[c-nsp] vti tunnel configuration via radius with inacl avpair
Thomas Braun
thomas.braun at flashstudy.de
Fri Jan 23 08:10:29 EST 2009
Hi Group,
I ran into a problem with a VTI tunnel interface.
I get the following error message when I try to install inacl or outacl via
cisco-avpairs:
%AAA-3-BADHDL: invalid hdl AAA ID 7, hdl 36000024, retire
I use the cisco-avpair example from the Cisco site:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1090640
I use FreeRADIUS for the authorization and I send the following string to
the Cisco router:
mysql> select * from radreply where username='tb';
+----+----------+--------------+----+----------------------------------------------+
| id | UserName | Attribute    | op | Value                                        |
+----+----------+--------------+----+----------------------------------------------+
| 45 | tb       | Cisco-AVPair | += | ip:outacl#101=permit tcp any any established |
+----+----------+--------------+----+----------------------------------------------+
1 row in set (0.00 sec)
I get the same error message with the following entry:
ip:sub-policy-Out#4=pppoemap
When I remove the two AVPairs I don't get the error message.
I tried different IOS versions to test this feature, from 12.4T9 to
12.4T22, and I use a Cisco 2821 to test it.
Maybe someone has seen the same problem and has a workaround.
Here is the debug output:
*Jan 23 13:43:52.211: AAA/BIND(00000011): Bind i/f
*Jan 23 13:43:52.243: AAA/AUTHOR (0x11): Pick method list 'groupauthor'
*Jan 23 13:43:52.243: RADIUS/ENCODE(00000011):Orig. component type =
VPN_IPSEC
*Jan 23 13:43:52.243: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Jan 23 13:43:52.243: RADIUS/ENCODE(00000011): acct_session_id: 17
*Jan 23 13:43:52.243: RADIUS(00000011): sending
*Jan 23 13:43:52.243: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2
for Radiu
1*Jan 23 13:43:52.243: RADIUS(00000011): Send Access-Request to
55.55.55.1:1812
2*Jan 23 13:43:52.243: RADIUS: authenticator 5C 2F C9 41 D5 A6 A9 36 -
AC 62 98
8*Jan 23 13:43:52.243: RADIUS: User-Name [1] 6 "PHAT"
*Jan 23 13:43:52.243: RADIUS: User-Password [2] 18 *
*Jan 23 13:43:52.243: RADIUS: Calling-Station-Id [31] 12 "66.66.66.2"
*Jan 23 13:43:52.243: RADIUS: NAS-Port-Type [61] 6 Virtual
]*Jan 23 13:43:52.243: RADIUS: NAS-Port [5] 6 0
*Jan 23 13:43:52.243: RADIUS: NAS-Port-Id [87] 12 "66.66.66.1"
*Jan 23 13:43:52.243: RADIUS: Service-Type [6] 6 Outbound
]*Jan 23 13:43:52.243: RADIUS: NAS-IP-Address [4] 6 55.55.55.2
*Jan 23 13:43:52.247: RADIUS: Received from id 1645/19 55.55.55.1:1812,
Access-
6*Jan 23 13:43:52.247: RADIUS: authenticator 27 FF 7E 5E 89 30 19 72 -
5A 2B FD
1*Jan 23 13:43:52.247: RADIUS: Service-Type [6] 6 Outbound
]*Jan 23 13:43:52.247: RADIUS: Vendor, Cisco [26] 36
*Jan 23 13:43:52.247: RADIUS: Cisco AVpair [1] 30
"ipsec:addr-pool=P
"*Jan 23 13:43:52.247: RADIUS: Vendor, Cisco [26] 30
*Jan 23 13:43:52.247: RADIUS: Cisco AVpair [1] 24
"ipsec:key-exchang
"*Jan 23 13:43:52.247: RADIUS: Vendor, Cisco [26] 35
*Jan 23 13:43:52.247: RADIUS: Cisco AVpair [1] 29
"ipsec:tunnel-pass
"*Jan 23 13:43:52.247: RADIUS: Vendor, Cisco [26] 29
*Jan 23 13:43:52.247: RADIUS: Cisco AVpair [1] 23
"ipsec:tunnel-type
"*Jan 23 13:43:52.247: RADIUS(00000011): Received from id 1645/19
*Jan 23 13:43:52.267: AAA/BIND(00000012): Bind i/f
*Jan 23 13:43:52.271: RADIUS/ENCODE(00000012):Orig. component type =
VPN_IPSEC
*Jan 23 13:43:52.271: RADIUS/ENCODE(00000012): dropping service type,
"radius-s
f*Jan 23 13:43:52.271: RADIUS(00000012): Config NAS IP: 0.0.0.0
*Jan 23 13:43:52.271: RADIUS/ENCODE(00000012): acct_session_id: 18
*Jan 23 13:43:52.271: RADIUS(00000012): sending
*Jan 23 13:43:52.271: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2
for Radiu
1*Jan 23 13:43:52.271: RADIUS(00000012): Send Access-Request to
55.55.55.1:1812
4*Jan 23 13:43:52.271: RADIUS: authenticator 42 FB 1B 29 3C 18 8F A0 -
16 84 0E
0*Jan 23 13:43:52.271: RADIUS: User-Name [1] 4 "tb"
*Jan 23 13:43:52.271: RADIUS: User-Password [2] 18 *
*Jan 23 13:43:52.271: RADIUS: Calling-Station-Id [31] 12 "66.66.66.2"
*Jan 23 13:43:52.271: RADIUS: NAS-Port-Type [61] 6 Virtual
]*Jan 23 13:43:52.271: RADIUS: NAS-Port [5] 6 0
*Jan 23 13:43:52.271: RADIUS: NAS-Port-Id [87] 12 "66.66.66.1"
*Jan 23 13:43:52.271: RADIUS: NAS-IP-Address [4] 6 55.55.55.2
*Jan 23 13:43:52.275: RADIUS: Received from id 1645/20 55.55.55.1:1812,
Access-
2*Jan 23 13:43:52.275: RADIUS: authenticator 1C 69 C1 EC 2D 57 35 6B -
3D 01 D6
6*Jan 23 13:43:52.275: RADIUS: Vendor, Cisco [26] 52
*Jan 23 13:43:52.275: RADIUS: Cisco AVpair [1] 46
"ip:outacl#101=per
"*Jan 23 13:43:52.275: RADIUS(00000012): Received from id 1645/20
*Jan 23 13:43:52.279: AAA/AUTHOR (0x12): Pick method list 'groupauthor'
*Jan 23 13:43:52.279: RADIUS/ENCODE(00000012):Orig. component type =
VPN_IPSEC
*Jan 23 13:43:52.279: RADIUS(00000012): Config NAS IP: 0.0.0.0
*Jan 23 13:43:52.279: RADIUS/ENCODE(00000012): acct_session_id: 18
*Jan 23 13:43:52.279: RADIUS(00000012): sending
*Jan 23 13:43:52.279: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2
for Radiu
1*Jan 23 13:43:52.279: RADIUS(00000012): Send Access-Request to
55.55.55.1:1812
8*Jan 23 13:43:52.279: RADIUS: authenticator 92 C8 4E 0E E3 16 02 6E -
0B 64 CA
C*Jan 23 13:43:52.279: RADIUS: User-Name [1] 6 "PHAT"
*Jan 23 13:43:52.279: RADIUS: User-Password [2] 18 *
*Jan 23 13:43:52.279: RADIUS: Calling-Station-Id [31] 12 "66.66.66.2"
*Jan 23 13:43:52.279: RADIUS: NAS-Port-Type [61] 6 Virtual
]*Jan 23 13:43:52.279: RADIUS: NAS-Port-Type [61] 6 Virtual
]*Jan 23 13:43:52.279: RADIUS: NAS-Port [5] 6 0
*Jan 23 13:43:52.279: RADIUS: NAS-Port-Id [87] 12 "66.66.66.1"
*Jan 23 13:43:52.279: RADIUS: Service-Type [6] 6 Outbound
]*Jan 23 13:43:52.279: RADIUS: NAS-IP-Address [4] 6 55.55.55.2
*Jan 23 13:43:52.283: RADIUS: Received from id 1645/21 55.55.55.1:1812,
Access-
6*Jan 23 13:43:52.283: RADIUS: authenticator 3E AA 07 BE 08 03 8F BC -
19 AA 22
B*Jan 23 13:43:52.283: RADIUS: Service-Type [6] 6 Outbound
]*Jan 23 13:43:52.283: RADIUS: Vendor, Cisco [26] 36
*Jan 23 13:43:52.283: RADIUS: Cisco AVpair [1] 30
"ipsec:addr-pool=P
"*Jan 23 13:43:52.283: RADIUS: Vendor, Cisco [26] 30
*Jan 23 13:43:52.283: RADIUS: Cisco AVpair [1] 24
"ipsec:key-exchang
"*Jan 23 13:43:52.283: RADIUS: Vendor, Cisco [26] 35
*Jan 23 13:43:52.283: RADIUS: Cisco AVpair [1] 29
"ipsec:tunnel-pass
"*Jan 23 13:43:52.283: RADIUS: Vendor, Cisco [26] 29
*Jan 23 13:43:52.283: RADIUS: Cisco AVpair [1] 23
"ipsec:tunnel-type
"*Jan 23 13:43:52.283: RADIUS(00000012): Received from id 1645/21
*Jan 23 13:43:52.295: %AAA-3-BADHDL: invalid hdl AAA ID 18, hdl
1B000077, retir
4*Jan 23 13:43:52.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-A
Regards
thomas
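As an added example that is not part of Thomas's post or of any Cisco or FreeRADIUS tooling, the script below walks a "debug radius" / AAA log like the one above and correlates each RADIUS session with the Cisco AVpairs the server returned and with any %AAA-3-BADHDL message. It relies on one thing the debug output itself shows: the decimal "AAA ID" in the BADHDL line (18) is the same number as the hex session ID in the RADIUS(00000012) lines (acct_session_id: 18). The sample log is a condensed subset of the post's debug output, constructed here; the AVpair values are kept truncated exactly as the console printed them, so the parser keeps whatever is left on the line rather than requiring a closing quote.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed subset of the debug output in the post.
# Lines are deliberately left truncated the way the router console printed them.
SAMPLE_DEBUG = """\
*Jan 23 13:43:52.243: RADIUS/ENCODE(00000011): acct_session_id: 17
*Jan 23 13:43:52.243: RADIUS: User-Name [1] 6 "PHAT"
*Jan 23 13:43:52.247: RADIUS: Cisco AVpair [1] 30 "ipsec:addr-pool=P
*Jan 23 13:43:52.247: RADIUS(00000011): Received from id 1645/19
*Jan 23 13:43:52.271: RADIUS/ENCODE(00000012): acct_session_id: 18
*Jan 23 13:43:52.271: RADIUS: User-Name [1] 4 "tb"
*Jan 23 13:43:52.275: RADIUS: Cisco AVpair [1] 46 "ip:outacl#101=per
*Jan 23 13:43:52.275: RADIUS(00000012): Received from id 1645/20
*Jan 23 13:43:52.279: RADIUS/ENCODE(00000012): acct_session_id: 18
*Jan 23 13:43:52.279: RADIUS: User-Name [1] 6 "PHAT"
*Jan 23 13:43:52.283: RADIUS: Cisco AVpair [1] 30 "ipsec:addr-pool=P
*Jan 23 13:43:52.283: RADIUS(00000012): Received from id 1645/21
*Jan 23 13:43:52.295: %AAA-3-BADHDL: invalid hdl AAA ID 18, hdl 1B000077, retir
"""

# Session id appears as an 8-digit hex number in RADIUS(...) / RADIUS/ENCODE(...) lines.
SESSION_RE = re.compile(r'RADIUS(?:/ENCODE)?\((?P<sid>[0-9A-Fa-f]{8})\)')
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"(?P<user>[^"]*)"')
# The value may be cut off by the console, so match to end of line, not to a closing quote.
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"(?P<val>.*)$')
BADHDL_RE = re.compile(
    r'%AAA-3-BADHDL: invalid hdl AAA ID (?P<aaa_id>\d+), hdl (?P<hdl>[0-9A-Fa-f]+)'
)


def parse_sessions(debug_text):
    """Group user names and returned AVpairs by RADIUS session id (as an int).

    AVpair and User-Name lines carry no session id of their own, so they are
    attributed to the most recent session id seen on a RADIUS(...) line.
    BADHDL lines carry the decimal AAA ID, which is the same session number.
    """
    sessions = defaultdict(lambda: {"users": [], "avpairs": [], "badhdl": []})
    current = None
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = int(m.group("sid"), 16)
            sessions[current]  # make sure the entry exists even with no attributes
        if current is None:
            continue
        m = USER_RE.search(line)
        if m:
            user = m.group("user")
            if user not in sessions[current]["users"]:
                sessions[current]["users"].append(user)
            continue
        m = AVPAIR_RE.search(line)
        if m:
            sessions[current]["avpairs"].append(m.group("val").rstrip('"'))
    for m in BADHDL_RE.finditer(debug_text):
        sessions[int(m.group("aaa_id"))]["badhdl"].append(m.group("hdl").upper())
    return dict(sessions)


def failing_sessions(debug_text):
    """Return (session_hex, users, avpairs, hdls) for every session that hit BADHDL."""
    result = []
    for sid, info in sorted(parse_sessions(debug_text).items()):
        if info["badhdl"]:
            result.append((f"{sid:08X}", info["users"], info["avpairs"], info["badhdl"]))
    return result


if __name__ == "__main__":
    for sid, users, avpairs, hdls in failing_sessions(SAMPLE_DEBUG):
        print(f"session {sid}: users={users} bad handles={hdls}")
        for av in avpairs:
            print(f"  returned AVpair: {av}")
```

Run against the full debug output, the only session with a BADHDL is 00000012, the one whose first Access-Accept carried the ip:outacl AVpair and whose group authorization then ran as "PHAT"; session 00000011, which only received ipsec:* attributes, is clean. That is the same observation Thomas makes by removing the two AVPairs, only made mechanically so it can be repeated across IOS versions or pasted logs.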