Framed-IP-Address in auth

i have Cisco 7206VXR IOS 12.2(6c)
setted up for pptp users and aaa (Radius) accounting...
now i have to check source IP of the client during the authorization... But can't find it in auth packets. Only in start/stop/alive (Tunnel-Client-IP or something like this)...
I've tried to set
radius-server attribute 8 include-in-access-req
but no changes...
How can i find the source ip of the client during aaa auth in RADIUS?
Anyone can help? Thenk you.

Hi ,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Framed-IP-Address in RADIUS Access Request for WLC web-auth users

    We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device is already having an IP address. 
    So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

    Hi ,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts

  • L2TP and fixed Framed IP Address for VPN user

    Hi,
    I have a running L2TP/IPsec VPN setup with authentification against a radius server (freeradius2 witch mysql). I would like to have some of my VPN users get a fixed IP address instead of the dynamically assigned IP Pool.
    The radius server is returning the correct parameters, I think.
    I hope someone can help me.
    It´s a Cisco 892 Integrated Service Router.
    Router Config:
    =============================================================
    Current configuration : 8239 bytes
    ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname vpngw2
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 secret
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login userauthen local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa accounting delay-start
    aaa accounting update newinfo
    aaa accounting exec default
    action-type start-stop
    group radius
    aaa accounting network default
    action-type start-stop
    group radius
    aaa accounting resource default
    action-type start-stop
    group radius
    aaa session-id common
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip domain name aspect-online.de
    ip name-server 10.28.1.31
    ip inspect WAAS flush-timeout 10
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip cef
    no ipv6 cef
    virtual-profile if-needed
    multilink bundle-name authenticated
    async-bootp dns-server 10.28.1.31
    async-bootp nbns-server 10.28.1.31
    vpdn enable
    vpdn authen-before-forward
    vpdn authorize directed-request
    vpdn-group L2TP
    ! Default L2TP VPDN group
    accept-dialin
      protocol l2tp
      virtual-template 1
    no l2tp tunnel authentication
    license udi pid -K9 sn FCZ
    username root password 7 secret
    ip ssh source-interface FastEthernet8
    ip ssh version 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key mykey address 0.0.0.0         no-xauth
    crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map config-map-l2tp 10
    set nat demux
    set transform-set configl2tp
    crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    <snip>
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    ip address 10.28.1.97 255.255.255.0
    ip access-group vpn_to_lan out
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0
    ip access-group vpn_to_inet_lan in
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool l2tpvpnpool
    ppp encrypt mppe 128
    ppp authentication chap
    interface GigabitEthernet0
    description WAN Port
    ip address x.x.x.39 255.255.255.0
    ip access-group from_inet in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map vpnl2tp
    interface Vlan1
    no ip address
    shutdown
    ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
    ip local pool remotepool 192.168.252.240 192.168.252.243
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat log translations syslog
    ip nat inside source route-map natmap interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 x.x.x.33
    ip access-list extended from_inet
    <snip>
    ip access-list extended nat_clients
    permit ip 192.168.252.0 0.0.0.255 any
    ip access-list extended vpn_to_inet_lan
    <snip>
    ip access-list extended vpn_to_lan
    <snip>
    deny   ip any any log-input
    logging trap debugging
    logging facility local2
    logging 10.28.1.42
    no cdp run
    route-map natmap permit 10
    match ip address nat_clients
    radius-server attribute 8 include-in-access-req
    radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
    radius-server key 7 mykey
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    mgcp profile default
    banner login ^C
    Hostname: vpngw2
    Model: Cisco 892 Integrated Service Router
    Description: L2TP/IPsec VPN Gateway with Radius Auth
    ^C
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    =============================================================
    User Config in Radius (tying multiple attributes):
    =============================================================
    Attribute          | op | Value
    Service-Type       | =  | Framed-User
    Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
    Framed-IP-Address  | := | 192.168.252.221
    Cisco-AVPair       | =  | ip:addr-pool=remotepool
    =============================================================
    Debug Log from freeradius2:
    =============================================================
    rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
            Framed-Protocol = PPP
            User-Name = "me1"
            CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "me1" with CHAP password
    [chap] Using clear text password "test" for user me1 authentication.
    [chap] chap user me1 authenticated succesfully
    ++[chap] returns ok
    Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 7 to 10.28.1.97 port 1645
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Address := 192.168.252.221
            Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
            Service-Type = Framed-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            User-Name = "me1"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
    Finished request 1.
    Cleaning up request 1 ID 19 with timestamp +53
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "me1"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=100000000"
            Cisco-AVPair = "nas-rx-speed=100000000"
            Acct-Session-Time = 5
            Acct-Input-Octets = 5980
            Acct-Output-Octets = 120
            Acct-Input-Packets = 47
            Acct-Output-Packets = 11
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Input-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Input-Octets} -> 5980
    [sql]   expand: %{Acct-Output-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Output-Octets} -> 120
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
    Finished request 2.
    Cleaning up request 2 ID 20 with timestamp +58
    Going to the next request
    Waking up in 0.1 seconds.
    Cleaning up request 0 ID 7 with timestamp +53
    Ready to process requests.
    =============================================================
    Log From Cisco Router:
    =============================================================
    Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
    Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
    Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
    Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
    Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
    Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
    Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
    Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
    Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
    Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
    Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
    Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
    Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
    Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
    Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
    Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
    Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
    Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
    Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
    Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
    Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
    Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
    Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
    Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
    Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
    Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
    Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
    Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
    Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
    Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
    Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
    Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
    Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
    =============================================================

