IOS Easy VPN Server / Radius attributes

nnw11903
Level 1

Hi,

I made an Easy VPN server setup with a 2621XM router running 12.2(15)T5 release. VPN Clients/Users are authenticated against Cisco ACS 3.2 via radius.

This is working fine, but there is one problem I cannot solve. Each VPN user needs to have the same IP address assigned every time he is authenticated.

The ACS is sending the right radius attribute (Framed-IP-Address) back to the IOS box, but this address is not assigned to the client. The client always gets the next available IP address from the local defined pool on the router.

How can I solve this problem?

Please find relevant parts of the configuration and a "deb radius" below.

Regards,

Christian

aaa authentication password-prompt password:
aaa authentication username-prompt username:
aaa authentication login users group radius local
aaa authorization network default group radius local
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group kh_vpn
 key mypreshared
 pool mypool
!
crypto ipsec transform-set shades esp-3des esp-sha-hmac
!
crypto dynamic-map mode 1
 set transform-set shades
!
crypto map mode client authentication list users
crypto map mode isakmp authorization list default
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
interface FastEthernet0/1
 ip address 192.168.100.41 255.255.255.248
 crypto map mode
!
ip local pool mypool 172.16.0.2 172.16.0.10
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.100.13 auth-port 1645 acct-port 1646 key XXXXXXXXXXXXXXXX
radius-server authorization permit missing Service-Type

# deb radius

00:03:28: RADIUS: Pick NAS IP for u=0x83547CDC tableid=0 cfg_addr=0.0.0.0 best_addr=192.168.100.26
00:03:28: RADIUS: ustruct sharecount=2
00:03:28: Radius: radius_port_info() success=0 radius_nas_port=1
00:03:28: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/4, len 73
00:03:28: RADIUS: authenticator 89 EA 97 56 12 B1 C5 C2 - C0 66 59 47 F7 88 96 68
00:03:28: RADIUS: NAS-IP-Address [4] 6 192.168.100.26
00:03:28: RADIUS: NAS-Port-Type [61] 6 Async [0]
00:03:28: RADIUS: User-Name [1] 10 "vpnuser1"
00:03:28: RADIUS: Calling-Station-Id [31] 13 "10.1.14.150"
00:03:28: RADIUS: User-Password [2] 18 *
00:03:28: RADIUS: Received from id 21645/4 192.168.100.13:1645, Access-Accept, len 108
00:03:28: RADIUS: authenticator C1 7D 29 56 50 89 35 B7 - 92 7B 1A 32 87 6C 15 A4
00:03:28: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:28: RADIUS: login-ip-addr-host [14] 6 255.255.255.255
00:03:28: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
00:03:28: RADIUS: Tunnel-Password [69] 21 *
00:03:28: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
00:03:28: RADIUS: Framed-IP-Address [8] 6 172.16.0.5
00:03:28: RADIUS: Class [25] 37
00:03:28: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30 [CISCOACS:0000010]
00:03:28: RADIUS: 33 2F 63 30 61 38 36 34 31 61 2F 76 70 6E 75 73 [3/c0a8641a/vpnus]
00:03:28: RADIUS: 65 72 31 [er1]
00:03:28: RADIUS: saved authorization data for user 83547CDC at 83548430
00:03:29: RADIUS: authenticating to get author data
00:03:29: RADIUS: Pick NAS IP for u=0x82A279FC tableid=0 cfg_addr=0.0.0.0 best_addr=192.168.100.26
00:03:29: RADIUS: ustruct sharecount=3
00:03:29: Radius: radius_port_info() success=0 radius_nas_port=1
00:03:29: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/5, len 77
00:03:29: RADIUS: authenticator 13 B2 A6 CE BF B5 DA 7E - 7B F6 F0 0B A2 35 60 E3
00:03:29: RADIUS: NAS-IP-Address [4] 6 192.168.100.26
00:03:29: RADIUS: NAS-Port-Type [61] 6 Async [0]
00:03:29: RADIUS: User-Name [1] 8 "kh_vpn"
00:03:29: RADIUS: Calling-Station-Id [31] 13 "10.1.14.150"
00:03:29: RADIUS: User-Password [2] 18 *
00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:29: RADIUS: Received from id 21645/5 192.168.100.13:1645, Access-Accept, len 94
00:03:29: RADIUS: authenticator C4 F5 2F C3 EE 56 DA C9 - 05 D6 23 F5 5D EF 74 AF
00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:29: RADIUS: login-ip-addr-host [14] 6 255.255.255.255
00:03:29: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
00:03:29: RADIUS: Tunnel-Password [69] 21 *
00:03:29: RADIUS: Class [25] 35
00:03:29: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30 [CISCOACS:0000010]
00:03:29: RADIUS: 34 2F 63 30 61 38 36 34 31 61 2F 6B 68 5F 76 70 [4/c0a8641a/kh_vp]
00:03:29: RADIUS: 6E [n]
00:03:29: RADIUS: saved authorization data for user 82A279FC at 82A27D3C
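When troubleshooting a case like this, the first thing to establish from the "deb radius" output is which of the two Access-Accepts (the per-user one for "vpnuser1" and the group one for "kh_vpn") actually carries Framed-IP-Address, and whether that address sits inside the router's local pool. The following Python script is an added example, not part of this thread or of any Cisco tool: it parses lines in the format shown above, pairs each Access-Request with its reply by RADIUS id, and classifies the Framed-IP-Address value per RFC 2865 (the two reserved all-ones values mean "user selects" and "NAS assigns"). The sample input is a constructed, trimmed copy of the debug output above with the wrapped lines rejoined; the pool bounds are taken from the "ip local pool mypool" line in the configuration.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the two RADIUS exchanges from the "deb radius"
# output above, trimmed to the lines the parser needs (wrapped lines rejoined).
DEBUG_RADIUS = """\
00:03:28: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/4, len 73
00:03:28: RADIUS: NAS-IP-Address [4] 6 192.168.100.26
00:03:28: RADIUS: User-Name [1] 10 "vpnuser1"
00:03:28: RADIUS: User-Password [2] 18 *
00:03:28: RADIUS: Received from id 21645/4 192.168.100.13:1645, Access-Accept, len 108
00:03:28: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:28: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
00:03:28: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
00:03:28: RADIUS: Framed-IP-Address [8] 6 172.16.0.5
00:03:28: RADIUS: saved authorization data for user 83547CDC at 83548430
00:03:29: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/5, len 77
00:03:29: RADIUS: User-Name [1] 8 "kh_vpn"
00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:29: RADIUS: Received from id 21645/5 192.168.100.13:1645, Access-Accept, len 94
00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]
00:03:29: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
00:03:29: RADIUS: saved authorization data for user 82A279FC at 82A27D3C
"""

# Line shapes as printed by IOS "debug radius" (see the output above).
SEND_RE = re.compile(r'Send Access-Request to (\S+) id (\S+), len')
RECV_RE = re.compile(r'Received from id (\S+) \S+, (Access-\w+)')
ATTR_RE = re.compile(r'RADIUS:\s+([\w-]+) \[(\d+)\] \d+ (.*)$')


def parse_exchanges(text):
    """Group debug lines into {radius_id: {'request': {...}, 'response': {...}}}.

    Attribute lines are attached to whichever packet (request or reply) was
    most recently announced, so each side keeps its own attribute dict.
    """
    exchanges = {}
    current = None  # (radius_id, 'request' | 'response')
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = (m.group(2), 'request')
            exchanges.setdefault(current[0], {})['request'] = {'attrs': {}}
            continue
        m = RECV_RE.search(line)
        if m:
            current = (m.group(1), 'response')
            exchanges.setdefault(current[0], {})['response'] = {
                'code': m.group(2), 'attrs': {}}
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            rid, side = current
            name, value = m.group(1), m.group(3).strip().strip('"')
            exchanges[rid][side]['attrs'][name] = value
    return exchanges


def classify(addr, lo, hi):
    """Classify a Framed-IP-Address value against the router's local pool.

    RFC 2865 section 5.8 reserves 255.255.255.255 ("user may select") and
    255.255.255.254 ("NAS should select"); anything else is a static address.
    """
    if addr is None:
        return 'absent'
    if addr == '255.255.255.255':
        return 'user-selects'
    if addr == '255.255.255.254':
        return 'nas-assigns'
    a = ip_address(addr)
    return 'static-in-pool' if lo <= a <= hi else 'static-outside-pool'


def framed_ip_report(exchanges, pool_start, pool_end):
    """For every Access-Accept, return (User-Name, Framed-IP-Address, class)."""
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    report = []
    for rid, ex in sorted(exchanges.items()):
        req = ex.get('request', {'attrs': {}})
        resp = ex.get('response')
        if not resp or resp['code'] != 'Access-Accept':
            continue
        user = req['attrs'].get('User-Name')
        addr = resp['attrs'].get('Framed-IP-Address')
        report.append((user, addr, classify(addr, lo, hi)))
    return report


if __name__ == '__main__':
    # Pool bounds from "ip local pool mypool 172.16.0.2 172.16.0.10" above.
    for user, addr, status in framed_ip_report(
            parse_exchanges(DEBUG_RADIUS), '172.16.0.2', '172.16.0.10'):
        print(f'{user!s:10} Framed-IP-Address={addr!s:16} {status}')
```

Run against the sample, the report shows that only the per-user Access-Accept carries Framed-IP-Address (172.16.0.5) and that this address lies inside mypool. That second fact is worth a caveat independent of the platform limitation discussed in the reply below: on any NAS that does honour the attribute, a RADIUS-assigned address that also belongs to the dynamic pool can be handed out twice, so static per-user addresses should normally be kept outside the pool range.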

Accepted Solution

gfullage
Cisco Employee

Assigning an IP address via a Radius server is currently not supported, so even if your Radius server is passing down an IP address, the router will ignore it and just assign an IP address out of the local pool. In fact, the local pool is the only way to assign IP addresses currently.

About the only way to do what you want currently is to create different VPN groups, each referencing a local IP pool with one address in it. Then have each user connect to the appropriate group via their VPN client.

Yes, messy, but just trying to provide a solution for you.

2 Replies

Ah, ok; I expected that. In the meantime I made my way with a 3005 for production instead of the IOS box.

But it would be nice to see this feature available in future IOS versions. The amount of unused routers collecting dust seems far higher than the amount of VPN Concentrators. Just to reactivate them for serving small VPN user groups ;-) We need to have this static user <-> IP mapping for TN3270 host access.

Thank you,

Christian
