Restricting dial user access through CSACS

tgrundbacher · ‎12-05-2003

I have a dial scenario with a 3725, BRI and digital modems.

Everything works as I like it to, only the IP restricion of the dial in clients doesn't. It seems the download of the ACL is fine, too, RADIUS sends the AV-pair successfully to the IOS box:

*Apr 14 21:23:26.928: RADIUS(000000AD): sending

*Apr 14 21:23:26.928: RADIUS(000000AD): Send Access-Request to 192.168.10.52:164

5 id 21645/198, len 128

*Apr 14 21:23:26.928: RADIUS: authenticator 97 99 8D 56 FA 2E 28 F3 - 60 D2 6F

DD 6F 20 89 2E

*Apr 14 21:23:26.928: RADIUS: Framed-Protocol [7] 6 PPP

[1]

*Apr 14 21:23:26.928: RADIUS: User-Name [1] 11 "***"

*Apr 14 21:23:26.928: RADIUS: CHAP-Password [3] 19 *

*Apr 14 21:23:26.928: RADIUS: Calling-Station-Id [31] 13 "00319707***"

*Apr 14 21:23:26.932: RADIUS: Called-Station-Id [30] 6 "7055"

*Apr 14 21:23:26.932: RADIUS: NAS-Port [5] 6 70

*Apr 14 21:23:26.932: RADIUS: NAS-Port-Type [61] 6 Async

[0]

*Apr 14 21:23:26.932: RADIUS: Connect-Info [77] 29 "45333/28800 V90/V4

2bis/LAPM"

*Apr 14 21:23:26.932: RADIUS: Service-Type [6] 6 Framed

[2]

*Apr 14 21:23:26.932: RADIUS: NAS-IP-Address [4] 6 192.168.10.100

*Apr 14 21:23:26.952: RADIUS: Received from id 21645/198 192.168.10.52:1645, Acc

ess-Accept, len 158

*Apr 14 21:23:26.952: RADIUS: authenticator A1 00 4B 68 43 6C 4A FA - F4 6B 0B

A4 BE D9 F6 81

*Apr 14 21:23:26.952: RADIUS: Service-Type [6] 6 Framed

[2]

*Apr 14 21:23:26.952: RADIUS: Framed-Protocol [7] 6 PPP

[1]

*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 53

*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 47 "ip:inacl#130=permi

t ip any host 192.168.20.18"

*Apr 14 21:23:26.952: RADIUS: Vendor, Cisco [26] 36

*Apr 14 21:23:26.952: RADIUS: Cisco AVpair [1] 30 "ip:inacl#130=deny

ip any any"

*Apr 14 21:23:26.952: RADIUS: Framed-IP-Address [8] 6 192.168.200.253

*Apr 14 21:23:26.952: RADIUS: Class [25] 31

*Apr 14 21:23:26.952: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 31 33 65 66

[CISCOACS:00013ef]

*Apr 14 21:23:26.952: RADIUS: 38 2F 63 30 61 38 30 61 36 34 2F 37 30

[8/c0a80a64/70]

*Apr 14 21:23:26.956: RADIUS(000000AD): Received from id 21645/198

*Apr 14 21:23:26.956: As70 PPP: Received LOGIN Response PASS

*Apr 14 21:23:26.956: As70 PPP: Phase is FORWARDING, Attempting Forward

*Apr 14 21:23:26.956: As70 PPP: Phase is AUTHENTICATING, Authenticated User

*Apr 14 21:23:26.956: As70 CHAP: O SUCCESS id 8 len 4

*Apr 14 21:23:26.956: As70 PPP: Phase is UP

IOS reports a successfully applied ACL as well:

RAS-Router#sh access-list

Extended IP access list Async70#1731 (per-user)

permit ip any host 192.168.20.18

deny ip any any

RAS-Router#

Yet, still the ping of the test user gets everywhere to the network. Am I missing something?