    I found the failure.
    In the cisco config it must be
    aaa authorization network default group radius local
    not
    aaa authorization network groupauthor local

  • Vpn-framed-ip-address not working with anyconnect

    Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
    Scenario:
    ASA 5520, OS 9.1, SSL VPN with Anyconnect v3.x, static ip address for the client, and RSA token authentication (all the users/pin/passwords are in the RSA server, not in the ASA, but i need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
    In fact the anyconnect ssl vpn with RSA auth works fine, the ssl connection works, the user is authenticated, the anyconnect works, traffic passing,  BUT.. the anyconnect its getting an ip address from the ip local pool INSTEAD of the static ip defined with the  vpn-framed-ip-address command.
    I'm trying to assign a static ip address for a user (defined locally on the ASA) that performs auth via RSA (aaa-server), by using the  vpn-framed-ip-address  command as an attribute for this local user. But it seems the command is not working.
    Already I´ve tried to resolve (with no success) by entering the
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local
    Also i´ve tried by removing the pool from tunnel-group in order to force all the connection session to use the static ip address, but in this case, the anyconnect sends a message "No Address Available for SVC Connection".  Meaning the ASA simply is ignoring the  vpn-framed-ip-address command.
    Its supposed the ASA implement the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this, the vpn-framed-ip-address command should take effect first since its specified as User policy, overriding everything else. But its not working.
    At this point i think the issue is... since the user is locally defined but its password its being authenticated via RSA (not local), the user attributes (static ip) are being ignored by the ASA because its not expecting to receive an ip address from the aaa server (RSA), so jumps to the next policies falling to the pool. Anyway the user policies attributes SHOULD work according to cisco.
    Please your advise, or tell if its a bug? or a not valid scenario for this command to work with the ASA.
    This is the current config:
    ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
    aaa-server RSA protocol sdi
    aaa-server RSA (inside) host 192.168.12.1
     retry-interval 5
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    group-policy GroupPolicyABC internal
    group-policy GroupPolicyABC attributes
     wins-server none
     dns-server value 192.168.61.1 192.168.61.2
     vpn-tunnel-protocol ssl-client
     group-lock value TunnelGroupABC
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ServersDB
     default-domain value my.domain.com
     split-tunnel-all-dns disable
     webvpn
      anyconnect ask none default anyconnect
    username USER1 password xHhacRZ56Uadqoq encrypted
    username USER1 attributes
     vpn-framed-ip-address 192.168.229.7 255.255.255.0
     group-lock value TunnelGroupABC
    tunnel-group TunnelGroupABC type remote-access
    tunnel-group TunnelGroupABC general-attributes
     address-pool PoolSSL
     authentication-server-group RSA
     default-group-policy GroupPolicyABC
    tunnel-group TunnelGroupABC webvpn-attributes
     group-alias AccessToDB enable
    I´ll wait for your answers, regards!

    https://tools.cisco.com/bugsearch/bug/CSCtf71671/
    you need AAA assignment, or at least you needed to have it a couple of years back. 

