[c-nsp] vti tunnel configuration via radius with inacl avrpair

Thomas Braun thomas.braun at flashstudy.de
Fri Jan 23 10:40:32 EST 2009


Hi,

If I use the AV pairs on the group user, everything is working.
It would be nice to use the AV pairs with the xauth user; is there any
other solution to use the AV pairs in an Easy VPN environment on the user?


regards
thomas


Thomas Braun schrieb:
> Hi Group,
> 
> I ran into a problem with a VTI tunnel interface.
> 
> I get the following error message when I try to install inacl or outacl via
> Cisco-AVPairs:
> %AAA-3-BADHDL: invalid hdl AAA ID 7, hdl 36000024, retire
> 
> I use the Cisco-AVPair example from the Cisco site:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1090640 
> 
> 
> I use FreeRADIUS for the authorization and I send the following string to
> the Cisco router:
> 
> mysql> select * from radreply where username='tb';
> +----+----------+--------------+----+----------------------------------------------+
> | id | UserName | Attribute    | op | Value                                        |
> +----+----------+--------------+----+----------------------------------------------+
> | 45 | tb       | Cisco-AVPair | += | ip:outacl#101=permit tcp any any established |
> +----+----------+--------------+----+----------------------------------------------+
> 1 row in set (0.00 sec)
> 
> I get the same error message with the following entry:
> ip:sub-policy-Out#4=pppoemap
> 
> When I remove the 2 AV pairs I don't get the error message.
> 
> 
> I tried different IOS versions to test this feature, from 12.4T9 to
> 12.4T22, and I use a Cisco 2821 to test it.
> 
> Maybe someone has seen the same problem and has a workaround.
> 
> 
> 
> 
> Here is the debug output:
> *Jan 23 13:43:52.211: AAA/BIND(00000011): Bind i/f
> *Jan 23 13:43:52.243: AAA/AUTHOR (0x11): Pick method list 'groupauthor'
> *Jan 23 13:43:52.243: RADIUS/ENCODE(00000011):Orig. component type = VPN_IPSEC
> *Jan 23 13:43:52.243: RADIUS(00000011): Config NAS IP: 0.0.0.0
> *Jan 23 13:43:52.243: RADIUS/ENCODE(00000011): acct_session_id: 17
> *Jan 23 13:43:52.243: RADIUS(00000011): sending
> *Jan 23 13:43:52.243: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2 for Radiu
> *Jan 23 13:43:52.243: RADIUS(00000011): Send Access-Request to 55.55.55.1:1812
> *Jan 23 13:43:52.243: RADIUS:  authenticator 5C 2F C9 41 D5 A6 A9 36 - AC 62 98
> *Jan 23 13:43:52.243: RADIUS:  User-Name           [1]   6   "PHAT"
> *Jan 23 13:43:52.243: RADIUS:  User-Password       [2]   18  *
> *Jan 23 13:43:52.243: RADIUS:  Calling-Station-Id  [31]  12  "66.66.66.2"
> *Jan 23 13:43:52.243: RADIUS:  NAS-Port-Type       [61]  6   Virtual
> *Jan 23 13:43:52.243: RADIUS:  NAS-Port            [5]   6   0
> *Jan 23 13:43:52.243: RADIUS:  NAS-Port-Id         [87]  12  "66.66.66.1"
> *Jan 23 13:43:52.243: RADIUS:  Service-Type        [6]   6   Outbound
> *Jan 23 13:43:52.243: RADIUS:  NAS-IP-Address      [4]   6   55.55.55.2
> *Jan 23 13:43:52.247: RADIUS: Received from id 1645/19 55.55.55.1:1812, Access-
> *Jan 23 13:43:52.247: RADIUS:  authenticator 27 FF 7E 5E 89 30 19 72 - 5A 2B FD
> *Jan 23 13:43:52.247: RADIUS:  Service-Type        [6]   6   Outbound
> *Jan 23 13:43:52.247: RADIUS:  Vendor, Cisco       [26]  36
> *Jan 23 13:43:52.247: RADIUS:   Cisco AVpair       [1]   30  "ipsec:addr-pool=P
> *Jan 23 13:43:52.247: RADIUS:  Vendor, Cisco       [26]  30
> *Jan 23 13:43:52.247: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchang
> *Jan 23 13:43:52.247: RADIUS:  Vendor, Cisco       [26]  35
> *Jan 23 13:43:52.247: RADIUS:   Cisco AVpair       [1]   29  "ipsec:tunnel-pass
> *Jan 23 13:43:52.247: RADIUS:  Vendor, Cisco       [26]  29
> *Jan 23 13:43:52.247: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type
> *Jan 23 13:43:52.247: RADIUS(00000011): Received from id 1645/19
> *Jan 23 13:43:52.267: AAA/BIND(00000012): Bind i/f
> *Jan 23 13:43:52.271: RADIUS/ENCODE(00000012):Orig. component type = VPN_IPSEC
> *Jan 23 13:43:52.271: RADIUS/ENCODE(00000012): dropping service type, "radius-s
> *Jan 23 13:43:52.271: RADIUS(00000012): Config NAS IP: 0.0.0.0
> *Jan 23 13:43:52.271: RADIUS/ENCODE(00000012): acct_session_id: 18
> *Jan 23 13:43:52.271: RADIUS(00000012): sending
> *Jan 23 13:43:52.271: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2 for Radiu
> *Jan 23 13:43:52.271: RADIUS(00000012): Send Access-Request to 55.55.55.1:1812
> *Jan 23 13:43:52.271: RADIUS:  authenticator 42 FB 1B 29 3C 18 8F A0 - 16 84 0E
> *Jan 23 13:43:52.271: RADIUS:  User-Name           [1]   4   "tb"
> *Jan 23 13:43:52.271: RADIUS:  User-Password       [2]   18  *
> *Jan 23 13:43:52.271: RADIUS:  Calling-Station-Id  [31]  12  "66.66.66.2"
> *Jan 23 13:43:52.271: RADIUS:  NAS-Port-Type       [61]  6   Virtual
> *Jan 23 13:43:52.271: RADIUS:  NAS-Port            [5]   6   0
> *Jan 23 13:43:52.271: RADIUS:  NAS-Port-Id         [87]  12  "66.66.66.1"
> *Jan 23 13:43:52.271: RADIUS:  NAS-IP-Address      [4]   6   55.55.55.2
> *Jan 23 13:43:52.275: RADIUS: Received from id 1645/20 55.55.55.1:1812, Access-
> *Jan 23 13:43:52.275: RADIUS:  authenticator 1C 69 C1 EC 2D 57 35 6B - 3D 01 D6
> *Jan 23 13:43:52.275: RADIUS:  Vendor, Cisco       [26]  52
> *Jan 23 13:43:52.275: RADIUS:   Cisco AVpair       [1]   46  "ip:outacl#101=per
> *Jan 23 13:43:52.275: RADIUS(00000012): Received from id 1645/20
> *Jan 23 13:43:52.279: AAA/AUTHOR (0x12): Pick method list 'groupauthor'
> *Jan 23 13:43:52.279: RADIUS/ENCODE(00000012):Orig. component type = VPN_IPSEC
> *Jan 23 13:43:52.279: RADIUS(00000012): Config NAS IP: 0.0.0.0
> *Jan 23 13:43:52.279: RADIUS/ENCODE(00000012): acct_session_id: 18
> *Jan 23 13:43:52.279: RADIUS(00000012): sending
> *Jan 23 13:43:52.279: RADIUS/ENCODE: Best Local IP-Address 55.55.55.2 for Radiu
> *Jan 23 13:43:52.279: RADIUS(00000012): Send Access-Request to 55.55.55.1:1812
> *Jan 23 13:43:52.279: RADIUS:  authenticator 92 C8 4E 0E E3 16 02 6E - 0B 64 CA
> *Jan 23 13:43:52.279: RADIUS:  User-Name           [1]   6   "PHAT"
> *Jan 23 13:43:52.279: RADIUS:  User-Password       [2]   18  *
> *Jan 23 13:43:52.279: RADIUS:  Calling-Station-Id  [31]  12  "66.66.66.2"
> *Jan 23 13:43:52.279: RADIUS:  NAS-Port-Type       [61]  6   Virtual
> *Jan 23 13:43:52.279: RADIUS:  NAS-Port-Type       [61]  6   Virtual
> *Jan 23 13:43:52.279: RADIUS:  NAS-Port            [5]   6   0
> *Jan 23 13:43:52.279: RADIUS:  NAS-Port-Id         [87]  12  "66.66.66.1"
> *Jan 23 13:43:52.279: RADIUS:  Service-Type        [6]   6   Outbound
> *Jan 23 13:43:52.279: RADIUS:  NAS-IP-Address      [4]   6   55.55.55.2
> *Jan 23 13:43:52.283: RADIUS: Received from id 1645/21 55.55.55.1:1812, Access-
> *Jan 23 13:43:52.283: RADIUS:  authenticator 3E AA 07 BE 08 03 8F BC - 19 AA 22
> *Jan 23 13:43:52.283: RADIUS:  Service-Type        [6]   6   Outbound
> *Jan 23 13:43:52.283: RADIUS:  Vendor, Cisco       [26]  36
> *Jan 23 13:43:52.283: RADIUS:   Cisco AVpair       [1]   30  "ipsec:addr-pool=P
> *Jan 23 13:43:52.283: RADIUS:  Vendor, Cisco       [26]  30
> *Jan 23 13:43:52.283: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchang
> *Jan 23 13:43:52.283: RADIUS:  Vendor, Cisco       [26]  35
> *Jan 23 13:43:52.283: RADIUS:   Cisco AVpair       [1]   29  "ipsec:tunnel-pass
> *Jan 23 13:43:52.283: RADIUS:  Vendor, Cisco       [26]  29
> *Jan 23 13:43:52.283: RADIUS:   Cisco AVpair       [1]   23  "ipsec:tunnel-type
> *Jan 23 13:43:52.283: RADIUS(00000012): Received from id 1645/21
> *Jan 23 13:43:52.295: %AAA-3-BADHDL: invalid hdl AAA ID 18, hdl 1B000077, retir
> *Jan 23 13:43:52.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-A
> 
> Regards
> thomas
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


-- 
Thomas Braun

Bungert 1
52068 Aachen

Tel.:       0241/531088202
Fax:        0241/531088209
Email:      thomas.braun at flashstudy.de
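Added example, not part of the original post and not FreeRADIUS or IOS code: a small encoder/decoder for the Cisco-AVPair vendor-specific attribute (RADIUS attribute 26, vendor 9, sub-type 1) that the debug output above shows the router receiving. It reproduces the on-the-wire lengths the log prints for the outacl string ("Vendor, Cisco [26] 52" / "Cisco AVpair [1] 46"), refuses malformed length fields instead of silently accepting them, and splits the "proto:attr#seq=value" form that IOS uses for per-user ACL entries. The AV pair strings are the ones from the post; the pool name "POOL" in the demo is a constructed placeholder, since the log truncates the real ipsec:addr-pool value.

```python
"""Cisco-AVPair VSA encoding/decoding, written to match the RADIUS debug
lines in the post (RFC 2865 section 5.26 layout, Cisco vendor id 9)."""
import struct
from typing import List, Optional, Tuple

RADIUS_ATTR_VSA = 26    # Vendor-Specific attribute type
VENDOR_ID_CISCO = 9     # IANA enterprise number for Cisco
CISCO_VSA_AVPAIR = 1    # Cisco-AVPair vendor sub-type


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one AV pair string as a complete Vendor-Specific attribute.

    Layout: Type(26) Length VendorId(4) | VendorType(1) VendorLength String
    Both Length fields count their own two header bytes, so the outer
    length is the inner length plus 6 (type, length, 4-byte vendor id).
    """
    data = avpair.encode("ascii")
    inner = struct.pack("!BB", CISCO_VSA_AVPAIR, 2 + len(data)) + data
    outer_len = 2 + 4 + len(inner)
    if outer_len > 255:  # one-byte Length field: at most 247 chars of string
        raise ValueError("Cisco-AVPair too long for a single VSA (max 247 chars)")
    return struct.pack("!BBI", RADIUS_ATTR_VSA, outer_len, VENDOR_ID_CISCO) + inner


def decode_cisco_avpairs(buf: bytes) -> List[Tuple[int, int, str]]:
    """Walk a RADIUS attribute list; return (outer_len, inner_len, string)
    for every Cisco-AVPair.  Other attributes are skipped; truncated or
    inconsistent length fields raise rather than being trusted."""
    out: List[Tuple[int, int, str]] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        body = buf[pos + 2 : pos + alen]
        if atype == RADIUS_ATTR_VSA and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor == VENDOR_ID_CISCO and vtype == CISCO_VSA_AVPAIR:
                if vlen != len(body) - 4:
                    raise ValueError("vendor length disagrees with attribute length")
                out.append((alen, vlen, body[6:].decode("ascii")))
        pos += alen
    return out


def parse_avpair(avpair: str) -> Tuple[str, str, Optional[int], str]:
    """Split 'proto:attr[#seq]=value' the way IOS reads per-user ACL pairs.

    'ip:outacl#101=permit tcp any any established'
        -> ('ip', 'outacl', 101, 'permit tcp any any established')
    'ipsec:addr-pool=POOL' -> ('ipsec', 'addr-pool', None, 'POOL')
    """
    if "=" not in avpair or ":" not in avpair.split("=", 1)[0]:
        raise ValueError(f"not a proto:attr=value string: {avpair!r}")
    lhs, value = avpair.split("=", 1)
    proto, attr = lhs.split(":", 1)
    seq: Optional[int] = None
    if "#" in attr:                      # '#<n>' orders ACL lines
        attr, seq_text = attr.split("#", 1)
        seq = int(seq_text)
    return proto, attr, seq, value


if __name__ == "__main__":
    # Strings from the post; the pool name is a constructed placeholder.
    accept = b"".join(encode_cisco_avpair(s) for s in (
        "ipsec:addr-pool=POOL",
        "ip:outacl#101=permit tcp any any established",
    ))
    for outer, inner, text in decode_cisco_avpairs(accept):
        print(f"Vendor, Cisco [26] {outer} / Cisco AVpair [1] {inner} {text!r}")
        print("   parsed:", parse_avpair(text))
```

The 52/46 pair is what the router logged for the tb user's Access-Accept, so the encoder agrees with the log; the length checks in the decoder are the part worth copying into anything that consumes RADIUS from a network.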