I use ACS 3.2 with RADIUS authorization. The AV-pair 26/9/1 is configured with

ip:inacl#130=permit ip any host 192.168.20.18

ip:inacl#130=deny ip any any

Running IOS is 12.2(13)T5

(virtual profile seems to be applied automatically here)

Thanks for your hints.

Toni

mark-obrien · ‎12-05-2003

Toni,

It looks as though the RADIUS server was successful in building the access list, but I'm not sure if it was successfully applied to the interface. With the call up, do a "show ip interface async x" and see if there is an inbound access list applied to the interface. If not, you will need to add another AV-pair in RADIUS to apply the ACL.

HTH,

Mark

Georg Pauwen · ‎12-06-2003

Hello,

not sure if this applies to you, but the access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with ISDN interfaces.

Regards,

Georg

tgrundbacher · ‎12-08-2003

Georg, I believe it *must* work, RADIUS and IOS are made for this deployment.

What I discovered is that I'm missing the virtual-template int. At the moment I'm using a dialer int. to terminate L3, but maybe this is not necessary/required?

What we want to do is to clone a VA int for our per-user config, and from 12.2, IOS should detect automatically if we want to use per-user int config (virtual profile).

See my current config, maybe that helps:

hostname RAS-Router

!

aaa new-model

!

aaa authentication login default group radius

aaa authentication login backdoor local

aaa authentication ppp default group radius

aaa authorization network default group radius

aaa accounting network default start-stop group radius

!

async-bootp dns-server 192.168.20.19 192.168.160.11

async-bootp nbns-server 192.168.20.19 192.168.160.11

!

interface BRI1/0

no ip address

encapsulation ppp

isdn switch-type basic-net3

isdn incoming-voice modem

no cdp enable

ppp authentication chap

ppp multilink

!

interface BRI1/1

no ip address

encapsulation ppp

isdn switch-type basic-net3

isdn incoming-voice modem

no cdp enable

ppp authentication chap

ppp multilink

!

interface BRI1/2

no ip address

encapsulation ppp

isdn switch-type basic-net3

isdn incoming-voice modem

no cdp enable

ppp authentication chap

ppp multilink

!

interface BRI1/3

no ip address

encapsulation ppp

isdn switch-type basic-net3

isdn incoming-voice modem

no cdp enable

ppp authentication chap

ppp multilink

!

interface Group-Async1

no ip address

encapsulation ppp

dialer in-band

dialer pool-member 1

async mode dedicated

no peer default ip address

no keepalive

ppp authentication chap

ppp multilink

group-range 65 76

!

interface Dialer1

ip unnumbered FastEthernet0/0

encapsulation ppp

dialer pool 1

dialer idle-timeout 900

dialer-group 1

autodetect encapsulation v120

no cdp enable

ppp authentication chap

ppp multilink

!

dialer-list 1 protocol ip permit

radius-server host x.x.x.52 auth-port 1645 acct-port 1646 key xxxx

!

line 65 76

flush-at-activation

modem Dialin

transport input all

tgrundbacher · ‎12-15-2003

Please, can somebody provide me with an answer of what I'm missing in my config/concept? I still can't restrict IP access of dial-in users successfully.

Do I need virtual-template and virtual-profile commands with 12.2 at all?

tgrundbacher · ‎12-16-2003

The problem is solved.

The config was missing the virtual-template interface and the 'virtual-profile virtual-template' command.

That's why the calls did not terminate on a VA int. but on the async directly and therefore the per-user config didn't get applied properly.

The dialer int was not required for my setup, so I removed it.

guillerm · ‎01-26-2004

I am interested by your configuration, since I want to do similar thing, and I have some difficulties to get precise infos about th av-pair coding inside ACS 3.2 ;

could you, please, write down your IOS correct config, and associated ACS definitions, here after ?

thanks in advance

tgrundbacher · ‎01-27-2004

Hi Joel

See attachment for the router config.