  • Framed-IP-Address in Start Accounting message

    We have a 5400 plataform configured with Radius Accounting and I am seeing that the attribute 8 (Framed-IP-Address) appears only in the Stop message.
    The cuestions is...how i can to do that the attribute 8 will be included in the Start message too?
    Regards
    CONFIGURATION
    ip radius source-interface GigabitEthernet0/0.63
    aaa new-model
    radius-server host 200.49.193.225 auth-port 1812 acct-port 1813
    radius-server key cisco1
    aaa group server radius RADIUS-VLZ1
    server 200.49.193.225
    aaa dnis map enable
    aaa dnis map 1151307063 authentication ppp group RADIUS-VLZ1
    aaa dnis map 1151307063 accounting network start-stop group RADIUS-VLZ1
    aaa authentication login default group RADIUS-VLZ1 local
    no aaa authentication ppp default local
    aaa authentication ppp default if-needed radius
    aaa authorization network radius
    aaa accounting exec default start-stop group RADIUS-VLZ1
    aaa accounting network default start-stop group RADIUS-VLZ1
    radius-server attribute 8 inc
    DEBUG RADIUS
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    *Jul 15 16:56:32.856: RADIUS:  Acct-Session-Id     [44]  10  "00000192"
    *Jul 15 16:56:32.856: RADIUS:  User-Name           [1]   9   "italtel"
    *Jul 15 16:56:32.856: RADIUS:  Acct-Authentic      [45]  6   RADIUS
            [1]
    *Jul 15 16:56:32.856: RADIUS:  Acct-Status-Type    [40]  6   Start
            [1]
    *Jul 15 16:56:32.856: RADIUS:  Calling-Station-Id  [31]  12  "1147876876"
    *Jul 15 16:56:32.856: RADIUS:  Called-Station-Id   [30]  14  "541151307063"
    *Jul 15 16:56:32.856: RADIUS:  NAS-Port            [5]   6   544
    *Jul 15 16:56:32.856: RADIUS:  NAS-Port-Id         [87]  9   "tty4/04"
    *Jul 15 16:56:32.856: RADIUS:  NAS-Port-Type       [61]  6   Async
            [0]
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    *Jul 15 16:55:23.508: RADIUS:  Framed-IP-Address   [8]   6   10.82.94.11
    *Jul 15 16:55:23.508: RADIUS:  User-Name           [1]   6   "pepe"
    *Jul 15 16:55:23.508: RADIUS:  Acct-Authentic      [45]  6   RADIUS
            [1]
    *Jul 15 16:55:23.508: RADIUS:  Acct-Session-Time   [46]  6   15
    *Jul 15 16:55:23.508: RADIUS:  Acct-Input-Octets   [42]  6   3613
    *Jul 15 16:55:23.508: RADIUS:  Acct-Output-Octets  [43]  6   118
    *Jul 15 16:55:23.508: RADIUS:  Acct-Input-Packets  [47]  6   55
    *Jul 15 16:55:23.508: RADIUS:  Acct-Output-Packets [48]  6   7
    *Jul 15 16:55:23.508: RADIUS:  Acct-Terminate-Cause[49]  6   user-request
            [1]
    *Jul 15 16:55:23.508: RADIUS:  Acct-Status-Type    [40]  6   Stop

    Hi ,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts

  • AP 1252 in autonomous mode not sending framed-ip-address

    I was attempting to use the Websense RADIUS Agent to transparently map wireless users in it's database. This is done by passing the RADIUS accounting packets through the websense server where Websense can read them and map the username and password. This works for our Cisco VPN clients and Anyconnect clients. The problem I have is that the 1252 AP does not send the framed-ip-address in the RADIUS accounting packet. The AP should know the client IP since it can be seen with "show dot11 association".
    For whatever reason, the AP doesn't know the IP address. This is verified by enabling aaa acounting delay-start which delays the sending accounting packets until the peer IP is known. With this command in, no accounting packets are ever sent from the AP.
    Does anyone know why the AP doesn't include the framed-ip-address in the accounting packets? Or, why the AP is not able to learn the peer IP address from the client association information?
    Thanks,
    Mark

    For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If noauth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
    User-Name
    Framed-IP-Address
    Session-Id
    Server-Key

  • Vpn-framed-ip-address issue

    Hi Guys,
    I'm using a cisco 5510 ASA at the headoffice to provide the VPN (remote access vpn) connectivity to the branch offices.
    My local network is - 192.168.30.0 /24 and I've used a part of same segment for the vpn_pool as well ( i.e 192.168.30.152 -192.168.30.199). Further I'm using the vpn-framed-ip-address feature to allocate an unique ip address for each branch office when it connects.
    My problem is, though this setup worked fine at the begining, now sometimes when the vpn connections are established from remote branches, they take different ip addresses from the allocated vpn pool, rather than the specific ip address which is mentioned under the vpn-framed-ip-address command.
    Can anyone assist me with this issue?
    Regards,
    Suthakar

    Hi Javier,
    I think I have found out a solution for this problem.
    I've removed the ip vpn pool and its reference under tunnel group general-attributes
    ip local pool vpn_pool x.x.x.x - x.x.x.x
    tunnel-group x.x.x.x general-attributes
    address-pool vpn_pool
    since there is no ip-pool, now the remote client's are getting the exact individual ip addresses allocated for them with the vpn-framed-ip-address command.
    Thank you for your support.
    Regards,
    Suthakar

  • VPN pw mgmt plus framed IP address not working

    I am trying to configure AAA for an SSL VPN (ASA, 8.x) to support both password management and a framed IP address. Authentication server is AD.
    I can get the pw mgmt to work when using LDAP authentication against AD, and I can get the framed IP address to work with IAS (RADIUS on AD). But, I cannot get both to work at the same time with either method.
    Any help appreciated.

