Mailing List Archive

What does your tunnel profile look like on the RADIUS server? Did you
define both the NAS and the Home Gateway password?

Dennis

Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> hi
>
> i have configured an l2f nas with a tunnel definition on a radius server
> but i get an error like 'sendpass not supported' (sorry i'm not near the
> box now). my aaa config is -
>
> aaa authentication ppp default group radius local
> aaa authorization network default group radius
>
> not sure what is going wrong - i'm sure this works with l2tp (sure i've
> seen this config with l2tp).
>
> any ideas what is wrong ?- and is this problem limited to l2f - would this
> aaa config work with l2tp.
>
> many thanks
>
> bob
>
> _________________________________________________________________
> Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
>
> _______________________________________________
> cisco-nas mailing list
> cisco-nas@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas

dennis

thanks very much for replying

i did define both of the passwords. i also found this on cco

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d97ca.html#1003583

in part called Misconfigured AAA Authentication it seems to talk about this
issue. but i'm not really sure i understand. is this my problem do you
think?

bob


>From: Dennis Peng <dpeng@cisco.com>
>To: Bob Arthurs <bob_arthurs@hotmail.com>
>CC: cisco-nas@puck.nether.net
>Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
>Date: Tue, 2 Sep 2003 11:31:48 -0700
>
>What does your tunnel profile look like on the RADIUS server? Did you
>define both the NAS and the Home Gateway password?
>
>Dennis
>
>Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> > hi
> >
> > i have configured an l2f nas with a tunnel definition on a radius server
> > but i get an error like 'sendpass not supported' (sorry i'm not near the
> > box now). my aaa config is -
> >
> > aaa authentication ppp default group radius local
> > aaa authorization network default group radius
> >
> > not sure what is going wrong - i'm sure this works with l2tp (sure i've
> > seen this config with l2tp).
> >
> > any ideas what is wrong ?- and is this problem limited to l2f - would
>this
> > aaa config work with l2tp.
> >
> > many thanks
> >
> > bob
> >
> > _________________________________________________________________
> > Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
> >
> > _______________________________________________
> > cisco-nas mailing list
> > cisco-nas@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nas

_________________________________________________________________
Find a cheaper internet access deal - choose one to suit you.
http://www.msn.co.uk/internetaccess

As long as the tunnel profile is properly defined, you should not run
into the "SENDPASS" error. That error occurs when the AAA subsystem
needs to respond with a password to an authentication request we have
received and we attempt to get it from RADIUS. Unlike TACACS+, the
RADUIS protocol only specifies a mechanism for verifying inbound
authentication responses, not for providing outbound authentication
responses. So the attempt will fail with the SENDPASS error. Your
profile should look something like:

l2f.com Password=="cisco", Service-Type==Outbound-User
Tunnel-Type = L2F,
Tunnel-Medium-Type = IP,
Tunnel-Client-Auth-Id = "NAS",
Tunnel-Server-Endpoint = 10.1.1.1,
Cisco-AVPair = "vpdn:nas-password=cisco",
Cisco-AVPair = "vpdn:gw-password=cisco",

If this is what your profile looks like and you are still seeing this
error, please send me your version and config, your RADIUS tunnel
profile, and "debug ppp negot", "debug vpdn l2x-ev", "debug radius",
"debug aaa authen", and "debug aaa author" when you make a L2F
call. Thanks.

Dennis

Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> dennis
>
> thanks very much for replying
>
> i did define both of the passwords. i also found this on cco
>
> http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d97ca.html#1003583
>
> in part called Misconfigured AAA Authentication it seems to talk about this
> issue. but i'm not really sure i understand. is this my problem do you
> think?
>
> bob
>
>
> >From: Dennis Peng <dpeng@cisco.com>
> >To: Bob Arthurs <bob_arthurs@hotmail.com>
> >CC: cisco-nas@puck.nether.net
> >Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
> >Date: Tue, 2 Sep 2003 11:31:48 -0700
> >
> >What does your tunnel profile look like on the RADIUS server? Did you
> >define both the NAS and the Home Gateway password?
> >
> >Dennis
> >
> >Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> >> hi
> >>
> >> i have configured an l2f nas with a tunnel definition on a radius server
> >> but i get an error like 'sendpass not supported' (sorry i'm not near the
> >> box now). my aaa config is -
> >>
> >> aaa authentication ppp default group radius local
> >> aaa authorization network default group radius
> >>
> >> not sure what is going wrong - i'm sure this works with l2tp (sure i've
> >> seen this config with l2tp).
> >>
> >> any ideas what is wrong ?- and is this problem limited to l2f - would
> >this
> >> aaa config work with l2tp.
> >>
> >> many thanks
> >>
> >> bob
> >>
> >> _________________________________________________________________
> >> Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
> >>
> >> _______________________________________________
> >> cisco-nas mailing list
> >> cisco-nas@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nas
>
> _________________________________________________________________
> Find a cheaper internet access deal - choose one to suit you.
> http://www.msn.co.uk/internetaccess

