Re: (RADIATOR) Cisco AVPAIR not working
Hello Thony,

On the 5300 terminal, do:

    debug radius
    debug aaa authorization
    terminal monitor

then make a test call and see what comes out. I think you'll see the router ignoring or flagging one of the attributes as erroneous.

BTW, your IOS version looks rather old. I wouldn't expect avpairs to do their job properly in anything older than 12.1. If you come to see something odd in the debug output, you may want to upgrade IOS to, say, 12.2.6 or better.

regards
cl.

From: Anthony Roque Adriano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Cisco AVPAIR not working
Date: Wed, 4 Sep 2002 10:31:51 +0800

> [original post quoted in full; see the message below]
(RADIATOR) Cisco AVPAIR not working
Hello,

I am currently configuring RADIATOR to give a DNS entry instead of the RAS giving it. The setup is working for the ASCEND RAS, but for my CISCO 5300 it's not. I have gone through the mailing list and tried all suggestions, but still can't get it to work. Can anyone point out what I'm doing wrong? Here's my config:

    #LogStdout
    LogDir /var/log/radius-log
    LogFile %L/%Y-%m-%d-radiuslog
    DbDir /usr/local/etc/raddb
    DictionaryFile /usr/local/etc/raddb/dictionary.cisco
    DictionaryFile /usr/local/etc/raddb/dictionary.ascend2
    DictionaryFile /usr/local/etc/raddb/dictionary.livingston
    DictionaryFile /usr/local/etc/raddb/dictionary

    # Dont turn this up too high, since all log messages are logged
    # to the RADMESSAGES table in the database. 3 will give you everything
    # except debugging messages
    Trace 4

    <AuthBy RADMIN>
        Identifier Acceptmehere

        # Change DBSource, DBUsername, DBAuth for your database
        # See the reference manual. You will also have to
        # change the one in SessionDatabase SQL below
        # so its the same
        DBSource dbi:mysql:#
        DBUsername ##
        DBAuth ##

        # Only one session per user at a time
        #DefaultSimultaneousUse 1

        # Let the user in if they have any time left
        # Set the Session-timeout to timeleft
        # NB: the comparison operators in this WHERE clause were lost when the
        # message was archived (angle brackets stripped); the VALIDFROM/VALIDTO
        # window check is restored here as an assumption.
        AuthSelect select PASS_WORD,STATICADDRESS,\
            MAXLOGINS,FRAMED_NETMASK,FRAMED_FILTER_ID \
            from RADUSERS where (USERNAME='%n' and VALIDFROM <= %t and VALIDTO >= %t)
        # column index N refers to the Nth column of AuthSelect, counted from 0
        AuthColumnDef 0,User-Password,check
        AuthColumnDef 1,Filter-Id,reply
        AuthColumnDef 2,Session-Timeout,reply
        AuthColumnDef 3,Simultaneous-Use,check

        # You can add to or change these if you want, but you
        # will probably want to change the database schema first
        AccountingTable RADUSAGE
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
        AcctColumnDef ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASIDENTIFIER,NAS-IP-Address
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef DNIS,Called-Station-Id
        AcctColumnDef CALLERID,Calling-Station-Id

        # These are the classic things to add to each users
        # reply to allow a PPP dialup session. It may be
        # different for your NAS. This will add some
        # reply items to everyone's reply
        # Add Idle-Timeout of 15 mins
        DefaultReply Service-Type = Framed-User, \
            Framed-Protocol = PPP, \
            Framed-IP-Netmask = 255.255.255.255, \
            Framed-Routing = None, \
            Framed-MTU = 1500, \
            Framed-Compression = Van-Jacobson-TCP-IP, \
            Idle-Timeout = 900, \
            cisco-avpair = "ip:dns-servers=xxx.xxx.xxx.xxx", \
            Ascend-Client-Primary-DNS = xxx.xxx.xxx.xxx, \
            Ascend-Client-Secondary-DNS = xxx.xxx.xxx.xxx, \
            Ascend-Client-Assign-DNS = DNS-Assign-Yes
    </AuthBy>

    <Handler Realm=myrealm>
        AuthBy Acceptmehere
        # Show rejection reason to users
        RejectHasReason
    </Handler>

By the way, I'm using a Cisco 5300:

    Cisco Internetwork Operating System Software
    IOS (tm) 5300 Software (C5300-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Wed 08-Dec-99 20:25 by phanguye
    Image text-base: 0x600088F8, data-base: 0x60C6A000

And here is my RADIUS log file:

    Tue Sep 3 15:13:37 2002: DEBUG: Packet dump:
    *** Received from xxx.xxx.xxx.xxx port 33554 ....
    Code:       Access-Request
    Identifier: 174
    Authentic:  E1472035162145t149E3180T1942022318
    Attributes:
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 228
        NAS-Port-Type = Virtual
        User-Name = "user@myrealm"
        Called-Station-Id = ""
        Calling-Station-Id = ""
        User-Password = "212 1441647176206113182255165164141145181149"
        Service-Type = Framed-User
        Framed-Protocol = PPP

    Tue Sep 3 15:13:37 2002: DEBUG: Check if Handler Realm=myrealm should be used to handle this request
    Tue Sep 3 15:13:37 2002: DEBUG: Handling request with Handler 'Realm=myrealm'
    Tue Sep 3 15:13:37 2002: DEBUG: Deleting session for user@myrealm, xxx.xxx.xxx.xxx, 228
    Tue Sep 3 15:13:37 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=0228
    Tue Sep 3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with Radius::AuthRADMIN')
    Tue Sep 3 15:13:37 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1031037217, 4, 'Handling with Radius::AuthRADMIN: Acceptmehere')
    Tue Sep 3 15:13:37 2002: DEBUG: Query is: select
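Added example, not part of the original post and not Radiator's or Cisco's code: the reply items from the DefaultReply above, built by hand into an Access-Accept exactly as RFC 2865 lays them out on the wire, then parsed back so the Vendor-Specific attribute carrying cisco-avpair (vendor 9, vendor-type 1, which is how Radiator's dictionary defines it) can be inspected octet by octet. The Ascend attributes are left out since they are not what the 5300 is expected to act on. The shared secret, the all-zero Request Authenticator, the identifier and the 192.0.2.53 DNS address are constructed placeholders; the 247-octet ceiling on the avpair string follows from the one-octet Length fields in RFC 2865 section 5.26.

```python
"""Build and decode a RADIUS Access-Accept carrying a Cisco cisco-avpair VSA."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor-type of cisco-avpair (Radiator dictionary: VENDORATTR 9 cisco-avpair 1 string)

# RFC 2865 attribute numbers for the items in the DefaultReply on the page
ATTR = {"Service-Type": 6, "Framed-Protocol": 7, "Framed-IP-Netmask": 9,
        "Framed-Routing": 10, "Framed-MTU": 12, "Framed-Compression": 13,
        "Idle-Timeout": 28}


def attribute(atype: int, value: bytes) -> bytes:
    """Type (1 octet) + Length (1 octet, counts the header) + Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4 octets) then the vendor's own Type/Length/String.
    4 octets of Vendor-Id plus the 2-octet inner header leave 247 octets for the string."""
    data = text.encode("ascii")
    if len(data) > 247:
        raise ValueError("cisco-avpair string longer than 247 octets")
    inner = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def integer(atype: int, v: int) -> bytes:
    return attribute(atype, struct.pack("!I", v))


def ipaddr(atype: int, v: str) -> bytes:
    return attribute(atype, IPv4Address(v).packed)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, dns: str) -> bytes:
    """Access-Accept with the page's DefaultReply items (Ascend attributes omitted)."""
    attrs = b"".join([
        integer(ATTR["Service-Type"], 2),        # Framed-User
        integer(ATTR["Framed-Protocol"], 1),     # PPP
        ipaddr(ATTR["Framed-IP-Netmask"], "255.255.255.255"),
        integer(ATTR["Framed-Routing"], 0),      # None
        integer(ATTR["Framed-MTU"], 1500),
        integer(ATTR["Framed-Compression"], 1),  # Van-Jacobson-TCP-IP
        integer(ATTR["Idle-Timeout"], 900),
        cisco_avpair(f"ip:dns-servers={dns}"),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS performs before it trusts any attribute in the reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse(packet: bytes):
    """Return (code, identifier, attributes); VSAs are split into vendor/type/value."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append(("Vendor-Specific", vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, value))
        pos += alen
    return code, identifier, out


def cisco_avpairs(packet: bytes) -> list:
    """The cisco-avpair strings exactly as the NAS receives them."""
    _, _, attrs = parse(packet)
    return [a[3].decode() for a in attrs
            if a[0] == "Vendor-Specific" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR]


if __name__ == "__main__":
    pkt = build_access_accept(174, bytes(16), b"constructed-secret", "192.0.2.53")
    print(len(pkt), "octets;", cisco_avpairs(pkt))
```

Compare what `cisco_avpairs()` returns with the attribute the 5300 prints under `debug radius` for the Access-Accept: if the string arrives intact and the router still does not apply it, the problem lies in how that IOS release interprets `ip:dns-servers=`, not in Radiator's encoding of the VSA.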
Re: (RADIATOR) Cisco AVPAIR not working
Hello Anthony -

You will have to check a debug on the Cisco to see what is happening, and you will have to check with Cisco to ascertain the correct syntax for the cisco-avpair. It may also be possible to use Ascend compatibility on the Cisco to achieve this.

I do not believe there is any way to override hard-coded DNS settings on a host, although someone else on the list may know more than I do.

regards

Hugh

On Wednesday, September 4, 2002, at 12:31 PM, Anthony Roque Adriano wrote:

> [original post quoted in full; see the message above]