    The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. The following URL will help you
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/vpnadd.html
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/svc.html

  • CVPN3030 and FreeRADIUS - attribute "Framed-IP-Address"

    We are authenticating VPN users via a FreeRADIUS server (see www.freeradius.org). This works fine for username/password, but we don't seem to be able to pass RADIUS attributes back to the VPN, or at least not in a way that affects the user's session. I'm focussing on "Framed-IP-Address" (to assign the VPN client a specific IP); if I can get it working for this, I'm sure I can port the method to other attributes.
    Ayone out there doing this? With FreeRADIUS?
    Thanks!

    Hi!
    As far as i remember VPN3k don't understand neither "Framed-IP-Address" nor cisco-av-pair.
    I've used "Group Lock" feature to specify which ip-pool concentrator should use for authenticated user. It works like specifying "cisco-av-pair=ip:addr-pool" in Radius for usual (ios) NAS.
    In your Radius-server you should add "Class" attribute. When user authenticates he moves to a new group which has an associated address pool.
    For more detail look at the http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

  • Framed-IP-Address Problem

    I am trying to setup Single Sign On between wireless and a network filter.  The filter requires the <Framed-IP-Address> to be in the NPS servers (Server 2012 R2) log files.  I have manually checked and the username, etc is there but not
    the framed-ip-address.  This server currently handles DHCP, we added the NPS server for lack of a better place, and then made it do AD CS after finding out we needed that for PEAP authentication.  What would be the likely cause of the logs not having
    the framed-ip-address field.  This field should be unique for each user and submit the ip address they received when connecting to the wireless.  This is what our filter company is telling us.  Thoughts?

    Hi,
    Framed-IP-Address indicates the address to be configured for the user. It is used to assign static IP address to user. If we want NPS to log the Framed-IP-Address, we need to configure static IP address for user.
    To configure static IP address for user, please follow the steps below,
    Open Active Directory Users and Computers.
    In the console tree, click Users.
    In the details pane, right-click a user name, and then click Properties.
    On the Dial-in tab, select the Assign a Static IP Address check box, and then type the static IP address for this user.
    For detailed information, please refer to the link below,
    Configure static IP address assignment
    http://technet.microsoft.com/en-us/library/cc786213(v=WS.10).aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Using Framed IP Address in ISE AuthZ policy

    Hi,
    i have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try and map the Radius attribute to the user custom attribute in the AAuthZ profile, it will not let me as the RADIUS Framed IP has a data type of IPv4 and the user attribute i created has a data type of string.
    I cannot see the data type of IPv4 available when creating user attributes.
    Is there a way around this?
    Thanks
    Mario

    Which version of ISE / patch are you using
    The following was fixed in ISE 1.2 patch 3
    CSCuj14382 Cannot statically assign IP address as FramedAddress

  • Framed-Ip-Address missing in Access-Request & Acct-Start messages

    We have a Cisco 7206(IOS12.2(33)) equipment associated with freeRadius server2.1.10.  Upon PPPOE client start, dynamic IP is assigned from the IP-Pool to the PPPOE client. However this IP address, is not included in the Frame-IP-Address AVP sent in the Access-Request or Acct-Start message from the NAS. It is sent only in Acct-Update or Acct-Stop messages though,  I have enabled this AVP inclusion with the NAS command, radius-server attribute 8 include-in-access-req
    Also i have attached the configuration used in NAS for your reference. Request to provide your inputs to get this resolved at the earliest.
    Appreciate your inputs.
    thanks,
    Raj

    It worked well, after adding "aaa accounting delay-start" to the conf file.
    thanks,
    Raj

  • PPPoE problem with Authorization of the ip-address (Framed-IP)

