[c-nsp] VPDN and Radius Problem
M.Palis
security at cytanet.com.cy
Tue Nov 23 06:50:53 EST 2004
Here is my LNS configuration. I did not find any specific configuration
setting for stripping the domain. It just strips the domain and replaces it with
spaces.
LNS Configuration (Cisco 7200)
IOS c7200-jk8s-mz.122-8.T.bin
aaa authentication login default local group radius enable
aaa authentication login admin local line
aaa authentication ppp default local group radius
aaa authorization exec default local group radius if-authenticated
aaa authorization network default group radius
aaa authorization reverse-access default local
aaa accounting update newinfo
aaa accounting network default start-stop group radius
vpdn enable
vpdn source-ip x.x.x.x
vpdn search-order domain
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname testvpn
 local name isp
interface Virtual-Template3
 ip unnumbered Loopback1
 no logging event link-status
 no peer default ip address
 ppp authentication ms-chap chap pap
radius-server host x.x.x.x
radius-server host x.x.x.x
radius-server retransmit 3
radius-server directed-request
radius-server optional-passwords
radius-server key 7 x.x.x.x.x
radius-server vsa send accounting
radius-server vsa send authentication
Some debugs from LNS
Nov 23 11:20:45 EET: Vi41 PAP: I AUTH-REQ id 214 len 22 from "test1 at vpn"
.Nov 23 11:20:45 EET: Vi41 PAP: Ignoring Additional Request
.Nov 23 11:20:47 EET: RADIUS: Retransmit to (195.14.133.152:1812,1813) for id 87
.Nov 23 11:20:47 EET: RADIUS: authenticator BC A3 E7 F5 B8 85 C9 FA - 34 74 40 86 5A 10 5E 01
.Nov 23 11:20:47 EET: RADIUS: Framed-Protocol [7] 6 PPP [1]
.Nov 23 11:20:47 EET: RADIUS: User-Name [1] 11 "test1 "
.Nov 23 11:20:47 EET: RADIUS: User-Password [2] 18 *
.Nov 23 11:20:47 EET: RADIUS: NAS-Port [5] 6 41
.Nov 23 11:20:47 EET: RADIUS: Vendor, Cisco [26] 34
.Nov 23 11:20:47 EET: RADIUS: Cisco AVpair [1] 28 "interface=Virtual-Access41"
.Nov 23 11:20:47 EET: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Thanks for your response.
----- Original Message -----
From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
To: "M.Palis" <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
Sent: Tuesday, November 23, 2004 11:25 AM
Subject: RE: [c-nsp] VPDN and Radius Problem
> I am trying to configure VPDN connections but I am facing some
> problems with radius I think... I dial using the format test1 at vpn.
> The LAC establishes connection with the LNS, the LNS removes the @vpn
> and replaces the @vpn with spaces and sends the user name to the
> Radius, as shown below from debug.
>
>.Nov 23 10:59:45 EET: RADIUS: User-Name [1] 11 "test1 "
>
> Problem is that I am getting authentication failure because radius
> does not recognise the username followed by spaces. Is there a way or
> a command to eliminate the spaces? In case I dial without the @vpn
> (e.g. via windows vpn client) authentication is OK.
Can you send the config and "show version" of the LNS? Just want to
check how you configured your LNS to strip the domain (by default it
doesn't strip it). This doesn't sound right, we shouldn't replace the
domain with spaces when we strip the domain.
oli
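
An added example, not part of the original thread: a small Python check that reads a User-Name line from "debug radius" output and uses the attribute length to show how many padding bytes follow the name, and whether that padding is exactly as long as the removed "@domain". The function name analyze_user_name and the sample lines are constructed for illustration, modelled on the debug lines posted above; the only protocol fact relied on is that the RADIUS attribute Length counts its own two header octets (RFC 2865).

```python
import re

# One attribute line of Cisco "debug radius" output: name, [type], length, "value".
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)\s+"(?P<value>[^"]*)"'
)

def analyze_user_name(line, dialed=None):
    """Return padding details for a User-Name debug line, or None for other lines."""
    m = ATTR_RE.search(line)
    if m is None or m.group("type") != "1":      # attribute type 1 = User-Name
        return None
    # RFC 2865: Length includes the Type and Length octets, so the value
    # sent on the wire is (length - 2) bytes long.
    value_len = int(m.group("len")) - 2
    name = m.group("value").rstrip(" ")
    # Trust the length field, not the printed spaces: mail archives and
    # terminals often collapse runs of whitespace.
    pad = value_len - len(name.encode())
    report = {"name": name, "value_len": value_len, "pad_bytes": pad}
    if dialed is not None:
        local = dialed.partition("@")[0]
        # True when the padding is exactly as long as the removed "@domain".
        report["pad_replaces_domain"] = (
            local == name and pad > 0 and value_len == len(dialed.encode())
        )
    return report

# Constructed sample lines (not captured from a device).
SAMPLES = [
    '.Nov 23 11:20:47 EET: RADIUS:  User-Name  [1]  11  "test1    "',  # padded
    '.Nov 23 11:20:47 EET: RADIUS: User-Name [1] 11 "test1 "',          # spaces collapsed
    '.Nov 23 11:20:47 EET: RADIUS: User-Name [1] 7 "test1"',            # clean name
    '.Nov 23 11:20:47 EET: RADIUS: NAS-Port [5] 6 41',                  # other attribute
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze_user_name(sample, dialed="test1@vpn"))
```

For the length 11 shown in the thread's debug, the value is 9 bytes, the same length as the dialed name test1@vpn, so the RADIUS server is being asked to match "test1" followed by four spaces.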