[c-nsp] VPDN and Radius Problem

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Nov 23 07:10:37 EST 2004


Hi,

this is not the complete config (you can send it to me unicast, please
don't "sanitize" it), but from what I see, "radius-server
directed-request" might be causing this. This command is used for the
domain stripping hack
(http://www.cisco.com/warp/public/480/domain_stripping_hack.shtml). I
wouldn't use it..

Is there a specific reason why you enabled local authentication for PPP?
  aaa authentication ppp default local group radius
this doesn't match with network authorization, which doesn't include
local:
  aaa authorization network default group radius
Can you change this to use only Radius for authen/authorization?

If everything else fails, please collect a complete trace of the failing
call..

 debug vpdn l2x-ev
 debug vpdn l2x-pack
 debug ppp neg
 debug aaa authen
 debug aaa author
 debug radius authen

Tx,
	oli

M.Palis <mailto:security at cytanet.com.cy> wrote on Tuesday, November 23,
2004 12:51 PM:

> Here is my LNS configuration. I did not find any specific configuration
> setting for stripping domain. It just strips the domain and replaces
> it with spaces..
> 
> LNS Configuration (Cisco 7200)
> IOS c7200-jk8s-mz.122-8.T.bin
> 
> aaa authentication login default local group radius enable
> aaa authentication login admin local line
> aaa authentication ppp default local group radius
> aaa authorization exec default local group radius if-authenticated
> aaa authorization network default group radius
> aaa authorization reverse-access default local
> aaa accounting update newinfo
> aaa accounting network default start-stop group radius
> 
> vpdn enable
> vpdn source-ip x.x.x.x
> vpdn search-order domain
> !
> vpdn-group 2
>  accept-dialin
>   protocol l2tp
>   virtual-template 3
>  terminate-from hostname testvpn
>  local name isp
> 
> interface Virtual-Template3
>  ip unnumbered Loopback1
>  no logging event link-status
>  no peer default ip address
>  ppp authentication ms-chap chap pap
> 
> radius-server host x.x.x.x
> radius-server host x.x.x.x
> radius-server retransmit 3
> radius-server directed-request
> radius-server optional-passwords
> radius-server key 7 x.x.x.x.x
> radius-server vsa send accounting
> radius-server vsa send authentication
> 
> Some debugs from LNS
> 
> Nov 23 11:20:45 EET: Vi41 PAP: I AUTH-REQ id 214 len 22 from "test1 at vpn"
> .Nov 23 11:20:45 EET: Vi41 PAP: Ignoring Additional Request
> .Nov 23 11:20:47 EET: RADIUS: Retransmit to (195.14.133.152:1812,1813) for id 87
> .Nov 23 11:20:47 EET: RADIUS: authenticator BC A3 E7 F5 B8 85 C9 FA - 34 74 40 86 5A 10 5E 01
> .Nov 23 11:20:47 EET: RADIUS: Framed-Protocol [7] 6 PPP [1]
> .Nov 23 11:20:47 EET: RADIUS: User-Name [1] 11 "test1 "
> .Nov 23 11:20:47 EET: RADIUS: User-Password [2] 18 *
> .Nov 23 11:20:47 EET: RADIUS: NAS-Port [5] 6 41
> .Nov 23 11:20:47 EET: RADIUS: Vendor, Cisco [26] 34
> .Nov 23 11:20:47 EET: RADIUS: Cisco AVpair [1] 28 "interface=Virtual-Access41"
> .Nov 23 11:20:47 EET: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> 
> 
> Thanks for your response.
> 
> ----- Original Message -----
> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> To: "M.Palis" <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
> Sent: Tuesday, November 23, 2004 11:25 AM
> Subject: RE: [c-nsp] VPDN and Radius Problem
> 
> 
> 
>> I am trying to configure VPDN connections but I am facing some
>> problems with radius I think... I dial using the format test1 at vpn.
>> The LAC establishes connection with the LNS, the LNS removes the @vpn
>> and replaces the @vpn with spaces and sends the user name to the
>> Radius, as shown below from debug.
>> 
>> .Nov 23 10:59:45 EET: RADIUS:  User-Name           [1]   11  "test1 "
>> 
>> Problem is that I am getting authentication failure because radius
>> does not recognise the username followed by spaces. Is there a way or
>> a command to eliminate the spaces? In case I dial without the @vpn
>> (e.g. via windows vpn client) authentication is OK
> 
> Can you send the config and "show version" of the LNS? Just want to
> check how you configured your LNS to strip the domain (by default it
> doesn't strip it). This doesn't sound right, we shouldn't replace the
> domain with spaces when we strip the domain..
> 
> oli
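An added example, not part of this thread and not IOS code: the debug above shows `User-Name [1] 11`, and in RADIUS the attribute length includes its two-byte header, so the value is 9 bytes, the same length as `test1@vpn`. That is consistent with the domain being overwritten in place with spaces rather than removed. The Python below decodes RADIUS attribute TLVs from constructed bytes that mirror the debug, contrasts a padding strip with a proper strip, and runs the check a RADIUS operator would want: flag any User-Name that carries trailing whitespace before the server tries to look it up. The `strip_domain_in_place` model of the symptom and the sample attribute bytes are assumptions made for illustration.

```python
"""Decode RADIUS attributes and detect space-padded User-Name values.

Added example (hypothetical helpers, constructed data). Attribute layout per
RFC 2865: 1-byte type, 1-byte length (header included), then the value.
"""
import struct

USER_NAME = 1        # RFC 2865 attribute type codes used below
NAS_PORT = 5
FRAMED_PROTOCOL = 7


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one TLV; the length field counts the 2 header bytes too."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list, validating every length field."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def strip_domain_in_place(username: str, domain: str) -> str:
    """Model of the symptom in the thread (assumption, not IOS logic):
    the '@domain' suffix is overwritten with spaces, so the attribute
    keeps its original length and the server sees a padded name."""
    suffix = "@" + domain
    if username.endswith(suffix):
        return username[:-len(suffix)] + " " * len(suffix)
    return username


def strip_domain(username: str, domain: str) -> str:
    """What the LNS should send: the name with the domain removed."""
    suffix = "@" + domain
    if username.endswith(suffix):
        return username[:-len(suffix)]
    return username


def build_attrs(username: str) -> bytes:
    """Constructed attribute list mirroring the debug (Framed-Protocol=PPP,
    User-Name, NAS-Port=41); User-Password is omitted since the debug
    hides it anyway."""
    return (
        encode_attribute(FRAMED_PROTOCOL, struct.pack("!I", 1))
        + encode_attribute(USER_NAME, username.encode())
        + encode_attribute(NAS_PORT, struct.pack("!I", 41))
    )


def user_name_wire_length(data: bytes) -> int:
    """Total on-wire length of the User-Name attribute, as IOS prints it."""
    for atype, value in parse_attributes(data):
        if atype == USER_NAME:
            return len(value) + 2
    raise ValueError("no User-Name attribute")


def user_name_problems(data: bytes) -> list:
    """Defender's check: a User-Name with leading or trailing whitespace
    will never match a real account, so report it before the lookup."""
    problems = []
    for atype, value in parse_attributes(data):
        if atype != USER_NAME:
            continue
        name = value.decode("utf-8", errors="replace")
        if name != name.strip():
            problems.append(f"User-Name {name!r} has surrounding whitespace")
        if not name.strip():
            problems.append("User-Name is empty after stripping")
    return problems


if __name__ == "__main__":
    for label, name in (("padded", strip_domain_in_place("test1@vpn", "vpn")),
                        ("stripped", strip_domain("test1@vpn", "vpn"))):
        pkt = build_attrs(name)
        print(f"{label:8} User-Name [1] {user_name_wire_length(pkt)} "
              f"{name!r} -> {user_name_problems(pkt) or 'ok'}")
```

Running it prints a wire length of 11 for the padded name, matching the `User-Name [1] 11` line in the debug, and 7 for the properly stripped `test1`; only the padded request is flagged. The same `user_name_problems` check can be pointed at attributes decoded from a packet capture on the RADIUS server side to confirm whether padding, rather than a wrong password, is behind an Access-Reject.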