The AV-pair 26/9/1 for IP filtering in my case looks the following. In ACS 3.2 it's located in the user or group setup under "Cisco IOS/PIX RADIUS Attributes".

ip:inacl#130=permit ip any host 192.168.20.18

ip:inacl#130=deny ip any any

Happy filtering...

Toni

guillerm · ‎01-27-2004

Hi Toni,

thanks for your help ;

at this time, I have a basic pb (I guess) with the Radius server ;

I can't authenticate my user againt the ACS :

here is an extract of debug trace, that shows the Access-Request and Access-Accept exchanges that let suppose my NAS router and the ACS server can, at least, understand each other ;

but this trace also shows the following recurring message (after each NAS/ACS dialog - 3 tries, each time a user connects) :

RADIUS: Response (6) failed decrypt

here is the trace extract :

=================================================

Jan 27 18:15:56: AAA/AUTHEN/PPP (00000B0F): Pick method list 'default'

Jan 27 18:15:56: As36 PPP: Sent CHAP LOGIN Request to AAA

Jan 27 18:15:56: RADIUS/ENCODE: Attribute has no value set for AAA attribute clid

Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): Unsupported AAA attribute parent-interface

Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): Unsupported AAA attribute parent-interface-type

Jan 27 18:15:56: RADIUS/ENCODE(00000B0F): acct_session_id: 25

Jan 27 18:15:56: RADIUS(00000B0F): sending

Jan 27 18:15:56: RADIUS: Send to unknown id 6 10.176.4.87:1645, Access-Request, len 83

Jan 27 18:15:56: RADIUS: authenticator 59 01 52 15 58 93 4A 8B - 4F 58 7D C8 01 A5 15 25

Jan 27 18:15:56: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 27 18:15:56: RADIUS: User-Name [1] 8 "radius"

Jan 27 18:15:56: RADIUS: CHAP-Password [3] 19 *

Jan 27 18:15:56: RADIUS: Called-Station-Id [30] 6 "8999"

Jan 27 18:15:56: RADIUS: NAS-Port [5] 6 36

Jan 27 18:15:56: RADIUS: NAS-Port-Type [61] 6 Async [0]

Jan 27 18:15:56: RADIUS: Service-Type [6] 6 Framed [2]

Jan 27 18:15:56: RADIUS: NAS-IP-Address [4] 6 10.176.44.56

Jan 27 18:16:00: As36 EVT: Packet [44] 0 0x616603C0

Jan 27 18:16:00: As36 CHAP: I RESPONSE id 29 len 27 from "radius"

Jan 27 18:16:00: As36 CHAP: Ignoring Additional Response

Jan 27 18:16:01: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6

Jan 27 18:16:02: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69

Jan 27 18:16:02: RADIUS: authenticator 77 23 25 28 E7 E7 81 02 - BC AB 92 05 5E 23 9A 98

Jan 27 18:16:02: RADIUS: Service-Type [6] 6 Framed [2]

Jan 27 18:16:02: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 27 18:16:02: RADIUS: Framed-IP-Address [8] 6 10.176.41.81

Jan 27 18:16:02: RADIUS: Class [25] 31

Jan 27 18:16:02: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]

Jan 27 18:16:02: RADIUS: 36 2F 30 61 62 30 32 63 33 38 2F [6/0ab02c38/]

Jan 27 18:16:02: RADIUS: Response (6) failed decrypt

Jan 27 18:16:04: As36 EVT: Packet [44] 0 0x6142A484

Jan 27 18:16:04: As36 CHAP: I RESPONSE id 29 len 27 from "radius"

Jan 27 18:16:04: As36 CHAP: Ignoring Additional Response

Jan 27 18:16:06: As36 AUTH: Timeout 1

Jan 27 18:16:06: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6

Jan 27 18:16:06: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69

Jan 27 18:16:06: RADIUS: authenticator 19 C8 15 88 94 06 83 E4 - 91 A2 17 D4 C3 A1 C1 17

