Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IOS Easy VPN Server / Radius attributes

Hi,

I made a Easy VPN server setup with a 2621XM router running 12.2(15)T5 release. VPN Clients/Users are authenticated against Cisco ACS 3.2 via radius.

This is working fine, but there is one problem I cannot solve. Each VPN user needs to have the same IP address assigned every time he is authenticated.

The ACS is sending the right radius attribute (Framed-IP-Address) back to the IOS box, but this address is not assigned to the client. The client always gets the next available IP address from the local defined pool on the router.

How can I solve this problem?

Please find relevant parts of the configuration and a "deb radius" below.

Regards,

Christian

aaa authentication password-prompt password:

aaa authentication username-prompt username:

aaa authentication login users group radius local

aaa authorization network default group radius local

crypto isakmp policy 1

group 2

!

crypto isakmp policy 3

hash md5

authentication pre-share

group 2

crypto isakmp identity hostname

!

crypto isakmp client configuration group kh_vpn

key mypreshared

pool mypool

!

crypto ipsec transform-set shades esp-3des esp-sha-hmac

!

crypto dynamic-map mode 1

set transform-set shades

!

crypto map mode client authentication list users

crypto map mode isakmp authorization list default

crypto map mode client configuration address respond

crypto map mode 1 ipsec-isakmp dynamic mode

!

interface FastEthernet0/1

ip address 192.168.100.41 255.255.255.248

crypto map mode

!

ip local pool mypool 172.16.0.2 172.16.0.10 !

radius-server attribute 8 include-in-access-req

radius-server host 192.168.100.13 auth-port 1645 acct-port 1646 key XXXXXXXXXXXXXXXX

radius-server authorization permit missing Service-Type

# deb radius

00:03:28: RADIUS: Pick NAS IP for u=0x83547CDC tableid=0 cfg_addr=0.0.0.0 best_a

ddr=192.168.100.26

00:03:28: RADIUS: ustruct sharecount=2

00:03:28: Radius: radius_port_info() success=0 radius_nas_port=1

00:03:28: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/

4, len 73

00:03:28: RADIUS: authenticator 89 EA 97 56 12 B1 C5 C2 - C0 66 59 47 F7 88 96

68

00:03:28: RADIUS: NAS-IP-Address [4] 6 192.168.100.26

00:03:28: RADIUS: NAS-Port-Type [61] 6 Async [0]

00:03:28: RADIUS: User-Name [1] 10 "vpnuser1"

00:03:28: RADIUS: Calling-Station-Id [31] 13 "10.1.14.150"

00:03:28: RADIUS: User-Password [2] 18 *

00:03:28: RADIUS: Received from id 21645/4 192.168.100.13:1645, Access-Accept, l

en 108

00:03:28: RADIUS: authenticator C1 7D 29 56 50 89 35 B7 - 92 7B 1A 32 87 6C 15

A4

00:03:28: RADIUS: Service-Type [6] 6 Outbound [5]

00:03:28: RADIUS: login-ip-addr-host [14] 6 255.255.255.255

00:03:28: RADIUS: Tunnel-Type [64] 6 01:ESP [9]

00:03:28: RADIUS: Tunnel-Password [69] 21 *

00:03:28: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0

00:03:28: RADIUS: Framed-IP-Address [8] 6 172.16.0.5

00:03:28: RADIUS: Class [25] 37

00:03:28: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30 [CISCOACS:0

000010]

00:03:28: RADIUS: 33 2F 63 30 61 38 36 34 31 61 2F 76 70 6E 75 73 [3/c0a8641a

/vpnus]

00:03:28: RADIUS: 65 72 31 [er1]

00:03:28: RADIUS: saved authorization data for user 83547CDC at 83548430

00:03:29: RADIUS: authenticating to get author data

00:03:29: RADIUS: Pick NAS IP for u=0x82A279FC tableid=0 cfg_addr=0.0.0.0 best_a

ddr=192.168.100.26

00:03:29: RADIUS: ustruct sharecount=3

00:03:29: Radius: radius_port_info() success=0 radius_nas_port=1

00:03:29: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/

5, len 77

00:03:29: RADIUS: authenticator 13 B2 A6 CE BF B5 DA 7E - 7B F6 F0 0B A2 35 60

E3

00:03:29: RADIUS: NAS-IP-Address [4] 6 192.168.100.26

00:03:29: RADIUS: NAS-Port-Type [61] 6 Async [0]

00:03:29: RADIUS: User-Name [1] 8 "kh_vpn"

00:03:29: RADIUS: Calling-Station-Id [31] 13 "10.1.14.150"

00:03:29: RADIUS: User-Password [2] 18 *

00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]

00:03:29: RADIUS: Received from id 21645/5 192.168.100.13:1645, Access-Accept, l

en 94

00:03:29: RADIUS: authenticator C4 F5 2F C3 EE 56 DA C9 - 05 D6 23 F5 5D EF 74

AF

00:03:29: RADIUS: Service-Type [6] 6 Outbound [5]

00:03:29: RADIUS: login-ip-addr-host [14] 6 255.255.255.255

00:03:29: RADIUS: Tunnel-Type [64] 6 01:ESP [9]

00:03:29: RADIUS: Tunnel-Password [69] 21 *

00:03:29: RADIUS: Class [25] 35

00:03:29: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30 [CISCOACS:0

000010]

00:03:29: RADIUS: 34 2F 63 30 61 38 36 34 31 61 2F 6B 68 5F 76 70 [4/c0a8641a

/kh_vp]

00:03:29: RADIUS: 6E [n]

00:03:29: RADIUS: saved authorization data for user 82A279FC at 82A27D3C

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IOS Easy VPN Server / Radius attributes

Assigning an IP address via a Raidus server is currently not supported, so even if your Radius server is passing down an IP address, the router will ignore it and just assign an IP address out of the locla pool. In fact, the local pool is the only way to assign IP addresses currently.

About the only way to do what you want currently is to create different VPN groups, each referencing a local IP pool with one address in it. Then have each user connect to the appropriate group via their VPN client.

Yes, messy, but just trying to provide a solution for you.

2 REPLIES
Cisco Employee

Re: IOS Easy VPN Server / Radius attributes

Assigning an IP address via a Raidus server is currently not supported, so even if your Radius server is passing down an IP address, the router will ignore it and just assign an IP address out of the locla pool. In fact, the local pool is the only way to assign IP addresses currently.

About the only way to do what you want currently is to create different VPN groups, each referencing a local IP pool with one address in it. Then have each user connect to the appropriate group via their VPN client.

Yes, messy, but just trying to provide a solution for you.

New Member

Re: IOS Easy VPN Server / Radius attributes

Ah, ok; I expected that. In the meantime I made my way with an 3005 for production instead of the IOS box.

But it would be nice to see this feature available in future IOS versions. The amount of unused routers collecting dust seems far higher than the amount of VPN Concentrators. Just to reactivate them for serving small VPN user groups ;-) We need to have this static user <-> IP mapping for TN3270 host access.

Thank you,

Christian

282
Views
0
Helpful
2
Replies