[c-nsp] VPDN and Radius Problem

M.Palis security at cytanet.com.cy
Wed Nov 24 01:04:31 EST 2004


Oliver, it seems that it is working now. radius-server directed-request is
needed in order to strip the domain. In case I remove this command, the domain
is not stripped and I have to create a username in the form test@domain. The
problem was with the user authentication type on RADIUS. We had Auth-Type :=
MS-CHAP, and as soon as we changed it to Local it did work.

Is there any other way to strip off the domain without using radius-server
directed-request?

Best regards and thanks for the info you provided.

----- Original Message ----- 
From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
To: "M.Palis" <security at cytanet.com.cy>
Cc: <cisco-nsp at puck.nether.net>
Sent: Tuesday, November 23, 2004 2:10 PM
Subject: RE: [c-nsp] VPDN and Radius Problem


Hi,

this is not the complete config (you can send it to me unicast, please
don't "sanitize" it), but from what I see, "radius-server " might be
causing this. This command is used for the domain stripping hack
(http://www.cisco.com/warp/public/480/domain_stripping_hack.shtml). I
wouldn't use it..

Is there a specific reason why you enabled local authentication for PPP?
  aaa authentication ppp default local group radius
This doesn't match the network authorization, which doesn't include
local:
  aaa authorization network default group radius
Can you change this to use only RADIUS for authen/authorization?

If everything else fails, please collect a complete trace of the failing
call..

 debug vpdn l2x-ev
 debug vpdn l2x-pack
 debug ppp neg
 debug aaa authen
 debug aaa author
 debug radius authen

Tx,
oli

M.Palis <mailto:security at cytanet.com.cy> wrote on Tuesday, November 23,
2004 12:51 PM:

> Here is my LNS configuration. I did not find any specific configuration
> setting for stripping the domain. It just strips the domain and replaces
> it with spaces..
>
> LNS Configuration (Cisco 7200)
> IOS c7200-jk8s-mz.122-8.T.bin
>
> aaa authentication login default local group radius enable
> aaa authentication login admin local line
> aaa authentication ppp default local group radius
> aaa authorization exec default local group radius if-authenticated
> aaa authorization network default group radius
> aaa authorization reverse-access default local
> aaa accounting update newinfo
> aaa accounting network default start-stop group radius
> !
> vpdn enable
> vpdn source-ip x.x.x.x
> vpdn search-order domain
> !
> vpdn-group 2
>  accept-dialin
>   protocol l2tp
>   virtual-template 3
>  terminate-from hostname testvpn
>  local name isp
> !
> interface Virtual-Template3
>  ip unnumbered Loopback1
>  no logging event link-status
>  no peer default ip address
>  ppp authentication ms-chap chap pap
> !
> radius-server host x.x.x.x
> radius-server host x.x.x.x
> radius-server retransmit 3
> radius-server directed-request
> radius-server optional-passwords
> radius-server key 7 x.x.x.x.x
> radius-server vsa send accounting
> radius-server vsa send authentication
>
>
> Some debugs from LNS
>
> Nov 23 11:20:45 EET: Vi41 PAP: I AUTH-REQ id 214 len 22 from "test1@vpn"
> .Nov 23 11:20:45 EET: Vi41 PAP: Ignoring Additional Request
> .Nov 23 11:20:47 EET: RADIUS: Retransmit to (195.14.133.152:1812,1813) for id 87
> .Nov 23 11:20:47 EET: RADIUS: authenticator BC A3 E7 F5 B8 85 C9 FA - 34 74 40 86 5A 10 5E 01
> .Nov 23 11:20:47 EET: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
> .Nov 23 11:20:47 EET: RADIUS:  User-Name           [1]   11  "test1 "
> .Nov 23 11:20:47 EET: RADIUS:  User-Password       [2]   18  *
> .Nov 23 11:20:47 EET: RADIUS:  NAS-Port            [5]   6   41
> .Nov 23 11:20:47 EET: RADIUS:  Vendor, Cisco       [26]  34
> .Nov 23 11:20:47 EET: RADIUS:   Cisco AVpair       [1]   28  "interface=Virtual-Access41"
> .Nov 23 11:20:47 EET: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
>
>
> Thanks for your response.
>
> ----- Original Message -----
> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> To: "M.Palis" <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
> Sent: Tuesday, November 23, 2004 11:25 AM
> Subject: RE: [c-nsp] VPDN and Radius Problem
>
>
>
>> I am trying to configure VPDN connections but I am facing some
>> problems with radius I think... I dial using the format test1@vpn.
>> The LAC establishes connection with the LNS, the LNS removes the @vpn
>> and replaces the @vpn with spaces and sends the user name to the
>> Radius, as shown below from debug.
>>
>> .Nov 23 10:59:45 EET: RADIUS:  User-Name           [1]   11  "test1 "
>>
>> Problem is that I am getting authentication failure because radius
>> does not recognise the username followed by spaces. Is there a way or
>> a command to eliminate the spaces? In case I dial without the @vpn
>> (e.g. via windows vpn client) authentication is OK
>
> Can you send the config and "show version" of the LNS? Just want to
> check how you configured your LNS to strip the domain (by default it
> doesn't strip it). This doesn't sound right, we shouldn't replace the
> domain with spaces when we strip the domain..
>
> oli

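The padding the thread observes, worked through as an added example that is not part of any message above and not Cisco or RADIUS-server code: a minimal RFC 2865 Access-Request encoder and decoder in Python. The shared secret, the password and the user table are constructed for the example; the request authenticator is the one printed in the quoted debug. In a RADIUS attribute the length field counts the two header bytes, so "User-Name [1] 11" means a 9-byte value, the same length as "test1@vpn". The example builds that attribute both ways (domain overwritten with spaces, as the LNS in the thread does, and domain actually stripped) and runs a server-side exact-match lookup against it; the helper names overwrite_domain, strip_domain and authenticate are the example's own.

```python
import hashlib
import struct

# Constructed values for the example; the real secret is redacted (x.x.x.x) in the post.
SECRET = b"example-secret"
# Request authenticator as printed in the quoted "debug radius" output.
AUTHENTICATOR = bytes.fromhex("BCA3E7F5B885C9FA347440865A105E01")

CODE_ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_PORT, FRAMED_PROTOCOL = 1, 2, 5, 7
FRAMED_PROTOCOL_PPP = 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (value + 2 header bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, ident: int = 87) -> bytes:
    attrs = (tlv(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
             + tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, SECRET, AUTHENTICATOR))
             + tlv(NAS_PORT, struct.pack("!I", 41)))
    # 20-byte header: code, identifier, length, 16-byte authenticator.
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + AUTHENTICATOR + attrs


def parse_attributes(packet: bytes) -> dict:
    """Decode as a RADIUS server would: {type: (length_field, value)}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = (l, packet[pos + 2:pos + l])
        pos += l
    return attrs


def overwrite_domain(username: bytes) -> bytes:
    """What the thread's LNS does: keep the length, blank the domain with spaces."""
    at = username.find(b"@")
    return username if at < 0 else username[:at] + b" " * (len(username) - at)


def strip_domain(username: bytes) -> bytes:
    """Real domain stripping: drop '@' and everything after it."""
    return username.split(b"@", 1)[0]


USERS = {b"test1": b"s3cret"}   # constructed user database on the RADIUS side


def authenticate(packet: bytes) -> bool:
    """Exact-match lookup: trailing spaces are part of the key and do not match 'test1'."""
    attrs = parse_attributes(packet)
    name = attrs[USER_NAME][1]
    password = reveal_password(attrs[USER_PASSWORD][1], SECRET, AUTHENTICATOR)
    return USERS.get(name) == password


def demo() -> dict:
    padded = build_access_request(overwrite_domain(b"test1@vpn"), b"s3cret")
    stripped = build_access_request(strip_domain(b"test1@vpn"), b"s3cret")
    return {
        "padded_name": parse_attributes(padded)[USER_NAME],      # (11, b'test1    ')
        "padded_ok": authenticate(padded),                       # False
        "stripped_name": parse_attributes(stripped)[USER_NAME],  # (7, b'test1')
        "stripped_ok": authenticate(stripped),                   # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The User-Password attribute comes out with length field 18 (one 16-byte hidden block), matching the "[2] 18" in the debug, and the padded User-Name reproduces the "[1] 11" the LNS sent; only the stripped form matches the user entry.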