dennis - thanks for explanation. my tunnel definition looks like (i think- i
am not near my radius sever now - just as i remember):

on a merit radius server:

abc.com Password = "cisco"
Service-Type = Outbound-User,
cisco-avpair = "vpdn:tunnel-id=l2f_nas",
cisco-avpair = "vpdn:ip-addresses=10.1.1.1",
cisco-avpair = "vpdn:nas-password=password",
cisco-avpair = "vpdn:gw-password=password"

thankyou again

bob


>From: Dennis Peng <dpeng@cisco.com>
>To: Bob Arthurs <bob_arthurs@hotmail.com>
>CC: cisco-nas@puck.nether.net
>Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
>Date: Tue, 2 Sep 2003 16:12:07 -0700
>
>As long as the tunnel profile is properly defined, you should not run
>into the "SENDPASS" error. That error occurs when the AAA subsystem
>needs to respond with a password to an authentication request we have
>received and we attempt to get it from RADIUS. Unlike TACACS+, the
>RADUIS protocol only specifies a mechanism for verifying inbound
>authentication responses, not for providing outbound authentication
>responses. So the attempt will fail with the SENDPASS error. Your
>profile should look something like:
>
>l2f.com Password=="cisco", Service-Type==Outbound-User
> Tunnel-Type = L2F,
> Tunnel-Medium-Type = IP,
> Tunnel-Client-Auth-Id = "NAS",
> Tunnel-Server-Endpoint = 10.1.1.1,
> Cisco-AVPair = "vpdn:nas-password=cisco",
> Cisco-AVPair = "vpdn:gw-password=cisco",
>
>If this is what your profile looks like and you are still seeing this
>error, please send me your version and config, your RADIUS tunnel
>profile, and "debug ppp negot", "debug vpdn l2x-ev", "debug radius",
>"debug aaa authen", and "debug aaa author" when you make a L2F
>call. Thanks.
>
>Dennis
>
>Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> > dennis
> >
> > thanks very much for replying
> >
> > i did define both of the passwords. i also found this on cco
> >
> >
>http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d97ca.html#1003583
> >
> > in part called Misconfigured AAA Authentication it seems to talk about
>this
> > issue. but i'm not really sure i understand. is this my problem do you
> > think?
> >
> > bob
> >
> >
> > >From: Dennis Peng <dpeng@cisco.com>
> > >To: Bob Arthurs <bob_arthurs@hotmail.com>
> > >CC: cisco-nas@puck.nether.net
> > >Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
> > >Date: Tue, 2 Sep 2003 11:31:48 -0700
> > >
> > >What does your tunnel profile look like on the RADIUS server? Did you
> > >define both the NAS and the Home Gateway password?
> > >
> > >Dennis
> > >
> > >Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> > >> hi
> > >>
> > >> i have configured an l2f nas with a tunnel definition on a radius
>server
> > >> but i get an error like 'sendpass not supported' (sorry i'm not near
>the
> > >> box now). my aaa config is -
> > >>
> > >> aaa authentication ppp default group radius local
> > >> aaa authorization network default group radius
> > >>
> > >> not sure what is going wrong - i'm sure this works with l2tp (sure
>i've
> > >> seen this config with l2tp).
> > >>
> > >> any ideas what is wrong ?- and is this problem limited to l2f - would
> > >this
> > >> aaa config work with l2tp.
> > >>
> > >> many thanks
> > >>
> > >> bob
> > >>
> > >> _________________________________________________________________
> > >> Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
> > >>
> > >> _______________________________________________
> > >> cisco-nas mailing list
> > >> cisco-nas@puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/cisco-nas
> >
> > _________________________________________________________________
> > Find a cheaper internet access deal - choose one to suit you.
> > http://www.msn.co.uk/internetaccess

_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile

That should work Bob (I tested it out just to make sure too). If you
could get the debugs and send it to me, that might help me pinpoint
the problem. Please add "debug vpdn l2x-er" to the list as
well. Thanks.

