List,
I will appear entirely uneducated in this cry for assistance, but must,
at the expense of revealing ignorance, show my true colors if I expect
to find any help.
We are an ISP. I've installed FreeRadius on a server that heretofore
has been used solely for the aaa needs of a PortMaster 3 (dialup users).
This company recently began reselling Qwest's DSL service, which was
delivered to us over an ATM T1 into a Cisco 2621. Initially, it seemed
there was no need to go through the learning curve of getting the Cisco
to aaa against the FreeRadius server, but now, with an increase of
orders that require static IP addresses, and the Virtual-Template
limitations on the router, I must get the Cisco to aaa against
FreeRadius.
Earlier this month (September) I found another gentleman with an almost
identical dilemma - one pool of addresses doled out to dhcp customers
(from an ip address pool on the Cisco), and another Virtual-Template
that allowed customers requiring static IPs to get their addresses
from the FreeRadius server. He obviously found a solution, though it
wasn't spelled out in his victory-message to the list...and my searches
through the past 3 years of list-activity, while enlightening, have not
yielded a working configuration.
The server has FreeRadius 0.9.0 running. The server is a RedHat Linux
box (kernel 2.4.9-e.27smp). I am simply authenticating against the
system (/etc/passwd, /etc/shadow, /etc/group) until I get a better grasp
of working with MySQL. Yesterday, I attempted the implementation of what
configuration I'd derived through many hours of research...and the
result was - the only activity on the FreeRadius server, was that of
authenticating me on the console session through the loopback0
interface.
I had a test customer reset their modem (Actiontek - actually a router),
and there was no indication in the FreeRadius debug (radiusd -sfxxyz -l
stdout) that the router even sent a request for authentication. Below
is my 2621's aaa configuration (as well as a sample pvc and
Virtual-Template). {Actually, I had to remove the aaa new-model commands
in order for the customers to get back online... Nevertheless, this is
what I'm still prepared to re-enter this evening, unless someone on this
list can show me better.}
aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
radius-server host 10.99.101.3 auth-port 1812 acct-port 1813
radius-server attribute 8 include-in-access-req
radius-server unique-ident 99
radius-server configure-nas
radius-server key ctte/dbtr
ip radius source-interface loopback0
interface loopback0
 ip address 10.99.13.254 255.255.255.255
interface Virtual-Template2
 description StaticGroup
 ip unnumbered FastEthernet0/0
 no peer default ip address
 ppp authentication pap callin
access-list 1 permit 10.99.13.0 0.0.0.255
When no requests seemed to be hitting the FreeRadius server, I tried
"debug radius"...and totally lost control of the router. It continued
to cycle through attempts at authenticating Virtual-Access5...but with
no such evidence on the radius server.
As to my FreeRadius configuration...I don't want to overload you (though
I probably already have)...but, I've set up my Huntgroups file as
follows...
# NAS-IP-Address 10.99.13.254 is loopback0 on the router
DSLHost  NAS-IP-Address == 10.99.13.254
PM3      NAS-IP-Address == 10.99.105.1
# One entry per member; check items compare with "==" (a bare "=" sets a value and matches everything)
Dynamic  NAS-IP-Address == 10.99.13.254, User-Name == RodCom
Dynamic  NAS-IP-Address == 10.99.13.254, User-Name == FarBur
# (and the list goes on)
Static1  NAS-IP-Address == 10.99.13.254, User-Name == NecOlo
And, my Users file looks like so (just an example)
Mark    Auth-Type := System, Huntgroup-Name == "PM3"
        Fall-Through = Yes

RodCom  Auth-Type := System, Huntgroup-Name == "DSLHost"
        Fall-Through = Yes

NecOlo  Auth-Type := System, Huntgroup-Name == "DSLHost"
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "PM3"
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Framed-Compression = Van-Jacobson-TCP-IP

# Huntgroup names must be spelled exactly as in the huntgroups file (Dynamic, Static1)
DEFAULT Service-Type == Framed-User, Huntgroup-Name == "Dynamic"
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "Static1"
        Framed-IP-Address = 10.99.12.15,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
Now, I may have a problem in part of my radiusd.conf file...in that, in
the authorization section there is no entry for PAP, while there is such
an entry in the authenticate section.
Could anyone tell me if I should be using the loopback0 address, as the
NAS-IP-Address, or the FastEthernet0/0 address?
I recognize this may be too lengthy or long-winded for your taste, but
am hoping to give enough detail to avail you an honest opportunity to
zero-in on what's wrong.
Sincerest Regards,
D. Paul Sparks
Operations
rodinetechnology.com
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
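As an added example (not code from the post above, and not FreeRADIUS's or Cisco's own implementation), the script below models the exchange the 2621 should be producing once requests actually reach the server: an RFC 2865 Access-Request carrying a PAP User-Password hidden under the shared secret, a server side that unhides it, checks it and picks a reply the way the quoted huntgroups and users entries would, and an Access-Accept whose Response Authenticator the NAS verifies before trusting it. The huntgroup and DEFAULT tables inside it mirror the quoted configuration; the shared secret, the passwords and the "first matching DEFAULT wins, reject otherwise" selection are assumptions for the demo (it does not model Auth-Type := System or Fall-Through). It also assumes the NAS-IP-Address attribute carries the loopback0 address 10.99.13.254 that the huntgroups key on. Note that the only cryptography in a plain RADIUS exchange is MD5 keyed on the shared secret: the password hiding is reversible by anyone holding the secret or able to guess it, and the same secret is all that authenticates the server's reply, so the secret should be strong and the server should accept requests only from the NAS addresses it expects.

```python
import hashlib, hmac, ipaddress, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute type numbers and enumerated values used below.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 1, 2, 4, 6, 7, 8
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1

def pap_transform(data, secret, authenticator, hide=True):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous
    ciphertext block), seeded by the Request Authenticator; hide=False undoes it. Not encryption."""
    if not data or len(data) > 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes and the authenticator 16 bytes")
    data, out, prev = data + b"\x00" * (-len(data) % 16), b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length counts its own two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(data):
    """(code, identifier, authenticator, [(type, value), ...]); rejects attributes that overrun Length."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("declared Length inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the NAS sends for a PAP PPP login. NAS-IP-Address (attribute 4) is the address the
    router reports for itself, here the post's loopback0, which is what the huntgroups key on."""
    auth = os.urandom(16) if authenticator is None else authenticator
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, pap_transform(password.encode(), secret, auth)),
                         (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
                         (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
                         (FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(response, request, secret):
    """NAS side: trust a reply only if its Identifier matches the outstanding request and its
    Response Authenticator recomputes under the shared secret. Returns the code, else None."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return code if ident == req_ident and hmac.compare_digest(expected, resp_auth) else None

# Constructed mirror of the post's huntgroups (name -> [(NAS-IP-Address, User-Name or any)]) and of
# its users-file DEFAULT entries in order; 255.255.255.254 means "NAS assigns from its pool" (RFC 2865).
HUNTGROUPS = {"DSLHost": [("10.99.13.254", None)], "PM3": [("10.99.105.1", None)],
              "Dynamic": [("10.99.13.254", "RodCom"), ("10.99.13.254", "FarBur")],
              "Static1": [("10.99.13.254", "NecOlo")]}
USERS_DEFAULTS = [("PM3", "255.255.255.254"), ("Dynamic", "255.255.255.254"),
                  ("Static1", "10.99.12.15")]

def in_huntgroup(name, nas_ip, user):
    # Huntgroup-Name == name holds if any huntgroups entry of that name matches the request.
    return any(ip == nas_ip and u in (None, user) for ip, u in HUNTGROUPS.get(name, ()))

def server_handle(request, secret, credentials):
    """Simplified server: unhide the PAP password, compare it in constant time, then answer with
    the first DEFAULT entry whose huntgroup matches, or reject when none does."""
    code, _, auth, attrs = parse_packet(request)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        raise ValueError("expected an Access-Request carrying User-Name and User-Password")
    user = a[USER_NAME].decode()
    nas_ip = str(ipaddress.IPv4Address(a.get(NAS_IP_ADDRESS, b"\0\0\0\0")))
    password = pap_transform(a[USER_PASSWORD], secret, auth, hide=False)
    if not hmac.compare_digest(password, credentials.get(user, b"")):
        return build_response(ACCESS_REJECT, request, secret)
    for group, framed_ip in USERS_DEFAULTS:
        if in_huntgroup(group, nas_ip, user):
            return build_response(ACCESS_ACCEPT, request, secret,
                                  [(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)])
    return build_response(ACCESS_REJECT, request, secret)

def run_login(user, password, nas_ip, secret, credentials, ident=7):
    # One full exchange: (verified response code, Framed-IP-Address from the reply or None).
    request = build_access_request(ident, secret, user, password, nas_ip)
    response = server_handle(request, secret, credentials)
    framed = dict(parse_packet(response)[3]).get(FRAMED_IP_ADDRESS)
    return verify_response(response, request, secret), (str(ipaddress.IPv4Address(framed)) if framed else None)

# Constructed secret and credentials for the demo; not the key or passwords from the post.
SECRET, CREDS = b"example-shared-secret", {"NecOlo": b"constructed-pw", "RodCom": b"pw2"}
```

Calling run_login("NecOlo", "constructed-pw", "10.99.13.254", SECRET, CREDS) returns (2, "10.99.12.15"): the user lands in Static1 and gets the static address. RodCom at the same NAS lands in Dynamic and gets 255.255.255.254, telling the router to hand out a pool address; a wrong password, or a NAS address no huntgroup knows, yields an Access-Reject (3, None). The verify_response step is what keeps a host that does not hold the secret from forging an Access-Accept, and parse_packet's bounds checks are the part a server exposed to untrusted sources most needs.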