Python223, 2014-12-25 04:34:51

PPTP VPN on Cisco + NPS RADIUS: how to set up an av-pair?

There is a Cisco 2911 with firmware c2900-universalk9-mz.SPA.151-3.T.bin. A PPTP VPN is configured with user authorization via AD (NPS - RADIUS).
AAA:

aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa accounting network VPN-USERS
 action-type start-stop
 group radius

VPDN:
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15

Virtual Template:
interface Virtual-Template1
 ip unnumbered fa0/0
 peer default ip address pool VPN
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
 ppp authorization X-AUTH
 ppp accounting VPN-USERS

Radius setting:
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key xxxxxxxxxxx

And the IP address pool itself:
ip local pool VPN 192.168.13.1 192.168.13.20
VPN users connect over the VPN without problems. The trouble is that VPN users get access to every subnet behind the Cisco. I would like to apply ACLs; having read the manuals, as I understand it, this is done through VSAs, which for Cisco means av-pairs. The problem is that the av-pair arrives at the Cisco but has no effect.
Debug Radius:
Dec 25 01:06:46.980: RADIUS/ENCODE(00000CB7):Orig. component type = VPDN
Dec 25 01:06:46.980: RADIUS:  AAA Unsupported Attr: interface         [209] 13
Dec 25 01:06:46.980: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49       [ Uniq-Sess-I]
Dec 25 01:06:46.980: RADIUS(00000CB7): Config NAS IP: 0.0.0.0
Dec 25 01:06:46.980: RADIUS/ENCODE(00000CB7): acct_session_id: 3246
Dec 25 01:06:46.980: RADIUS(00000CB7): sending
Dec 25 01:06:46.980: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
Dec 25 01:06:46.980: RADIUS(00000CB7): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/2, len 157
Dec 25 01:06:46.980: RADIUS:  authenticator 6F A4 19 55 FA 91 7A 6E - BA F3 4D C4 83 75 3A C1
Dec 25 01:06:46.980: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Dec 25 01:06:46.980: RADIUS:  User-Name           [1]   10  "TEST"
Dec 25 01:06:46.980: RADIUS:  Vendor, Microsoft   [26]  24
Dec 25 01:06:46.980: RADIUS:   MS-CHAP-Challenge  [11]  18
Dec 25 01:06:46.980: RADIUS:   6F A4 19 55 FA 91 7A 6E BA F3 4D C4 83 75 3A C1           [ oUznMu:]
Dec 25 01:06:46.980: RADIUS:  Vendor, Microsoft   [26]  58
Dec 25 01:06:46.980: RADIUS:   MS-CHAP-V2-Response[25]  52  *
Dec 25 01:06:46.980: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Dec 25 01:06:46.980: RADIUS:  NAS-Port            [5]   6   2
Dec 25 01:06:46.980: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID2"
Dec 25 01:06:46.980: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 25 01:06:46.980: RADIUS:  NAS-IP-Address      [4]   6   xxx.xxx.xxx.xxx
Dec 25 01:06:46.980: RADIUS(00000CB7): Started 5 sec timeout
Dec 25 01:06:46.984: RADIUS: Received from id 1645/2 xxx.xxx.xxx.xxx:1812, Access-Accept, len 309
Dec 25 01:06:46.984: RADIUS:  authenticator 46 89 82 B5 65 ED 5D 20 - 96 C4 EC 48 EB 1F 34 F4
Dec 25 01:06:46.984: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Dec 25 01:06:46.984: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 25 01:06:46.984: RADIUS:  Class               [25]  46
Dec 25 01:06:46.984: RADIUS:   5A FE 05 2B 00 00 01 37 00 01 02 00 AC 12 00 96 00 00 00 00 00 00 00 00 00 00 00 00 01 D0 19 BA 65 48 BC 5C 00 00 00 00 00 00 00 32           [ Z+7eH\2]
Dec 25 01:06:46.984: RADIUS:  Vendor, Microsoft   [26]  42
Dec 25 01:06:46.984: RADIUS:   MS-MPPE-Recv-Key   [17]  36  *
Dec 25 01:06:46.984: RADIUS:  Vendor, Microsoft   [26]  42
Dec 25 01:06:46.984: RADIUS:   MS-MPPE-Send-Key   [16]  36  *
Dec 25 01:06:46.984: RADIUS:  Vendor, Microsoft   [26]  51
Dec 25 01:06:46.984: RADIUS:   MS-CHAP-V2-Success [26]  45  "S=72A45B8CB57C36FF86C7CADB586D15B00038B0DB"
Dec 25 01:06:46.984: RADIUS:  Vendor, Microsoft   [26]  12
Dec 25 01:06:46.984: RADIUS:   MS-CHAP-DOMAIN     [10]  6   "TEST"
Dec 25 01:06:46.984: RADIUS:  Vendor, Cisco       [26]  36
Dec 25 01:06:46.988: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#500=deny ip any any"
Dec 25 01:06:46.988: RADIUS:  Vendor, Microsoft   [26]  12
Dec 25 01:06:46.988: RADIUS:   MS-Link-Util-Thresh[14]  6
Dec 25 01:06:46.988: RADIUS:   00 00 00 32                 [ 2]
Dec 25 01:06:46.988: RADIUS:  Vendor, Microsoft   [26]  12
Dec 25 01:06:46.988: RADIUS:   MS-Link-Drop-Time-L[15]  6
Dec 25 01:06:46.988: RADIUS:   00 00 00 78                 [ x]
Dec 25 01:06:46.988: RADIUS:  Vendor, Microsoft   [26]  12
Dec 25 01:06:46.988: RADIUS:   MS-MPPE-Enc-Policy [7]   6
Dec 25 01:06:46.988: RADIUS:   00 00 00 02
Dec 25 01:06:46.988: RADIUS:  Vendor, Microsoft   [26]  12
Dec 25 01:06:46.988: RADIUS:   MS-MPPE-Enc-Type   [8]   6
Dec 25 01:06:46.988: RADIUS:   00 00 00 04
Dec 25 01:06:46.988: RADIUS(00000CB7): Received from id 1645/2
Dec 25 01:06:46.996: RADIUS/ENCODE(00000CB7):Orig. component type = VPDN
Dec 25 01:06:46.996: RADIUS(00000CB7): Config NAS IP: 0.0.0.0
Dec 25 01:06:46.996: RADIUS(00000CB7): sending
Dec 25 01:06:46.996: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Dec 25 01:06:46.996: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
Dec 25 01:06:46.996: RADIUS(00000CB7): Send Accounting-Request to xxx.xxx.xxx.xxx:1813 id 1646/3, len 197
Dec 25 01:06:46.996: RADIUS:  authenticator 0E CC 68 3E F3 67 A1 67 - B1 35 A9 6A 65 3B 8D F7
Dec 25 01:06:46.996: RADIUS:  Acct-Session-Id     [44]  10  "00000CAE"
Dec 25 01:06:46.996: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Dec 25 01:06:46.996: RADIUS:  Tunnel-Server-Endpoi[67]  16  "xxx.xxx.xxx.xxx"
Dec 25 01:06:46.996: RADIUS:  Tunnel-Client-Endpoi[66]  15  "xxx.xxx.xxx.xxx"
Dec 25 01:06:46.996: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
Dec 25 01:06:46.996: RADIUS:  Tunnel-Server-Auth-I[91]  4   "R0"
Dec 25 01:06:46.996: RADIUS:  Acct-Tunnel-Connecti[68]  4   "42"
Dec 25 01:06:46.996: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Dec 25 01:06:46.996: RADIUS:  User-Name           [1]   10  "TEST"
Dec 25 01:06:46.996: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Dec 25 01:06:46.996: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 25 01:06:46.996: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Dec 25 01:06:46.996: RADIUS:  NAS-Port            [5]   6   2
Dec 25 01:06:46.996: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID2"
Dec 25 01:06:46.996: RADIUS:  Class               [25]  46
Dec 25 01:06:46.996: RADIUS:   5A FE 05 2B 00 00 01 37 00 01 02 00 AC 12 00 96 00 00 00 00 00 00 00 00 00 00 00 00 01 D0 19 BA 65 48 BC 5C 00 00 00 00 00 00 00 32           [ Z+7eH\2]
Dec 25 01:06:46.996: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 25 01:06:46.996: RADIUS:  NAS-IP-Address      [4]   6   xxx.xxx.xxx.xxx
Dec 25 01:06:46.996: RADIUS:  Acct-Delay-Time     [41]  6   0
Dec 25 01:06:46.996: RADIUS(00000CB7): Started 5 sec timeout
Dec 25 01:06:47.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
R0#
Dec 25 01:06:47.000: RADIUS: Received from id 1646/3 xxx.xxx.xxx.xxx:1813, Accounting-response, len 20
Dec 25 01:06:47.004: RADIUS:  authenticator 8D 72 92 EE DE 16 1F AD - 66 C4 CC C3 7D DF BC 03

I don't like the line:
AAA Unsupported Attr: interface [209] 13
NPS is configured like this:
[NPS configuration screenshots]
The Cisco doesn't react to the AV-pair. Help please!

2 answer(s)
Piton223, 2015-01-13
@Piton223

I solved the problem using named authentication and authorization lists.
AAA:
aaa authentication ppp NPS group radius
Virtual-Template:
ppp authentication ms-chap-v2 NPS
ppp authorization NPS
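As an added check written for this thread (not code from the question, the answer or Cisco), the following Python lints the two config fragments for the cause of the symptom: a `ppp authorization` list that either is never defined or uses `if-authenticated`, which grants PPP network authorization locally and never asks RADIUS, so a returned `ip:inacl#` Cisco-AVpair has nothing to attach to. The fixed fragment assumes an `aaa authorization network NPS group radius` line alongside the answer's named lists, which the answer does not show; the config and `debug radius` excerpts are constructed from the question's text.

```python
import re

# Constructed excerpt of the question's running-config: only the AAA and
# Virtual-Template lines that decide whether RADIUS authorization happens.
ORIGINAL_CONFIG = """\
aaa authentication ppp default group radius
aaa authorization network default if-authenticated
interface Virtual-Template1
 ppp authentication ms-chap-v2
 ppp authorization X-AUTH
"""

# Constructed fixed fragment: named lists as in the accepted answer, plus the
# 'aaa authorization network NPS group radius' line the answer does not show.
FIXED_CONFIG = """\
aaa authentication ppp NPS group radius
aaa authorization network NPS group radius
interface Virtual-Template1
 ppp authentication ms-chap-v2 NPS
 ppp authorization NPS
"""

# Constructed lines in the format of the 'debug radius' output in the question.
DEBUG_RADIUS = """\
Dec 25 01:06:46.984: RADIUS:  Vendor, Cisco       [26]  36
Dec 25 01:06:46.988: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#500=deny ip any any"
"""

AAA_RE = re.compile(r"^aaa authorization network (\S+) (.+)$")
PPP_RE = re.compile(r"^\s+ppp authorization (\S+)$")
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')

def audit_ppp_authorization(config):
    """Return findings explaining why a RADIUS ip:inacl# av-pair would be
    ignored for PPP sessions under this config (empty list = looks fine)."""
    lists = {}   # aaa authorization network list name -> method string
    refs = []    # lists referenced by 'ppp authorization' on templates
    for line in config.splitlines():
        if m := AAA_RE.match(line):
            lists[m.group(1)] = m.group(2).strip()
        elif m := PPP_RE.match(line):
            refs.append(m.group(1))
    findings = []
    for name in refs or ["default"]:  # no ppp authorization -> default list
        methods = lists.get(name)
        if methods is None:
            findings.append(f"list '{name}' is referenced but never defined")
        elif "group radius" not in methods:
            findings.append(f"list '{name}' uses '{methods}', which never "
                            f"queries RADIUS, so the av-pair ACL is dropped")
    return findings

def received_avpairs(debug_output):
    """Extract Cisco-AVpair values seen in 'debug radius' output."""
    return AVPAIR_RE.findall(debug_output)
```

Running `received_avpairs` over the real debug output confirms the ACL reached the router, so an empty `audit_ppp_authorization` result is what separates "NPS sends it" from "IOS applies it".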

Valentin, 2014-12-25
@vvpoloskin

There is no reason to dislike that line; you can treat it as a warning, or (if, of course, you figure out what it means on your RADIUS server) you can add it via radius-server attribute.
If I were you, I would try running the RADIUS server in debug mode (I don't know how on yours; I use FreeRADIUS myself), disable all accounting functionality for now, and look at which attributes are sent and what their values are.