Dennis

Bob Arthurs [bob_arthurs@hotmail.com] wrote:
>
> dennis - thanks for explanation. my tunnel definition looks like (i think-
> i am not near my radius sever now - just as i remember):
>
> on a merit radius server:
>
> abc.com Password = "cisco"
> Service-Type = Outbound-User,
> cisco-avpair = "vpdn:tunnel-id=l2f_nas",
> cisco-avpair = "vpdn:ip-addresses=10.1.1.1",
> cisco-avpair = "vpdn:nas-password=password",
> cisco-avpair = "vpdn:gw-password=password"
>
> thankyou again
>
> bob
>
>
> >From: Dennis Peng <dpeng@cisco.com>
> >To: Bob Arthurs <bob_arthurs@hotmail.com>
> >CC: cisco-nas@puck.nether.net
> >Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
> >Date: Tue, 2 Sep 2003 16:12:07 -0700
> >
> >As long as the tunnel profile is properly defined, you should not run
> >into the "SENDPASS" error. That error occurs when the AAA subsystem
> >needs to respond with a password to an authentication request we have
> >received and we attempt to get it from RADIUS. Unlike TACACS+, the
> >RADUIS protocol only specifies a mechanism for verifying inbound
> >authentication responses, not for providing outbound authentication
> >responses. So the attempt will fail with the SENDPASS error. Your
> >profile should look something like:
> >
> >l2f.com Password=="cisco", Service-Type==Outbound-User
> > Tunnel-Type = L2F,
> > Tunnel-Medium-Type = IP,
> > Tunnel-Client-Auth-Id = "NAS",
> > Tunnel-Server-Endpoint = 10.1.1.1,
> > Cisco-AVPair = "vpdn:nas-password=cisco",
> > Cisco-AVPair = "vpdn:gw-password=cisco",
> >
> >If this is what your profile looks like and you are still seeing this
> >error, please send me your version and config, your RADIUS tunnel
> >profile, and "debug ppp negot", "debug vpdn l2x-ev", "debug radius",
> >"debug aaa authen", and "debug aaa author" when you make a L2F
> >call. Thanks.
> >
> >Dennis
> >
> >Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> >> dennis
> >>
> >> thanks very much for replying
> >>
> >> i did define both of the passwords. i also found this on cco
> >>
> >>
> >http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d97ca.html#1003583
> >>
> >> in part called Misconfigured AAA Authentication it seems to talk about
> >this
> >> issue. but i'm not really sure i understand. is this my problem do you
> >> think?
> >>
> >> bob
> >>
> >>
> >> >From: Dennis Peng <dpeng@cisco.com>
> >> >To: Bob Arthurs <bob_arthurs@hotmail.com>
> >> >CC: cisco-nas@puck.nether.net
> >> >Subject: Re: [cisco-nas] Sendpass not supported - l2f -- please help...
> >> >Date: Tue, 2 Sep 2003 11:31:48 -0700
> >> >
> >> >What does your tunnel profile look like on the RADIUS server? Did you
> >> >define both the NAS and the Home Gateway password?
> >> >
> >> >Dennis
> >> >
> >> >Bob Arthurs [bob_arthurs@hotmail.com] wrote:
> >> >> hi
> >> >>
> >> >> i have configured an l2f nas with a tunnel definition on a radius
> >server
> >> >> but i get an error like 'sendpass not supported' (sorry i'm not near
> >the
> >> >> box now). my aaa config is -
> >> >>
> >> >> aaa authentication ppp default group radius local
> >> >> aaa authorization network default group radius
> >> >>
> >> >> not sure what is going wrong - i'm sure this works with l2tp (sure
> >i've
> >> >> seen this config with l2tp).
> >> >>
> >> >> any ideas what is wrong ?- and is this problem limited to l2f - would
> >> >this
> >> >> aaa config work with l2tp.
> >> >>
> >> >> many thanks
> >> >>
> >> >> bob
> >> >>
> >> >> _________________________________________________________________
> >> >> Get Hotmail on your mobile phone http://www.msn.co.uk/msnmobile
> >> >>
> >> >> _______________________________________________
> >> >> cisco-nas mailing list
> >> >> cisco-nas@puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nas
> >>
> >> _________________________________________________________________
> >> Find a cheaper internet access deal - choose one to suit you.
> >> http://www.msn.co.uk/internetaccess
>
> _________________________________________________________________
> Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile
>
> _______________________________________________
> cisco-nas mailing list
> cisco-nas@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas