Hello,
I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN 
connections.
I would like my CISCO router to assign a static IP address to remote VPN users 
thanks to the Freeradius server.
My freeradius server is configured to give static IP addresses to users. I can 
check it with radtest:
[r...@host ~]# radtest t...@domain.com mypassword 127.0.0.1 0 testing123
Sending Access-Request of id 152 to 127.0.0.1 port 1812
        User-Name = "t...@domain.com"
        User-Password = "mypassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=152, length=69
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 15.1.1.99
        Framed-IP-Netmask = 255.255.255.0

and the CISCO router gets it ...

Log Buffer (32768 bytes):
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058):Orig. component type = VPN_IPSEC
Jul  3 17:50:35.368: RADIUS:  AAA Unsupported Attr: interface         [158] 13
Jul  3 17:50:35.368: RADIUS:   32 31 33 2E 34 31 2E 31 33 33 2E
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul  3 17:50:35.368: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul  3 17:50:35.368: RADIUS/ENCODE(00000058): acct_session_id: 72
Jul  3 17:50:35.368: RADIUS(00000058): sending
Jul  3 17:50:35.368: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul  3 17:50:35.368: RADIUS(00000058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
Jul  3 17:50:35.368: RADIUS:  authenticator 73 C3 A8 1F E5 ED BA C6 - B0 39 12 74 33 3C 80 A7
Jul  3 17:50:35.372: RADIUS:  User-Name           [1]   25  "t...@domain.com"
Jul  3 17:50:35.372: RADIUS:  User-Password       [2]   18  *
Jul  3 17:50:35.372: RADIUS:  Calling-Station-Id  [31]  16  "A.B.C.D"
Jul  3 17:50:35.372: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul  3 17:50:35.372: RADIUS:  NAS-Port            [5]   6   3
Jul  3 17:50:35.372: RADIUS:  NAS-Port-Id         [87]  15  "E.F.G.H"
Jul  3 17:50:35.372: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul  3 17:50:35.440: RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
Jul  3 17:50:35.444: RADIUS:  authenticator 86 A5 0A EA BE DF 30 E0 - 11 E3 24 54 9B 2C C6 77
Jul  3 17:50:35.444: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul  3 17:50:35.444: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jul  3 17:50:35.444: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
Jul  3 17:50:35.444: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.0
Jul  3 17:50:35.444: RADIUS(00000058): Received from id 1645/50
Jul  3 17:50:35.444: RADIUS: Constructed " ppp negotiate"
Jul  3 17:50:37.852: RADIUS/ENCODE(00000058):Orig.. component type = VPN_IPSEC
Jul  3 17:50:37.852: RADIUS(00000058): Config NAS IP: 0.0.0.0
Jul  3 17:50:37.852: RADIUS(00000058): sending
Jul  3 17:50:37.852: RADIUS/ENCODE: Best Local IP-Address X.X.X.X for Radius-Server Y.Y.Y.Y
Jul  3 17:50:37.852: RADIUS(00000058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
Jul  3 17:50:37.852: RADIUS:  authenticator AE 34 03 31 02 D0 C3 19 - 16 B0 6F DD 1E 26 FE 66
Jul  3 17:50:37.852: RADIUS:  Acct-Session-Id     [44]  10  "00000048"
Jul  3 17:50:37.852: RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
Jul  3 17:50:37.852: RADIUS:  User-Name           [1]   25  "t...@domain.com"
Jul  3 17:50:37.852: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jul  3 17:50:37.852: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jul  3 17:50:37.852: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul  3 17:50:37.852: RADIUS:  NAS-Port            [5]   6   3
Jul  3 17:50:37.852: RADIUS:  NAS-Port-Id         [87]  15  "E.F.G.H"
Jul  3 17:50:37.852: RADIUS:  NAS-IP-Address      [4]   6   X.X.X.X
Jul  3 17:50:37.852: RADIUS:  Acct-Delay-Time     [41]  6   0
Jul  3 17:50:37.856: RADIUS: Received from id 1646/33 Y.Y.Y.Y:1813, Accounting-response, len 20
Jul  3 17:50:37.856: RADIUS:  authenticator B8 26 8E 14 AE AB AF AA - 67 C3 3C 1F 62 4D 70 5B


... but never assigns it to remote users; the Cisco router assigns an IP address 
from its local pool.

The interesting lines of my cisco configuration are:

aaa new-model
!
!
aaa authentication login ClientAuth group radius
aaa authorization network ClienAuth group radius local
aaa accounting delay-start
aaa accounting network ClientAuth start-stop group radius
crypto isakmp client configuration address-pool local vpnpool
crypto map rasvpn client authentication list ClientAuth
crypto map rasvpn client accounting list ClientAuth
crypto map rasvpn isakmp authorization list ClientAuth
crypto map rasvpn client configuration address respond
crypto map rasvpn 10 ipsec-isakmp dynamic dynmap

I also tried with the cisco av-pair attribute with no luck ...

Does anybody know what the problem could be?

Thanks!

Fred
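
The mismatch visible in the debug output above (Framed-IP-Address 15.1.1.99 in the Access-Accept, 15.1.1.18 in the Accounting-Request) can be checked for automatically. The following is an added example, not part of the original post: the function names are hypothetical, and the sample is an excerpt of the log above with wrapped lines rejoined and timestamps trimmed.

```python
import re

# Excerpt of the debug output above, wrapped lines rejoined (timestamps trimmed).
SAMPLE = '''\
RADIUS(00000058): Send Access-Request to Y.Y.Y.Y:1812 id 1645/50, len 112
RADIUS:  User-Name           [1]   25  "t...@domain.com"
RADIUS: Received from id 1645/50 Y.Y.Y.Y:1812, Access-Accept, len 44
RADIUS:  Framed-IP-Address   [8]   6   15.1.1.99
RADIUS(00000058): Received from id 1645/50
RADIUS(00000058): Send Accounting-Request to Y.Y.Y.Y:1813 id 1646/33, len 112
RADIUS:  Framed-IP-Address   [8]   6   15.1.1.18
RADIUS:  User-Name           [1]   25  "t...@domain.com"
RADIUS:  Acct-Status-Type    [40]  6   Start [1]
'''

SEND = re.compile(r"Send ([\w-]+) to \S+ id (\S+),")
RECV = re.compile(r"Received from id (\S+) \S+, ([\w-]+),")
ATTR = re.compile(r"RADIUS:\s+([\w-]+)\s+\[\d+\]\s+\d+\s+(.*)")

def parse_packets(text):
    """Group attribute lines under the Send/Received header that precedes them."""
    packets = []
    for line in text.splitlines():
        if m := SEND.search(line):
            packets.append({"type": m[1], "id": m[2], "attrs": {}})
        elif m := RECV.search(line):
            packets.append({"type": m[2], "id": m[1], "attrs": {}})
        elif packets and (m := ATTR.search(line)):
            packets[-1]["attrs"][m[1]] = m[2].strip().strip('"')
    return packets

def framed_ip_mismatches(packets):
    """Return (user, ip_from_radius, ip_in_accounting) where the two differ."""
    user_by_id, assigned, out = {}, {}, []
    for p in packets:
        a = p["attrs"]
        if p["type"] == "Access-Request":
            user_by_id[p["id"]] = a.get("User-Name")
        elif p["type"] == "Access-Accept" and "Framed-IP-Address" in a:
            assigned[user_by_id.get(p["id"])] = a["Framed-IP-Address"]
        elif p["type"] == "Accounting-Request" and a.get("Acct-Status-Type", "").startswith("Start"):
            user, used = a.get("User-Name"), a.get("Framed-IP-Address")
            if user in assigned and used != assigned[user]:
                out.append((user, assigned[user], used))
    return out

if __name__ == "__main__":
    for user, want, got in framed_ip_mismatches(parse_packets(SAMPLE)):
        print(f"{user}: RADIUS assigned {want}, NAS accounted {got}")
```

The Access-Accept carries no User-Name, so the user is recovered from the Access-Request that shares its `id`; the bare `Received from id ...` line with no packet type is ignored on purpose.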


      