Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x
Hi Hugh,

Hugh Irvine wrote:

Hi Charly -

Thanks for your mail. The Radiator 3.7.1 standard dictionary already has most of the definitions you list below. I will add the additional ones that you have sent, but they will have the existing Altiga prefix. I'll send you a copy of the modified dictionary in a separate mail.

thanks

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

I just stumbled over this error in the first:

Fri Oct 31 09:23:17 2003: ERR: Attribute number 32 (vendor 3076) is not defined in your dictionary
Fri Oct 31 09:23:17 2003: DEBUG: Packet dump:
*** Received from 134.60.112.177 port 1287
Code: Access-Request
...

I can't trigger all missing attributes, since I do not use all features of the VPN Concentrator. The most useful info for all new/old attributes is:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml

from where I've the definitions and values, from the other sources I took the mnemonics for the names.

Regards
Charly

--
Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED] Service Group Network
Tel.: ++49 731 50-22499

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x
I'm actually having a similar problem right now. I'm not sure if I'm not seeing the VSA's or if my VPN 3000 isn't sending them. When I get the authentication request I see:

Fri Oct 31 10:06:16 2003: DEBUG: Packet dump:
*** Received from 132.241.67.38 port 3323
Code: Access-Request
Identifier: 189
Authentic:
Attributes:
    User-Name = jward
    User-Password =
    NAS-Port = 10492
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Tunnel-Client-Endpoint = 132.241.67.22
    NAS-IP-Address = 132.241.67.38
    NAS-Port-Type = Virtual

I know that there are other VSAs that should come in with the Access-Request, but I'm not seeing them. I'm not sure if my VPN concentrator is configured wrong or if I'm not accepting them. Any thoughts or insight?

Thanks!!!

-Josh
Network Operations
California State University, Chico

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karl Gaissmaier
Sent: Friday, October 31, 2003 12:30 AM
To: Hugh Irvine
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x

Hi Hugh,

Hugh Irvine wrote:

Hi Charly -

Thanks for your mail. The Radiator 3.7.1 standard dictionary already has most of the definitions you list below. I will add the additional ones that you have sent, but they will have the existing Altiga prefix. I'll send you a copy of the modified dictionary in a separate mail.

thanks

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

I just stumbled over this error in the first:

Fri Oct 31 09:23:17 2003: ERR: Attribute number 32 (vendor 3076) is not defined in your dictionary
Fri Oct 31 09:23:17 2003: DEBUG: Packet dump:
*** Received from 134.60.112.177 port 1287
Code: Access-Request
...

I can't trigger all missing attributes, since I do not use all features of the VPN Concentrator. The most useful info for all new/old attributes is:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml

from where I've the definitions and values, from the other sources I took the mnemonics for the names.

Regards
Charly

--
Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED] Service Group Network
Tel.: ++49 731 50-22499
Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x
Hello Josh -

You can see the hex dumps of the received packets by running at trace 5. If there are no errors when decoding the incoming request, then the attributes are not in the packets and you will need to configure something in the NAS to get them.

regards

Hugh

On 01/11/2003, at 5:58 AM, Ward, Josh wrote:

I'm actually having a similar problem right now. I'm not sure if I'm not seeing the VSA's or if my VPN 3000 isn't sending them. When I get the authentication request I see:

Fri Oct 31 10:06:16 2003: DEBUG: Packet dump:
*** Received from 132.241.67.38 port 3323
Code: Access-Request
Identifier: 189
Authentic:
Attributes:
    User-Name = jward
    User-Password =
    NAS-Port = 10492
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Tunnel-Client-Endpoint = 132.241.67.22
    NAS-IP-Address = 132.241.67.38
    NAS-Port-Type = Virtual

I know that there are other VSAs that should come in with the Access-Request, but I'm not seeing them. I'm not sure if my VPN concentrator is configured wrong or if I'm not accepting them. Any thoughts or insight?

Thanks!!!

-Josh
Network Operations
California State University, Chico

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karl Gaissmaier
Sent: Friday, October 31, 2003 12:30 AM
To: Hugh Irvine
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x

Hi Hugh,

Hugh Irvine wrote:

Hi Charly -

Thanks for your mail. The Radiator 3.7.1 standard dictionary already has most of the definitions you list below. I will add the additional ones that you have sent, but they will have the existing Altiga prefix. I'll send you a copy of the modified dictionary in a separate mail.

thanks

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

I just stumbled over this error in the first:

Fri Oct 31 09:23:17 2003: ERR: Attribute number 32 (vendor 3076) is not defined in your dictionary
Fri Oct 31 09:23:17 2003: DEBUG: Packet dump:
*** Received from 134.60.112.177 port 1287
Code: Access-Request
...

I can't trigger all missing attributes, since I do not use all features of the VPN Concentrator. The most useful info for all new/old attributes is:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml

from where I've the definitions and values, from the other sources I took the mnemonics for the names.

Regards
Charly

--
Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED] Service Group Network
Tel.: ++49 731 50-22499

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
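An added example, not part of any message in this thread and not Radiator code: once a trace 5 hex dump is in hand, this sketch walks the attribute section of a RADIUS packet (the bytes after the 20-byte header), unpacks Vendor-Specific (type 26) attributes for vendor 3076, and lists sub-attribute numbers that the dictionary does not define. The function names and the sample bytes are constructed for illustration, the three dictionary entries are taken from the list posted in this thread, and one-byte type and length fields inside the VSA are assumed.

```python
import struct

RADIUS_VSA = 26       # Vendor-Specific attribute type (RFC 2865)
VENDOR_3076 = 3076    # Cisco VPN 3000 Concentrator, formerly Altiga

# Subset of the vendor 3076 dictionary from this thread: number -> (name, type)
DICT_3076 = {
    2: ("CVPN-3K-Simultaneous-Logins-G/U", "integer"),
    5: ("CVPN-3K-Primary-DNS-G", "ipaddr"),
    15: ("CVPN-3K-Arg-ModeCfg-IPSec-Banner", "string"),
}

def decode_value(kind, raw):
    if kind == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if kind == "ipaddr" and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return raw.decode("latin-1")

def walk_tlvs(buf):
    """Yield (type, value) pairs; reject a length that overruns the buffer."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def vendor_attrs(attr_bytes, vendor=VENDOR_3076, dictionary=DICT_3076):
    """attr_bytes: packet minus its 20-byte header. Returns (decoded, undefined)."""
    decoded, undefined = {}, []
    for atype, value in walk_tlvs(attr_bytes):
        if atype != RADIUS_VSA or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor:
            continue
        for num, raw in walk_tlvs(value[4:]):
            if num in dictionary:
                name, kind = dictionary[num]
                decoded[name] = decode_value(kind, raw)
            else:
                undefined.append(num)  # what the dictionary ERR line reports
    return decoded, undefined

# Constructed sample: User-Name "jward", then one VSA for vendor 3076 holding
# sub-attribute 5 (ipaddr 10.0.0.53) and 32 (integer 1, absent from DICT_3076).
SAMPLE = bytes.fromhex("01076a77617264" "1a12" "00000c04" "05060a000035" "200600000001")

if __name__ == "__main__":
    print(vendor_attrs(SAMPLE))
```

An empty result for both values means the NAS sent no vendor 3076 attributes at all, which is the case Hugh describes; a non-empty `undefined` list points at missing dictionary entries instead.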
Re: (RADIATOR) VSA's (26/3076/x) for the Cisco VPN 3000 Firmware Version 4.x
Hi Charly -

Thanks for your mail. The Radiator 3.7.1 standard dictionary already has most of the definitions you list below. I will add the additional ones that you have sent, but they will have the existing Altiga prefix. I'll send you a copy of the modified dictionary in a separate mail.

regards

Hugh

On 31/10/2003, at 4:03 AM, Karl Gaissmaier wrote:

Hi Hugh or Mike,

after searching for a proper VSA file for the new Version of the Cisco VPN Concentrator software without luck, I assembled a radiator compliant VSA dictionary from the different sources on the web.

Hugh or Mike, perhaps you can put it into the goodies folder in the next release/patch.

P.S. I know that the standard dictionary contains VSA's for the vendor code 3076 (formerly Altiga), but this is not enough for the new Software Versions on the Cisco VPN Concentrators.

Best regards
Charly

--
Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email:[EMAIL PROTECTED] Service Group Network
Tel.: ++49 731 50-22499

# --
# Start OF Cisco VPN 3k Vendor-specific information
# --
#
# Accumulated by [EMAIL PROTECTED], 29/10/2003
# Please send me patches and corrections.
#
# Sources:
# Cisco VPN 3000 Concentrator Vendor Specific Attributes 2.0 - 3.6
# on http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094e96.shtml
#
# and:
# cisco3k.dct, Funk Radius Dictionary File for VPN 3000 in the download area
# of the Cisco VPN 3000 Concentrator
#
# and:
# http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/ad.htm#984410
#
#
# The suffixes at the end of each attribute indicate if the attribute is a
# Group only attribute (-G) or is a Group and/or User attribute (-G/U).
#
# VSA Code 3076, Cisco VPN 3000 Concentrator, formerly Altiga
#
VENDORATTR 3076 CVPN-3K-Access-Hours-G/U 1 string
VENDORATTR 3076 CVPN-3K-Simultaneous-Logins-G/U 2 integer
VENDORATTR 3076 CVPN-3K-Primary-DNS-G 5 ipaddr
VENDORATTR 3076 CVPN-3K-Secondary-DNS-G 6 ipaddr
VENDORATTR 3076 CVPN-3K-Primary-WINS-G 7 ipaddr
VENDORATTR 3076 CVPN-3K-Secondary-WINS-G 8 ipaddr
VENDORATTR 3076 CVPN-3K-SEP-Card-Assignment-G/U 9 integer
VENDORATTR 3076 CVPN-3K-Tunneling-Protocols-G/U 11 integer
VENDORATTR 3076 CVPN-3K-IPSec-Sec-Association-G/U 12 string
VENDORATTR 3076 CVPN-3K-IPSec-Authentication-G 13 integer
VENDORATTR 3076 CVPN-3K-Arg-ModeCfg-IPSec-Banner 15 string
VENDORATTR 3076 CVPN-3K-ModeCfg-IPSec-Allow-Passwd-Store-G 16 integer
VENDORATTR 3076 CVPN-3K-Use-Client-Address-G/U 17 integer
VENDORATTR 3076 CVPN-3k-PPTP-Minimal-Auth-Protocol-G/U 18 integer
VENDORATTR 3076 CVPN-3k-L2TP-Minimal-Auth-Protocol-G/U 19 integer
VENDORATTR 3076 CVPN-3K-PPTP-Encryption-G 20 integer
VENDORATTR 3076 CVPN-3K-L2TP-Encryption-G 21 integer
VENDORATTR 3076 CVPN-3k-Arg-Authentication-Server-Type 22 integer
VENDORATTR 3076 CVPN-3k-Arg-Authentication-Server-Password 23 string
VENDORATTR 3076 CVPN-3k-Arg-Request-Authenticator-Vector 24 string
VENDORATTR 3076 CVPN-3k-IPSec-LTL-Keepalives 25 integer
VENDORATTR 3076 CVPN-3k-Arg-IPSec-Group-Name 26 integer
VENDORATTR 3076 CVPN-3K-Arg-ModeCfg-IPSec-Split-Tunnel-List 27 string
VENDORATTR 3076 CVPN-3K-ModeCfg-IPSec-Default-Domain-G 28 string
VENDORATTR 3076 CVPN-3K-IPSec-Secondary-Domain-List-G 29 string
VENDORATTR 3076 CVPN-3K-IPSec-Tunnel-Type-G 30 integer
VENDORATTR 3076 CVPN-3K-IPSec-Mode-Config-G 31 integer
VENDORATTR 3076 CVPN-3k-Arg-Authentication-Server-Priority 32 integer
VENDORATTR 3076 CVPN-3K-IPSec-User-Group-Lock-G 33 integer
VENDORATTR 3076 CVPN-3K-ModeCfg-IPSec-Over-UDP-G 34 integer
VENDORATTR 3076 CVPN-3K-ModeCfg-IPSec-Over-UDP-Port-Num-G 35 integer
VENDORATTR 3076 CVPN-3K-IPSec-Banner2-G 36 string
VENDORATTR 3076 CVPN-3K-PPTP-MPPC-Compression-G 37 integer
VENDORATTR 3076 CVPN-3K-L2TP-MPPC-Compression-G 38 integer
VENDORATTR 3076 CVPN-3K-IP-Compression-G 39 integer
VENDORATTR 3076 CVPN-3K-IKE-Peer-ID-Check-G 40 integer
VENDORATTR 3076 CVPN-3K-IKE-Keepalives-G 41 integer
VENDORATTR 3076 CVPN-3K-IPSec-Auth-On-Rekey-G 42 integer
VENDORATTR 3076 CVPN-3K-Required-FW-Vendor-Code-G 45 integer
VENDORATTR 3076 CVPN-3K-Required-FW-Product-Code-G 46 integer
VENDORATTR 3076 CVPN-3K-Required-FW-Description-G 47 string
VENDORATTR 3076 CVPN-3K-Require-HW-Client-Auth-G 48 integer
VENDORATTR 3076 CVPN-3K-Require-Individ-User-Auth-G 49 integer
VENDORATTR 3076 CVPN-3K-User-Idle-Timeout-G 50 integer
VENDORATTR 3076 CVPN-3K-Cisco-IP-Phone-Bypass-G 51 integer
VENDORATTR 3076 CVPN-3K-IPSec-Split-Tunnel-Policy-G 55 integer
VENDORATTR 3076 CVPN-3K-Client-FW-Capability-G 56 integer
VENDORATTR 3076 CVPN-3K-Client-FW-Filter-Name-G 57 string
VENDORATTR 3076 CVPN-3K-Client-FW-Optional-G 58 integer
VENDORATTR 3076 CVPN-3K-Backup-IPSec-Servers-G 59 integer
VENDORATTR 3076