    Hi!
    This week I changed our PPPoE dial-in router from a Cisco 3660 (SW: 12.4.25) to a Cisco 2901 (SW 151-2.T2-Universal Image).
    Now I have the problem that I could not make a dial-in connection to this router. I get an error in the PPP-Authorization.
    I want to get the IP-Address per radiusattribut "Framed-IP-Address". With the version 12.4. it works fine.
    DEBUG:
    Nov 10 09:35:23.277: ppp29 PPP: Using AAA Unique Id = 104
    Nov 10 09:35:23.277: ppp29 PPP: Authorization required
    Nov 10 09:35:25.289: ppp29 PPP: Sent PAP LOGIN Request
    Nov 10 09:35:25.301: ppp29 PPP: Received LOGIN Response PASS
    Nov 10 09:35:25.301: ppp29 PPP AUTHOR: Author Data NOT Available
    Nov 10 09:35:25.301: ppp29 PPP: Sent LCP AUTHOR Request
    Nov 10 09:35:25.301: ppp29 PPP: Sent IPCP AUTHOR Request
    Nov 10 09:35:25.301: ppp29 LCP: Received AAA AUTHOR Response PASS
    Nov 10 09:35:25.301: ppp29 PPP: Receive Attrs from[author] Keep[LCP] MERGE
    Nov 10 09:35:25.301: ppp29 PPP: Keep Attr: service-type         2 [Framed]
    Nov 10 09:35:25.301: ppp29 PPP: Updated the attr service-type in datalist
    Nov 10 09:35:25.301: ppp29 PPP: Skip Attr: addr-pool            "pool-edsl"
    Nov 10 09:35:25.301: ppp29 PPP: Skip Attr: addr                 213.174.251.199
    Nov 10 09:35:25.305: ppp29 IPCP: Received AAA AUTHOR Response PASS
    Nov 10 09:35:25.305: ppp29 PPP: Receive Attrs from[SSS] Keep[NCPs] MERGE
    Nov 10 09:35:25.305: ppp29 PPP: Skip Attr: service-type         2 [Framed]
    Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr-pool            "pool-edsl"
    Nov 10 09:35:25.305: ppp29 PPP: Updated the attr addr-pool in datalist
    Nov 10 09:35:25.305: ppp29 PPP: Keep Attr: addr                 213.174.251.199
    Nov 10 09:35:25.305: ppp29 PPP: Updated the attr addr in datalist
    Nov 10 09:35:25.313: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Process LCP Author Data
    Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Process Attr: service-type
    Nov 10 09:35:25.313: Vi3 LCP AUTHOR: Authorization succeeded
    Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr-pool
    Nov 10 09:35:25.313: Vi3 PPP: Store Author Attr: addr
    Nov 10 09:35:25.317: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Start.  Her address 0.0.0.0, we want 0.0.0.0
    Nov 10 09:35:25.317: % IPCP AUTHOR Vi3: Attributes addr and addr-pool are mutually exclusive
       ---->> I think this is my problem - have anyone an idea?
    Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Authorization denied
    Nov 10 09:35:25.317: Vi3 IPCP AUTHOR: Done.  Her address 0.0.0.0, we want 213.174.251.199
    Nov 10 09:35:25.357: Vi3 PPP: Sending Acct Event[Down] id[104]
    Nov 10 09:35:25.365: Vi3 PPP: Clearing AAA Unique Id = 104
    Thanks,
    Hannes

    Hi Shelley!
    Thanks for your answer. We have solved the problem.
    It was a wrong configuration in the templete.
    The attribut "Framed-IP-Address" was configured in the templete and in the default-attributes of the radius-server.
    Thanks for help!
    Hannes

  • 2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
    And the wired users will get full network access after they pass the web auth.

    you can use ISE ln-line posture node with 3rd part switches
    RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        RADIUS accounting message must have the Framed-IP-Address attribute
    VLAN, DACL features can be used  but again it depends on switch models let us know  specific switch  models . Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality,

Maybe you are looking for

  • Tops of Signatures get cut off...

    Can anyone tell me why or, better yet, how to fix the following issue I keep having? When using Adobe Reader and the "Sign>I Need To Sign>Place Signature" function with "Signature Style 4" the top of some of the letters of signatures gets cut off (se

  • Is there someone have a problem in temple run

    I downloaded the game in my Nokia Lumia 620, and it sometimes exit by itself, I can't get a high score, is there any one facing that problem or just me in the world?

  • Non-US keyboard layout problem with VNC

    Hi everyone, I've got an arch box at work running tigervnc through an ssh tunnel so that I can work from home when I need to. Everything is great, as long as I'm using and ASCII keyboard layout. When I switch layouts, the keystrokes just don't get th

  • Kdenlive not rendering with title clip

    After doing a system upgrade kdelive will no longer render my project, which rendered fine before the upgrade. After I click render, it either gets stuck in "waiting" or it gives an error saying that rendering crashed. If I turn off the title clip, r

  • Good stand for Macbook pro 15"

    I am looking for a good stand for playing live. Tired of using whatever I can muster up at each show. Cheers -Allan