L2TP and RADIUS

jimb
Level 1

I am trying to configure my AS5350 to accept L2TP tunneling attributes from my RADIUS server. The 5350, acting as the LAC, is running IOS 12.12.2(15)T2. The RADIUS server is Vircom VOPRadius Professional Version 3.3. The LNS is a Cisco 4700 running IOS version.

The L2TP tunnel works fine when configured without RADIUS, but when the LAC is configured to accept attributes from RADIUS to build the tunnel, it keeps coming back with the messages "Tunnel-Type unsupported" and "Tunnel-Medium-Type unsupported".

We have configured the RADIUS server to use Cisco VSAs, but no luck. Has anyone else ever run into this issue?


tepatel
Cisco Employee

You need to configure the RADIUS server to use the Cisco av-pair attributes for the tunnel, as described at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/rad_attr.htm

Here is the best URL, which talks about the same attributes for the LAC as well:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_15/ftunauth.htm#1030523

If it still doesn't work, we need to see the output of the following debugs on the LAC:

debug radius

debug aaa authorization

debug aaa per-user

After reading the links you sent me, I noted that the command "vpdn tunnel authorization network" is possibly a key not mentioned in the other documentation I have read. However, my 5350 refused the command while running 12.5(15T). I upgraded to 12.3, but it still will not accept the command "vpdn tunnel ...".

As mentioned in the last posting, we do not seem to have the ability to issue certain commands for VPDN functionality, even though the documentation suggests we are running the right version of IOS.

Here is the debug information you asked to see, and thank you for any help you can provide.

2003-06-02 15:19:21 842: *Jan 4 20:14:30.963: RADIUS: authenticator 74 F8 1D 87 5B 36 52 D7 - 19 55 66 DF 26 3D 76 F8

2003-06-02 15:19:21 843: *Jan 4 20:14:30.963: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-02 15:19:21 844: *Jan 4 20:14:30.963: RADIUS: User-Name [1] 16 "miket@dnet.com"

2003-06-02 15:19:21 845: *Jan 4 20:14:30.963: RADIUS: User-Password [2] 18 *

2003-06-02 15:19:21 846: *Jan 4 20:14:30.963: RADIUS: Calling-Station-Id [31] 12 "8285242922"

2003-06-02 15:19:21 847: *Jan 4 20:14:30.963: RADIUS: Called-Station-Id [30] 9 "3490713"

2003-06-02 15:19:21 848: *Jan 4 20:14:30.963: RADIUS: Vendor, Cisco [26] 17

2003-06-02 15:19:21 849: *Jan 4 20:14:30.963: RADIUS: cisco-nas-port [2] 11 "Async1/04"

2003-06-02 15:19:21 850: *Jan 4 20:14:30.963: RADIUS: NAS-Port [5] 6 220

2003-06-02 15:19:21 851: *Jan 4 20:14:30.963: RADIUS: NAS-Port-Type [61] 6 Async [0]

2003-06-02 15:19:21 852: *Jan 4 20:14:30.963: RADIUS: Service-Type [6] 6

2003-06-02 15:19:21 853: Framed [2]

2003-06-02 15:19:21 854: *Jan 4 20:14:30.963: RADIUS: NAS-IP-Address [4] 6 208.247.48.28

2003-06-02 15:19:21 855: *Jan 4 20:14:30.983: RADIUS: Received from id 21645/15 208.247.48.29:1645, Access-Accept, len 116

2003-06-02 15:19:21 856: *Jan 4 20:14:30.983: RADIUS: authenticator D6 B5 73 B2 0F 40 3F 60 - 29 CB AA 3C 59 7E 2C 88

2003-06-02 15:19:21 857: *Jan 4 20:14:30.983: RADIUS: Service-Type [6] 6 Framed [2]

2003-06-02 15:19:21 858: *Jan 4 20:14:30.983: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-02 15:19:21 859: *Jan 4 20:14:30.983: RADIUS: Framed-IP-Address [8] 6 255.255.255.254

2003-06-02 15:19:21 860: *Jan 4 20:14:30.983: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255

2003-06-02 15:19:21 861: *Jan 4 20:14:30.983: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]

2003-06-02 15:19:21 862: *Jan 4 20:14:30.983: RADIUS: Port-Limit [62] 6 1

2003-06-02 15:19:21 863: *Jan 4 20:14:30.983: RADIUS: Idle-Timeout [28] 6 900

2003-06-02 15:19:21 864: *Jan 4 20:14:30.983: RADIUS: Session-Timeout [27] 6 28800

2003-06-02 15:19:21 865: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 12

2003-06-02 15:19:21 866: *Jan 4 20:14:30.983: RADIUS: Unsupported [64] 6

2003-06-02 15:19:21 867: *Jan 4 20:14:30.983: RADIUS: 4C 32 54 50 [L2TP]

2003-06-02 15:19:21 868: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 10

2003-06-02 15:19:21 869: *Jan 4 20:14:30.983: RADIUS: Unsupported [65] 4

2003-06-02 15:19:21 870: *Jan 4 20:14:30.983: RADIUS: 49 50 [IP]

2003-06-02 15:19:21 871: *Jan 4 20:14:30.983: RADIUS: Vendor, Cisco [26] 12

2003-06-02 15:19:21 872: *Jan 4 20:14:30.983: RADIUS: Unsupported [67] 6

2003-06-02 15:19:21 873: *Jan 4 20:14:30.983: RADIUS: D0 F7 30 2D [??0-]

2003-06-02 15:19:21 874: *Jan 4 20:14:30.987: RADIUS: Vendor, Cisco [26] 14

2003-06-02 15:19:21 875: *Jan 4 20:14:30.987: RADIUS: Unsupported [69] 8

2003-06-02 15:19:21 876: *Jan 4 20:14:30.987: RADIUS: 74 65 73 74 65 72 [tester]

2003-06-02 15:19:21 877: *Jan 4 20:14:30.987: RADIUS(00000006): Received from id 21645/15

2003-06-02 15:19:21 878: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE

2003-06-02 15:19:21 879: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE

2003-06-02 15:19:21 880: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE

2003-06-02 15:19:21 881: *Jan 4 20:14:30.987: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE

2003-06-02 15:19:21 882: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: service-type

2003-06-02 15:19:21 883: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: Framed-Protocol

2003-06-02 15:19:21 884: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: addr

2003-06-02 15:19:21 885: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: netmask

2003-06-02 15:19:21 886: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: link-compression:Peruser

2003-06-02 15:19:21 887: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: Port-Limit

2003-06-02 15:19:21 888: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: idletime:Peruser

2003-06-02 15:19:21 889: *Jan 4 20:14:30.987: As1/04 PPP/AAA: Check Attr: timeout:Peruser

2003-06-02 15:19:21 890: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Author

2003-06-02 15:19:21 891: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: link-compression

2003-06-02 15:19:21 892: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV link-compression

2003-06-02 15:19:21 893: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: idletime

2003-06-02 15:19:21 894: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV idletime

2003-06-02 15:19:21 895: *Jan 4 20:14:30.987: As1/04 AAA/PER-USER: PPP idletimeout 900

2003-06-02 15:19:21 896: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/LCP: Process Attr: timeout

2003-06-02 15:19:21 897: *Jan 4 20:14:30.987: AAA/AUTHOR: Processing PerUser AV timeout

2003-06-02 15:19:21 898: *Jan 4 20:14:30.987: As1/04 AAA/PER-USER: session timeout 28800 seconds

2003-06-02 15:19:21 899: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/IPCP: FSM authorization not needed

2003-06-02 15:19:21 900: *Jan 4 20:14:30.987: As1/04 AAA/AUTHOR/FSM: We can start IPCP

2003-06-02 15:19:21 901: *Jan 4 20:14:30.987: AAA/PER-USER: mode = interface; command = [ip tcp header-compression

2003-06-02 15:19:21 902: ]

2003-06-02 15:19:21 903: *Jan 4 20:14:30.987: AAA/PER-USER: line = [ip tcp header-compression]

2003-06-02 15:19:21 904: *Jan 4 20:14:30.995: RADIUS(00000006): Using existing nas_port 220

2003-06-02 15:19:21 905: *Jan 4 20:14:30.995: RADIUS(00000006): Config NAS IP: 0.0.0.0

2003-06-02 15:19:21 906: *Jan 4 20:14:30.995: RADIUS(00000006): sending

2003-06-02 15:19:21 907: *Jan 4 20:14:30.995: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29

2003-06-02 15:19:21 908: *Jan 4 20:14:30.995: RADIUS(00000006): Send Accounting-Request to 208.247.48.29:1646 id 21645/16, len 193

2003-06-02 15:19:21 909: *Jan 4 20:14:30.995: RADIUS: authenticator 7B DB DB 4A E5 B5 BB 68 - 97 00 2B B6 6A 9B A9 86

2003-06-02 15:19:21 910: *Jan 4 20:14:30.995: RADIUS: Acct-Session-Id [44] 10 "00000006"

2003-06-02 15:19:16 707: *Jan 4 20:14:25.907: RADIUS: Unsupported [64] 6

2003-06-02 15:19:16 708: *Jan 4 20:14:25.907: RADIUS: 4C 32 54 50 [L2TP]

2003-06-02 15:19:16 709: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 10

2003-06-02 15:19:16 710: *Jan 4 20:14:25.907: RADIUS: Unsupported [65] 4

2003-06-02 15:19:16 711: *Jan 4 20:14:25.907: RADIUS: 49 50 [IP]

2003-06-02 15:19:16 712: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 12

2003-06-02 15:19:16 713: *Jan 4 20:14:25.907: RADIUS: Unsupported [67] 6

2003-06-02 15:19:16 714: *Jan 4 20:14:25.907: RADIUS: D0 F7 30 2D [??0-]

2003-06-02 15:19:16 715: *Jan 4 20:14:25.907: RADIUS: Vendor, Cisco [26] 14

2003-06-02 15:19:16 716: *Jan 4 20:14:25.907: RADIUS: Unsupported [69] 8

2003-06-02 15:19:16 717: *Jan 4 20:14:25.907: RADIUS: 74 65 73 74 65 72 [tester]

2003-06-02 15:19:16 718: *Jan 4 20:14:25.907: RADIUS(00000005): Received from id 21645/11

2003-06-02 15:19:16 719: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE

2003-06-02 15:19:16 720: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE

2003-06-02 15:19:16 721: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE

2003-06-02 15:19:16 722: *Jan 4 20:14:25.907: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE

2003-06-02 15:19:16 723: *Jan 4 20:14:25.907: As1/03 PPP/AAA: Check Attr: service-type

2003-06-02 15:19:16 724: *Jan 4 20:14:25.907: As1/03 PPP/AAA: Check Attr: Framed-Protocol

2003-06-02 15:19:16 725: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: addr

2003-06-02 15:19:16 726: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: netmask

2003-06-02 15:19:16 727: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: link-compression:Peruser

2003-06-02 15:19:16 728: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: Port-Limit

2003-06-02 15:19:16 729: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: idletime:Peruser

2003-06-02 15:19:16 730: *Jan 4 20:14:25.911: As1/03 PPP/AAA: Check Attr: timeout:Peruser

2003-06-02 15:19:16 731: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Author

2003-06-02 15:19:16 732: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Attr: link-compression

2003-06-02 15:19:16 733: *Jan 4 20:14:25.911: AAA/AUTHOR: Processing PerUser AV link-compression

2003-06-02 15:19:16 734: *Jan 4 20:14:25.911: As1/03 AAA/AUTHOR/LCP: Process Attr: idletime

2003-06-02 15:19:16 735: *Jan 4 20:14:25.911: AAA/AUTHOR: Processing PerUser AV idletime

2003-06-02 15:19:16 736: *Jan 4 20:14:25.911: As1/03

tepatel
Cisco Employee

As you can see, the LAC should send the domain name (dnet.com) as the username, and the RADIUS server should respond with the tunnel attributes based on that domain name. Instead, the LAC is sending the whole username, so I think the LAC is not configured correctly.

Also, we are getting lots of unsupported attributes, like VSA 64, 65, 67 and 69. So I think the RADIUS server is not configured to authenticate the domain name and send the proper tunnel attributes using Cisco av-pairs.

Now, to fix both issues, here is a link which has a sample config of a LAC getting tunnel attributes etc. from a TACACS server.

http://www.cisco.com/warp/public/793/access_dial/3.html

I do know that you don't have TACACS, but based on that you can get the idea of the config for the AS5350 and RADIUS.

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Thank you for your continued interest in helping resolve this issue. Your expertise is greatly appreciated.

According to all of the documentation I have read, including the links I received from you, the LAC, when working with a RADIUS server to build an L2TP tunnel, is configured to talk to the RADIUS server, and VPDN is enabled. The following entries have been made on the LAC:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

aaa new-model

!

!

aaa authentication login default local

aaa authentication login CONSOLE none

aaa authentication ppp default if-needed group radius

aaa authorization network default group radius

aaa accounting network default start-stop group radius

aaa session-id common

radius-server host 10.1.1.29 auth-port 1645 acct-port 1646

radius-server key 7 -- moderator edit -- *********************************

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

radius-server vsa send authentication

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

We also enabled VPDN. I believe we are properly configured on the LAC side, but I will be glad to email you a copy of our LAC and LNS configs.

As for RADIUS, we do seem to have a problem with the VSAs. The following info has been entered into our RADIUS dictionary file:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

# VENDOR Attributes

# Define Vendor-IDs and structure of initial part of vendor specific

# attribute where:

# vtype=Vendor-specific attribute value type

VENDOR_CODE CISCO 9

# CISCO VSA's for L2TP

VSA CISCO Tunnel-Type 64 string

VSA CISCO Tunnel-Medium-Type 65 string

VSA CISCO Tunnel-Server-Endpoint 67 ipaddr

VSA CISCO Tunnel-Password 69 string

VSA CISCO Tunnel-Assignment-ID 82 string

VSA CISCO Tunnel-Client-Auth-Id 90 string

VSA CISCO Tunnel-Client-Auth-Id 91 string

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The following entries were made in the RADIUS profile file (dnetspare is the hostname of the LAC):

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Profile="l2tpuser"

-- moderator edit -- dnet.com Password = "**********" Service-Type = outbound

Tunnel-Type = L2TP

Tunnel-Medium-Type = IP

Tunnel-Server-Endpoint = "10.1.1.3"

Tunnel-Assignment-ID = "dnetspare"

Tunnel-Client-Auth-ID = "dnetspare"

Tunnel-Password = -- moderator edit -- "*********"

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Can you tell me specifically what attributes and/or AV pairs I need to make this work? There seems to be some inconsistency between documents I read on TAC's web site. I can send you copies of our dictionary and profile files, as well as router configs, if you have a few minutes and want to look them over. We use VOPradius from Vircom, Version 3.3.

tepatel
Cisco Employee

Here is the best URL, which talks about exactly that, "Configuring Layer 2 Tunnel Protocol Authentication with RADIUS", with stage-by-stage troubleshooting.

http://www.cisco.com/warp/public/480/l2tprad.html

See if that helps.

Thank you for the link. It appears that either our profile or dictionary file is not correctly configured. Unfortunately, this article only mentions Merit RADIUS. We run Vircom's VOP Radius Professional 3.0, and though we have tried several combinations to get the LAC to accept the attributes, the best we get is the response indicated in the debug that follows this post. Has anyone out there ever set up VOP Radius for L2TP with Cisco?

The following posts contain the current setup in VOP Radius for the VSAs and the profile.

VOP Radius Dictionary Entries:

# CISCO VSA's for L2TP

VSA CISCO Tunnel-Type x string

VSA CISCO Tunnel-Medium-Type x string

VSA CISCO Tunnel-Server-Endpoint x ipaddr

VSA CISCO Tunnel-Password x string

VSA CISCO Tunnel-Assignment-ID x string

VSA CISCO Tunnel-Client-Auth-Id x string

VSA CISCO Tunnel-Client-Auth-Id x string

#CISCO TUNNEL VALUES

VALUE CISCO Tunnel-Type L2TP 1

VALUE CISCO Tunnel-Medium-Type IP 1

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

VOP Radius Profiles entries:

# VOP PRRS Radius Profiles Text File

#

# For more information on the syntax of this file, see this URL:

# xxxxxxxxxxxx

#

#Profile="DEFAULT"

# Port-Limit = 1

#

Profile="l2tp"

dnet.com password="xxxxxxxxxx" Service-Type=Outbound

Tunnel-Type = l2tp

tunnel-Medium-type = ip

Tunnel-Server-Endpoint = 192.168.1.1

Tunnel-Client-Auth-Id="xxxxxxxxxxxx"

Tunnel-Password = "xxxxxxxxxx"

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Because the debug information exceeds the posting limit, I will break it up into parts.

Part 1:

2003-06-05 11:20:58 201688: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 14

2003-06-05 11:20:58 201689: *Jan 7 16:15:59.422: RADIUS: Unsupported [69] 8

2003-06-05 11:20:58 201690: *Jan 7 16:15:59.422: RADIUS: 74 65 73 74 65 72 [tester]

2003-06-05 11:20:58 201691: *Jan 7 16:15:59.422: RADIUS(0000057D): Received from id 21664/158

2003-06-05 11:20:58 201692: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE

2003-06-05 11:20:58 201693: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE

2003-06-05 11:20:58 201694: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE

2003-06-05 11:20:58 201695: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 90; IGNORE

2003-06-05 11:20:58 201696: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE

2003-06-05 11:20:58 201697: *Jan 7 16:15:59.422: As1/29 PPP/AAA: Check Attr: service-type

2003-06-05 11:20:58 201698: *Jan 7 16:15:59.422: As1/29 PPP/AAA: Check Attr: Framed-Protocol

2003-06-05 11:20:58 201699: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: addr

2003-06-05 11:20:58 201700: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: netmask

2003-06-05 11:20:58 201701: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: link-compression:Peruser

2003-06-05 11:20:58 201702: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: Port-Limit

2003-06-05 11:20:58 201703: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: idletime:Peruser

2003-06-05 11:20:58 201704: *Jan 7 16:15:59.426: As1/29 PPP/AAA: Check Attr: timeout:Peruser

2003-06-05 11:20:58 201705: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Author

2003-06-05 11:20:58 201706: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: link-compression

2003-06-05 11:20:58 201707: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV link-compression

2003-06-05 11:20:58 201708: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: idletime

2003-06-05 11:20:58 201709: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV idletime

2003-06-05 11:20:58 201710: *Jan 7 16:15:59.426: As1/29 AAA/PER-USER: PPP idletimeout 900

2003-06-05 11:20:58 201711: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/LCP: Process Attr: timeout

2003-06-05 11:20:58 201712: *Jan 7 16:15:59.426: AAA/AUTHOR: Processing PerUser AV timeout

2003-06-05 11:20:58 201713: *Jan 7 16:15:59.426: As1/29 AAA/PER-USER: session timeout 28800 seconds

2003-06-05 11:20:58 201714: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/IPCP: FSM authorization not needed

2003-06-05 11:20:58 201715: *Jan 7 16:15:59.426: As1/29 AAA/AUTHOR/FSM: We can start IPCP

2003-06-05 11:20:58 201716: *Jan 7 16:15:59.426: AAA/PER-USER: mode = interface; command = [ip tcp header-compression

2003-06-05 11:20:58 201717: ]

2003-06-05 11:20:58 201718: *Jan 7 16:15:59.426: AAA/PER-USER: line = [ip tcp header-compression]

Debug part 2:

2003-06-05 11:20:58 201719: *Jan 7 16:15:59.430: RADIUS(0000057D): Using existing nas_port 245

2003-06-05 11:20:58 201720: *Jan 7 16:15:59.430: RADIUS(0000057D): Config NAS IP: 0.0.0.0

2003-06-05 11:20:58 201721: *Jan 7 16:15:59.430: RADIUS(0000057D): sending

2003-06-05 11:20:58 201722: *Jan 7 16:15:59.430: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29

2003-06-05 11:20:58 201723: *Jan 7 16:15:59.430: RADIUS(0000057D): Send Accounting-Request to 208.247.48.29:1646 id 21664/159, len 144

2003-06-05 11:20:58 201724: *Jan 7 16:15:59.434: RADIUS: authenticator A7 B7 3F AB 11 E5 D9 23 - 3B 96 EA 65 BC F8 BC 4C

2003-06-05 11:20:58 201725: *Jan 7 16:15:59.434: RADIUS: Acct-Session-Id [44] 10 "00000950"

2003-06-05 11:20:58 201726: *Jan 7 16:15:59.434: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-05 11:20:58 201727: *Jan 7 16:15:59.434: RADIUS: Acct-Authentic [45] 6 RADIUS [1]

2003-06-05 11:20:58 201728: *Jan 7 16:15:59.434: RADIUS: User-Name [1] 16 "miket@dnet.com"

2003-06-05 11:20:58 201729: *Jan 7 16:15:59.434: RADIUS: Acct-Status-Type [40] 6 Start [1]

2003-06-05 11:20:58 201730: *Jan 7 16:15:59.434: RADIUS: Calling-Station-Id [31] 12 "8285242922"

2003-06-05 11:20:58 201731: *Jan 7 16:15:59.434: RADIUS: Called-Station-Id [30] 9 "3490713"

2003-06-05 11:20:58 201732: *Jan 7 16:15:59.434: RADIUS: NAS-Port [5] 6 245

2003-06-05 11:20:58 201733: *Jan 7 16:15:59.434: RADIUS: NAS-Port-Type [61] 6 Async [0]

2003-06-05 11:20:58 201734: *Jan 7 16:15:59.434: RADIUS: Connect-Info [77] 29 "50667/28800 V90/V42bis/LAPM"

2003-06-05 11:20:58 201735: *Jan 7 16:15:59.434: RADIUS: Service-Type [6] 6 Framed [2]

2003-06-05 11:20:58 201736: *Jan 7 16:15:59.434: RADIUS: NAS-IP-Address [4] 6 208.247.48.28

2003-06-05 11:20:58 201737: *Jan 7 16:15:59.434: RADIUS: Acct-Delay-Time [41] 6 0

2003-06-05 11:20:58 201738: *Jan 7 16:15:59.446: RADIUS: Received from id 21664/159 208.247.48.29:1646, Accounting-response, len 20

2003-06-05 11:20:58 201739: *Jan 7 16:15:59.446: RADIUS: authenticator 9F 2F F2 3A D1 F1 44 AE - 79 1B B5 DA 0B 2B 40 60

2003-06-05 11:20:58 201740: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0

2003-06-05 11:20:58 201741: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: No remote address; FIP = Use configured pool, if available

2003-06-05 11:20:58 201742: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Processing AV addr

2003-06-05 11:20:58 201743: *Jan 7 16:15:59.510: As1/29 AAA/AUTHOR/IPCP: Processing AV netmask

2003-06-05 11:20:58 201744: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: Authorization succeeded

2003-06-05 11:20:58 201745: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0

2003-06-05 11:20:58 201746: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns

2003-06-05 11:20:59 201747: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for primary wins

2003-06-05 11:20:59 201748: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns

2003-06-05 11:20:59 201749: *Jan 7 16:15:59.514: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday wins

2003-06-05 11:20:59 201750: *Jan 7 16:15:59.590: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns

2003-06-05 11:20:59 201751: *Jan 7 16:15:59.590: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns

2003-06-05 11:20:59 201752: *Jan 7 16:15:59.670: As1/29 AAA/AUTHOR/IPCP: no author-info for primary dns

2003-06-05 11:20:59 201753: *Jan 7 16:15:59.670: As1/29 AAA/AUTHOR/IPCP: no author-info for seconday dns

2003-06-05 11:20:58 201624: *Jan 7 16:15:59.382: RADIUS: AAA Unsupported [152] 9

2003-06-05 11:20:58 201625: *Jan 7 16:15:59.382: RADIUS: 41 73 79 6E 63 31 2F [Async1/]

Debug part 3:

2003-06-05 11:20:58 201626: *Jan 7 16:15:59.382: RADIUS(0000057D): Storing nasport 245 in rad_db

2003-06-05 11:20:58 201627: *Jan 7 16:15:59.382: RADIUS(0000057D): Config NAS IP: 0.0.0.0

2003-06-05 11:20:58 201628: *Jan 7 16:15:59.382: RADIUS/ENCODE(0000057D): acct_session_id: 2384

2003-06-05 11:20:58 201629: *Jan 7 16:15:59.382: RADIUS(0000057D): sending

2003-06-05 11:20:58 201630: *Jan 7 16:15:59.382: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29

2003-06-05 11:20:58 201631: *Jan 7 16:15:59.382: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/157, len 93

2003-06-05 11:20:58 201632: *Jan 7 16:15:59.382: RADIUS: authenticator 93 49 B3 05 06 F3 FF B7 - A9 07 44 18 5E F8 4B FC

2003-06-05 11:20:58 201633: *Jan 7 16:15:59.382: RADIUS: User-Name [1] 10 "dnet.com"

2003-06-05 11:20:58 201634: *Jan 7 16:15:59.382: RADIUS: User-Password [2] 18 *

2003-06-05 11:20:58 201635: *Jan 7 16:15:59.382: RADIUS: Calling-Station-Id [31] 12 "8285242922"

2003-06-05 11:20:58 201636: *Jan 7 16:15:59.382: RADIUS: Called-Station-Id [30] 9 "3490713"

2003-06-05 11:20:58 201637: *Jan 7 16:15:59.382: RADIUS: NAS-Port [5] 6 245

2003-06-05 11:20:58 201638: *Jan 7 16:15:59.382: RADIUS: NAS-Port-Type [61] 6 Async [0]

2003-06-05 11:20:58 201639: *Jan 7 16:15:59.382: RADIUS: Service-Type [6] 6 Outbound [5]

2003-06-05 11:20:58 201640: *Jan 7 16:15:59.382: RADIUS: NAS-IP-Address [4] 6 208.247.48.28

2003-06-05 11:20:58 201641: *Jan 7 16:15:59.394: RADIUS: Received from id 21664/157 208.247.48.29:1645, Access-Reject, len 46

2003-06-05 11:20:58 201642: *Jan 7 16:15:59.394: RADIUS: authenticator F0 C7 CC 5F 3E 77 62 A8 - 6D 82 93 56 01 B8 AD 0A

2003-06-05 11:20:58 201643: *Jan 7 16:15:59.394: RADIUS: Reply-Message [18] 26

2003-06-05 11:20:58 201644: *Jan 7 16:15:59.394: RADIUS: 49 6E 76 61 6C 69 64 20 55 73 65 72 49 44 2F 50 [Invalid UserID/P]

2003-06-05 11:20:58 201645: *Jan 7 16:15:59.398: RADIUS: 61 73 73 77 6F 72 64 21 [assword!]

2003-06-05 11:20:58 201646: *Jan 7 16:15:59.398: RADIUS(0000057D): Received from id 21664/157

2003-06-05 11:20:58 201647: *Jan 7 16:15:59.398: RADIUS/DECODE: Reply-Message fragments, 24, total 24 bytes

2003-06-05 11:20:58 201648: *Jan 7 16:15:59.398: RADIUS: AAA Unsupported [152] 9

2003-06-05 11:20:58 201649: *Jan 7 16:15:59.398: RADIUS: 41 73 79 6E 63 31 2F [Async1/]

2003-06-05 11:20:58 201650: *Jan 7 16:15:59.398: RADIUS(0000057D): Using existing nas_port 245

2003-06-05 11:20:58 201651: *Jan 7 16:15:59.398: RADIUS(0000057D): Config NAS IP: 0.0.0.0

2003-06-05 11:20:58 201652: *Jan 7 16:15:59.398: RADIUS/ENCODE(0000057D): acct_session_id: 2384

2003-06-05 11:20:58 201653: *Jan 7 16:15:59.398: RADIUS(0000057D): sending

2003-06-05 11:20:58 201654: *Jan 7 16:15:59.398: RADIUS/ENCODE: Best Local IP-Address 208.247.48.28 for Radius-Server 208.247.48.29

2003-06-05 11:20:58 201655: *Jan 7 16:15:59.398: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/158, len 105

2003-06-05 11:20:58 201656: *Jan 7 16:15:59.398: RADIUS: authenticator 93 49 B3 05 06 F3 FF B7 - A9 07 44 18 5E F8 4B FC

2003-06-05 11:20:58 201657: *Jan 7 16:15:59.398: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-05 11:20:58 201658: *Jan 7 16:15:59.398: RADIUS: User-Name [1] 16 "miket@dnet.com"

2003-06-05 11:20:58 201659: *Jan 7 16:15:59.398: RADIUS: User-Password [2] 18 *

2003-06-05 11:20:58 201660: *Jan 7 16:15:59.398: RADIUS: Calling-Station-Id [31] 12 "8285242922"

2003-06-05 11:20:58 201661: *Jan 7 16:15:59.398: RADIUS: Called-Station-Id [30] 9 "3490713"

2003-06-05 11:20:58 201662: *Jan 7 16:15:59.398: RADIUS: NAS-Port [5] 6 245

2003-06-05 11:20:58 201663: *Jan 7 16:15:59.398: RADIUS: NAS-Port-Type [61] 6 Async [0]

2003-06-05 11:20:58 201664: *Jan 7 16:15:59.398: RADIUS: Service-Type [6] 6 Framed [2]

2003-06-05 11:20:58 201665: *Jan 7 16:15:59.398: RADIUS: NAS-IP-Address [4] 6 208.247.48.28

2003-06-05 11:20:58 201666: *Jan 7 16:15:59.418: RADIUS: Received from id 21664/158 208.247.48.29:1645, Access-Accept, len 133

2003-06-05 11:20:58 201667: *Jan 7 16:15:59.418: RADIUS: authenticator 10 30 F0 C6 D7 3A 8F 0E - 84 3C 18 F6 C7 8D 0A D0

2003-06-05 11:20:58 201668: *Jan 7 16:15:59.418: RADIUS: Service-Type [6] 6 Framed [2]

2003-06-05 11:20:58 201669: *Jan 7 16:15:59.418: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-05 11:20:58 201670: *Jan 7 16:15:59.418: RADIUS: Framed-IP-Address [8] 6 255.255.255.254

2003-06-05 11:20:58 201671: *Jan 7 16:15:59.418: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255

2003-06-05 11:20:58 201672: *Jan 7 16:15:59.418: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]

2003-06-05 11:20:58 201673: *Jan 7 16:15:59.418: RADIUS: Port-Limit [62] 6 1

2003-06-05 11:20:58 201674: *Jan 7 16:15:59.418: RADIUS: Idle-Timeout [28] 6 900

2003-06-05 11:20:58 201675: *Jan 7 16:15:59.418: RADIUS: Session-Timeout [27] 6 28800

2003-06-05 11:20:58 201676: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 12

2003-06-05 11:20:58 201677: *Jan 7 16:15:59.422: RADIUS: Unsupported [64] 6

2003-06-05 11:20:58 201678: *Jan 7 16:15:59.422: RADIUS: 6C 32 74 70 [l2tp]

2003-06-05 11:20:58 201679: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 10

2003-06-05 11:20:58 201680: *Jan 7 16:15:59.422: RADIUS: Unsupported [65] 4

2003-06-05 11:20:58 201681: *Jan 7 16:15:59.422: RADIUS: 69 70 [ip]

2003-06-05 11:20:58 201682: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 12

2003-06-05 11:20:58 201683: *Jan 7 16:15:59.422: RADIUS: Unsupported [67] 6

2003-06-05 11:20:58 201684: *Jan 7 16:15:59.422: RADIUS: D0 F7 30 2D [??0-]

2003-06-05 11:20:58 201685: *Jan 7 16:15:59.422: RADIUS: Vendor, Cisco [26] 17

2003-06-05 11:20:58 201686: *Jan 7 16:15:59.422: RADIUS: Unsupported [90] 11

2003-06-05 11:20:58 201687: *Jan 7 16:15:59.422: RADIUS: 64 6E 65 74 73 70 61 72 65 [dnetspare]

2003-06-05 11:20:58 201623: *Jan 7 16:15:59.382: AAA/AUTHOR (0x57D): Pick method list 'default'
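A triage script for `debug radius` captures like the ones posted above. This is an added example, not code from the thread, from Cisco or from Vircom. The sample input embedded in it is constructed by condensing the "Debug part 3" lines posted above (the 21664/157 and 21664/158 exchanges); pairing requests to replies by RADIUS id and flagging RFC 2868 attribute numbers that arrive inside a Cisco VSA are this script's own logic, not an IOS feature.

```python
"""Pair Access-Requests with replies in IOS `debug radius` output and report
(a) how the domain lookup (User-Name = domain, Service-Type Outbound) fared and
(b) which Cisco VSA sub-types IOS ignored, and which of those are really RFC 2868
tunnel attribute numbers that should have been top-level attributes."""
import re

# Constructed sample, condensed from the "Debug part 3" lines in this thread.
SAMPLE_DEBUG = """\
2003-06-05 11:20:58 201631: *Jan 7 16:15:59.382: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/157, len 93
2003-06-05 11:20:58 201633: *Jan 7 16:15:59.382: RADIUS: User-Name [1] 10 "dnet.com"
2003-06-05 11:20:58 201639: *Jan 7 16:15:59.382: RADIUS: Service-Type [6] 6 Outbound [5]
2003-06-05 11:20:58 201641: *Jan 7 16:15:59.394: RADIUS: Received from id 21664/157 208.247.48.29:1645, Access-Reject, len 46
2003-06-05 11:20:58 201644: *Jan 7 16:15:59.394: RADIUS: 49 6E 76 61 6C 69 64 20 55 73 65 72 49 44 2F 50 [Invalid UserID/P]
2003-06-05 11:20:58 201655: *Jan 7 16:15:59.398: RADIUS(0000057D): Send Access-Request to 208.247.48.29:1645 id 21664/158, len 105
2003-06-05 11:20:58 201658: *Jan 7 16:15:59.398: RADIUS: User-Name [1] 16 "miket@dnet.com"
2003-06-05 11:20:58 201664: *Jan 7 16:15:59.398: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 11:20:58 201666: *Jan 7 16:15:59.418: RADIUS: Received from id 21664/158 208.247.48.29:1645, Access-Accept, len 133
2003-06-05 11:20:58 201668: *Jan 7 16:15:59.418: RADIUS: Service-Type [6] 6 Framed [2]
2003-06-05 11:20:58 201677: *Jan 7 16:15:59.422: RADIUS: Unsupported [64] 6
2003-06-05 11:20:58 201692: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 64; IGNORE
2003-06-05 11:20:58 201693: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 65; IGNORE
2003-06-05 11:20:58 201694: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 67; IGNORE
2003-06-05 11:20:58 201695: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 90; IGNORE
2003-06-05 11:20:58 201696: *Jan 7 16:15:59.422: RADIUS/DECODE: unsupported cisco VSA 69; IGNORE
"""

# The syslog-collector prefix ("2003-06-05 ... *Jan 7 ...:") is ignored by searching, not matching.
RE_SEND = re.compile(r"RADIUS\(\w+\): Send (Access-Request|Accounting-Request) to \S+ id (\S+), len \d+")
RE_RECV = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-Accept|Access-Reject|Accounting-response), len \d+")
RE_USER = re.compile(r'RADIUS: User-Name \[1\] \d+ "([^"]*)"')
RE_SVC = re.compile(r"RADIUS: Service-Type \[6\] \d+ (\w+) \[\d+\]")
RE_IGNORED = re.compile(r"RADIUS/DECODE: unsupported cisco VSA (\d+); IGNORE")

# RFC 2868 tunnel attribute numbers: these are top-level IETF attributes, never Cisco sub-types.
RFC2868_TUNNEL_ATTRS = {64, 65, 66, 67, 68, 69, 81, 82, 83, 90, 91}


def parse_debug(text):
    """Return ([exchange, ...] in send order, sorted list of ignored VSA sub-types)."""
    exchanges, order, ignored, current = {}, [], set(), None
    for line in text.splitlines():
        m = RE_SEND.search(line)
        if m:
            ex = {"id": m.group(2), "request": m.group(1), "response": None,
                  "req_attrs": {}, "resp_attrs": {}}
            exchanges[ex["id"]] = ex
            order.append(ex)
            current = ex["req_attrs"]        # attributes that follow belong to the request
            continue
        m = RE_RECV.search(line)
        if m:
            ex = exchanges.get(m.group(1))
            if ex is None:
                continue                     # reply to a request outside the capture window
            ex["response"] = m.group(2)
            current = ex["resp_attrs"]       # attributes that follow belong to the reply
            continue
        m = RE_IGNORED.search(line)
        if m:
            ignored.add(int(m.group(1)))
            continue
        if current is None:
            continue
        m = RE_USER.search(line)
        if m:
            current["User-Name"] = m.group(1)
            continue
        m = RE_SVC.search(line)
        if m:
            current["Service-Type"] = m.group(1)
    return order, sorted(ignored)


def triage(text):
    """Summarise the domain (tunnel) lookups and the VSA numbers IOS threw away."""
    exchanges, ignored = parse_debug(text)
    lookups = [ex for ex in exchanges
               if ex["request"] == "Access-Request"
               and ex["req_attrs"].get("Service-Type") == "Outbound"]
    return {
        "tunnel_lookups": [(ex["req_attrs"].get("User-Name"), ex["response"]) for ex in lookups],
        "ignored_vsas": ignored,
        "rfc2868_numbers_inside_vsa": sorted(set(ignored) & RFC2868_TUNNEL_ATTRS),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

On the sample above the script reports that the lookup for "dnet.com" got an Access-Reject (so no tunnel attributes could come back for the domain) and that sub-types 64, 65, 67, 69 and 90 were ignored, all of them RFC 2868 numbers, which points at the dictionary declaring them under the Cisco vendor rather than as IETF attributes.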

DISREGARD THIS MORNING'S POSTS!!!

VOPradius is now configured and is passing the AV pairs, but the LAC is not building the tunnel. All I saw on configuring the LAC to work with RADIUS was "vpdn enable". Did I miss something?

What is strange is that Cisco boxes from our wholesaler work with these attributes in place.

Part of the debug:

2003-06-05 17:12:04 6415: *Jan 7 22:07:01.395: RADIUS: NAS-IP-Address [4] 6 208.247.48.28

2003-06-05 17:12:04 6416: *Jan 7 22:07:01.451: RADIUS: Received from id 21645/206 208.247.48.29:1645, Access-Accept, len 233

2003-06-05 17:12:04 6417: *Jan 7 22:07:01.451: RADIUS: authenticator C8 42 00 1D 20 0B 85 D3 - 88 AB 60 7C C1 D0 42 1C

2003-06-05 17:12:04 6418: *Jan 7 22:07:01.451: RADIUS: Service-Type [6] 6 Framed [2]

2003-06-05 17:12:04 6419: *Jan 7 22:07:01.451: RADIUS: Framed-Protocol [7] 6 PPP [1]

2003-06-05 17:12:04 6420: *Jan 7 22:07:01.451: RADIUS: Framed-IP-Address [8] 6 255.255.255.254

2003-06-05 17:12:04 6421: *Jan 7 22:07:01.451: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255

2003-06-05 17:12:04 6422: *Jan 7 22:07:01.451: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]

2003-06-05 17:12:04 6423: *Jan 7 22:07:01.451: RADIUS: Port-Limit [62] 6 1

2003-06-05 17:12:04 6424: *Jan 7 22:07:01.451: RADIUS: Idle-Timeout [28] 6 900

2003-06-05 17:12:04 6425: *Jan 7 22:07:01.451: RADIUS: Session-Timeout [27] 6 28800

2003-06-05 17:12:04 6426: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 28

2003-06-05 17:12:04 6427: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 22 "vpdn:tunnel-id=user"

2003-06-05 17:12:04 6428: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 29

2003-06-05 17:12:04 6429: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"

2003-06-05 17:12:04 6430: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 34

2003-06-05 17:12:04 6431: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 28 "vpdn:tunnel-medium-type=IP"

2003-06-05 17:12:04 6432: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 39

2003-06-05 17:12:04 6433: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 33 "vpdn:ip-addresses=10.1.1.1"

2003-06-05 17:12:04 6434: *Jan 7 22:07:01.451: RADIUS: Vendor, Cisco [26] 35

2003-06-05 17:12:04 6435: *Jan 7 22:07:01.451: RADIUS: Cisco AVpair [1] 29 "vpdn:tunnel-password=xxxx"

We resolved this issue for a Cisco LAC to a Cisco LNS via VOPradius from Vircom.

In the dictionary file for VOP, the vendor code for Cisco is 9.

Dictionary entry for VOP: "VSA CISCO CISCO-AVPAIR 1 string"

Profiles File for VOP:

Profile="l2tp"

dnet.com password="cisco" Service-Type=Outbound

CISCO-AVPAIR="VPDN:Tunnel-Type=l2tp"

CISCO-AVPAIR="Tunnel-Medium-Type=IP"

CISCO-AVPAIR="Tunnel-Server-Endpoint=x.x.x.x"

CISCO-AVPAIR="Tunnel-Password=PASSWORD"

On the LAC, make sure you have the command "vpdn authen-before-forward" entered after you enable VPDN. This command is NOT well documented. In fact, I only found it under the release notes for IOS 12.2. All other config examples I found on Cisco's site imply that enabling VPDN is sufficient, but without the "vpdn authen-before-forward" command we could not get it to work.

Now... does anyone know how to get a Cisco LNS to accept VSA attributes from an Ascend NAS?
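The wire-format difference behind this whole thread, as an added example (not code from the thread, from Cisco or from Vircom). It builds the three attribute shapes that appear in the debugs above and decodes them the way `debug radius` classified them: the RFC 2868 form that the names Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Server-Endpoint (67) actually belong to; the form the first VOP dictionary produced, where those numbers were wrapped as *Cisco vendor-specific* sub-attributes and IOS logged "Unsupported [64] 6 ... [L2TP]" and "unsupported cisco VSA 64; IGNORE"; and the Cisco AV-pair form (vendor 9, sub-type 1, "vpdn:tunnel-type=l2tp") that the final working debug shows. Attribute lengths are checked against the ones printed in the debugs. The five "vpdn:" keys in `l2tp_tunnel_avpairs` are copied from that working debug; which vpdn: keys a given IOS release honours must be confirmed against Cisco's RADIUS attribute documentation for that release, and the key names and sample values are otherwise assumptions.

```python
"""Encode and decode RADIUS attributes (RFC 2865/2868 framing) for the L2TP case."""
import struct

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865: Type 26, Vendor-Id (4 bytes), then vendor sub-attributes
VENDOR_CISCO = 9               # IANA enterprise number used in the VOP dictionary ("VENDOR_CODE CISCO 9")
CISCO_AVPAIR = 1               # cisco-avpair sub-type, shown as "Cisco AVpair [1]" in the debug

TUNNEL_TYPE = 64               # RFC 2868 tagged integer; L2TP = 3
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer; IPv4 = 1
TUNNEL_SERVER_ENDPOINT = 67    # RFC 2868 tagged string
TUNNEL_TYPE_L2TP = 3
TUNNEL_MEDIUM_IPV4 = 1


def ietf_attr(attr_type, value):
    """Top-level RADIUS attribute: Type(1) Length(1) Value; Length counts the header too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, number):
    """RFC 2868 tagged integer: one Tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def cisco_vsa(sub_type, value):
    """Attribute 26 carrying a single Cisco sub-attribute (Vendor-Type, Vendor-Length, data).
    With sub_type=64 this is exactly what the broken VOP dictionary emitted."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return ietf_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def cisco_avpair(text):
    """Cisco AV-pair, e.g. 'vpdn:tunnel-type=l2tp' (the form the working debug shows)."""
    return cisco_vsa(CISCO_AVPAIR, text.encode("ascii"))


def l2tp_tunnel_avpairs(tunnel_id, lns_ip, tunnel_password):
    """The five vpdn: AV-pairs visible in the final working debug of this thread.
    Assumption: key names copied from that debug; check them against the IOS release in use."""
    pairs = [
        f"vpdn:tunnel-id={tunnel_id}",
        "vpdn:tunnel-type=l2tp",
        "vpdn:tunnel-medium-type=IP",
        f"vpdn:ip-addresses={lns_ip}",
        f"vpdn:tunnel-password={tunnel_password}",
    ]
    return b"".join(cisco_avpair(p) for p in pairs)


def decode_attrs(data):
    """Walk a run of attributes and classify each roughly the way IOS `debug radius` does."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if sub_len != len(value) - 4:
                raise ValueError("vendor sub-attribute length mismatch")
            sub_value = value[6:4 + sub_len]
            if vendor == VENDOR_CISCO and sub_type == CISCO_AVPAIR:
                out.append(("cisco-avpair", sub_value.decode("ascii")))
            else:
                # IOS prints "Unsupported [N] len" and then "unsupported cisco VSA N; IGNORE"
                out.append(("unsupported-vsa", vendor, sub_type, sub_value))
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append(("ietf-tagged", attr_type, value[0], int.from_bytes(value[1:4], "big")))
        else:
            out.append(("ietf", attr_type, value))
        pos += length
    return out


if __name__ == "__main__":
    broken = cisco_vsa(TUNNEL_TYPE, b"L2TP")                       # "Vendor, Cisco [26] 12 / Unsupported [64] 6"
    working = cisco_avpair("vpdn:tunnel-type=l2tp")                # "Vendor, Cisco [26] 29 / Cisco AVpair [1] 23"
    ietf = ietf_attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_L2TP))  # what attribute number 64 really means
    for blob in (broken, working, ietf):
        print(blob.hex(" "), "->", decode_attrs(blob))
```

Two things worth noticing when reading the output. First, the broken and working encodings differ only in the sub-type byte and the value text; the dictionary keyword `VSA` is what put the IETF number 64 inside attribute 26, which is why renaming values or changing types never helped. Second, RADIUS hides only User-Password (RFC 2865) and the RFC 2868 Tunnel-Password attribute; a tunnel secret carried in a cisco-avpair string crosses the wire in the clear, protected only by the packet's MD5 response authenticator, so the LAC-to-RADIUS path should be treated as sensitive as the secret itself.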
