New Member

VPDN DNIS issues with RADIUS

Hi,

I'm new to the dial/VPN environment and have come across a problem with regard to VPDN and RADIUS. I have searched Cisco's documentation, IOS command references and design guides but have not found any mention of the problem I have found.

Since we have enabled VPDN on our Access servers, we have been getting "no such user" errors on our RADIUS server with a username of "dnisxxxxx" where xxxxx is the number that was dialled. So basically, when a user dials in, the Access Server passes the user name to the RADIUS server and the user gets authenticated, but then the Access server sends ANOTHER username to the RADIUS server of dnis:<number called>. This is seen in the RADIUS debugs:

RADIUS/ENCODE: Attribute has no value set for AAA attribute clid

RADIUS: AAA Unsupported [150] 7

RADIUS: 41 73 79 6E 63 [Async]

RADIUS(00000031): Storing nasport 10 in rad_db

RADIUS(00000031): Config NAS IP: 0.0.0.0

RADIUS/ENCODE(00000031): acct_session_id: 58

RADIUS(00000031): sending

RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x

RADIUS(00000031): Send Access-Request to x.x.x.x:1645 id 21645/37, len 84

RADIUS: authenticator A7 33 C0 3B 13 02 00 88 - 6E 37 25 FD 73 4E 6B FA

RADIUS: Framed-Protocol [7] 6 PPP [1]

RADIUS: User-Name [1] 10 "bob2541"

RADIUS: User-Password [2] 18 *

RADIUS: Called-Station-Id [30] 6 "0027"

RADIUS: NAS-Port-Type [61] 6 Async [0]

RADIUS: NAS-Port [5] 6 10

RADIUS: Service-Type [6] 6 Framed [2]

RADIUS: NAS-IP-Address [4] 6 x.x.x.x

RADIUS: Received from id 21645/37 x.x.x.x:1645, Access-Accept, len 40

RADIUS: authenticator 22 73 01 DD 9E AC 26 80 - 7E 44 DB 11 27 1F EE BD

RADIUS: Service-Type [6] 6 Framed [2]

RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255

RADIUS: Reply-Message [18] 8

RADIUS: 61 6E 6E 65 78 3A [annex:]

RADIUS(00000031): Received from id 21645/37

RADIUS/DECODE: Reply-Message fragments, 6, total 6 bytes

**********Above user authentication successful but now the DNIS authentication***********

RADIUS/ENCODE: Attribute has no value set for AAA attribute clid

RADIUS: AAA Unsupported [150] 7

RADIUS: 41 73 79 6E 63 [Async]

RADIUS(00000031): Using existing nas_port 10

RADIUS(00000031): Config NAS IP: 0.0.0.0

RADIUS/ENCODE(00000031): acct_session_id: 58

RADIUS(00000031): sending

RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x

RADIUS(00000031): Send Access-Request to x.x.x.x:1645 id 21645/38, len 79

RADIUS: authenticator 63 6B 06 3E B2 B3 7E E8 - 88 9C 45 E8 B5 D5 8B 20

RADIUS: User-Name [1] 11 "dnis:0027"

RADIUS: User-Password [2] 18 *

RADIUS: Called-Station-Id [30] 6 "0027"

RADIUS: NAS-Port-Type [61] 6 Async [0]

RADIUS: NAS-Port [5] 6 10

Service-Type [6] 6 Outbound [5]

RADIUS: NAS-IP-Address [4] 6 x.x.x.x

RADIUS: Received from id 21645/38 x.x.x.x:1645, Access-Reject, len 34

RADIUS: authenticator 31 5A AE 6F B2 41 82 1C - 35 A4 74 9D 3A 82 23 11

RADIUS: Reply-Message [18] 14

RADIUS: 4E 6F 20 73 75 63 68 20 75 73 65 72 [No such user]

RADIUS(00000031): Received from id 21645/38

RADIUS/DECODE: Reply-Message fragments, 12, total 12 bytes

Can anyone tell me or point me in the right direction on how to stop the Access Server from requesting the dnis authentication? This is causing a LOT of traffic to our RADIUS servers because this happens for every user who dials in. Any help is greatly appreciated.

thanks
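
To measure how many of these extra dnis: requests reach the RADIUS server, the debug output can be paired up by request id. This is an added example, not part of the original thread; the sample lines are constructed from the debug format shown in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the debug output format shown in the post.
SAMPLE = """\
RADIUS(00000031): Send Access-Request to x.x.x.x:1645 id 21645/37, len 84
RADIUS: User-Name [1] 10 "bob2541"
RADIUS: Called-Station-Id [30] 6 "0027"
RADIUS: Received from id 21645/37 x.x.x.x:1645, Access-Accept, len 40
RADIUS(00000031): Send Access-Request to x.x.x.x:1645 id 21645/38, len 79
RADIUS: User-Name [1] 11 "dnis:0027"
RADIUS: Called-Station-Id [30] 6 "0027"
RADIUS: Received from id 21645/38 x.x.x.x:1645, Access-Reject, len 34
"""

SEND = re.compile(r"Send Access-Request to \S+ id (\d+/\d+)")
USER = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
RECV = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")

def parse_exchanges(text):
    """Pair each Access-Request with its reply, keyed by the RADIUS id."""
    pending, current, done = {}, None, []
    for line in text.splitlines():
        if m := SEND.search(line):
            current = m.group(1)
            pending[current] = {"id": current, "user": None}
        elif (m := USER.search(line)) and current in pending:
            # Attribute lines following a Send belong to that request.
            pending[current]["user"] = m.group(1)
        elif (m := RECV.search(line)) and m.group(1) in pending:
            req = pending.pop(m.group(1))
            req["result"] = m.group(2)
            done.append(req)
            current = None  # reply attributes are not request attributes
    return done

def dnis_summary(exchanges):
    """Count requests whose User-Name is 'dnis:<number>', grouped by result."""
    return Counter(e["result"] for e in exchanges
                   if (e["user"] or "").startswith("dnis:"))

if __name__ == "__main__":
    ex = parse_exchanges(SAMPLE)
    for e in ex:
        print(e["id"], e["user"], e["result"])
    print(dict(dnis_summary(ex)))
```

Running it against a capture taken before and after a configuration change shows whether the dnis: requests have stopped.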

2 REPLIES
Cisco Employee

Re: VPDN DNIS issues with RADIUS

Normally this is only seen when doing pre-auth, not sure if you're doing that or not.

The global config command 'vpdn authen-before-forward' will skip the dnis/domain request, but this is usually seen BEFORE the client username request, not AFTER.

You might also try 'vpdn search-order domain' and see if that helps.

New Member

Re: VPDN DNIS issues with RADIUS

Thank you thank you thank you thank you :)

This was my VPDN config before:

vpdn enable

vpdn authen-before-forward

vpdn authorize directed-request

I have now added the "vpdn search-order domain" command and it's working perfectly. No more dnis.

Thanks again for the help :)
