[c-nsp] VPDN and Radius Problem

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Nov 24 02:07:02 EST 2004


> Oliver it seems that it is working now. radius-server
> directed-request is needed in order to strip the Domain. In case I
> remove this command,
> domain is not stripped and I have to create a username in the form
> test at domain. The problem was with user authentication type on radius.
> We had Auth-Type
> := MS-CHAP, and as soon as we changed it to Local it did work.
> 
> Is there any other way to strip off the domain without using
> radius-server directed-request ?

Well, you seem to have two options: 

a) Use the domain-stripping hack with "radius-server directed-request",
but upgrade to a later 12.2T or 12.3 image to get the fix Dennis was
mentioning (CSCdx40593)

b) use the "radius-server domain-stripping" command in 12.2(13)T or
later

	oli

> ----- Original Message -----
> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> To: "M.Palis" <security at cytanet.com.cy>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Tuesday, November 23, 2004 2:10 PM
> Subject: RE: [c-nsp] VPDN and Radius Problem
> 
> 
> Hi,
> 
> this is not the complete config (you can send it to me unicast, please
> don't "sanitize" it), but from what I see, "radius-server
> " might be causing this. This command is used for the
> domain stripping hack
> (http://www.cisco.com/warp/public/480/domain_stripping_hack.shtml). I
> wouldn't use it..
> 
> Is there a specific reason why you enabled local authentication for
>   PPP? aaa authentication ppp default local group radius
> this doesn't match with network authorization, which doesn't include
> local:
>   aaa authorization network default group radius
> Can you change this to use only Radius for authen/authorization?
> 
> If everything else fails, please collect a complete trace of the
> failing call..
> 
>  debug vpdn l2x-ev
>  debug vpdn l2x-pack
>  debug ppp neg
>  debug aaa authen
>  debug aaa author
>  debug radius authen
> 
> Tx,
> oli
> 
> M.Palis <mailto:security at cytanet.com.cy> wrote on Tuesday, November
> 23, 2004 12:51 PM:
> 
>> Here is my LNS configuration. I did not find any specific
>> configuration setting for stripping domain. It just strips the
>> domain and replaces it with spaces..
>> 
>> LNS Configuration (Cisco 7200)
>> IOS c7200-jk8s-mz.122-8.T.bin
>> aaa authentication login default local group radius enable
>> 
>> aaa authentication login admin local line
>> 
>> aaa authentication ppp default local group radius
>> 
>> aaa authorization exec default local group radius if-authenticated
>> 
>> aaa authorization network default group radius
>> 
>> aaa authorization reverse-access default local
>> 
>> aaa accounting update newinfo
>> 
>> aaa accounting network default start-stop group radius
>> 
>> 
>> 
>> vpdn enable
>> 
>> vpdn source-ip x.x.x.x
>> 
>> vpdn search-order domain
>> 
>> !
>> 
>> vpdn-group 2
>> 
>> accept-dialin
>> 
>> protocol l2tp
>> 
>> virtual-template 3
>> 
>> terminate-from hostname testvpn
>> 
>> local name isp
>> 
>> interface Virtual-Template3
>> 
>> ip unnumbered Loopback1
>> 
>> no logging event link-status
>> 
>> no peer default ip address
>> 
>> ppp authentication ms-chap chap pap
>> 
>> radius-server host x.x.x.x
>> 
>> radius-server host x.x.x.x
>> 
>> radius-server retransmit 3
>> 
>> radius-server directed-request
>> 
>> radius-server optional-passwords
>> 
>> radius-server key 7 x.x.x.x.x
>> 
>> radius-server vsa send accounting
>> 
>> radius-server vsa send authentication
>> 
>> Some debugs from LNS
>> 
>> Nov 23 11:20:45 EET: Vi41 PAP: I AUTH-REQ id 214 len 22 from
>> "test1 at vpn" 
>> 
>> .Nov 23 11:20:45 EET: Vi41 PAP: Ignoring Additional Request
>> 
>> .Nov 23 11:20:47 EET: RADIUS: Retransmit to
>> (195.14.133.152:1812,1813) for
>> id 87
>> 
>> .Nov 23 11:20:47 EET: RADIUS: authenticator BC A3 E7 F5 B8 85 C9 FA
>> - 34 74 40 86 5A 10 5E 01 
>> 
>> .Nov 23 11:20:47 EET: RADIUS: Framed-Protocol [7] 6 PPP [1]
>> 
>> .Nov 23 11:20:47 EET: RADIUS: User-Name [1] 11 "test1 "
>> 
>> .Nov 23 11:20:47 EET: RADIUS: User-Password [2] 18 *
>> 
>> .Nov 23 11:20:47 EET: RADIUS: NAS-Port [5] 6 41
>> 
>> .Nov 23 11:20:47 EET: RADIUS: Vendor, Cisco [26] 34
>> 
>> .Nov 23 11:20:47 EET: RADIUS: Cisco AVpair [1] 28
>> "interface=Virtual-Access41"
>> 
>> .Nov 23 11:20:47 EET: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>> 
>> 
>> Thanks for your response.
>> 
>> ----- Original Message -----
>> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
>> To: "M.Palis" <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
>> Sent: Tuesday, November 23, 2004 11:25 AM
>> Subject: RE: [c-nsp] VPDN and Radius Problem
>> 
>> 
>> 
>>> I am trying to configure VPDN connections but I am facing some
>>> problems with radius I think... I dial using the format test1 at vpn.
>>> The LAC establishes connection with the LNS, the LNS removes the
>>> @vpn and replaces the @vpn with spaces and sends the user name to
>>> the Radius. as shown below from debug.
>>> 
>>> .Nov 23 10:59:45 EET: RADIUS:  User-Name           [1]   11  "test1
>>> " 
>>> 
>>> Problem is that I am getting authentication failure because radius
>>> does not recognise the username followed by spaces. Is their a way
>>> or a command to eliminate the spaces? In case I dial with out the
>>> @vpn (e.g via windows vpn client) authentication is OK
>> 
>> Can you send the config and "show version" of the LNS? Just want to
>> check how you configured your LNS to strip the domain (by default it
>> doesn't strip it). This doesn't sound right, we shouldn't replace the
>> domain with spaces when we strip the domain..
>> 
>> oli
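The debug output in this thread carries the diagnostic clue: `User-Name [1] 11 "test1    "` declares a length of 11, which is exactly what `test1@vpn` encodes to, so the LNS overwrote the domain with spaces in place instead of removing it. The following is an added example, not code from the thread or from Cisco, that encodes and parses the RADIUS User-Name attribute (RFC 2865 type/length/value), models correct stripping next to the in-place overwrite, and checks a `debug radius` line for this padding; the debug line is a constructed copy of the one quoted above with the trailing spaces restored.

```python
import re

USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865)


def encode_user_name(name: str) -> bytes:
    """Encode a User-Name attribute as type, length, value; length includes the 2-byte header."""
    value = name.encode()
    return bytes([USER_NAME, 2 + len(value)]) + value


def parse_user_name(attr: bytes) -> tuple[int, int, str]:
    """Return (type, declared length, value) of one attribute, validating the length field."""
    atype, alen = attr[0], attr[1]
    if alen < 3 or alen != len(attr):
        raise ValueError("attribute length field does not match the data")
    return atype, alen, attr[2:alen].decode()


def strip_domain(name: str) -> str:
    """Correct domain stripping: drop the '@' and everything after it, no padding."""
    return name.split("@", 1)[0]


def buggy_strip_domain(name: str) -> str:
    """Model of the misbehaviour seen in the thread: the domain is overwritten in place
    with spaces, so the username keeps its original length ('test1@vpn' -> 'test1    ')."""
    at = name.find("@")
    return name if at < 0 else name[:at] + " " * (len(name) - at)


# Constructed copy of the quoted debug line; the page collapsed the trailing spaces,
# and four of them are needed for the declared length 11 (2 header + 9 value bytes).
DEBUG_LINE = '.Nov 23 10:59:45 EET: RADIUS:  User-Name           [1]   11  "test1    "'


def diagnose(line: str) -> dict:
    """Pull the User-Name attribute out of a 'debug radius' line and flag padding.
    A padded value whose declared length still matches the data means the domain
    was overwritten rather than removed, which the RADIUS server will reject."""
    m = re.search(r'User-Name\s+\[1\]\s+(\d+)\s+"([^"]*)"', line)
    if not m:
        raise ValueError("no User-Name attribute in line")
    declared, value = int(m.group(1)), m.group(2)
    return {
        "value": value,
        "declared_len": declared,
        "len_consistent": declared == 2 + len(value),
        "padded": value != value.rstrip(" "),
    }
```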
