freeradius + cisco asa vpn

Hello,

I'm trying to set up dynamic split tunnels in my VPN with a Cisco ASA.
I set up this entry in the radreply table:

| id | username | attribute                        | op | value    |
|----|----------|----------------------------------|----|----------|
| 1  | userX    | CVPN3000-IPSec-Split-Tunnel-List | =  | acl-name |


But when I test the login, the RADIUS debugging says:
    rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name " cVPN3000-IPSec-Split-Tunnel-List"
And the user is rejected.

Does anyone know how to setup this correctly?

Thanks!
jhclemente Asked:
jhclemente Author Commented:
I finally found the problem. Everything was right in the database.
The problem was with the dictionary file: it had the line for including dictionary.cisco.vpn3000 commented out.
I removed the comment and it worked.
0
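The accepted answer above, together with the dictionary excerpt quoted further down (ATTRIBUTE CVPN3000-IPSec-Split-Tunnel-List 27 string), comes down to one check: does the attribute name in radreply resolve in the dictionary tree that radiusd actually loads? The following added example is not code from this thread or from FreeRADIUS. It is a deliberately small reader of FreeRADIUS-style dictionary files that follows `$INCLUDE` lines, skips `#` comments the way radiusd does, and reports whether a radreply attribute resolves. The sample dictionary files it writes are constructed stand-ins, not the real ones, and it ignores VENDOR, BEGIN-VENDOR and VALUE lines that real dictionaries contain.

```python
"""Resolve a radreply attribute name against a FreeRADIUS-style dictionary tree.

Added example, not code from the original thread or from FreeRADIUS. Only
ATTRIBUTE and $INCLUDE lines are handled; VENDOR, BEGIN-VENDOR and VALUE
lines from real dictionaries are ignored.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)", re.IGNORECASE)
ATTRIBUTE_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def load_dictionary(path, seen=None):
    """Return {lowercased attribute name: (number, type)} for PATH and the
    files it $INCLUDEs. Attribute names are case-insensitive in FreeRADIUS,
    so the lookup key is lowercased. A commented-out $INCLUDE is skipped,
    which is exactly how the vendor attributes go missing."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    attrs = {}
    if path in seen or not os.path.isfile(path):
        return attrs
    seen.add(path)
    base = os.path.dirname(path)
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            inc = INCLUDE_RE.match(line)
            if inc:
                # includes are resolved relative to the including file
                attrs.update(load_dictionary(os.path.join(base, inc.group(1)), seen))
                continue
            attr = ATTRIBUTE_RE.match(line)
            if attr:
                name, number, atype = attr.groups()
                attrs[name.lower()] = (number, atype.lower())
    return attrs


def check_radreply_row(attrs, attribute, value):
    """Mimic the first thing rlm_sql needs when it builds a pair from a
    radreply row: the attribute name must resolve. Returns (ok, message)."""
    entry = attrs.get(attribute.strip().lower())
    if entry is None:
        return False, (f'attribute "{attribute}" is not defined; '
                       "check that the vendor dictionary is $INCLUDEd")
    number, atype = entry
    return True, f"{attribute} = {value!r} (attr {number}, type {atype})"


# Constructed stand-in for dictionary.cisco.vpn3000 (not the real file); it
# defines the attribute with the number and type the thread quotes.
VENDOR_FILE = (
    "# constructed cut-down vendor dictionary\n"
    "ATTRIBUTE\tCVPN3000-IPSec-Split-Tunnel-List\t27\tstring\n"
)


def write_sample_tree(directory, include_enabled):
    """Write the constructed top-level 'dictionary' and vendor file into
    DIRECTORY; the $INCLUDE line is commented out unless INCLUDE_ENABLED."""
    prefix = "" if include_enabled else "#"
    top = (
        "# constructed top-level dictionary\n"
        f"{prefix}$INCLUDE dictionary.cisco.vpn3000\n"
    )
    with open(os.path.join(directory, "dictionary"), "w", encoding="utf-8") as fh:
        fh.write(top)
    with open(os.path.join(directory, "dictionary.cisco.vpn3000"), "w",
              encoding="utf-8") as fh:
        fh.write(VENDOR_FILE)


def run_check(include_enabled, attribute="CVPN3000-IPSec-Split-Tunnel-List",
              value="acl-name"):
    """Build a sample tree in a temp dir, load it and resolve one radreply
    row. Returns True when the attribute resolves, False otherwise."""
    with tempfile.TemporaryDirectory() as directory:
        write_sample_tree(directory, include_enabled)
        attrs = load_dictionary(os.path.join(directory, "dictionary"))
        ok, message = check_radreply_row(attrs, attribute, value)
        print(message)
        return ok


if __name__ == "__main__":
    run_check(include_enabled=False)  # include commented out: unresolved
    run_check(include_enabled=True)   # include enabled: resolves to attr 27
```

Run it against a real tree by pointing load_dictionary at the server's top-level dictionary instead of the constructed one; if the name from radreply comes back unresolved, the fix is in the dictionary includes, not in the op column or the ACL name.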
arnold Commented:

Check the attribute files to make sure you have the correct definition for the attribute.

https://supportforums.cisco.com/thread/217951;jsessionid=B99ED992EF545E8F08583BFAB9DC1CAB.node0
Have you looked at trying to use ipsec-split-tunnel-list instead?
0
jhclemente Author Commented:
Yes, even with "ipsec-split-tunnel-list" I get the same error.

I found in dictionary.cisco.vpn3000 this:

      ATTRIBUTE         CVPN3000-IPSec-Split-Tunnel-List      27      string

And my client is defined this way:

      client IPAddr {
            shortname = shortNameOfClient
            secret = secretPass
            nastype = Cisco-VPN3000
      }


Any idea why I get that error?
0

arnold Commented:
The error seems to suggest that acl-name is an invalid string.
Could you check whether the op should be := rather than =?

0
arnold Commented:
Run radiusd in debug mode to see what it is doing right before this error.

0
jhclemente Author Commented:
Both operators (:= and =) do the same thing.

This is the debug output:

[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]       expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 9
[sql]       expand: --------- REMOVED QUERY -------------
[sql] User found in radcheck table
[sql]       expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}'             ORDER BY id  ->  SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name "CVPN3000-IPSec-Split-Tunnel-List"
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 9
++[sql] returns fail
0
arnold Commented:
Can you try aclname and see if it makes a difference?
Also, what is the output of
SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' order by id
Presumably USERNAME in the above was commented out for a valid username.

0