Framed-IP-Address in auth
I have a Cisco 7206VXR running IOS 12.2(6c),
set up for PPTP users and AAA (RADIUS) accounting...
Now I have to check the source IP of the client during authorization, but I can't find it in the auth packets. Only in Start/Stop/Alive (Tunnel-Client-IP or something like this)...
I've tried to set
radius-server attribute 8 include-in-access-req
but no changes...
How can I find the source IP of the client during AAA auth in RADIUS?
Can anyone help? Thank you.
Hi,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts
Similar Messages
- Framed-IP-Address in RADIUS Access Request for WLC web-auth users
We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address, is sent in the Accounting Request, as expected. However, this information should already be available at the WLC before it sends the RADIUS Access Request, since the device already has an IP address.
So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?
Hi,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts
- L2TP and fixed Framed IP Address for VPN user
Hi,
I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with MySQL). I would like some of my VPN users to get a fixed IP address instead of one dynamically assigned from the IP pool.
The RADIUS server is returning the correct parameters, I think.
I hope someone can help me.
It's a Cisco 892 Integrated Service Router.
Router Config:
=============================================================
Current configuration : 8239 bytes
! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
hostname vpngw2
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
logging buffered 51200 warnings
enable secret 5 secret
aaa new-model
aaa authentication login default local group radius
aaa authentication login userauthen local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default
action-type start-stop
group radius
aaa accounting network default
action-type start-stop
group radius
aaa accounting resource default
action-type start-stop
group radius
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain name aspect-online.de
ip name-server 10.28.1.31
ip inspect WAAS flush-timeout 10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
virtual-profile if-needed
multilink bundle-name authenticated
async-bootp dns-server 10.28.1.31
async-bootp nbns-server 10.28.1.31
vpdn enable
vpdn authen-before-forward
vpdn authorize directed-request
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
license udi pid -K9 sn FCZ
username root password 7 secret
ip ssh source-interface FastEthernet8
ip ssh version 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key mykey address 0.0.0.0 no-xauth
crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
mode transport
crypto dynamic-map config-map-l2tp 10
set nat demux
set transform-set configl2tp
crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
<snip>
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
ip address 10.28.1.97 255.255.255.0
ip access-group vpn_to_lan out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered GigabitEthernet0
ip access-group vpn_to_inet_lan in
ip nat inside
ip virtual-reassembly in
peer default ip address pool l2tpvpnpool
ppp encrypt mppe 128
ppp authentication chap
interface GigabitEthernet0
description WAN Port
ip address x.x.x.39 255.255.255.0
ip access-group from_inet in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnl2tp
interface Vlan1
no ip address
shutdown
ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
ip local pool remotepool 192.168.252.240 192.168.252.243
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat log translations syslog
ip nat inside source route-map natmap interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.33
ip access-list extended from_inet
<snip>
ip access-list extended nat_clients
permit ip 192.168.252.0 0.0.0.255 any
ip access-list extended vpn_to_inet_lan
<snip>
ip access-list extended vpn_to_lan
<snip>
deny ip any any log-input
logging trap debugging
logging facility local2
logging 10.28.1.42
no cdp run
route-map natmap permit 10
match ip address nat_clients
radius-server attribute 8 include-in-access-req
radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
radius-server key 7 mykey
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
mgcp profile default
banner login ^C
Hostname: vpngw2
Model: Cisco 892 Integrated Service Router
Description: L2TP/IPsec VPN Gateway with Radius Auth
^C
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
=============================================================
User config in RADIUS (trying multiple attributes):
=============================================================
Attribute | op | Value
Service-Type | = | Framed-User
Cisco-AVPair | = | vpdn:ip-addresses=192.168.252.220
Framed-IP-Address | := | 192.168.252.221
Cisco-AVPair | = | ip:addr-pool=remotepool
=============================================================
Debug Log from freeradius2:
=============================================================
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
Framed-Protocol = PPP
User-Name = "me1"
CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'me1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'me1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'me1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "me1" with CHAP password
[chap] Using clear text password "test" for user me1 authentication.
[chap] chap user me1 authenticated succesfully
++[chap] returns ok
Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Address := 192.168.252.221
Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
Service-Type = Framed-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
User-Name = "me1"
Cisco-AVPair = "connect-progress=LAN Ses Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:07 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
Finished request 1.
Cleaning up request 1 ID 19 with timestamp +53
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
Acct-Session-Id = "00000011"
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IPv4
Tunnel-Server-Endpoint:0 = "x.x.x.39"
Tunnel-Client-Endpoint:0 = "x.x.x.34"
Tunnel-Assignment-Id:0 = "L2TP"
Tunnel-Client-Auth-Id:0 = "me1"
Tunnel-Server-Auth-Id:0 = "vpngw2"
Framed-Protocol = PPP
Framed-IP-Address = 192.168.252.9
Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
User-Name = "me1"
Acct-Authentic = RADIUS
Cisco-AVPair = "connect-progress=LAN Ses Up"
Cisco-AVPair = "nas-tx-speed=100000000"
Cisco-AVPair = "nas-rx-speed=100000000"
Acct-Session-Time = 5
Acct-Input-Octets = 5980
Acct-Output-Octets = 120
Acct-Input-Packets = 47
Acct-Output-Packets = 11
Acct-Terminate-Cause = User-Request
Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
Acct-Status-Type = Stop
Connect-Info = "100000000"
NAS-Port-Type = Sync
NAS-Port = 10007
NAS-Port-Id = "Uniq-Sess-ID7"
Service-Type = Framed-User
NAS-IP-Address = 10.28.1.97
Acct-Delay-Time = 0
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
[acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "me1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.28.1.97
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
[detail] expand: %t -> Fri Mar 30 11:20:12 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> me1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> me1
[sql] sql_set_user escaped user --> 'me1'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} -> 5980
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} -> 120
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-03-30 11:20:12', acctsessiontime = '5', acctinputoctets = '0' << 32 | '5980', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> me1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
Finished request 2.
Cleaning up request 2 ID 20 with timestamp +58
Going to the next request
Waking up in 0.1 seconds.
Cleaning up request 0 ID 7 with timestamp +53
Ready to process requests.
=============================================================
Log From Cisco Router:
=============================================================
Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS: authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS: CHAP-Password [3] 19 *
Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS: authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS: Framed-IP-Address [8] 6 192.168.252.221
Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS: Vendor, Cisco [26] 41
Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS: Cisco AVpair [1] 35 "vpdn:ip-addresses=192.168.252.220"
Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS: authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:07 vpngw2 1258: L2TP [3]
Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS: Acct-Status-Type [40] 6 Start [1]
Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS: authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS: authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS: Acct-Session-Id [44] 10 "00000011"
Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS: Tunnel-Type [64] 6 00:
Mar 30 11:20:12 vpngw2 1292: L2TP [3]
Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS: Framed-IP-Address [8] 6 192.168.252.9
Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 59
Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 53 "ppp-disconnect-cause=Received LCP TERMREQ from peer"
Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS: User-Name [1] 5 "me1"
Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 35
Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-tx-speed=100000000"
Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 30
Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 24 "nas-rx-speed=100000000"
Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS: Acct-Session-Time [46] 6 5
Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS: Acct-Input-Octets [42] 6 5980
Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS: Acct-Output-Octets [43] 6 120
Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS: Acct-Input-Packets [47] 6 47
Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS: Acct-Output-Packets [48] 6 11
Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS: Vendor, Cisco [26] 39
Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term"
Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS: Acct-Status-Type [40] 6 Stop [2]
Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS: Connect-Info [77] 11 "100000000"
Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS: NAS-Port-Type [61] 6 Sync [1]
Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS: NAS-Port [5] 6 10007
Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS: Service-Type [6] 6 Framed [2]
Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS: NAS-IP-Address [4] 6 10.28.1.97
Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS: authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
=============================================================
I found the failure.
In the Cisco config it must be
aaa authorization network default group radius local
not
aaa authorization network groupauthor local
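As an added example (not code from this thread, from Cisco, or from FreeRADIUS), here is a small Python audit for the kind of IOS "debug radius" output shown above: it groups the "RADIUS: Name [type] length value" lines under the "Send ..." header that precedes them, reports whether each packet carries Framed-IP-Address (attribute 8), and checks that the declared len equals the 20-byte RADIUS header plus the listed attribute lengths. The sample log inside is constructed from the Access-Request and the accounting Start in the router log above.

```python
import re
from dataclasses import dataclass, field

# Audits Cisco "debug radius" output: which packets carry Framed-IP-Address
# (attribute 8) and whether the declared length matches the listed attributes.
# Added example for this thread, not the router's or FreeRADIUS's own code.
FRAMED_IP_ADDRESS = 8
RADIUS_HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

HEADER_RE = re.compile(
    r"Send (?P<code>Access-Request|Accounting-Request) to \S+ "
    r"id (?P<ident>\S+), len (?P<len>\d+)")
# Attribute lines look like:  RADIUS: Name [type] length value
# IOS truncates long names and may drop the space before "[", e.g.
#   RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[^\[]+?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)(?P<value>.*)$")


@dataclass
class Packet:
    code: str
    ident: str
    declared_len: int
    attrs: list = field(default_factory=list)  # (type, length, value) per line

    def computed_len(self):
        # Vendor-Specific sub-attributes are already inside attribute 26's length.
        return RADIUS_HEADER_LEN + sum(length for _, length, _ in self.attrs)


def parse_debug(text):
    """Group attribute lines under the 'Send ...' header that precedes them."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            packets.append(Packet(m["code"], m["ident"], int(m["len"])))
            continue
        m = ATTR_RE.search(line)
        if not m or not packets:
            continue  # wrapped value lines such as "L2TP [3]" carry no attribute
        if m["name"].strip().endswith("AVpair"):
            continue  # sub-attribute nested inside the preceding Vendor-Specific [26]
        packets[-1].attrs.append((int(m["type"]), int(m["len"]), m["value"].strip()))
    return packets


def audit(packets):
    """One finding per packet: Framed-IP-Address present, lengths consistent."""
    findings = []
    for p in packets:
        ip_attr = next((a for a in p.attrs if a[0] == FRAMED_IP_ADDRESS), None)
        findings.append({
            "code": p.code,
            "id": p.ident,
            "framed_ip": ip_attr[2] if ip_attr else None,
            # a 4-byte IPv4 address plus the 2-byte type/length header is 6
            "framed_ip_len_ok": ip_attr is None or ip_attr[1] == 6,
            "len_ok": p.computed_len() == p.declared_len,
        })
    return findings


# Constructed sample: the Access-Request and the accounting Start from the
# router log in the thread above, with the syslog prefixes dropped.
SAMPLE_LOG = """\
RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: User-Name [1] 5 "me1"
RADIUS: CHAP-Password [3] 19 *
RADIUS: Connect-Info [77] 11 "100000000"
RADIUS: NAS-Port-Type [61] 6 Sync [1]
RADIUS: NAS-Port [5] 6 10007
RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 10.28.1.97
RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
RADIUS: Acct-Session-Id [44] 10 "00000011"
RADIUS: Tunnel-Type [64] 6 00:
L2TP [3]
RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
RADIUS: Tunnel-Server-Endpoi[67] 16 "x.x.x.39"
RADIUS: Tunnel-Client-Endpoi[66] 16 "x.x.x.34"
RADIUS: Tunnel-Assignment-Id[82] 6 "L2TP"
RADIUS: Tunnel-Client-Auth-I[90] 5 "me1"
RADIUS: Tunnel-Server-Auth-I[91] 8 "vpngw2"
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Framed-IP-Address [8] 6 192.168.252.9
RADIUS: User-Name [1] 5 "me1"
RADIUS: Vendor, Cisco [26] 35
RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
RADIUS: Acct-Authentic [45] 6 RADIUS [1]
RADIUS: Acct-Status-Type [40] 6 Start [1]
RADIUS: Connect-Info [77] 11 "100000000"
RADIUS: NAS-Port-Type [61] 6 Sync [1]
RADIUS: NAS-Port [5] 6 10007
RADIUS: NAS-Port-Id [87] 15 "Uniq-Sess-ID7"
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 10.28.1.97
RADIUS: Acct-Delay-Time [41] 6 0
"""
```

Run over a full capture, the Access-Request entries whose framed_ip is None are exactly the packets the first poster was asking about; a len mismatch most likely points to a wrapped or truncated debug line rather than a malformed packet.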
- Vpn-framed-ip-address not working with anyconnect
Hi folks, please help me verify whether this case is a bug or a "not valid scenario".
Scenario:
ASA 5520, OS 9.1, SSL VPN with AnyConnect v3.x, static IP address for the client, and RSA token authentication (all the users/PINs/passwords are in the RSA server, not in the ASA, but I need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
In fact the AnyConnect SSL VPN with RSA auth works fine: the SSL connection works, the user is authenticated, AnyConnect works, traffic passes, BUT... AnyConnect is getting an IP address from the IP local pool INSTEAD of the static IP defined with the vpn-framed-ip-address command.
I'm trying to assign a static IP address to a user (defined locally on the ASA) that authenticates via RSA (aaa-server), by using the vpn-framed-ip-address command as an attribute of this local user. But it seems the command is not working.
I've already tried to resolve it (with no success) by entering the
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
I've also tried removing the pool from the tunnel-group in order to force all connection sessions to use the static IP address, but in this case AnyConnect shows the message "No Address Available for SVC Connection". Meaning the ASA is simply ignoring the vpn-framed-ip-address command.
The ASA is supposed to apply the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this the vpn-framed-ip-address command should take effect first since it's specified as User policy, overriding everything else. But it's not working.
At this point I think the issue is... since the user is locally defined but its password is being authenticated via RSA (not local), the user attributes (static IP) are being ignored by the ASA because it's not expecting to receive an IP address from the AAA server (RSA), so it jumps to the next policies, falling back to the pool. Anyway, the user policy attributes SHOULD work according to Cisco.
Please advise, or tell me whether it's a bug or a not-valid scenario for this command to work with the ASA.
This is the current config:
ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
aaa-server RSA protocol sdi
aaa-server RSA (inside) host 192.168.12.1
retry-interval 5
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy GroupPolicyABC internal
group-policy GroupPolicyABC attributes
wins-server none
dns-server value 192.168.61.1 192.168.61.2
vpn-tunnel-protocol ssl-client
group-lock value TunnelGroupABC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ServersDB
default-domain value my.domain.com
split-tunnel-all-dns disable
webvpn
anyconnect ask none default anyconnect
username USER1 password xHhacRZ56Uadqoq encrypted
username USER1 attributes
vpn-framed-ip-address 192.168.229.7 255.255.255.0
group-lock value TunnelGroupABC
tunnel-group TunnelGroupABC type remote-access
tunnel-group TunnelGroupABC general-attributes
address-pool PoolSSL
authentication-server-group RSA
default-group-policy GroupPolicyABC
tunnel-group TunnelGroupABC webvpn-attributes
group-alias AccessToDB enable
I'll wait for your answers, regards!
https://tools.cisco.com/bugsearch/bug/CSCtf71671/
You need AAA assignment, or at least you needed to have it a couple of years back.
- Framed-IP-Address in Start Accounting message
We have a 5400 platform configured with RADIUS accounting and I am seeing that attribute 8 (Framed-IP-Address) appears only in the Stop message.
The question is... how can I get attribute 8 included in the Start message too?
Regards
CONFIGURATION
ip radius source-interface GigabitEthernet0/0.63
aaa new-model
radius-server host 200.49.193.225 auth-port 1812 acct-port 1813
radius-server key cisco1
aaa group server radius RADIUS-VLZ1
server 200.49.193.225
aaa dnis map enable
aaa dnis map 1151307063 authentication ppp group RADIUS-VLZ1
aaa dnis map 1151307063 accounting network start-stop group RADIUS-VLZ1
aaa authentication login default group RADIUS-VLZ1 local
no aaa authentication ppp default local
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec default start-stop group RADIUS-VLZ1
aaa accounting network default start-stop group RADIUS-VLZ1
radius-server attribute 8 inc
DEBUG RADIUS
*Jul 15 16:56:32.856: RADIUS: Acct-Session-Id [44] 10 "00000192"
*Jul 15 16:56:32.856: RADIUS: User-Name [1] 9 "italtel"
*Jul 15 16:56:32.856: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Jul 15 16:56:32.856: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Jul 15 16:56:32.856: RADIUS: Calling-Station-Id [31] 12 "1147876876"
*Jul 15 16:56:32.856: RADIUS: Called-Station-Id [30] 14 "541151307063"
*Jul 15 16:56:32.856: RADIUS: NAS-Port [5] 6 544
*Jul 15 16:56:32.856: RADIUS: NAS-Port-Id [87] 9 "tty4/04"
*Jul 15 16:56:32.856: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jul 15 16:55:23.508: RADIUS: Framed-IP-Address [8] 6 10.82.94.11
*Jul 15 16:55:23.508: RADIUS: User-Name [1] 6 "pepe"
*Jul 15 16:55:23.508: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Jul 15 16:55:23.508: RADIUS: Acct-Session-Time [46] 6 15
*Jul 15 16:55:23.508: RADIUS: Acct-Input-Octets [42] 6 3613
*Jul 15 16:55:23.508: RADIUS: Acct-Output-Octets [43] 6 118
*Jul 15 16:55:23.508: RADIUS: Acct-Input-Packets [47] 6 55
*Jul 15 16:55:23.508: RADIUS: Acct-Output-Packets [48] 6 7
*Jul 15 16:55:23.508: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
*Jul 15 16:55:23.508: RADIUS: Acct-Status-Type [40] 6 Stop
Hi ,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts -
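The thread above is easiest to settle from the debug output itself: group the `debug radius` attribute lines into packets and report every accounting record whose Acct-Status-Type is present but attribute 8 is not. The script below is an added example, not something posted in the thread; the sample lines are constructed in the same format as the capture above (one Start record without Framed-IP-Address, one Stop record with it), and grouping by timestamp is an assumption that holds for a normal debug where each packet's attributes are logged in one burst.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the "debug radius" format quoted above.
SAMPLE_DEBUG = """\
*Jul 15 16:56:32.856: RADIUS: Acct-Session-Id [44] 10 "00000192"
*Jul 15 16:56:32.856: RADIUS: User-Name [1] 9 "italtel"
*Jul 15 16:56:32.856: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Jul 15 16:56:32.856: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jul 15 16:55:23.508: RADIUS: Acct-Session-Id [44] 10 "00000191"
*Jul 15 16:55:23.508: RADIUS: Framed-IP-Address [8] 6 10.82.94.11
*Jul 15 16:55:23.508: RADIUS: User-Name [1] 6 "pepe"
*Jul 15 16:55:23.508: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
*Jul 15 16:55:23.508: RADIUS: Acct-Status-Type [40] 6 Stop
"""

# One attribute line: timestamp, name, [type], length, value. IOS does not
# always put a space before the type number ("Acct-Terminate-Cause[49]").
ATTR_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): RADIUS:\s+"
    r"(?P<name>[A-Za-z0-9-]+)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s+(?P<value>.*)$"
)
# Enumerated values carry their numeric index at the end: 'Start [1]' -> 'Start'
ENUM_RE = re.compile(r"^(?P<text>.*?)\s*\[\d+\]$")


def _clean(value):
    """Strip the enum index and the quotes IOS puts around string values."""
    value = value.strip()
    m = ENUM_RE.match(value)
    if m:
        value = m.group("text")
    return value.strip('"')


def parse_radius_debug(text):
    """Group attribute lines into packets; all attributes of one packet share
    a timestamp in the debug (assumption: no two packets in the same ms)."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        packets.setdefault(m.group("ts"), {})[m.group("name")] = _clean(m.group("value"))
    return [{"ts": ts, "attrs": attrs} for ts, attrs in packets.items()]


def accounting_without_framed_ip(packets):
    """(timestamp, Acct-Status-Type) for every accounting record lacking attribute 8."""
    missing = []
    for packet in packets:
        status = packet["attrs"].get("Acct-Status-Type")
        if status and "Framed-IP-Address" not in packet["attrs"]:
            missing.append((packet["ts"], status))
    return missing


if __name__ == "__main__":
    for ts, status in accounting_without_framed_ip(parse_radius_debug(SAMPLE_DEBUG)):
        print(f"{ts}: Acct-Status-Type {status} sent without Framed-IP-Address")
```

Run against a real `debug radius` capture before and after adding `aaa accounting delay-start`: the Start record should drop out of the report once the NAS waits for the peer address before sending it.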
AP 1252 in autonomous mode not sending framed-ip-address
I was attempting to use the Websense RADIUS Agent to transparently map wireless users in its database. This is done by passing the RADIUS accounting packets through the Websense server where Websense can read them and map the username and password. This works for our Cisco VPN clients and AnyConnect clients. The problem I have is that the 1252 AP does not send the framed-ip-address in the RADIUS accounting packet. The AP should know the client IP since it can be seen with "show dot11 association".
For whatever reason, the AP doesn't know the IP address. This is verified by enabling aaa accounting delay-start, which delays the sending of accounting packets until the peer IP is known. With this command in, no accounting packets are ever sent from the AP.
Does anyone know why the AP doesn't include the framed-ip-address in the accounting packets? Or, why the AP is not able to learn the peer IP address from the client association information?
Thanks,
Mark
For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
User-Name
Framed-IP-Address
Session-Id
Server-Key -
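To make the four key fields concrete, here is an added example (not from the post above) of the two halves of a Packet of Disconnect exchange: the RADIUS server encodes a Disconnect-Request carrying User-Name, Framed-IP-Address and Acct-Session-Id, and the NAS side first checks the Request Authenticator with its configured Server-Key (MD5 over code, identifier, length, sixteen zero octets, the attributes and the shared secret, as RFC 5176 specifies), then matches the remaining key fields against its session table. The session table, the shared secret and the `require_all=False` "any field matches" mode are constructed assumptions for illustration; the default path is the "all fields must match" rule the post describes.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40                                    # Disconnect-Request code (RFC 5176)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 8, 44   # RADIUS attribute types
KEY_FIELDS = ("User-Name", "Framed-IP-Address", "Session-Id")


def _avp(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_pod_request(identifier, server_key, user_name=None, framed_ip=None, session_id=None):
    """Server side: encode a Disconnect-Request. The Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + shared secret),
    so the Server-Key is what proves the request came from the RADIUS server."""
    attrs = b""
    if user_name is not None:
        attrs += _avp(USER_NAME, user_name.encode())
    if framed_ip is not None:
        attrs += _avp(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
    if session_id is not None:
        attrs += _avp(ACCT_SESSION_ID, session_id.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + server_key).digest()
    return header + authenticator + attrs


def parse_key_fields(packet, server_key):
    """NAS side: verify the authenticator with the configured Server-Key, then
    return the key fields the request carries. Raises ValueError on a bad key."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Disconnect-Request")
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + server_key).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("authenticator mismatch: Server-Key does not match")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["User-Name"] = value.decode()
        elif atype == FRAMED_IP_ADDRESS:
            fields["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif atype == ACCT_SESSION_ID:
            fields["Session-Id"] = value.decode()
        pos += alen
    return fields


def sessions_to_disconnect(fields, sessions, require_all=True):
    """Default (no auth-type): every key field must be present in the request
    and equal the session's value. require_all=False is a modelled 'any one
    field matches' policy (assumption, not taken from the post)."""
    hits = []
    for session in sessions:
        matches = [k in fields and fields[k] == session[k] for k in KEY_FIELDS]
        if all(matches) if require_all else any(matches):
            hits.append(session)
    return hits


# Constructed NAS session table and shared secret for the demonstration.
SESSIONS = [
    {"User-Name": "italtel", "Framed-IP-Address": "10.82.94.12", "Session-Id": "00000192"},
    {"User-Name": "pepe", "Framed-IP-Address": "10.82.94.11", "Session-Id": "00000191"},
]
SERVER_KEY = b"example-pod-key"

if __name__ == "__main__":
    req = build_pod_request(7, SERVER_KEY, "pepe", "10.82.94.11", "00000191")
    print(sessions_to_disconnect(parse_key_fields(req, SERVER_KEY), SESSIONS))
```

Note that a request carrying only User-Name disconnects nothing under the default rule, which is the behaviour the post describes as "all connections remain intact and an error response is returned"; only the looser mode would act on a single matching field.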
Hi Guys,
I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
My local network is 192.168.30.0/24 and I've used a part of the same segment for the vpn_pool as well (i.e. 192.168.30.152-192.168.30.199). Further, I'm using the vpn-framed-ip-address feature to allocate a unique IP address for each branch office when it connects.
My problem is, though this setup worked fine at the beginning, now sometimes when the VPN connections are established from remote branches, they take different IP addresses from the allocated VPN pool, rather than the specific IP address which is mentioned under the vpn-framed-ip-address command.
Can anyone assist me with this issue?
Regards,
Suthakar
Hi Javier,
I think I have found out a solution for this problem.
I've removed the ip vpn pool and its reference under tunnel group general-attributes
ip local pool vpn_pool x.x.x.x - x.x.x.x
tunnel-group x.x.x.x general-attributes
address-pool vpn_pool
Since there is no IP pool, now the remote clients are getting the exact individual IP addresses allocated for them with the vpn-framed-ip-address command.
Thank you for your support.
Regards,
Suthakar -
VPN pw mgmt plus framed IP address not working
I am trying to configure AAA for an SSL VPN (ASA, 8.x) to support both password management and a framed IP address. Authentication server is AD.
I can get the pw mgmt to work when using LDAP authentication against AD, and I can get the framed IP address to work with IAS (RADIUS on AD). But, I cannot get both to work at the same time with either method.
Any help appreciated.
The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. The following URLs will help you:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/vpnadd.html
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/svc.html -
CVPN3030 and FreeRADIUS - attribute "Framed-IP-Address"
We are authenticating VPN users via a FreeRADIUS server (see www.freeradius.org). This works fine for username/password, but we don't seem to be able to pass RADIUS attributes back to the VPN, or at least not in a way that affects the user's session. I'm focussing on "Framed-IP-Address" (to assign the VPN client a specific IP); if I can get it working for this, I'm sure I can port the method to other attributes.
Anyone out there doing this? With FreeRADIUS?
Thanks!
Hi!
As far as I remember, VPN3k understands neither "Framed-IP-Address" nor cisco-av-pair.
I've used the "Group Lock" feature to specify which ip-pool the concentrator should use for an authenticated user. It works like specifying "cisco-av-pair=ip:addr-pool" in RADIUS for a usual (IOS) NAS.
In your Radius-server you should add "Class" attribute. When user authenticates he moves to a new group which has an associated address pool.
For more detail look at the http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml -
I am trying to setup Single Sign On between wireless and a network filter. The filter requires the <Framed-IP-Address> to be in the NPS servers (Server 2012 R2) log files. I have manually checked and the username, etc is there but not
the framed-ip-address. This server currently handles DHCP, we added the NPS server for lack of a better place, and then made it do AD CS after finding out we needed that for PEAP authentication. What would be the likely cause of the logs not having
the framed-ip-address field. This field should be unique for each user and submit the IP address they received when connecting to the wireless. This is what our filter company is telling us. Thoughts?
Hi,
Framed-IP-Address indicates the address to be configured for the user. It is used to assign a static IP address to a user. If we want NPS to log the Framed-IP-Address, we need to configure a static IP address for the user.
To configure static IP address for user, please follow the steps below,
Open Active Directory Users and Computers.
In the console tree, click Users.
In the details pane, right-click a user name, and then click Properties.
On the Dial-in tab, select the Assign a Static IP Address check box, and then type the static IP address for this user.
For detailed information, please refer to the link below,
Configure static IP address assignment
http://technet.microsoft.com/en-us/library/cc786213(v=WS.10).aspx
Best Regards.
Steven Lee
TechNet Community Support -
Using Framed IP Address in ISE AuthZ policy
Hi,
I have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try to map the RADIUS attribute to the user custom attribute in the AuthZ profile, it will not let me, as the RADIUS Framed IP has a data type of IPv4 and the user attribute I created has a data type of string.
I cannot see the data type of IPv4 available when creating user attributes.
Is there a way around this?
Thanks
Mario
Which version of ISE / patch are you using?
The following was fixed in ISE 1.2 patch 3
CSCuj14382 Cannot statically assign IP address as FramedAddress -
Framed-Ip-Address missing in Access-Request & Acct-Start messages
We have a Cisco 7206 (IOS 12.2(33)) associated with a FreeRADIUS server 2.1.10. Upon PPPoE client start, a dynamic IP is assigned from the IP pool to the PPPoE client. However, this IP address is not included in the Framed-IP-Address AVP sent in the Access-Request or Acct-Start message from the NAS. It is sent only in Acct-Update or Acct-Stop messages, even though I have enabled this AVP inclusion with the NAS command radius-server attribute 8 include-in-access-req
Also i have attached the configuration used in NAS for your reference. Request to provide your inputs to get this resolved at the earliest.
Appreciate your inputs.
thanks,
Raj
It worked well, after adding "aaa accounting delay-start" to the conf file.
thanks,
Raj -
PPPoE problem with Authorization of the ip-address (Framed-IP)
Hi!
This week I changed our PPPoE dial-in router from a Cisco 3660 (SW: 12.4.25) to a Cisco 2901 (SW 151-2.T2-Universal Image).
Now I have the problem that I could not make a dial-in connection to this router. I get an error in the PPP-Authorization.
I want to get the IP address via the RADIUS attribute "Framed-IP-Address". With version 12.4 it works fine.
DEBUG:
Nov 10 09:35:23.277: ppp29 PPP: Using AAA Unique Id = 104
Nov 10 09:35:23.277: ppp29 PPP: Authorization required
Nov 10 09:35:25.289: ppp29 PPP: Sent PAP LOGIN Request
Nov 10 09:35:25.301: ppp29 PPP: Received LOGIN Response PASS
Nov 10 09:35:25.301: ppp29 PPP AUTHOR: Author Data NOT Available
Nov 10 09:35:25.301: ppp29 PPP: Sent LCP AUTHOR Request
Nov 10 09:35:25.301: ppp29 PPP: Sent IPCP AUTHOR Request
Nov 10 09:35:25.301: ppp29 LCP: Received AAA AUTHOR Response PASS
Nov 10 09:35:25.301: ppp29 PPP: Receive Attrs from[author] Keep[LCP] MERGE
Nov 10 09:35:25.301: ppp29 PPP: Keep Attr: service-type 2 [Framed]
Nov 10 09:35:25.301: ppp29 PPP: Updated the attr service-type in datalist
Nov 10 09:35:25.301: ppp29 PPP: Skip Attr: addr-pool "pool-edsl"
Nov 10 09:35:25.301: ppp29 PPP: Skip Attr: addr 213.174.251.199
Nov 10 09:35:25.305: ppp29 IPCP: Received AAA AUTHOR Response PASS
Nov 10 09:35:25.305: ppp29 PPP: Receive Attrs from[SSS] Keep[NCPs] MERGE
Nov 10 09:35:25.305: ppp29 PPP: Skip Attr: service-type 2 [Framed]
Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr-pool "pool-edsl"
Nov 10 09:35:25.305: ppp29 PPP: Updated the attr addr-pool in datalist
Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr 213.174.251.199
Nov 10 09:35:25.305: ppp29 PPP: Updated the attr addr in datalist
Nov 10 09:35:25.313: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Process LCP Author Data
Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Process Attr: service-type
Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Authorization succeeded
Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr-pool
Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr
Nov 10 09:35:25.317: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
Nov 10 09:35:25.317: % IPCP AUTHOR Vi3: Attributes addr and addr-pool are mutually exclusive
---->> I think this is my problem - have anyone an idea?
Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Authorization denied
Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 213.174.251.199
Nov 10 09:35:25.357: Vi3 PPP: Sending Acct Event[Down] id[104]
Nov 10 09:35:25.365: Vi3 PPP: Clearing AAA Unique Id = 104
Thanks,
Hannes
Hi Shelley!
Thanks for your answer. We have solved the problem.
It was a wrong configuration in the template.
The attribute "Framed-IP-Address" was configured in the template and in the default attributes of the RADIUS server.
Thanks for help!
Hannes -
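The debug above shows the root cause line by line: the merged attribute list keeps both `addr` (the RADIUS Framed-IP-Address) and `addr-pool`, and IPCP authorization then refuses the pair as mutually exclusive. As an added example, not from the thread, the check below walks `debug ppp authorization` output and names every PPP session whose kept or stored attributes contain both; the sample lines are constructed to mirror the capture above, with a second session (ppp30) that only receives an address pool and therefore is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "debug ppp authorization" lines above:
# ppp29/Vi3 end up with both addr and addr-pool, ppp30 with addr-pool only.
SAMPLE_PPP_DEBUG = """\
Nov 10 09:35:25.301: ppp29 PPP: Keep Attr: service-type 2 [Framed]
Nov 10 09:35:25.301: ppp29 PPP: Skip Attr: addr-pool "pool-edsl"
Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr-pool "pool-edsl"
Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr 213.174.251.199
Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr-pool
Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr
Nov 10 09:35:26.100: ppp30 PPP: Keep Attr: service-type 2 [Framed]
Nov 10 09:35:26.100: ppp30 PPP: Keep Attr: addr-pool "pool-edsl"
"""

# Only attributes the router keeps or stores count; "Skip Attr" lines are ignored.
KEEP_RE = re.compile(
    r"^(?:\S+ +\d+ [\d:.]+): (?P<sess>\S+) PPP: (?:Keep|Store Author) Attr: (?P<attr>[a-z-]+)"
)
# IPCP refuses this combination ("Attributes addr and addr-pool are mutually exclusive").
MUTUALLY_EXCLUSIVE = {"addr", "addr-pool"}


def kept_attrs_per_session(text):
    """Map each PPP session / virtual-access name to the set of attributes it kept."""
    kept = defaultdict(set)
    for line in text.splitlines():
        m = KEEP_RE.match(line)
        if m:
            kept[m.group("sess")].add(m.group("attr"))
    return dict(kept)


def sessions_with_addr_conflict(text):
    """Sessions that would fail IPCP authorization because both attributes were kept."""
    return sorted(
        sess for sess, attrs in kept_attrs_per_session(text).items()
        if MUTUALLY_EXCLUSIVE <= attrs
    )


if __name__ == "__main__":
    for sess in sessions_with_addr_conflict(SAMPLE_PPP_DEBUG):
        print(f"{sess}: addr and addr-pool both kept; fix the template or RADIUS reply")
```

A session flagged here points at the configuration, not the client: as Hannes found, the same address attribute was being supplied twice (once from the template, once from the RADIUS server's default attributes), so the fix is to leave it in only one place.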
2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)
Hi Board,
I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
I tested it on a WLC 2504 with 8.0.100.0 code.
Cheers
Johannes -
ISE web auth for non-cisco switch(D-link 3528)
Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
And the wired users will get full network access after they pass the web auth.
You can use the ISE in-line posture node with 3rd-party switches.
RADIUS access device must supply the following RADIUS attributes:
Calling-Station-Id (for MAC_ADDRESS)
User-Name
NAS-Port-Type
RADIUS accounting message must have the Framed-IP-Address attribute
VLAN and DACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.