Cisco 2600 Terminal server with async NM-32 sending wrong characters

Unanswered Question

Dear List,


I have just installed an Out Of Band network in case  of major crashes for our company.


The architecture is the  following :


3 Cisco 2600 routers geared with async NM32 modules  and octal cables. Each console is connected to the console port of my  backbone routers.

The routers are NATed behind another ISP DSL line. Such kind of OOB  network comes in handy sometimes ;-)



My core routers are  configured to authenticate with our internal radius servers before  falling back to the enable password, just in case. Here is what I have  started seeing in my RADIUS logs :

*** Received from X.X.X.X port 47832 ....
Code:        Access-Request
Identifier: 83
Authentic:   <221>r<176>Z<189><221><25><8><

142>T<20>b<244>S<176>O
Attributes:
        User-Name = "CONS1.IX1>"
         User-Password =  "<161><2><22>s[jR<217>\<245>R<217><25><129><197><137>^<213>7<220><27>5=h,<192><158>9<1>T<31><196>"
         NAS-IP-Address = X.X.X.X


Wed Jun  2 01:40:19 2010:  DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010:  DEBUG:  Deleting session for CONS1.IX1>, X.X.X.X,
Wed Jun  2  01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed  Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,  is_staff FROM auth_user WHERE username='CONS1.IX1>' AND is_active IS  TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL looks for match with   CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG:  Radius::AuthSQL REJECT: No such user: CONS1.IX1> [CONS1.IX1>]
Wed   Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user

Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed  Jun  2 01:40:19 2010: DEBUG: Reading users file  /etc/radiator/users-interne
Wed Jun  2 01:40:19 2010: DEBUG:  Radius::AuthFILE looks for match with CONS1.IX1> [CONS1.IX1>]Wed  Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:  CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such  user
Wed Jun  2 01:40:19 2010: INFO: Access rejected for  CONS1.IX1>: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet  dump:
*** Sending to 77.246.80.138 port 47832 ....
Code:       Access-Reject
Identifier: 83
Authentic:   <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
Attributes:
          Reply-Message = "Request Denied"


*** Received from X.X.X.X port 52229 ....
Code:         Access-Request
Identifier: 181
Authentic:   z5<183>6L<27>z`<191><221><22><6><213><20><13><143>
Attributes:
        User-Name = "CONS2.IX1> ### Login failed"
          User-Password =  "UP<214><250><11><158>%<245><251>jJ<195>M<145>c<2>"
         NAS-IP-Address = X.X.X.X


Wed Jun  2 01:40:19 2010:  DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010:  DEBUG:  Deleting session for CONS2.IX1> ### Login failed, X.X.X.X,
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed  Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed Jun   2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff, is_staff  FROM auth_user WHERE username='CONS2.IX1> ### Login failed' AND  is_active IS TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL looks for match with   CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed  Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:  CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user

Wed   Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed  Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with  CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:  CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed  Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed   Jun  2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login  failed: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:


Where :


-  X.X.X.X is the source ip address of my core equipment used to reach the  internal RADIUS servers


- CONS1.IX1 and CONS2.IX1 are my console  routers' names.


The consoles keep on flooding the RADIUS servers with such a  like requests continuasly. For your information, we have been using  theese console routers for years now but they connected directly to the  backcone until tonight.


Here is the output of a sh version of the consoles :


CONS1.IX1#sh  version

Cisco Internetwork Operating System Software

IOS (tm)  C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2007 by cisco Systems, Inc.

Compiled Wed 11-Jul-07  20:22 by pwade

Image text-base: 0x8000808C, data-base: 0x812948AC


ROM:  System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)


CONS1.IX1 uptime is 1 hour, 51 minutes

System returned to ROM by  reload

System image file is "flash:c2600-ik9s-mz.122-46a.

bin"



This  product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use.  Delivery of Cisco cryptographic products does not imply
third-party  authority to import, export, distribute or use encryption.
Importers,  exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree  to comply with applicable laws and regulations. If you are unable
to  comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be  found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html


If  you require further assistance please contact us by sending email to
[email protected].


cisco  2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of  memory.
Processor board ID JAD04290CT0 (2953820044)
M860  processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2  FastEthernet/IEEE 802.3 interface(s)
32 terminal line(s)
32K bytes  of non-volatile configuration memory.
16384K bytes of processor  board System flash (Read/Write)

Configuration register is 0x2102



Here is my template of  configuration :



version 12.2
service  timestamps debug datetime msec
service timestamps log datetime msec
service  password-encryption
!
hostname CONS3.IX1
!
aaa new-model
aaa authentication  login default local enable
aaa authorization exec default local
enable  secret 5 $1$B6xi$Wvur3lYfDVqH8Ztaq9dg51
!
username XXXX privilege  15 password 7 120E041C131F09142F29252A3C202C
ip subnet-zero
ip cef
!
!
no ip domain-lookup
ip  domain-name XXXXX
ip host LOCALHOST 192.168.0.1
ip name-server  XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
!
ip ssh  time-out 60
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description  Link to Freebox
ip address 192.168.0.1 255.255.255.0
duplex  auto
speed auto
no shut
!
interface FastEthernet0/1
no  ip address
  shutdown
duplex auto
speed auto
!
ip classless
ip  route 0.0.0.0 0.0.0.0 192.168.0.254
no ip http server
!
!
menu  login text 1 se connecter sur BB1.IX1-SUP1
menu login command 1  telnet LOCALHOST 2033
menu login text 2 se connecter sur BB1.IX1-SUP2
menu login command 2  telnet LOCALHOST 2034
menu login text 3 se connecter sur LNS1.IX1
menu  login command 3 telnet LOCALHOST 2035
menu login text 4 se connecter  sur LNS2.IX1
menu login command 4 telnet LOCALHOST 2036
menu login text 5 se  connecter sur FW1.IX1
menu login command 5 telnet LOCALHOST 2037
menu  login text 6 se connecter sur FW2.IX1
menu login command 6 telnet  LOCALHOST 2038
menu login text 7 se connecter sur FW3.IX1
menu login command 7  telnet LOCALHOST 2039
menu login text 8 se connecter sur LNS7.IX1
menu  login command 8 telnet LOCALHOST 2040
menu login text 0 sortir du  menu
menu login command 0 menu-exit
!
dial-peer cor custom
!
!
!
!
!         
line con 0
line 33 64
exec-timeout 0 0
no exec
transport  input all
escape-character 3
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
transport  input ssh
!
ntp server XXX.XXX.XXX.XXX
ntp server  XXX.XXX.XXX.XXX
end



Any ideas to what my problem might be ?


Thanks  in advance.

Best regards.


Y.
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Calin Chiorean Wed, 06/02/2010 - 06:24
User Badges:
  • Silver, 250 points or more

I see that your session is trying to authenticate against Radius (so, radius is reachable), but then this is

issuing a sql query for some user that it's not found.

Can you check if you have this user CONS1.IX1 configured properly?

Hello,


Actually, I must have mixed theese commands.


I am not trying to use radius to authenticate on the terminal consoles, only local authentication through a static user account reachable via SSH.


On the other hand, my core equipments are authenticated against internal radius servers and fallback on the enable password if not reachable.


I am close to figuring this out.


Any clues ?


Thanks.

Actions

This Discussion