Pierre LEONARD a écrit :
hi
I would like to configure my Cisco 2620 router (IOS 12.3) as a VPN concentrator, using a RADIUS server (FreeRADIUS) to authenticate the VPN users. When the RADIUS server returns the IP configuration to the router, the router does not pass this information on to the VPN client; instead it assigns an address from its own pool.
I don't know how to configure the router so that it uses the IP configuration from RADIUS to configure the VPN client.
If I remove the pool from the router, I can no longer connect to the VPN router, and I haven't found any configuration option that tells the router to use the IP configuration from RADIUS.
I hope I'm clear!
I forgot to attach my config.
*******************radiusd.conf*********************
# radiusd.conf as posted (FreeRADIUS 1.x layout: one flat file plus $INCLUDEs).
# Lines starting with "#" are review notes; the directives are unchanged.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
# The daemon drops privileges to a dedicated account; keep it that way.
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; only the two sources in clients.conf are
# accepted, but binding to the address the router reaches is tighter.
bind_address = *
# port = 0 takes the port from /etc/services; the router sends to 1812
# (see its radius-server host line), so confirm the daemon listens there.
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# All authentication logging is off, so neither failed nor successful
# logins appear in radius.log. Enabling log_auth (and log_auth_badpass)
# is also the quickest way to see what the router sends while debugging
# the Framed-IP-Address problem; radiusd -X shows the full exchange.
log_auth = no
log_auth_badpass = no
# Leave this off: it writes users' passwords into the log.
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# A 1 s delay on Access-Reject slows down password guessing; keep it.
reject_delay = 1
status_server = no
}
# Proxying is enabled; if no realms are used, "no" removes a forwarding path.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Accounting detail files, one directory per NAS address, owner-only perms.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# Per-user static address lookup keyed on User-Name (the "*" field).
# NOTE(review): confirm with radiusd -X that the resulting
# Framed-IP-Address ends up in the reply list of the Access-Accept (the
# format prefixes decide reply vs. config item); if it does not, the
# router never receives an address to apply.
passwd user2ip {
filename = /etc/freeradius/user2ip
format = "*User-Name:=Framed-IP-Address"
hashsize = 100
}
}
authorize {
preprocess
files
user2ip
}
# Empty: the "User-Password ==" check items in the users file presumably
# do the password comparison during authorize in this 1.x setup - verify
# with radiusd -X that an Access-Accept is actually produced.
authenticate {
}
preacct {
preprocess
files
}
accounting {
detail
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
*****************************clients.conf***************************************
# Stock example secret shipped with FreeRADIUS; replace it even for
# localhost, since anything on this host can otherwise send requests.
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
# The VPN router. The secret must equal the "key" on its radius-server
# host line; in the posted router config that key is the same string as
# the Easy VPN group pre-shared key, so use a distinct value here.
client <@ip routeur VPN> {
secret = <clé partagé radius/routeur>
shortname = router
nastype = cisco
}
*****************************users**********************************************
# users file as posted. In the on-disk file the reply-item lines
# (Tunnel-Type, Idle-Timeout, Tunnel-Private-Group-Id) must be indented
# under their entry; the indentation was lost in the paste. A trailing
# comma after the last reply item of an entry signals a continuation
# line, so check with radiusd -X that each entry parses as intended.
# Catch-all entry: adds Tunnel-Type to every reply and keeps matching.
# Tunnel-Type = VLAN is presumably meant for a switch, not the VPN router.
DEFAULT
Tunnel-Type = VLAN,
Fall-Through = 1
# Matched only for requests from the VPN router on NAS port 2.
DEFAULT Nas-Port == 2, Nas-IP-Address == <@ip routeur VPN>
Idle-Timeout = 300,
Fall-through = 1
# Per-user entries. These plaintext passwords were published with the
# post; rotate them. The per-user address comes from the user2ip module,
# not from here, so no Framed-IP-Address appears in this file.
pierre User-Password == "pierrot"
Tunnel-Private-Group-Id = 12,
toto User-Password == "titi"
Tunnel-Private-Group-Id = 13,
*****************************user2ip********************************************
pierre:192.168.6.6
toto:192.168.10.10
*****************************router*********************************************
Current configuration : 2759 bytes
!
