[VPN] VPN3000 RADIUS authentication
kazuki kamiya
kazuki.kamiya at uniadex.co.jp
Wed Nov 13 05:57:50 EST 2002
Hi,
Thanks for your reply.
I added the VPN3000 VSAs to the Ascend RADIUS dictionary, and tested it.
(Not DTC RADIUS, because I found Ascend RADIUS 1.16 today, and I use it now.
I need to do the VPN3000 authentication test with Ascend RADIUS.)
When I restart radiusd, radiusd complains that some attributes are too long.
So I commented out (#) a few attributes and restarted radiusd; no error occurred.
But when I start the authentication test, an error occurs.
######################################################
request: CVPN3000-Access-Hours = "rad"
request: CVPN3000-Simultaneous-Logins = -639753748
request: CVPN3000-Primary-DNS = 0.0.4.1
request: CVPN3000-Secondary-DNS = 0.0.0.2
request: CVPN3000-Primary-WINS = 0.0.0.1
request: Tunnel-Client-Endpoint = "172.16.1.100"
request: NAS-Identifier = 192.168.2.1
request: NAS-Port-Type = Virtual
Nov 13 19:03:47.482 radiusd[8643] rad_authenticate
Nov 13 19:03:47.482 radiusd[8643] userinfo_close: fclosing fp=0x80684b8
Nov 13 19:03:47.482 radiusd[8643] Authenticate: 192.168.2.11037, id=
21: INTERNAL: No Valid Reply Attributes: rad
Nov 13 19:03:47.482 radiusd[8643] send_reject: 192.168.2.11037, id=21
###########################################################
I think my way of adding VSAs to the dictionary file is not correct.
The attribute IDs are conflicting, so (username="rad") changes to (CVPN3000-Access-Hours = "rad").
I only added the lines below to the bottom of the Ascend dictionary file.
I did not do any other operation.
Could someone tell me what I should do?
I'm sorry for asking a basic question.
##########################################################################
ATTRIBUTE CVPN3000-Access-Hours 1 string
ATTRIBUTE CVPN3000-Simultaneous-Logins 2 integer
ATTRIBUTE CVPN3000-Primary-DNS 5 ipaddr
ATTRIBUTE CVPN3000-Secondary-DNS 6 ipaddr
ATTRIBUTE CVPN3000-Primary-WINS 7 ipaddr
ATTRIBUTE CVPN3000-Secondary-WINS 8 ipaddr
ATTRIBUTE CVPN3000-SEP-Card-Assignment 9 integer
ATTRIBUTE CVPN3000-Tunneling-Protocols 11 integer
ATTRIBUTE CVPN3000-IPSec-Sec-Association 12 string
ATTRIBUTE CVPN3000-IPSec-Authentication 13 integer
ATTRIBUTE CVPN3000-IPSec-Banner1 15 string
#ATTRIBUTE CVPN3000-IPSec-Allow-Passwd-Store 16 integer
ATTRIBUTE CVPN3000-Use-Client-Address 17 integer
ATTRIBUTE CVPN3000-PPTP-Encryption 20 integer
ATTRIBUTE CVPN3000-L2TP-Encryption 21 integer
#ATTRIBUTE CVPN3000-IPSec-Split-Tunnel-List 27 string
ATTRIBUTE CVPN3000-IPSec-Default-Domain 28 string
ATTRIBUTE CVPN3000-IPSec-Tunnel-Type 30 integer
ATTRIBUTE CVPN3000-IPSec-Mode-Config 31 integer
ATTRIBUTE CVPN3000-IPSec-User-Group-Lock 33 integer
ATTRIBUTE CVPN3000-IPSec-Over-UDP 34 integer
ATTRIBUTE CVPN3000-IPSec-Over-UDP-Port 35 integer
ATTRIBUTE CVPN3000-IPSec-Banner2 36 string
ATTRIBUTE CVPN3000-PPTP-MPPC-Compression 37 integer
ATTRIBUTE CVPN3000-L2TP-MPPC-Compression 38 integer
ATTRIBUTE CVPN3000-IPSec-IP-Compression 39 integer
#ATTRIBUTE CVPN3000-IPSec-IKE-Peer-ID-Check 40 integer
ATTRIBUTE CVPN3000-IKE-Keep-Alives 41 integer
ATTRIBUTE CVPN3000-IPSec-Auth-On-Rekey 42 integer
#ATTRIBUTE CVPN3000-Required-Client-Firewall-Vendor-Code 45 integer
#ATTRIBUTE CVPN3000-Required-Client-Firewall-Product-Code 46 integer
#ATTRIBUTE CVPN3000-Required-Client-Firewall-Description 47 string
#ATTRIBUTE CVPN3000-Require-HW-Client-Auth 48 integer
#ATTRIBUTE CVPN3000-Require-Individual-User-Auth 49 integer
#ATTRIBUTE CVPN3000-Authenticated-User-Idle-Timeout 50 integer
ATTRIBUTE CVPN3000-Cisco-IP-Phone-Bypass 51 integer
ATTRIBUTE CVPN3000-User-Auth-Server-Name 52 string
ATTRIBUTE CVPN3000-User-Auth-Server-Port 53 integer
#ATTRIBUTE CVPN3000-User-Auth-Server-Secret 54 string
#ATTRIBUTE CVPN3000-IPSec-Split-Tunneling-Policy 55 integer
#ATTRIBUTE CVPN3000-IPSec-Required-Client-Firewall-Capabilty 56 integer
#ATTRIBUTE CVPN3000-IPSec-Client-Firewall-Filter-Name 57 string
#ATTRIBUTE CVPN3000-IPSec-Client-Firewall-Filter-Optional 58 integer
ATTRIBUTE CVPN3000-IPSec-Backup-Servers 59 integer
#ATTRIBUTE CVPN3000-IPSec-Backup-Server-List 60 string
ATTRIBUTE CVPN3000-Strip-Realm 135 integer
############################################################################
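An added example, not part of the posted message or of the Ascend/DCT radiusd code, that decodes a RADIUS attribute stream the two ways the dictionary above could be read and reproduces both complaints from the logs in this thread: with the CVPN3000 names bound to top-level ATTRIBUTE numbers, attribute 1 (User-Name) decodes as CVPN3000-Access-Hours = "rad" and the 18-byte User-Password (attribute 2) fails the integer length check as CVPN3000-Simultaneous-Logins, while treating the same numbers as vendor types inside Vendor-Specific (26) leaves the standard attributes intact. It assumes the Cisco VPN 3000 (Altiga) enterprise number 3076, which comes from the FreeRADIUS vendor dictionary rather than from this thread, and a simplified TLV parser; the password bytes are a constructed placeholder, not a real encrypted value.

```python
import struct
# RFC 2865 attribute numbers involved in the posted logs (type -> (name, kind)).
STANDARD = {1: ("User-Name", "string"), 2: ("User-Password", "octets"), 26: ("Vendor-Specific", "vsa")}
# The VPN3000 numbers from the posted dictionary, as vendor types that belong inside
# attribute 26 under the Cisco VPN 3000 (Altiga) enterprise number 3076 (assumed, see lead-in).
VPN3000_VENDOR = 3076
VSA_DICT = {1: ("CVPN3000-Access-Hours", "string"), 2: ("CVPN3000-Simultaneous-Logins", "integer")}
# What appending them to the Ascend dictionary as plain ATTRIBUTE lines does instead:
# the same numbers land at top level and shadow User-Name (1) and User-Password (2).
FLAT_DICT = {**STANDARD, **VSA_DICT}

def decode_value(name, kind, raw):
    if kind == "integer":
        if len(raw) != 4:  # the "has bad length" complaint in the Nov 12 log
            raise ValueError(f"attribute {name} has bad length ({len(raw) + 2})")
        return struct.unpack("!I", raw)[0]
    return raw.decode("latin-1") if kind == "string" else raw.hex()

def decode_attrs(payload, top_level, vendor_dict):
    """Walk RADIUS TLVs (type, length, value), descending into VSAs of vendor 3076."""
    out, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"attribute {atype} has bad length ({alen})")
        value = payload[i + 2:i + alen]
        name, kind = top_level.get(atype, (f"Attr-{atype}", "octets"))
        if kind == "vsa" and len(value) >= 6 and value[:4] == struct.pack("!I", VPN3000_VENDOR):
            vtype, vlen = value[4], value[5]
            name, kind = vendor_dict.get(vtype, (f"CVPN3000-Unknown-{vtype}", "octets"))
            value = value[6:4 + vlen]
        out.append((name, decode_value(name, kind, value)))
        i += alen
    return out

def decode_error(payload, top_level, vendor_dict):
    try:
        decode_attrs(payload, top_level, vendor_dict)
        return None
    except ValueError as err:
        return str(err)

def tlv(atype, value):
    return bytes([atype, len(value) + 2]) + value
def vsa(vendor, vtype, value):
    return tlv(26, struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value)

# Constructed Access-Request payload: User-Name "rad", a 16-byte placeholder User-Password
# block (attribute length 18), and CVPN3000-Simultaneous-Logins = 3 as a real VSA.
SAMPLE = tlv(1, b"rad") + tlv(2, b"\x00" * 16) + vsa(VPN3000_VENDOR, 2, struct.pack("!I", 3))
```

Running decode_attrs(SAMPLE, FLAT_DICT, {}) raises the "bad length (18)" error while decode_attrs(SAMPLE, STANDARD, VSA_DICT) returns all three attributes by their proper names, so the remedy is a vendor-scoped definition rather than bare ATTRIBUTE lines; whether Ascend RADIUS 1.16 has a syntax for that is not something this thread settles.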
-----Original Message-----
From: Yang Lee [mailto:ylee at net50.com]
Sent: Wednesday, November 13, 2002 3:11 AM
To: kazuki kamiya
Cc: vpn at lists.shmoo.com
Subject: RE: [VPN] VPN3000 RADIUS authentication
Do you get any other error messages when restarting DCT radiusd? I'm
assuming that if there are formatting errors in the dictionary file, the radiusd
will complain about them when loading them.
I haven't used DCT radiusd before, so I don't have knowledge about the real
cause of your problem. But if I were in your situation, I would try to
contact the vendor support to find out the meaning of the error
messages. I would also download a copy of FreeRADIUS (http://www.freeradius.org/),
load the same dictionary, and do a comparison test.
Thanks and regards,
############################################
Yang Lee
Sr. Engineer, Net2phone
Tel. 973-438-3836
Email. ylee at net2phone.com
Disclaimer: My opinion here does not represent my employer's in any way
############################################
On Tue, 12 Nov 2002, kazuki kamiya wrote:
>
> Thank you for your reply.
>
> I added the VPN3000 VSAs to the dictionary file and tested authentication,
> but an error occurred.
>
> ------------------------------------------------------------------------
> Nov 12 18:28:38.467 radiusd[1329] check_packet: attribute
> CVPN3000-Simultaneous-Logins
> has bad length (18)
> Nov 12 18:28:38.467 radiusd[1329] handle_radius_request: invalid radius
> packet
> ------------------------------------------------------------------------
>
> Does this error message mean the RADIUS which I'm using does not support
> long attributes like "CVPN3000-Simultaneous-Logins"?
>
> I'm using Ascend-based RADIUS (DCT RADIUS).
>
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com]On
> Behalf Of Yang Lee
> Sent: Monday, November 11, 2002 9:48 AM
> To: kazuki kamiya; vpn at lists.shmoo.com
> Subject: RE: [VPN] VPN3000 RADIUS authentication
>
>
> Hi Kazuki,
>
> From the radiusd log file you provided, it seems like the radiusd server
> needs more attribute definition for the VPN3000 client:
>
> ------------------------------------------------------------------------
> Nov 8 18:48:12.232 radiusd[1160] Authenticate:IINTERNAL: No Valid
> Reply Attribute for rad : 192.168.2.1.1025, id=4
> ------------------------------------------------------------------------
>
> You may need to add Cisco VPN3000 radius attributes into your dictionary.
> Please contact Cisco TAC for the dictionary definition file.
>
> Hope this helps,
>
> Regards,
>
> -Yang Lee
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com]On
> Behalf Of kazuki kamiya
> Sent: Friday, November 08, 2002 3:28 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] VPN3000 RADIUS authentication
>
> Hi all,
>
> I'm trying to get the VPN3000 to authenticate with Free RADIUS.
> But I have a problem.
> Could someone tell me what the debug log means, and what should
> I do?
> Should I add some attribute to the dictionary file or users file?
>
>
> The RADIUS which I'm using is DTC RADIUS (based on Ascend RADIUS).
>
>
> #### Users file ##########################################
> rad Password="rad"
>
>
> #### RADIUS debug log ###################################
> request : User-Name ="rad"
> request : Use-Password ="XXXXXX"
> request : NAS-Port = 1009
> request : Service-Type = Framed-User
> request : Framed-Protocol = PPP
> request : Tunnel-Client-Endpoint = " 172.16.1.100"
> request : NAS-IP-Address = 192.168.2.1
> request : NAS-Port-Type = Virtual
> user_parse : Password = "rad"
> Nov 8 18:48:12.232 radiusd[1160] Authenticate:IINTERNAL: No Valid
> Reply Attribute for rad : 192.168.2.1.1025, id=4
> Nov 8 18:48:12.251 radiusd[1160]send_reject:192.168.2.1.1024.id =1
> Nov 8 18:48:12.251 radiusd[1160]send_answer:Req IP = 192.168.2.1,
> NAS IP = 192.168.2.1]
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>