[c-nsp] Cisco Client VPN and Downloadable Access List

Satyam Mathura satz.sm at gmail.com
Fri Dec 4 00:48:57 EST 2009


Guys,
I currently have FreeRADIUS working with a MySQL back-end to authenticate
VPN users on my 2811 Cisco router. I have been trying to get the
downloadable access list feature working but am hitting a brick wall. If I
enable cisco-avpair:=ipsec:inacl=185 I can see the RADIUS server responding
with the access-list, but it does not get applied on the connecting VPN
client, which is then unable to successfully connect.
My router config and RADIUS debug are below. Your help is greatly
appreciated.

Router Config:
aaa authentication login default group radius local
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test
 dns 200.12.240.9
 domain greendottt.net
 pool ippool
!
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto dynamic-map VPNClientMap 1
 set transform-set MD5_3DES
 reverse-route
!
!
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
crypto map Remoteusers client configuration address respond
crypto map Remoteusers 10 ipsec-isakmp dynamic VPNClientMap
!
!
!
!
interface FastEthernet0/0
 description External
 ip address 192.168.74.46 255.255.255.0
 duplex auto
 speed auto
 crypto map Remoteusers

radius-server host 192.168.74.45 auth-port 1812 acct-port 1813 key cisco

access-list 185 permit ip any any


Router debug:
*Feb 28 23:00:35.791: AAA/BIND(0000006B): Bind i/f
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:36.103: AAA/BIND(0000006C): Bind i/f
RouterB#
*Feb 28 23:00:39.147: RADIUS/ENCODE(0000006C):Orig. component type = VPN_IPSEC
*Feb 28 23:00:39.151: RADIUS:  AAA Unsupported Attr: interface         [157] 13
*Feb 28 23:00:39.155: RADIUS:   31 39 32 2E 31 36 38 2E 37 34 2E                 [192.168.74.]
*Feb 28 23:00:39.155: RADIUS/ENCODE(0000006C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 28 23:00:39.159: RADIUS(0000006C): Config NAS IP: 0.0.0.0
*Feb 28 23:00:39.163: RADIUS/ENCODE(0000006C): acct_session_id: 108
*Feb 28 23:00:39.163: RADIUS(0000006C): sending
*Feb 28 23:00:39.171: RADIUS/ENCODE: Best Local IP-Address 192.168.74.46 for Radius-Server 192.168.74.45
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS:  authenticator 39 23 30 9E 12 B5 1A 85 - E8 FF 5E 4D 13 99 6C 73
*Feb 28 23:00:39.183: RADIUS:  User-Name           [1]   10  "smathura"
RouterB#
*Feb 28 23:00:39.187: RADIUS:  User-Password       [2]   18  *
*Feb 28 23:00:39.187: RADIUS:  Calling-Station-Id  [31]  15  "192.168.74.43"
*Feb 28 23:00:39.191: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Feb 28 23:00:39.195: RADIUS:  NAS-Port            [5]   6   0
*Feb 28 23:00:39.195: RADIUS:  NAS-Port-Id         [87]  15  "192.168.74.46"
*Feb 28 23:00:39.199: RADIUS:  NAS-IP-Address      [4]   6   192.168.74.46
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS:  authenticator 28 AB B2 01 8C 17 3C E2 - AD 2C 98 DD 91 0D CF 6D
*Feb 28 23:00:39.387: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
*Feb 28 23:00:39.391: RADIUS:  Vendor, Cisco       [26]  23
*Feb 28 23:00:39.391: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=185"
*Feb 28 23:00:39.399: RADIUS(0000006C): Received from id 1645/56


FreeRadius Response:

Sending Access-Accept of id 56 to 192.168.74.46 port 1645
        Service-Type := NAS-Prompt-User
        Cisco-AVPair := "ipsec:inacl=185"
Finished request 15.
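The post shows two things side by side that are worth checking mechanically when a RADIUS-pushed ACL never lands on the client: what the Access-Accept actually carried, and which AAA method list the router picked at the authorization step and whether that list contains a `radius` method at all. The script below is an added example, not code from the original post, from FreeRADIUS or from Cisco IOS. It parses constructed excerpts modelled on the config and debug above (the sample text, the regular expressions and the function names are all assumptions) and reports when the `ipsec:inacl` AV pair is absent from the accept, when it names an ACL that is not defined on the router, and when the picked network authorization list has no `radius` method, meaning that step did not query the RADIUS server.

```python
import re

# Constructed sample config excerpt, modelled on the post (not the real router).
SAMPLE_CONFIG = """\
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
access-list 185 permit ip any any
"""

# Constructed sample debug excerpt, modelled on the post's 'debug radius' output.
SAMPLE_DEBUG = """\
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
*Feb 28 23:00:39.391: RADIUS:  Vendor, Cisco       [26]  23
*Feb 28 23:00:39.391: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=185"
"""

# Assumed line shapes; adjust if your IOS release formats them differently.
METHOD_LIST_RE = re.compile(r"^aaa authorization (\w+) (\S+) (.+)$", re.M)
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')
PICK_RE = re.compile(r"AAA/AUTHOR .*Pick method list '([^']+)'")
ACL_RE = re.compile(r"^access-list (\d+) ", re.M)


def parse_method_lists(config):
    """Map (authorization type, list name) -> ordered methods, e.g. ['radius', 'local']."""
    lists = {}
    for kind, name, methods in METHOD_LIST_RE.findall(config):
        # 'group radius' -> 'radius'; keep the order the router tries them in
        lists[(kind, name)] = [t for t in methods.split() if t != "group"]
    return lists


def parse_avpairs(debug):
    """Return every Cisco AV pair string decoded from the debug output."""
    return AVPAIR_RE.findall(debug)


def parse_picked_lists(debug):
    """Return the method list names the AAA authorization step reported picking."""
    return PICK_RE.findall(debug)


def check_dacl(config, debug):
    """Cross-check the RADIUS reply against the router's AAA configuration.

    Returns a list of human-readable findings; an empty list means nothing
    obviously wrong was spotted in these excerpts.
    """
    findings = []
    if "Access-Accept" not in debug:
        findings.append("no Access-Accept seen in the debug excerpt")

    avpairs = parse_avpairs(debug)
    inacl = [p.split("=", 1)[1] for p in avpairs if p.startswith("ipsec:inacl=")]
    if not inacl:
        findings.append("no ipsec:inacl AV pair in the Access-Accept")

    defined_acls = set(ACL_RE.findall(config))
    for acl in inacl:
        if acl not in defined_acls:
            findings.append(f"ipsec:inacl names ACL {acl}, which is not defined on the router")

    lists = parse_method_lists(config)
    for name in parse_picked_lists(debug):
        methods = lists.get(("network", name))
        if methods is None:
            findings.append(f"network authorization list '{name}' was picked but is not defined")
        elif "radius" not in methods:
            findings.append(
                f"network authorization list '{name}' uses {methods}: "
                "this step does not query the RADIUS server"
            )
    return findings


if __name__ == "__main__":
    for line in check_dacl(SAMPLE_CONFIG, SAMPLE_DEBUG) or ["no findings"]:
        print(line)
```

Run it against a saved `show running-config` and a `debug radius` / `debug aaa authorization` capture instead of the constructed samples; the finding about the picked method list is the one to compare with the `crypto map ... isakmp authorization list` line in your own config.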