! Running config of the 2620 as posted (addresses redacted as <private>).
! "!" lines were added as review notes; IOS ignores them.
version 12.3
service timestamps debug uptime
service timestamps log uptime
! Leaves "password 7" values readable in "show run". Even with encryption
! on, type 7 is reversible, so the real fix is the "secret" forms below.
no service password-encryption
!
hostname vpn2600
!
boot-start-marker
! Image is fetched over TFTP at boot (cleartext, unauthenticated); the
! fallback entries differ only in file name.
boot system tftp c2600-ik9o3s3-mz.123-18.bin <private>
boot system tftp c2600-ik9o3s3-mz.123-18.bin2 <private>
boot system tftp c2600-ik9o3s3-mz.123-18.bin3 <private>
boot-end-marker
!
! Type 5 (MD5) hash; it has been published with this post, so rotate it.
enable secret 5 $1$j8hq$EhL3/t7cL.uNf5spPQ7mX0
!
aaa new-model
!
!
! RADIUS server group for the VPN users (same host as radius-server below).
aaa group server radius group-radius
server <private> auth-port 1812 acct-port 1813
!
aaa authentication login leo local
! Xauth list referenced by the crypto map: user credentials go to RADIUS.
aaa authentication login authentication-radius group group-radius
! NOTE(review): the crypto map's "isakmp authorization list
! authorization-radius" refers to an "aaa authorization network" list, but
! the only network list here is the local "groupleo"; "authorization-radius"
! is defined as a "configuration" list instead. That would leave group and
! user attributes returned by RADIUS unused and is a likely cause of the
! symptom in the post - confirm with "debug aaa authorization".
aaa authorization network groupleo local
aaa authorization configuration authorization-radius group group-radius
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
! Type 7 is reversible and this value is now public: reset it, preferably
! as "username pierre secret <new-password>".
username pierre password 7 1119100005000E
!
! IKE phase 1: 3DES, pre-shared key, DH group 2.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
!
! Easy VPN group. Its pre-shared key and the RADIUS shared secret on the
! radius-server host line are the same string; use distinct secrets.
crypto isakmp client configuration group test-cisco-vpn
key key-vpn
domain u-bordeaux.fr
! Locally defined pool: this is where clients currently get their address
! (the symptom in the post) when no per-user address is applied.
pool pool-cisco-vpn
!
!
crypto ipsec transform-set set-cisco-vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap-cisco-vpn 10
set transform-set set-cisco-vpn
!
!
! The next two commands were each wrapped onto two lines by the mail
! client; the list names are the AAA lists defined above.
crypto map clientmap-cisco-vpn client authentication list
authentication-radius
crypto map clientmap-cisco-vpn isakmp authorization list
authorization-radius
crypto map clientmap-cisco-vpn client configuration address initiate
crypto map clientmap-cisco-vpn client configuration address respond
crypto map clientmap-cisco-vpn 10 ipsec-isakmp dynamic dynmap-cisco-vpn
!
!
interface FastEthernet0/0
ip address <private> <private>
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
! VPN-facing interface.
interface Ethernet1/0
ip address <private> <private>
half-duplex
crypto map clientmap-cisco-vpn
!
! Pool referenced by the Easy VPN group (six addresses).
ip local pool pool-cisco-vpn 192.168.3.5 192.168.3.10
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 <private>
!
!
! RADIUS shared secret; must equal the "secret" in clients.conf for this router.
radius-server host <private> auth-port 1812 acct-port 1813 key key-vpn
!
!
line con 0
line aux 0
! No "aaa authentication login default" list is defined and the vtys carry
! no transport or access restriction; with aaa new-model, login presumably
! falls back to the local username above - confirm, and consider
! "transport input ssh" plus an access-class.
line vty 0 4
!
!
end