Hello,

I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN connections. I would like my CISCO router to assign a static IP address to remote VPN users thanks to the Freeradius server.

My freeradius server is configured to give static IP addresses to users. I can check it with radtest:

[r...@host ~]# radtest t...@domain.com mypassword 127.0.0.1 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
        User-Name = "t...@domain.com"
        User-Password = "mypassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 15.1.1.99
        Framed-IP-Netmask = 255.255.255.0

and the CISCO router gets it ...

Log Buffer (32768 bytes):

Jul 3 17:50:35.368: RADIUS/ENCODE(00000058):Orig. component type = VPN_IPSEC
Jul 3 17:50:35.368: RADIUS: AAA Unsupported Attr: interface [158] 13
Jul 3 17:50:35.368: RADIUS: 32 31 33 2E 34 31 2E 31 33 33 2E
Jul 3 17:50:35.368: RADIUS/ENCODE(00000058): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 3 17:50:35.368: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul 3 17:50:35.368: RADIUS/ENCODE(00000058): acct_session_id: 72
Jul 3 17:50:35.368: RADIUS(00000058): sending
Jul 3 17:50:35.368: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul 3 17:50:35.368: RADIUS(00000058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul 3 17:50:35.368: RADIUS: authenticator 73 C3 A8 1F E5 ED BA C6 - B0 39 12 74 33 3C 80 A7
Jul 3 17:50:35.372: RADIUS: User-Name [1] 25 "t...@domain.com"
Jul 3 17:50:35.372: RADIUS: User-Password [2] 18 *
Jul 3 17:50:35.372: RADIUS: Calling-Station-Id [31] 16 "A.B.C.D"
Jul 3 17:50:35.372: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 3 17:50:35.372: RADIUS: NAS-Port [5] 6 3
Jul 3 17:50:35.372: RADIUS: NAS-Port-Id [87] 15 "E.F.G.H"
Jul 3 17:50:35.372: RADIUS: NAS-IP-Address [4] 6 X.X.X.X
Jul 3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
Jul 3 17:50:35.444: RADIUS: authenticator 86 A5 0A EA BE DF 30 E0 - 11 E3 24 54 9B 2C C6 77
Jul 3 17:50:35.444: RADIUS: Service-Type [6] 6 Framed [2]
Jul 3 17:50:35.444: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 3 17:50:35.444: RADIUS: Framed-IP-Address [8] 6 15.1.1.99
Jul 3 17:50:35.444: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
Jul 3 17:50:35.444: RADIUS(00000058): Received from id 1645/50
Jul 3 17:50:35.444: RADIUS: Constructed " ppp negotiate"
Jul 3 17:50:37.852: RADIUS/ENCODE(00000058):Orig. component type = VPN_IPSEC
Jul 3 17:50:37.852: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul 3 17:50:37.852: RADIUS(00000058): sending
Jul 3 17:50:37.852: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul 3 17:50:37.852: RADIUS(00000058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul 3 17:50:37.852: RADIUS: authenticator AE 34 03 31 02 D0 C3 19 - 16 B0 6F DD 1E 26 FE 66
Jul 3 17:50:37.852: RADIUS: Acct-Session-Id [44] 10 "00000048"
Jul 3 17:50:37.852: RADIUS: Framed-IP-Address [8] 6 15.1.1.18
Jul 3 17:50:37.852: RADIUS: User-Name [1] 25 "t...@domain.com"
Jul 3 17:50:37.852: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Jul 3 17:50:37.852: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jul 3 17:50:37.852: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 3 17:50:37.852: RADIUS: NAS-Port [5] 6 3
Jul 3 17:50:37.852: RADIUS: NAS-Port-Id [87] 15 "E.F.G.H"
Jul 3 17:50:37.852: RADIUS: NAS-IP-Address [4] 6 X.X.X.X
Jul 3 17:50:37.852: RADIUS: Acct-Delay-Time [41] 6 0
Jul 3 17:50:37.856: RADIUS: Received from id 1646/33 Y.Y.Y.Y:1813, Accounting-response, len 20
Jul 3 17:50:37.856: RADIUS: authenticator B8 26 8E 14 AE AB AF AA - 67 C3 3C 1F 62 4D 70 5B

... but never assigns it to remote users; the cisco router assigns an IP address from its local pool.

The interesting lines of my cisco configuration are:

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius
crypto isakmp client configuration address-pool local vpnpool
crypto map rasvpn client authentication list ClientAuth
crypto map rasvpn client accounting list ClientAuth
crypto map rasvpn isakmp authorization list ClientAuth
crypto map rasvpn client configuration address respond
crypto map rasvpn 10 ipsec-isakmp dynamic dynmap

I also tried with the cisco av-pair attribute with no luck ...

Does anybody know what the problem could be?

Thanks!

Fred
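
A consistency check over the configuration lines posted above, as an added example that is not part of the original message: it lists every AAA method list that a crypto map references but that no aaa line of the matching service and type defines, with the closest defined name. The mapping from crypto map keyword to AAA service and type, and all function and variable names, are assumptions of this example.

```python
import difflib
import re

# Constructed input: the AAA and crypto map method-list lines copied from
# the message above (lines that name no method list are left out).
POSTED_CONFIG = """\
aaa new-model
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius
crypto map rasvpn client authentication list ClientAuth
crypto map rasvpn client accounting list ClientAuth
crypto map rasvpn isakmp authorization list ClientAuth
crypto map rasvpn client configuration address respond
"""

# Assumption of this example: which AAA (service, type) each crypto map
# keyword draws its method list from. Only these three forms are handled.
REFERENCES = {
    "client authentication": ("authentication", "login"),
    "isakmp authorization": ("authorization", "network"),
    "client accounting": ("accounting", "network"),
}
DEFINE_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) \S")
REF_RE = re.compile(r"^crypto map (\S+) (%s) list (\S+)$" % "|".join(REFERENCES))


def dangling_method_lists(config):
    """Return (map, service, type, list, closest defined name or None) for
    every method list a crypto map references that no aaa line defines."""
    defined, refs = set(), []
    for line in map(str.strip, config.splitlines()):
        if m := DEFINE_RE.match(line):
            defined.add(m.groups())  # (service, type, list name)
        elif m := REF_RE.match(line):
            refs.append((m.group(1), *REFERENCES[m.group(2)], m.group(3)))
    findings = []
    for cmap, service, kind, name in refs:
        if (service, kind, name) in defined:
            continue
        same_kind = [n for s, k, n in defined if (s, k) == (service, kind)]
        near = difflib.get_close_matches(name, same_kind, n=1)
        findings.append((cmap, service, kind, name, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for finding in dangling_method_lists(POSTED_CONFIG):
        print("crypto map %s: aaa %s %s list %r is not defined (closest: %s)" % finding)
```
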