ISG radius-proxy attribute filtering

device: CSR1000v IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.3(2)S0a

running-config in attachment

I'm trying to use ISG as an AAA proxy. NAS uses RADIUS to assign an IP address to the client.

Whenever NAS sends access-request to ISG, ISG starts to parse received attributes and forms a proxy session.

As NAS doesn't yet know the Framed-IP-Address (it is supposed to receive it in access-reply), it fills the field with 255.255.255.255. ISG can't parse this "invalid" address and the proxy session fails.

How do I get past this moment? Please, I'm stuck.

Sep  3 10:41:57.956: RADIUS: Received from id 1812/209 192.168.145.1:10031, Access-Request, len 201

Sep  3 10:41:57.956: RADIUS:  authenticator 54 72 D1 CA CA CE A0 BC - 33 13 61 3B 30 8F 9B 86

Sep  3 10:41:57.956: RADIUS:  Vendor, 3GPP2       [26]  16 

Sep  3 10:41:57.956: RADIUS:   cdma-correlation-id[44]  10  "177F8150"

Sep  3 10:41:57.956: RADIUS:  Vendor, 3GPP2       [26]  12 

Sep  3 10:41:57.956: RADIUS:   cdma-service-option[16]  6   59                       

Sep  3 10:41:57.956: RADIUS:  User-Name           [1]   19  "evdo@triatel.test"

Sep  3 10:41:57.956: RADIUS:  Vendor, 3GPP2       [26]  12 

Sep  3 10:41:57.956: RADIUS:   cdma-sess-term-capa[88]  6   3                        

Sep  3 10:41:57.956: RADIUS:  CHAP-Challenge      [60]  18 

Sep  3 10:41:57.956: RADIUS:   54 72 D1 CA CA CE A0 BC 33 13 61 3B 30 8F 9B 86            [ Tr3a;0]

Sep  3 10:41:57.956: RADIUS:  CHAP-Password       [3]   19  *

Sep  3 10:41:57.956: RADIUS:  NAS-Port-Type       [61]  6   Unsupported               [24]

Sep  3 10:41:57.956: RADIUS:  Calling-Station-Id  [31]  17  "247033715834844"

Sep  3 10:41:57.956: RADIUS:  Service-Type        [6]   6   Framed                    [2]

Sep  3 10:41:57.956: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]

Sep  3 10:41:57.956: RADIUS:  NAS-IP-Address      [4]   6   192.168.145.1            

Sep  3 10:41:57.956: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255          

Sep  3 10:41:57.956: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255          

Sep  3 10:41:57.956: RADIUS:  Vendor, 3GPP2       [26]  12 

Sep  3 10:41:57.956: RADIUS:   cdma-ip-tech       [22]  6   1                        

Sep  3 10:41:57.956: RADIUS:  Event-Timestamp     [55]  6   1378204917               

Sep  3 10:41:57.956: RADIUS:  Vendor, 3GPP2       [26]  14 

Sep  3 10:41:57.956: RADIUS:   cdma-prepaid-accoun[91]  8  

Sep  3 10:41:57.956: RADIUS:   01 06 00 00 00 03

Sep  3 10:41:57.956: RADIUS(00000000): Received from id 10031/209

Sep  3 10:41:57.956: RADIUS/DECODE: Invalid attr to decode; CHAP-Password

Sep  3 10:41:57.956: RP-EVENT: Parse Request: Username = evdo@triatel.test

Sep  3 10:41:57.956: RP-EVENT: Parse Request: Caller ID = 247033715834844

Sep  3 10:41:57.956: RP-EVENT: Parse Request: NAS ip = 192.168.145.1

Sep  3 10:41:57.956: RP-EVENT: Parse Request: IP = 255.255.255.255

Sep  3 10:41:57.956: RP-ERROR: Invalid ip address: 255.255.255.255

Sep  3 10:41:57.956: RP-ERROR: Cleaning up the radius proxy session

Sep  3 10:41:57.956: RP-EVENT: Cleaning up the radius request context

Sep  3 10:41:57.956: RP-EVENT: Returning Access-Reject to client 192.168.145.1


Last update: 09-03-2013 03:39 AM
Comments
New Member

Is it possible to configure ISG radius-proxy to be fully transparent to RADIUS messages?

New Member

Hello,

IOS XE radius-proxy didn't allow Framed-IP address to be set to 255.255.255.255 (all ones) and dropped the packet with the following message:

Sep  3 10:41:57.956: RP-ERROR: Invalid ip address: 255.255.255.255

This is documented in Bug CSCuj27743 and is fixed in IOS XE 3.10.1 - 15.3(3)S1.

As a workaround, the NAS should be configured to omit RADIUS attribute Framed-IP-Address [8] for radius-proxy authentication as long as no real IP address is assigned to the client.

The ISG can add the IP address to the session later if you do e.g. radius accounting for DHCP leases.
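
What the workaround in the reply above means on the wire, as an added example (not code from the thread or from Cisco): a Python parser for the RFC 2865 packet layout that omits Framed-IP-Address [8] from an Access-Request only when it carries the 255.255.255.255 placeholder, useful for checking a NAS capture or preparing a lab replay. The function names and the sample packet are constructed for illustration.

```python
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 1, 4, 8, 9
MESSAGE_AUTHENTICATOR = 80
ALL_ONES = socket.inet_aton("255.255.255.255")

def parse(packet):
    """Split a RADIUS packet (RFC 2865 layout) into header fields and attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def build(code, ident, authenticator, attrs):
    """Serialise header and attributes, recomputing the Length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def omit_placeholder_framed_ip(packet):
    """Return (packet, changed): drop Framed-IP-Address [8] only when it is all ones."""
    code, ident, authenticator, attrs = parse(packet)
    kept = [(t, v) for t, v in attrs
            if not (t == FRAMED_IP_ADDRESS and v == ALL_ONES)]
    if code != ACCESS_REQUEST or len(kept) == len(attrs):
        return packet, False
    # Message-Authenticator [80] is an HMAC over the whole packet; re-signing needs the secret.
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        raise ValueError("Message-Authenticator present; cannot edit without re-signing")
    return build(code, ident, authenticator, kept), True

# Constructed sample: a subset of the attributes in the debug output, zeroed authenticator.
SAMPLE = build(ACCESS_REQUEST, 209, bytes(16), [
    (USER_NAME, b"evdo@triatel.test"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.168.145.1")),
    (FRAMED_IP_ADDRESS, ALL_ONES),
    (FRAMED_IP_NETMASK, ALL_ONES),
])

if __name__ == "__main__":
    print(omit_placeholder_framed_ip(SAMPLE)[1])
```

The Request Authenticator of an Access-Request is a random value rather than a digest of the packet, so removing the attribute leaves it valid; only a Message-Authenticator would need recomputing.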