Jan 27 18:16:06: RADIUS: Service-Type [6] 6 Framed [2]

Jan 27 18:16:06: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 27 18:16:06: RADIUS: Framed-IP-Address [8] 6 10.176.41.81

Jan 27 18:16:06: RADIUS: Class [25] 31

Jan 27 18:16:06: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]

Jan 27 18:16:06: RADIUS: 37 2F 30 61 62 30 32 63 33 38 2F [7/0ab02c38/]

Jan 27 18:16:06: RADIUS: Response (6) failed decrypt

Jan 27 18:16:08: As36 EVT: Packet [44] 0 0x616600EC

Jan 27 18:16:08: As36 CHAP: I RESPONSE id 29 len 27 from "radius"

Jan 27 18:16:08: As36 CHAP: Ignoring Additional Response

Jan 27 18:16:11: RADIUS: Retransmit to (10.176.4.87:1645,1646) for id 6

Jan 27 18:16:11: RADIUS: Received from id 6 10.176.4.87:1645, Access-Accept, len 69

Jan 27 18:16:11: RADIUS: authenticator 75 A9 B2 1E 13 4B 35 8F - 1F 68 12 B7 25 A3 2E 92

Jan 27 18:16:11: RADIUS: Service-Type [6] 6 Framed [2]

Jan 27 18:16:11: RADIUS: Framed-Protocol [7] 6 PPP [1]

Jan 27 18:16:11: RADIUS: Framed-IP-Address [8] 6 10.176.41.81

Jan 27 18:16:11: RADIUS: Class [25] 31

Jan 27 18:16:11: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 33 36 [CISCOACS:0000036]

Jan 27 18:16:11: RADIUS: 38 2F 30 61 62 30 32 63 33 38 2F [8/0ab02c38/]

Jan 27 18:16:11: RADIUS: Response (6) failed decrypt

Jan 27 18:16:12: As36 EVT: Packet [44] 0 0x616603C0

Jan 27 18:16:12: As36 CHAP: I RESPONSE id 29 len 27 from "radius"

Jan 27 18:16:12: As36 CHAP: Ignoring Additional Response

Jan 27 18:16:16: As36 EVT: Packet [44] 0 0x6142A484

Jan 27 18:16:16: As36 CHAP: I RESPONSE id 29 len 27 from "radius"

Jan 27 18:16:16: As36 CHAP: Ignoring Additional Response

Jan 27 18:16:16: As36 AUTH: Timeout 2

Jan 27 18:16:16: RADIUS: Tried all servers.

Jan 27 18:16:16: RADIUS: No valid server found. Trying any viable server

Jan 27 18:16:16: RADIUS: Tried all servers.

Jan 27 18:16:16: RADIUS: No response from (10.176.4.87:1645,1646) for id 6

Jan 27 18:16:16: RADIUS/DECODE: parse response no app start; FAIL

Jan 27 18:16:16: RADIUS/DECODE: parse response; FAIL

Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): user radius not found

Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): CHAP

Jan 27 18:16:16: AAA/LOCAL/LOGIN(00000B0F): failover

Jan 27 18:16:16: As36 PPP: Received LOGIN Response from AAA = FAIL

Jan 27 18:16:16: As36 CHAP: O FAILURE id 29 len 26 msg is "Authentication failure"

Jan 27 18:16:16: As36 PPP: Phase is TERMINATING

====================================================

(I don't use ACL, up to now)

If you have an idea, thanks in advance

guillerm · ‎02-03-2004

Problem of the "Response failed decrypt" message solved by coding the radius key parameter directly in the specific radius-server host xxxx key xxxx IOS command,

instead of in the global radius-server key IOS command ;

(by the way, it is to be noted that receiving the access-accept message from the AAA Server does not prove the keys are identical and well taken into account on both sides (AAA client and AAA server)