2003-06-02 15:19:21 897: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV timeout
2003-06-02 15:19:21 898: *Jan 4 20:14:30.987: As1/04 AAA/PER-USER: session timeout 28800 seconds
2003-06-02 15:19:21 899: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/IPCP: FSM authorization not needed
2003-06-02 15:19:21 900: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/FSM: We can start IPCP
2003-06-02 15:19:21 901: *Jan 4 20:14:30.987: AAA/PER-USER: mode = interface; command = [ip tcp header-compression
2003-06-02 15:19:21 902: ]
2003-06-02 15:19:21 903: *Jan 4 20:14:30.987: AAA/PER-USER: line = [ip tcp header-compression]
2003-06-02 15:19:21 904: *Jan 4 20:14:30.995: RADIUS(00000006): Using existing nas_port 220
2003-06-02 15:19:21 905: *Jan 4 20:14:30.995: RADIUS(00000006): Config NAS IP: 0.0.0.0
2003-06-02 15:19:21 906: *Jan 4 20:14:30.995: RADIUS(00000006): sending
2003-06-02 15:19:21 907: *Jan 4 20:14:30.995: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29
2003-06-02 15:19:21 908: *Jan 4 20:14:30.995: RADIUS(00000006): Send Accounting-Request to 208.247.48.29:1646 id 21645/16, len 193
2003-06-02 15:19:21 909: *Jan 4 20:14:30.995: RADIUS: authenticator 7B DB DB 4A E5 B5 BB 68 - 97 00 2B B6 6A 9B A9 86
2003-06-02 15:19:21 910: *Jan 4 20:14:30.995: RADIUS: Acct-Session-Id [44] 10 "00000006"
2003-06-02 15:19:16 707: *Jan 4 20:14:25.907: RADIUS: Unsupported [64] 6
2003-06-02 15:19:16 708: *Jan 4 20:14:25.907: RADIUS: 4C 32 54 50 [L2TP]
2003-06-02 15:19:16 709: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 10
2003-06-02 15:19:16 710: *Jan 4 20:14:25.907: RADIUS: Unsupported [65] 4
2003-06-02 15:19:16 711: *Jan 4 20:14:25.907: RADIUS: 49 50 [IP]
2003-06-02 15:19:16 712: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 12
2003-06-02 15:19:16 713: *Jan 4 20:14:25.907: RADIUS: Unsupported [67] 6
2003-06-02 15:19:16 714: *Jan 4 20:14:25.907: RADIUS: D0 F7 30 2D [??0-]
2003-06-02 15:19:16 715: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 14
2003-06-02 15:19:16 716: *Jan 4 20:14:25.907: RADIUS: Unsupported [69] 8
2003-06-02 15:19:16 717: *Jan 4 20:14:25.907: RADIUS: 74 65 73 74 65 72 [tester]
2003-06-02 15:19:16 718: *Jan 4 20:14:25.907: RADIUS(00000005): Received from id 21645/11
2003-06-02 15:19:16 719: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE
2003-06-02 15:19:16 720: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE
2003-06-02 15:19:16 721: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE
2003-06-02 15:19:16 722: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE
2003-06-02 15:19:16 723: *Jan 4 20:14:25.907: As1/03 PPP/AAA: Check Attr: service-type
2003-06-02 15:19:16 724: *Jan 4 20:14:25.907: As1/03 PPP/AAA: Check Attr: Framed-Protocol
2003-06-02 15:19:16 725: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: addr
2003-06-02 15:19:16 726: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: netmask
2003-06-02 15:19:16 727: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: link-compression:Peruser
2003-06-02 15:19:16 728: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: Port-Limit
2003-06-02 15:19:16 729: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: idletime:Peruser
2003-06-02 15:19:16 730: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: timeout:Peruser
2003-06-02 15:19:16 731: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Author
2003-06-02 15:19:16 732: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Attr: link-compression
2003-06-02 15:19:16 733: *Jan 4 20:14:25.911: AAA/AUTHOR: Processing PerUser AV link-compression
2003-06-02 15:19:16 734: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Attr: idletime
2003-06-02 15:19:16 735: *Jan 4 20:14:25.911: AAA/AUTHOR: Processing PerUser AV idletime
2003-06-02 15:19:16 736: *Jan 4 20:14:25.911: As1/03
06-02-2003 08:05 PM
As you can see, the LAC should send the domain name, like dnet.com, as the username, and the RADIUS server should respond with the tunnel attributes based on that domain name. Instead, the LAC is sending the whole username, so I think the LAC is not configured correctly.
Also, we are getting lots of unsupported attributes like VSA 64, 65, 67 and 69. So I think the RADIUS server is not configured to authenticate the domain name and send the proper tunnel attributes using Cisco av-pair.
Now, to fix both issues, here is the link which has a sample config of a LAC getting tunnel attributes etc. from a TACACS server.
http://www.cisco.com/warp/public/793/access_dial/3.html
I do know that you don't have TACACS, but based on that you can get the config idea for the AS5350 and RADIUS.
06-03-2003 01:04 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Thank you for your continued interest in helping resolve this issue. Your expertise is greatly appreciated.
According to all of the documentation I have read, including the links I received from you, the LAC, when working with a radius server to build an L2TP Tunnel, is configured to talk to the radius server, and vpdn is enabled. The following entries have been made on the LAC:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa session-id common
radius-server host 10.1.1.29 auth-port 1645 acct-port 1646
radius-server key 7 -- moderator edit -- *********************************
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
We also enabled vpdn. I believe we are properly configured on the LAC side, but I will be glad to email you a copy of our LAC and LNS configs.
As for Radius, we do seem to have a problem with the VSAs. The following info has been entered into our Radius Dictionary file:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# VENDOR Attributes
# Define Vendor-IDs and structure of initial part of vendor specific
# attribute where:
# vtype=Vendor-specific attribute value type
VENDOR_CODE CISCO 9
# CISCO VSA's for L2TP
VSA CISCO Tunnel-Type 64 string
VSA CISCO Tunnel-Medium-Type 65 string
VSA CISCO Tunnel-Server-Endpoint 67 ipaddr
VSA CISCO Tunnel-Password 69 string
VSA CISCO Tunnel-Assignment-ID 82 string
VSA CISCO Tunnel-Client-Auth-Id 90 string
VSA CISCO Tunnel-Client-Auth-Id 91 string
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The following entries were made in the Radius profile file. (Dnetspare is the hostname of the LAC):
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Profile="l2tpuser"
-- moderator edit -- dnet.com Password = "**********" Service-Type = outbound
Tunnel-Type = L2TP
Tunnel-Medium-Type = IP
Tunnel-Server-Endpoint = "10.1.1.3"
Tunnel-Assignment-ID = "dnetspare"
Tunnel-Client-Auth-ID = "dnetspare"
Tunnel-Password = -- moderator edit -- "*********"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Can you tell me specifically what attributes and/or AV pairs I need to make this work? There seems to be some inconsistency between documents I read on TAC's web site. I can send you copies of our dictionary and profile files, as well as router configs, if you have a few minutes and want to look them over. We use VOPradius from Vircom, Version 3.3.
06-04-2003 09:32 AM
Here is the best URL, which talks about exactly that, "Configuring Layer 2 Tunnel Protocol Authentication with RADIUS", with stage-by-stage troubleshooting.
http://www.cisco.com/warp/public/480/l2tprad.html
See if that helps.
06-05-2003 07:03 AM
Thank you for the link. It appears that either our profile or dictionary file is not correctly configured. Unfortunately, this article only mentions MERIT radius. We run Vircom's VOP Radius Professional 3.0, and though we have tried several combinations to get the LAC to accept the attributes, the best we get is the response indicated in the debug to follow this post. Has anyone out there ever set up VOP Radius for L2TP with Cisco?
The following posts contain the current setup in VOP Radius for the VSAs and the profile.
06-05-2003 07:09 AM
VOP Radius Dictionary Entries:
# CISCO VSA's for L2TP
VSA CISCO Tunnel-Type x string
VSA CISCO Tunnel-Medium-Type x string
VSA CISCO Tunnel-Server-Endpoint x ipaddr
VSA CISCO Tunnel-Password x string
VSA CISCO Tunnel-Assignment-ID x string
VSA CISCO Tunnel-Client-Auth-Id x string
VSA CISCO Tunnel-Client-Auth-Id x string
#CISCO TUNNEL VALUES
VALUE CISCO Tunnel-Type L2TP 1
VALUE CISCO Tunnel-Medium-Type IP 1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
VOP Radius Profiles entries:
# VOP PRRS Radius Profiles Text File
#
# For more information on the syntax of this file, see this URL:
# xxxxxxxxxxxx
#
#Profile="DEFAULT"
# Port-Limit = 1
#
Profile="l2tp"
dnet.com password="xxxxxxxxxx" Service-Type=Outbound
Tunnel-Type = l2tp
tunnel-Medium-type = ip
Tunnel-Server-Endpoint = 192.168.1.1
Tunnel-Client-Auth-Id="xxxxxxxxxxxx"
Tunnel-Password = "xxxxxxxxxx"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
06-05-2003 07:18 AM
Because the debug information exceeds the posting limit, I will break it up into parts.
Part 1:
2003-06-05 11:20:58 201688: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 14
2003-06-05 11:20:58 201689: *Jan 7 16:15:59.422: RADIUS: Unsupported [69] 8
2003-06-05 11:20:58 201690: *Jan 7 16:15:59.422: RADIUS: 74 65 73 74 65 72 [tester]
2003-06-05 11:20:58 201691: *Jan 7 16:15:59.422: RADIUS(0000057D): Received from id 21664/158
2003-06-05 11:20:58 201692: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE
2003-06-05 11:20:58 201693: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE
2003-06-05 11:20:58 201694: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE
2003-06-05 11:20:58 201695: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 90; IGNORE
2003-06-05 11:20:58 201696: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE
2003-06-05 11:20:58 201697: *Jan 7 16:15:59.422: As1/29 PPP/AAA: Check Attr: service-type
2003-06-05 11:20:58 201698: *Jan 7 16:15:59.422: As1/29 PPP/AAA: Check Attr: Framed-Protocol
2003-06-05 11:20:58 201699: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: addr
2003-06-05 11:20:58 201700: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: netmask
2003-06-05 11:20:58 201701: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: link-compression:Peruser
2003-06-05 11:20:58 201702: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: Port-Limit
2003-06-05 11:20:58 201703: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: idletime:Peruser
2003-06-05 11:20:58 201704: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: timeout:Peruser
2003-06-05 11:20:58 201705: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Author
2003-06-05 11:20:58 201706: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: link-compression
2003-06-05 11:20:58 201707: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV link-compression
2003-06-05 11:20:58 201708: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: idletime
2003-06-05 11:20:58 201709: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV idletime
2003-06-05 11:20:58 201710: *Jan 7 16:15:59.426: As1/29 AAA/PER-USER: PPP idletimeout 900
2003-06-05 11:20:58 201711: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: timeout
2003-06-05 11:20:58 201712: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV timeout
2003-06-05 11:20:58 201713: *Jan 7 16:15:59.426: As1/29 AAA/PER-USER: session timeout 28800 seconds
2003-06-05 11:20:58 201714: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/IPCP: FSM authorization not needed
2003-06-05 11:20:58 201715: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/FSM: We can start IPCP
2003-06-05 11:20:58 201716: *Jan 7 16:15:59.426: AAA/PER-USER: mode = interface; command = [ip tcp header-compression
2003-06-05 11:20:58 201717: ]
2003-06-05 11:20:58 201718: *Jan 7 16:15:59.426: AAA/PER-USER: line = [ip tcp header-compression]
06-05-2003 07:19 AM
Debug part 2:
2003-06-05 11:20:58 201718: *Jan 7 16:15:59.426: AAA/PER-USER: line = [ip tcp header-compression]
2003-06-05 11:20:58 201719: *Jan 7 16:15:59.430: RADIUS(0000057D): Using existing nas_port 245
2003-06-05 11:20:58 201720: *Jan 7 16:15:59.430: RADIUS(0000057D): Config NAS IP: 0.0.0.0
2003-06-05 11:20:58 201721: *Jan 7 16:15:59.430: RADIUS(0000057D): sending
2003-06-05 11:20:58 201722: *Jan 7 16:15:59.430: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29
2003-06-05 11:20:58 201723: *Jan 7 16:15:59.430: RADIUS(0000057D): Send Accounting-Request to 208.247.48.29:1646 id 21664/159, len 144
2003-06-05 11:20:58 201724: *Jan 7 16:15:59.434: RADIUS: authenticator A7 B7 3F AB 11 E5 D9 23 - 3B 96 EA 65 BC F8 BC 4C
2003-06-05 11:20:58 201725: *Jan 7 16:15:59.434: RADIUS: Acct-Session-Id [44] 10 "00000950"
2003-06-05 11:20:58 201726: *Jan 7 16:15:59.434: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-05 11:20:58 201727: *Jan 7 16:15:59.434: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
2003-06-05 11:20:58 201728: *Jan 7 16:15:59.434: RADIUS: User-Name [1] 16 "miket@dnet.com"
2003-06-05 11:20:58 201729: *Jan 7 16:15:59.434: RADIUS: Acct-Status-Type [40] 6 Start [1]
2003-06-05 11:20:58 201730: *Jan 7 16:15:59.434: RADIUS: Calling-Station-Id [31] 12 "8285242922"
2003-06-05 11:20:58 201731: *Jan 7 16:15:59.434: RADIUS: Called-Station-Id [30] 9 "3490713"
2003-06-05 11:20:58 201732: *Jan 7 16:15:59.434: RADIUS: NAS-Port [5] 6 245
2003-06-05 11:20:58 201733: *Jan 7 16:15:59.434: RADIUS: NAS-Port-Type [61] 6 Async [0]
2003-06-05 11:20:58 201734: *Jan 7 16:15:59.434: RADIUS: Connect-Info [77] 29 "50667/28800 V90/V42bis/LAPM"
2003-06-05 11:20:58 201735: *Jan 7 16:15:59.434: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 11:20:58 201736: *Jan 7 16:15:59.434: RADIUS: NAS-IP-Address [4] 6 208.247.48.28
2003-06-05 11:20:58 201737: *Jan 7 16:15:59.434: RADIUS: Acct-Delay-Time [41] 6 0
2003-06-05 11:20:58 201738: *Jan 7 16:15:59.446: RADIUS: Received from id 21664/159 208.247.48.29:1646, Accounting-response, len 20
2003-06-05 11:20:58 201739: *Jan 7 16:15:59.446: RADIUS: authenticator 9F 2F F2 3A D1 F1 44 AE - 79 1B B5 DA 0B 2B 40 60
2003-06-05 11:20:58 201740: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
2003-06-05 11:20:58 201741: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: No remote address; FIP = Use configured pool, if available
2003-06-05 11:20:58 201742: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Processing AV addr
2003-06-05 11:20:58 201743: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Processing AV netmask
2003-06-05 11:20:58 201744: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: Authorization succeeded
2003-06-05 11:20:58 201745: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
2003-06-05 11:20:58 201746: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns
2003-06-05 11:20:59 201747: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for primary wins
2003-06-05 11:20:59 201748: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns
2003-06-05 11:20:59 201749: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday wins
2003-06-05 11:20:59 201750: *Jan 7 16:15:59.590: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns
2003-06-05 11:20:59 201751: *Jan 7 16:15:59.590: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns
2003-06-05 11:20:59 201752: *Jan 7 16:15:59.670: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns
2003-06-05 11:20:59 201753: *Jan 7 16:15:59.670: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns
2003-06-05 11:20:58 201624: *Jan 7 16:15:59.382: RADIUS: AAA Unsupported [152] 9
2003-06-05 11:20:58 201625: *Jan 7 16:15:59.382: RADIUS: 41 73 79 6E 63 31 2F [Async1/]
06-05-2003 07:20 AM
Debug part 3:
2003-06-05 11:20:58 201626: *Jan 7 16:15:59.382: RADIUS(0000057D): Storing nasport 245 in rad_db
2003-06-05 11:20:58 201627: *Jan 7 16:15:59.382: RADIUS(0000057D): Config NAS IP: 0.0.0.0
2003-06-05 11:20:58 201628: *Jan 7 16:15:59.382: RADIUS/ENCODE(0000057D): acct_session_id: 2384
2003-06-05 11:20:58 201629: *Jan 7 16:15:59.382: RADIUS(0000057D): sending
2003-06-05 11:20:58 201630: *Jan 7 16:15:59.382: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29
2003-06-05 11:20:58 201631: *Jan 7 16:15:59.382: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/157, len 93
2003-06-05 11:20:58 201632: *Jan 7 16:15:59.382: RADIUS: authenticator 93 49 B3 05 06 F3 FF B7 - A9 07 44 18 5E F8 4B FC
2003-06-05 11:20:58 201633: *Jan 7 16:15:59.382: RADIUS: User-Name [1] 10 "dnet.com"
2003-06-05 11:20:58 201634: *Jan 7 16:15:59.382: RADIUS: User-Password [2] 18 *
2003-06-05 11:20:58 201635: *Jan 7 16:15:59.382: RADIUS: Calling-Station-Id [31] 12 "8285242922"
2003-06-05 11:20:58 201636: *Jan 7 16:15:59.382: RADIUS: Called-Station-Id [30] 9 "3490713"
2003-06-05 11:20:58 201637: *Jan 7 16:15:59.382: RADIUS: NAS-Port [5] 6 245
2003-06-05 11:20:58 201638: *Jan 7 16:15:59.382: RADIUS: NAS-Port-Type [61] 6 Async [0]
2003-06-05 11:20:58 201639: *Jan 7 16:15:59.382: RADIUS: Service-Type [6] 6 Outbound [5]
2003-06-05 11:20:58 201640: *Jan 7 16:15:59.382: RADIUS: NAS-IP-Address [4] 6 208.247.48.28
2003-06-05 11:20:58 201641: *Jan 7 16:15:59.394: RADIUS: Received from id 21664/157 208.247.48.29:1645, Access-Reject, len 46
2003-06-05 11:20:58 201642: *Jan 7 16:15:59.394: RADIUS: authenticator F0 C7 CC 5F 3E 77 62 A8 - 6D 82 93 56 01 B8 AD 0A
2003-06-05 11:20:58 201643: *Jan 7 16:15:59.394: RADIUS: Reply-Message [18] 26
2003-06-05 11:20:58 201644: *Jan 7 16:15:59.394: RADIUS: 49 6E 76 61 6C 69 64 20 55 73 65 72 49 44 2F 50 [Invalid UserID/P]
2003-06-05 11:20:58 201645: *Jan 7 16:15:59.398: RADIUS: 61 73 73 77 6F 72 64 21 [assword!]
2003-06-05 11:20:58 201646: *Jan 7 16:15:59.398: RADIUS(0000057D): Received from id 21664/157
2003-06-05 11:20:58 201647: *Jan 7 16:15:59.398: RADIUS/DECODE: Reply-Message fragments, 24, total 24 bytes
2003-06-05 11:20:58 201648: *Jan 7 16:15:59.398: RADIUS: AAA Unsupported [152] 9
2003-06-05 11:20:58 201649: *Jan 7 16:15:59.398: RADIUS: 41 73 79 6E 63 31 2F [Async1/]
2003-06-05 11:20:58 201650: *Jan 7 16:15:59.398: RADIUS(0000057D): Using existing nas_port 245
2003-06-05 11:20:58 201651: *Jan 7 16:15:59.398: RADIUS(0000057D): Config NAS IP: 0.0.0.0
2003-06-05 11:20:58 201652: *Jan 7 16:15:59.398: RADIUS/ENCODE(0000057D): acct_session_id: 2384
2003-06-05 11:20:58 201653: *Jan 7 16:15:59.398: RADIUS(0000057D): sending
2003-06-05 11:20:58 201654: *Jan 7 16:15:59.398: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29
2003-06-05 11:20:58 201655: *Jan 7 16:15:59.398: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/158, len 105
2003-06-05 11:20:58 201656: *Jan 7 16:15:59.398: RADIUS: authenticator 93 49 B3 05 06 F3 FF B7 - A9 07 44 18 5E F8 4B FC
2003-06-05 11:20:58 201657: *Jan 7 16:15:59.398: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-05 11:20:58 201658: *Jan 7 16:15:59.398: RADIUS: User-Name [1] 16 "miket@dnet.com"
2003-06-05 11:20:58 201659: *Jan 7 16:15:59.398: RADIUS: User-Password [2] 18 *
2003-06-05 11:20:58 201660: *Jan 7 16:15:59.398: RADIUS: Calling-Station-Id [31] 12 "8285242922"
2003-06-05 11:20:58 201661: *Jan 7 16:15:59.398: RADIUS: Called-Station-Id [30] 9 "3490713"
2003-06-05 11:20:58 201662: *Jan 7 16:15:59.398: RADIUS: NAS-Port [5] 6 245
2003-06-05 11:20:58 201663: *Jan 7 16:15:59.398: RADIUS: NAS-Port-Type [61] 6 Async [0]
2003-06-05 11:20:58 201664: *Jan 7 16:15:59.398: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 11:20:58 201665: *Jan 7 16:15:59.398: RADIUS: NAS-IP-Address [4] 6 208.247.48.28
2003-06-05 11:20:58 201666: *Jan 7 16:15:59.418: RADIUS: Received from id 21664/158 208.247.48.29:1645, Access-Accept, len 133
2003-06-05 11:20:58 201667: *Jan 7 16:15:59.418: RADIUS: authenticator 10 30 F0 C6 D7 3A 8F 0E - 84 3C 18 F6 C7 8D 0A D0
2003-06-05 11:20:58 201668: *Jan 7 16:15:59.418: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 11:20:58 201669: *Jan 7 16:15:59.418: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-05 11:20:58 201670: *Jan 7 16:15:59.418: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
2003-06-05 11:20:58 201671: *Jan 7 16:15:59.418: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
2003-06-05 11:20:58 201672: *Jan 7 16:15:59.418: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
2003-06-05 11:20:58 201673: *Jan 7 16:15:59.418: RADIUS: Port-Limit [62] 6 1
2003-06-05 11:20:58 201674: *Jan 7 16:15:59.418: RADIUS: Idle-Timeout [28] 6 900
2003-06-05 11:20:58 201675: *Jan 7 16:15:59.418: RADIUS: Session-Timeout [27] 6 28800
2003-06-05 11:20:58 201676: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 12
2003-06-05 11:20:58 201677: *Jan 7 16:15:59.422: RADIUS: Unsupported [64] 6
2003-06-05 11:20:58 201678: *Jan 7 16:15:59.422: RADIUS: 6C 32 74 70 [l2tp]
2003-06-05 11:20:58 201679: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 10
2003-06-05 11:20:58 201680: *Jan 7 16:15:59.422: RADIUS: Unsupported [65] 4
2003-06-05 11:20:58 201681: *Jan 7 16:15:59.422: RADIUS: 69 70 [ip]
2003-06-05 11:20:58 201682: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 12
2003-06-05 11:20:58 201683: *Jan 7 16:15:59.422: RADIUS: Unsupported [67] 6
2003-06-05 11:20:58 201684: *Jan 7 16:15:59.422: RADIUS: D0 F7 30 2D [??0-]
2003-06-05 11:20:58 201685: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 17
2003-06-05 11:20:58 201686: *Jan 7 16:15:59.422: RADIUS: Unsupported [90] 11
2003-06-05 11:20:58 201687: *Jan 7 16:15:59.422: RADIUS: 64 6E 65 74 73 70 61 72 65 [dnetspare]
2003-06-05 11:20:58 201623: *Jan 7 16:15:59.382: AAA/AUTHOR (0x57D): Pick method list 'default'
06-05-2003 01:12 PM
DISREGARD THIS MORNING'S POSTS!!!
VOPradius is now configured and is passing the AV pairs, but the LAC is not building the tunnel. All I saw on configuring the LAC to work with radius was "vpdn enable." Did I miss something?
What is strange, is that CISCO boxes from our wholesaler work with these attributes in place.
Part of the debug:
2003-06-05 17:12:04 6415: *Jan 7 22:07:01.395: RADIUS: NAS-IP-Address [4] 6 208.247.48.28
2003-06-05 17:12:04 6416: *Jan 7 22:07:01.451: RADIUS: Received from id 21645/206 208.247.48.29:1645, Access-Accept, len 233
2003-06-05 17:12:04 6417: *Jan 7 22:07:01.451: RADIUS: authenticator C8 42 00 1D 20 0B 85 D3 - 88 AB 60 7C C1 D0 42 1C
2003-06-05 17:12:04 6418: *Jan 7 22:07:01.451: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 17:12:04 6419: *Jan 7 22:07:01.451: RADIUS: Framed-Protocol [7] 6 PPP [1]
2003-06-05 17:12:04 6420: *Jan 7 22:07:01.451: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
2003-06-05 17:12:04 6421: *Jan 7 22:07:01.451: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
2003-06-05 17:12:04 6422: *Jan 7 22:07:01.451: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
2003-06-05 17:12:04 6423: *Jan 7 22:07:01.451: RADIUS: Port-Limit [62] 6 1
2003-06-05 17:12:04 6424: *Jan 7 22:07:01.451: RADIUS: Idle-Timeout [28] 6 900
2003-06-05 17:12:04 6425: *Jan 7 22:07:01.451: RADIUS: Session-Timeout [27] 6 28800
2003-06-05 17:12:04 6426: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 28
2003-06-05 17:12:04 6427: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 22 "vpdn:tunnel-id=user"
2003-06-05 17:12:04 6428: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 29
2003-06-05 17:12:04 6429: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"
2003-06-05 17:12:04 6430: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 34
2003-06-05 17:12:04 6431: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 28 "vpdn:tunnel-medium-type=IP"
2003-06-05 17:12:04 6432: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 39
2003-06-05 17:12:04 6433: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 33 "vpdn:ip-addresses=10.1.1.1"
2003-06-05 17:12:04 6434: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 35
2003-06-05 17:12:04 6435: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 29 "vpdn:tunnel-password=xxxx"
06-10-2003 12:44 PM
We resolved this issue for Cisco LAC to Cisco LNS via VOPradius from Vircom.
In the dictionary file for VOP the vendor code for Cisco is 9.
Dictionary entry for VOP: "VSA CISCO CISCO-AVPAIR 1 string"
Profiles File for VOP:
Profile="l2tp"
dnet.com password="cisco" Service-Type=Outbound
CISCO-AVPAIR="VPDN:Tunnel-Type=l2tp"
CISCO-AVPAIR="Tunnel-Medium-Type=IP"
CISCO-AVPAIR="Tunnel-Server-Endpoint=x.x.x.x"
CISCO-AVPAIR="Tunnel-Password=PASSWORD"
On the LAC, make sure you have the command "vpdn authen-before-forward" entered after you enable VPDN. This command is NOT well documented. In fact, I only found it under the release notes for IOS 12.2. All other config examples I found on Cisco's site imply that enabling VPDN is sufficient, but without the "vpdn authen-before-forward" command we could not get it to work.
Now... does anyone know how to get a Cisco LNS to accept VSA attributes from an Ascend NAS?
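The two Access-Accept layouts seen in this thread, as an added example that is not part of the original posts or of Cisco's or Vircom's code: the first (08:05 PM reply, debugs of 06-02 and 06-05) wraps the RFC 2868 Tunnel-* attribute numbers 64/65/67/69 inside a Cisco Vendor-Specific attribute, which IOS logs as "Unsupported [64]" and then IGNOREs while the session falls through to a plain local PPP/IPCP session; the second (01:12 PM post and the resolution) sends cisco-avpair (vendor type 1) strings with the vpdn: prefix, which the LAC parses. Constants follow RFC 2865/2868 and the Cisco vendor ID 9 in the debug; the sample values (10.1.1.3, dnetspare, the password placeholder) are constructed.

```python
# Added example (not from the thread, Cisco or Vircom): encode the two
# Access-Accept attribute layouts and decode them the way the LAC does.
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9           # "Vendor, Cisco" in the IOS debug
CISCO_AVPAIR = 1              # vendor type 1 = cisco-avpair
CISCO_NAS_PORT = 2            # vendor type 2 = cisco-nas-port (seen in the debug)
KNOWN_CISCO_VSA = {CISCO_AVPAIR: "Cisco AVpair", CISCO_NAS_PORT: "cisco-nas-port"}

# RFC 2868 tunnel attributes are top-level RADIUS attribute numbers, not
# Cisco vendor types; the broken dictionary put them inside vendor 9.
RFC2868_TUNNEL = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
                  67: "Tunnel-Server-Endpoint", 69: "Tunnel-Password",
                  82: "Tunnel-Assignment-ID", 90: "Tunnel-Client-Auth-ID",
                  91: "Tunnel-Server-Auth-ID"}


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific(26) carrying Vendor-Id 9 and one vendor TLV."""
    return tlv(VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + tlv(vendor_type, value))


def cisco_avpair(text: str) -> bytes:
    return cisco_vsa(CISCO_AVPAIR, text.encode("ascii"))


def broken_accept() -> bytes:
    """'VSA CISCO Tunnel-Type 64 string' etc.: tunnel numbers wrapped as Cisco VSAs."""
    return b"".join([
        cisco_vsa(64, b"L2TP"),                                  # 'Unsupported [64] 6'
        cisco_vsa(65, b"IP"),                                    # 'Unsupported [65] 4'
        cisco_vsa(67, bytes(map(int, "10.1.1.3".split(".")))),  # constructed LNS address
        cisco_vsa(69, b"tester"),
    ])


def working_accept() -> bytes:
    """'VSA CISCO CISCO-AVPAIR 1 string': vpdn: pairs the LAC understands."""
    return b"".join(cisco_avpair(p) for p in (
        "vpdn:tunnel-id=dnetspare",
        "vpdn:tunnel-type=l2tp",
        "vpdn:tunnel-medium-type=IP",
        "vpdn:ip-addresses=10.1.1.3",
        "vpdn:tunnel-password=EXAMPLE",   # constructed placeholder
    ))


def decode(attrs: bytes) -> list:
    """Walk the attribute list like the LAC; returns (name, ...) tuples."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, ln = attrs[i], attrs[i + 1]
        if ln < 2 or i + ln > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (ln, i))
        val = attrs[i + 2:i + ln]
        i += ln
        if t == VENDOR_SPECIFIC and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            vt, vl = val[4], val[5]
            if vl < 2 or 4 + vl > len(val):
                raise ValueError("bad vendor attribute length")
            vval = val[6:4 + vl]
            if vendor == CISCO_VENDOR_ID and vt in KNOWN_CISCO_VSA:
                out.append((KNOWN_CISCO_VSA[vt], vval.decode("ascii", "replace")))
            else:
                # What IOS prints as 'Unsupported [64] 6' and then IGNOREs.
                out.append(("Unsupported-Cisco-VSA", vt, vval))
        elif t in RFC2868_TUNNEL:
            out.append((RFC2868_TUNNEL[t], val))
        else:
            out.append(("Attr-%d" % t, val))
    return out


def ignored_cisco_vsas(attrs: bytes) -> list:
    """Vendor types the LAC logs as 'unsupported cisco VSA N; IGNORE'."""
    return [a[1] for a in decode(attrs) if a[0] == "Unsupported-Cisco-VSA"]


def vpdn_pairs(attrs: bytes) -> dict:
    """The vpdn:key=value pairs the LAC would use to build the L2TP tunnel."""
    pairs = {}
    for a in decode(attrs):
        if a[0] == "Cisco AVpair" and a[1].startswith("vpdn:") and "=" in a[1]:
            k, v = a[1][5:].split("=", 1)
            pairs[k] = v
    return pairs


if __name__ == "__main__":
    print("broken  ->", ignored_cisco_vsas(broken_accept()), vpdn_pairs(broken_accept()))
    print("working ->", ignored_cisco_vsas(working_accept()), vpdn_pairs(working_accept()))
```

The encoded lengths reproduce the debug exactly: the wrapped Tunnel-Type is "[26] 12 ... [64] 6", and "vpdn:tunnel-type=l2tp" is "[26] 29 ... [1] 23". An empty vpdn_pairs result with a non-empty ignored list is the signature of the fail-open case in the 06-02 and 06-05 debugs, where the caller gets a local Framed session instead of a tunnel.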