Hello all,
I am using FreeRadius 2.1.8 with MySQL to authenticate BBA users. I get L2TP
sessions from my ISP (=LAC) arriving in VRF l2tp_vrf which I want to terminate
in a different VRF (e.g. inet_vrf). Basic authentication works as long as I do
not introduce cisco-avpair attributes.
Which ones do I need? I tried "lcp:interface-config#1=ip vrf forwarding
(inet_vrf)" and "ip:vrf-id:=inet_vrf" in my radgroupreply table - without
success. From the "debug radius authentication" I see "AAA Unsupported Attr:
interface" and "parse unknown cisco vsa "vrf-id:". Here are some parts of my
Cisco config:
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
 action-type start-stop
 group radius
aaa accounting network default
 action-type start-stop
 broadcast
 group radius
aaa accounting connection default
 action-type start-stop
 group radius
aaa session-id common
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 vpn vrf l2tp_vrf
 source-ip xxx.xxx.xxx.xxx
 local name LNS
 l2tp tunnel password 0 xyz
 ip mtu adjust
interface Virtual-Template1
 mtu 1460
 ip unnumbered Loopback0
 no snmp trap link-status
 peer default ip address pool INET_ADDR_POOL
 no keepalive
 ppp mru match
 ppp authentication pap callin
 ppp ipcp mask 255.255.255.255
end
What am I missing? Thanks in advance!
Cheers,
Alexander
+----+-----------+--------------------+----+----------------------------------------------+
| id | GroupName | Attribute          | op | Value                                        |
+----+-----------+--------------------+----+----------------------------------------------+
|  1 | dynamic   | Framed-Protocol    | =  | PPP                                          |
|  2 | dynamic   | Framed-MTU         | =  | 1460                                         |
|  3 | dynamic   | Framed-Compression | =  | None                                         |
|  4 | dynamic   | Service-Type       | =  | Framed                                       |
|  5 | dynamic   | Session-Timeout    | =  | 86400                                        |
|  6 | dynamic   | Idle-Timeout       | =  | 3600                                         |
|  7 | dynamic   | cisco-avpair       | =  | "ip:ip-unnumbered=lo0"                       |
|  8 | dynamic   | cisco-avpair       | =  | "ip:vrf-id:=inet_vrf"                        |
|  9 | dynamic   | cisco-avpair       | =  | "ip:dns-servers=192.92.138.35 193.81.83.2"   |
+----+-----------+--------------------+----+----------------------------------------------+
rad_recv: Access-Request packet from host xxx.xxx.50.254 port 1645, id=117,
length=134
Framed-Protocol = PPP
User-Name = "dummy"
User-Password = "dummypass"
Calling-Station-Id = "xxx"
Called-Station-Id = "corporate.xyz"
Connect-Info = "8640000"
NAS-Port-Type = Virtual
NAS-Port = 106
NAS-Port-Id = "Uniq-Sess-ID106"
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.50.254
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dummy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> dummy
[sql] sql_set_user escaped user --> 'dummy'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'dummy' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'dummy' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM usergroup WHERE username = 'dummy' ORDER BY
priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "dummypass"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 117 to xxx.xxx.50.254 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1460
Service-Type = Framed-User
Session-Timeout = 86400
Idle-Timeout = 3600
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding (inet_vrf)"
Finished request 31.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.50.254 port 1645, id=118,
length=134
Framed-Protocol = PPP
User-Name = "dummy"
User-Password = "dummypass"
Calling-Station-Id = "xxx"
Called-Station-Id = "corporate.xyz"
Connect-Info = "8640000"
NAS-Port-Type = Virtual
NAS-Port = 107
NAS-Port-Id = "Uniq-Sess-ID107"
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.50.254
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dummy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> dummy
[sql] sql_set_user escaped user --> 'dummy'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'dummy' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'dummy' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM usergroup WHERE username = 'dummy' ORDER BY
priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "dummypass"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 118 to xxx.xxx.50.254 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1460
Service-Type = Framed-User
Session-Timeout = 86400
Idle-Timeout = 3600
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding (inet_vrf)"
Finished request 32.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 31 ID 117 with timestamp +9697
Waking up in 3.0 seconds.
Cleaning up request 32 ID 118 with timestamp +9700
Ready to process requests.
RADIUS/ENCODE(00000085):Orig. component type = VPDN
RADIUS: AAA Unsupported Attr: interface [175] 15
RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 31 [Uniq-Sess-ID1]
RADIUS(00000085): Config NAS IP: xxx.xxx.50.254
RADIUS/ENCODE(00000085): acct_session_id: 178
RADIUS(00000085): sending
RADIUS(00000085): Send Access-Request to xxx.xxx.50.1:1812 id 1645/117, len 134
RADIUS: authenticator 91 E6 3D BE D8 86 10 4C - 6F A3 36 6F DA D3 3A 50
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: User-Name [1] 7 "dummy"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 14 "xxx"
RADIUS: Called-Station-Id [30] 19 "corporate.xyz"
RADIUS: Connect-Info [77] 9 "8640000"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 106
RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID106"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 xxx.xxx.50.254
RADIUS: Received from id 1645/117 xxx.xxx.50.1:1812, Access-Accept, len 115
RADIUS: authenticator 87 03 C4 01 B0 4A 64 80 - D0 18 EB A5 55 5C A2 E2
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
RADIUS: Framed-MTU [12] 6 1460
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Session-Timeout [27] 6 86400
RADIUS: Idle-Timeout [28] 6 3600
RADIUS: Vendor, Cisco [26] 59
RADIUS: Cisco AVpair [1] 53 "lcp:interface-config#1=ip vrf
forwarding (inet_vrf)"
RADIUS(00000085): Received from id 1645/117
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
RADIUS/ENCODE(00000086):Orig. component type = VPDN
RADIUS: AAA Unsupported Attr: interface [175] 15
RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 31 [Uniq-Sess-ID1]
RADIUS(00000086): Config NAS IP: xxx.xxx.50.254
RADIUS/ENCODE(00000086): acct_session_id: 179
RADIUS(00000086): sending
RADIUS(00000086): Send Access-Request to xxx.xxx.50.1:1812 id 1645/118, len 134
RADIUS: authenticator 67 73 4C 0A AA 9B 68 1C - 9B 52 CD 99 56 47 2D 49
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: User-Name [1] 7 "dummy"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 14 "xxx"
RADIUS: Called-Station-Id [30] 19 "corporate.xyz"
RADIUS: Connect-Info [77] 9 "8640000"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 107
RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID107"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 xxx.xxx.50.254
RADIUS: Received from id 1645/118 xxx.xxx.50.1:1812, Access-Accept, len 115
RADIUS: authenticator 82 52 2E 9B 8B 87 4A 37 - FD 85 78 C3 11 73 C3 C6
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
RADIUS: Framed-MTU [12] 6 1460
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: Session-Timeout [27] 6 86400
RADIUS: Idle-Timeout [28] 6 3600
RADIUS: Vendor, Cisco [26] 59
RADIUS: Cisco AVpair [1] 53 "lcp:interface-config#1=ip vrf
forwarding (inet_vrf)"
RADIUS(00000086): Received from id 1645/118
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
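Added example, not part of Alexander's post and not FreeRADIUS or Cisco code: a small Python script that encodes and decodes the RFC 2865 Vendor-Specific attribute that carries a Cisco-AVPair, then checks the AVPair text against Cisco's protocol:attribute[#tag]=value grammar. Encoding the string the LNS received reproduces the two lengths in the IOS debug above (Vendor, Cisco [26] 59 and Cisco AVpair [1] 53), and the grammar check rejects "ip:vrf-id:=inet_vrf" for the same reason IOS logged parse unknown cisco vsa "vrf-id:", namely that an attribute name cannot contain a colon. The sample list is constructed from the radgroupreply rows and the Access-Accept in the post; the function names and the regex are my own reading of the grammar, not a Cisco or FreeRADIUS API.

```python
import re
import struct

# Wire constants from RFC 2865 (Vendor-Specific = 26) and the FreeRADIUS
# dictionary.cisco (enterprise 9, Cisco-AVPair = vendor type 1).
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode one Cisco-AVPair as a complete Vendor-Specific attribute.

    Layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) String.
    Length counts the whole attribute, Vendor-Length only the sub-attribute.
    """
    text = avpair.encode("ascii")
    sub_len = 2 + len(text)
    if 6 + sub_len > 255:
        raise ValueError("AVPair does not fit in one RADIUS attribute")
    return (struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + sub_len, VENDOR_CISCO)
            + struct.pack("!BB", CISCO_AVPAIR, sub_len) + text)


def decode_cisco_avpair(buf: bytes) -> dict:
    """Inverse of encode_cisco_avpair, validating every length field.

    Returns what 'debug radius' prints on the router: the outer length
    ("Vendor, Cisco [26] N"), the sub-attribute length ("Cisco AVpair [1] N")
    and the text.
    """
    if len(buf) < 8:
        raise ValueError("truncated Vendor-Specific attribute")
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", buf[:6])
    if attr_type != ATTR_VENDOR_SPECIFIC or attr_len != len(buf):
        raise ValueError("outer type/length mismatch")
    if vendor_id != VENDOR_CISCO:
        raise ValueError(f"not a Cisco VSA (vendor {vendor_id})")
    vtype, vlen = struct.unpack("!BB", buf[6:8])
    if vtype != CISCO_AVPAIR or vlen != attr_len - 6:
        raise ValueError("sub-attribute type/length mismatch")
    return {"outer_len": attr_len, "sub_len": vlen,
            "text": buf[8:8 + vlen - 2].decode("ascii")}


# Cisco AVPair text grammar: protocol:attribute[#tag]<sep>value, where <sep>
# is '=' (mandatory) or '*' (optional). This regex is my reading of that
# grammar, not Cisco's parser; a ':' inside the attribute name is rejected.
_AVPAIR_RE = re.compile(
    r"^(?P<proto>[a-z]+):(?P<attr>[A-Za-z0-9_-]+)(?:#(?P<tag>\d+))?"
    r"(?P<sep>[=*])(?P<value>.*)$")


def parse_cisco_avpair(text: str) -> dict:
    """Split an AVPair into proto/attr/tag/value plus a mandatory flag."""
    m = _AVPAIR_RE.match(text)
    if m is None:
        raise ValueError(f"malformed Cisco AVPair: {text!r}")
    d = m.groupdict()
    d["tag"] = int(d["tag"]) if d["tag"] is not None else None
    d["mandatory"] = d.pop("sep") == "="
    return d


def check_avpairs(avpairs):
    """Validate a list of AVPair strings (e.g. one radgroupreply column).

    Returns (parsed, problems): well-formed pairs as dicts, the rest as error
    strings, so a table can be linted before the NAS ever sees it.
    """
    parsed, problems = [], []
    for s in avpairs:
        try:
            parsed.append(parse_cisco_avpair(s))
        except ValueError as exc:
            problems.append(str(exc))
    return parsed, problems


# Constructed sample: the three cisco-avpair values from the radgroupreply
# table in the post, plus the one that appeared in the Access-Accept.
SAMPLE_AVPAIRS = [
    "ip:ip-unnumbered=lo0",
    "ip:vrf-id:=inet_vrf",
    "ip:dns-servers=192.92.138.35 193.81.83.2",
    "lcp:interface-config#1=ip vrf forwarding (inet_vrf)",
]

if __name__ == "__main__":
    vsa = encode_cisco_avpair(SAMPLE_AVPAIRS[-1])
    print(decode_cisco_avpair(vsa))  # outer_len 59, sub_len 53, as in the IOS debug
    parsed, problems = check_avpairs(SAMPLE_AVPAIRS)
    for p in parsed:
        print("ok      ", p)
    for err in problems:
        print("rejected", err)
```

Two things worth keeping in mind when pasting this kind of output to a list: radiusd -X prints User-Password in the clear, and whatever string ends up in lcp:interface-config is applied by the LNS as interface configuration, with nothing but the RADIUS shared secret between the SQL table and the router's running config.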