Guys, I currently have FreeRADIUS working with a MySQL back-end to authenticate VPN users on my 2800 Cisco router. I have been trying to get the downloadable access-list feature working but am hitting a brick wall. If I enable cisco-avpair:=ipsec:inacl=185 I can see the RADIUS server responding with the access-list, but it does not get applied to the connecting VPN client, which is then unable to connect successfully. My router config and RADIUS debug are below. Your help is greatly appreciated.
Router Config:

aaa authentication login default group radius local
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test
 dns 200.12.240.9
 domain greendottt.net
 pool ippool
!
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto dynamic-map VPNClientMap 1
 set transform-set MD5_3DES
 reverse-route
!
!
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
crypto map Remoteusers client configuration address respond
crypto map Remoteusers 10 ipsec-isakmp dynamic VPNClientMap
!
!
!
!
interface FastEthernet0/0
 description External
 ip address 192.168.74.46 255.255.255.0
 duplex auto
 speed auto
 crypto map Remoteusers
radius-server host 192.168.74.45 auth-port 1812 acct-port 1813 key cisco
access-list 185 permit ip any any

Router debug:

*Feb 28 23:00:35.791: AAA/BIND(0000006B): Bind i/f
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:36.103: AAA/BIND(0000006C): Bind i/f
*Feb 28 23:00:39.147: RADIUS/ENCODE(0000006C):Orig. component type = VPN_IPSEC
*Feb 28 23:00:39.151: RADIUS: AAA Unsupported Attr: interface [157] 13
*Feb 28 23:00:39.155: RADIUS: 31 39 32 2E 31 36 38 2E 37 34 2E [192.168.74.]
*Feb 28 23:00:39.155: RADIUS/ENCODE(0000006C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 28 23:00:39.159: RADIUS(0000006C): Config NAS IP: 0.0.0.0
*Feb 28 23:00:39.163: RADIUS/ENCODE(0000006C): acct_session_id: 108
*Feb 28 23:00:39.163: RADIUS(0000006C): sending
*Feb 28 23:00:39.171: RADIUS/ENCODE: Best Local IP-Address 192.168.74.46 for Radius-Server 192.168.74.45
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS: authenticator 39 23 30 9E 12 B5 1A 85 - E8 FF 5E 4D 13 99 6C 73
*Feb 28 23:00:39.183: RADIUS: User-Name [1] 10 "smathura"
*Feb 28 23:00:39.187: RADIUS: User-Password [2] 18 *
*Feb 28 23:00:39.187: RADIUS: Calling-Station-Id [31] 15 "192.168.74.43"
*Feb 28 23:00:39.191: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Feb 28 23:00:39.195: RADIUS: NAS-Port [5] 6 0
*Feb 28 23:00:39.195: RADIUS: NAS-Port-Id [87] 15 "192.168.74.46"
*Feb 28 23:00:39.199: RADIUS: NAS-IP-Address [4] 6 192.168.74.46
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS: authenticator 28 AB B2 01 8C 17 3C E2 - AD 2C 98 DD 91 0D CF 6D
*Feb 28 23:00:39.387: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Feb 28 23:00:39.391: RADIUS: Vendor, Cisco [26] 23
*Feb 28 23:00:39.391: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=185"
*Feb 28 23:00:39.399: RADIUS(0000006C): Received from id 1645/56

Radius Server Debug:

rad_recv: Access-Request packet from host 192.168.74.46 port 1645, id=56, length=96
    User-Name = "smathura"
    User-Password = "xxxxxxxxx"
    Calling-Station-Id = "192.168.74.43"
    NAS-Port-Type = Virtual
    NAS-Port = 0
    NAS-Port-Id = "192.168.74.46"
    NAS-IP-Address = 192.168.74.46
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
    expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
    expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") -> SELECT groupname FROM radhuntgroup WHERE nasipaddress="192.168.74.46" AND nasportid LIKE IF (SUBSTRING("192.168.74.46", 1, 3) = 'tty', 'tty', "192.168.74.46") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "smathura")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
    expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") } -> vpn
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "smathura", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 211
++[files] returns ok
    expand: %{User-Name} -> smathura
rlm_sql (sql): sql_set_user escaped user --> 'smathura'
rlm_sql (sql): Reserving sql socket id: 2
    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'smathura' ORDER BY id
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'smathura' ORDER BY id
    expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'smathura' ORDER BY priority
    expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'engineering' ORDER BY id
rlm_sql (sql): User found in group engineering
    expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'engineering' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [smathura] (from client R1 port 0 cli 192.168.74.43)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 56 to 192.168.74.46 port 1645
    Service-Type := NAS-Prompt-User
    Cisco-AVPair := "ipsec:inacl=185"
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 15 ID 56 with timestamp +2444
Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
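A worked example, added here and not part of the original post, that rebuilds the Access-Accept from the two traces above byte for byte. It encodes Service-Type = NAS-Prompt-User (7) and the Cisco Vendor-Specific attribute carrying "ipsec:inacl=185" the way RFC 2865 lays them out, checks that the sizes come out exactly as the router printed them (Vendor [26] 23, Cisco AVpair [1] 17, Access-Accept len 49), decodes them again with a TLV walker that rejects a length byte below 2 or a vendor length that overruns the attribute (the classic RADIUS parser bug is to loop or over-read on those), and recomputes the Response Authenticator from the shared secret "cisco" in the router config plus the request authenticator in the router debug. The only values taken from the post are those, the two authenticators and the two reply attributes; the authenticator comparison is reported rather than assumed, since it can only hold if the trace is byte-exact and FreeRADIUS sent the attributes in the order shown.

```python
"""Reconstruct the Access-Accept from the traces above and check it on the wire.

Added example, not code from the original post. Values taken from the post:
the shared secret "cisco" (router config), the Access-Request authenticator,
the Access-Accept authenticator, and the two reply attributes.
"""
import hashlib
import struct

RADIUS_HEADER_LEN = 20          # code(1) id(1) length(2) authenticator(16)
CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # vendor-type of Cisco-AVPair
SERVICE_TYPE_NAS_PROMPT = 7

# From the router "debug radius" output in the post.
REQUEST_AUTH = bytes.fromhex("3923309E12B51A85E8FF5E4D13996C73")
TRACE_RESPONSE_AUTH = bytes.fromhex("28ABB2018C173CE2AD2C98DD910DCF6D")
TRACE_ID = 56
SHARED_SECRET = b"cisco"        # "radius-server host ... key cisco"


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    """Plain RFC 2865 attribute carrying a 32-bit integer: type, length=6, value."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping one Cisco-AVPair (vendor 9, vendor-type 1)."""
    payload = text.encode("ascii")
    sub_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attrs(blob: bytes) -> list:
    """Walk the attribute TLVs. Returns (type, raw) for plain attributes and
    (26, vendor_id, vendor_type, text) for a single-sub-attribute VSA.
    Rejects length < 2 and truncated attributes instead of looping or over-reading."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, i))
        value = blob[i + 2:i + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len < 2 or vendor_len != len(value) - 4:
                raise ValueError("bad vendor length %d" % vendor_len)
            out.append((attr_type, vendor_id, vendor_type,
                        value[6:4 + vendor_len].decode("ascii")))
        else:
            out.append((attr_type, value))
        i += attr_len
    return out


def build_accept_attrs() -> bytes:
    """The two attributes FreeRADIUS sent, in the order both traces list them."""
    return (encode_integer_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_NAS_PROMPT)
            + encode_cisco_avpair("ipsec:inacl=185"))


def packet_length(attrs: bytes) -> int:
    return RADIUS_HEADER_LEN + len(attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, packet_length(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def authenticator_matches_trace() -> bool:
    """True only if the attributes, secret and request authenticator above are
    byte-for-byte what the two peers used; a mismatch means a wrong secret,
    a different attribute order, or a transcription slip in the trace."""
    computed = response_authenticator(CODE_ACCESS_ACCEPT, TRACE_ID, REQUEST_AUTH,
                                      build_accept_attrs(), SHARED_SECRET)
    return computed == TRACE_RESPONSE_AUTH


if __name__ == "__main__":
    attrs = build_accept_attrs()
    print("packet length:", packet_length(attrs))                        # router printed len 49
    print("VSA length:", len(encode_cisco_avpair("ipsec:inacl=185")))    # Vendor [26] 23
    for item in decode_attrs(attrs):
        print(item)
    print("response authenticator matches trace:", authenticator_matches_trace())
```

The same arithmetic explains the request side of the trace: the seven request attributes the router listed (10 + 18 + 15 + 6 + 6 + 15 + 6 bytes) plus the 20-byte header give the len 96 that both ends printed, so the two debugs are looking at the same packets and the VSA really does reach the router intact.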