Solved

freeradius + cisco asa vpn

Posted on 2010-09-01
7
2,084 Views
Last Modified: 2012-05-10
Hello,

I'm trying to setup dynamic split tunnels in my VPN with Cisco ASA.
I setup into radreply database the config:

|      id      |      username      |            attribute                  |       op      |      value            |
---------------------------------------------------------------------------------------------------------------------------------
|      1      |      userX            |      CVPN3000-IPSec-Split-Tunnel-List      |      =      |      acl-name      |


But when I test the loggin, radius debbuging says:
    rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name " cVPN3000-IPSec-Split-Tunnel-List"
And user is rejected for access.

Does anyone know how to setup this correctly?

Thanks!
0
Comment
Question by:jhclemente
  • 4
  • 3
7 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 33586266

Check the attribute files to make sure you have the correct definition for the attribute.

https://supportforums.cisco.com/thread/217951;jsessionid=B99ED992EF545E8F08583BFAB9DC1CAB.node0
Have you looked at trying to use ipsec-split-tunnel-list instead?
0
 
LVL 4

Author Comment

by:jhclemente
ID: 33588775
Yes, even with "ipsec-split-tunnel-list" I get the same error.

I found in dictionary.cisco.vpn3000 this:

      ATTRIBUTE         CVPN3000-IPSec-Split-Tunnel-List      27      string

And my client is defined this way:

      client IPAddr {
            shortname = shortNameOfClient
            secret = secretPass
            nastype = Cisco-VPN3000
      }


Any idea why I get that error?
0
 
LVL 76

Expert Comment

by:arnold
ID: 33588967
The error seems to suggest that acl-name is an invalid string.
Could you check whether the op should be := rather than =?

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 76

Expert Comment

by:arnold
ID: 33589086
run the radiusd in debug mode to see what it is doing right before this error.

0
 
LVL 4

Author Comment

by:jhclemente
ID: 33591626
Both operators ( := and = ) do the same

This is the debug output:

[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]       expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 9
[sql]       expand: --------- REMOVED QUERY -------------
[sql] User found in radcheck table
[sql]       expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}'             ORDER BY id  ->  SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name "CVPN3000-IPSec-Split-Tunnel-List"
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 9
++[sql] returns fail
0
 
LVL 76

Expert Comment

by:arnold
ID: 33591895
can you try aclname and see if it makes a difference?
Also what is the output
SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' order by id
presumably USERNAME in the above was commented out for a valid username.

0
 
LVL 4

Accepted Solution

by:
jhclemente earned 0 total points
ID: 33600868
I finally found the problem.... everything was right in the database.
The problem was with dictionary file.... it had commented out the line for including dictionary.cisco.vpn3000
I removed the comment and it worked.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now