Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

freeradius + cisco asa vpn

Posted on 2010-09-01
Last Modified: 2012-05-10

I'm trying to setup dynamic split tunnels in my VPN with Cisco ASA.
I setup into radreply database the config:

|      id      |      username      |            attribute                  |       op      |      value            |
|      1      |      userX            |      CVPN3000-IPSec-Split-Tunnel-List      |      =      |      acl-name      |

But when I test the loggin, radius debbuging says:
    rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name " cVPN3000-IPSec-Split-Tunnel-List"
And user is rejected for access.

Does anyone know how to setup this correctly?

Question by:jhclemente
  • 4
  • 3
LVL 77

Expert Comment

ID: 33586266

Check the attribute files to make sure you have the correct definition for the attribute.

Have you looked at trying to use ipsec-split-tunnel-list instead?

Author Comment

ID: 33588775
Yes, even with "ipsec-split-tunnel-list" I get the same error.

I found in dictionary.cisco.vpn3000 this:

      ATTRIBUTE         CVPN3000-IPSec-Split-Tunnel-List      27      string

And my client is defined this way:

      client IPAddr {
            shortname = shortNameOfClient
            secret = secretPass
            nastype = Cisco-VPN3000

Any idea why I get that error?
LVL 77

Expert Comment

ID: 33588967
The error seems to suggest that acl-name is an invalid string.
Could you check whether the op should be := rather than =?

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 77

Expert Comment

ID: 33589086
run the radiusd in debug mode to see what it is doing right before this error.


Author Comment

ID: 33591626
Both operators ( := and = ) do the same

This is the debug output:

[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]       expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 9
[sql]       expand: --------- REMOVED QUERY -------------
[sql] User found in radcheck table
[sql]       expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}'             ORDER BY id  ->  SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
rlm_sql: Failed to create the pair: Invalid octet string "acl-name" for attribute name "CVPN3000-IPSec-Split-Tunnel-List"
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 9
++[sql] returns fail
LVL 77

Expert Comment

ID: 33591895
can you try aclname and see if it makes a difference?
Also what is the output
SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' order by id
presumably USERNAME in the above was commented out for a valid username.


Accepted Solution

jhclemente earned 0 total points
ID: 33600868
I finally found the problem.... everything was right in the database.
The problem was with dictionary file.... it had commented out the line for including dictionary.cisco.vpn3000
I removed the comment and it worked.

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AWS Design\Cisco Meraki 4 34
Use packet tracer to verify anyconnect VPN 11 59
Deny permission ACL 16 26
Ceiling heights max for internal antennas - Cisco 3702i access points 6 15
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question