New Member

aaa-radius and call back

Hi all,

I have a 3660 router and some dial-in users with a Radius server under NT 2000 (Internet Authentication Service).

The user is authenticated by the Radius server (I see it in the Radius log and the Event log on NT), but the Cisco router returns: "Apr 29 10:10:33 10.10.10.11 19293: Apr 29 10:09:57: RADIUS: no appropriate authorization type for user."

3660 config. :

aaa new-model

aaa group server radius fat_radius

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa authentication login login-lst1 local group fat_radius

aaa authentication ppp default local group fat_radius

aaa authentication ppp dial-lst1 local group fat_radius

aaa authorization exec default group radius if-authenticated

aaa authorization network dial-lst1 local group fat_radius

aaa accounting network fat-acc start-stop group fat-radius

Thank you a lot for the help.

LE Han

5 REPLIES
Cisco Employee

Re: aaa-radius and call back

Here are the links which discuss the same, for your config reference purposes.

http://www.cisco.com/warp/public/793/access_dial/async_ppp.html

http://www.cisco.com/warp/public/471/ppp-callback-aaa.html

http://www.cisco.com/warp/public/480/pppcallback_tac.html

We need to see the debugs as mentioned on those links for verification if things still don't work.

New Member

Re: aaa-radius and call back

Hi,

Thank you for the info.

Here are the debugs at the 3660 router:

FAT-BXL#sh deb

General OS:

Modem control/process activation debugging is on

AAA Authentication debugging is on

AAA Authorization debugging is on

CSM Modem Management:

Modem Management Call Switching Module debugging is on

PPP:

PPP protocol negotiation debugging is on

Callback:

Callback activity debugging is on

Radius protocol debugging is on

FAT-BXL#

FAT-BXL#

Apr 30 11:41:49: AAA/ACCT/DS0: channel=24, ds1=0, t3=0, slot=3, ds0=50331672

Apr 30 11:41:49: CSM: MODEM_REPORT from 3/0:24, call_id=0x3F08, event=0x1, cause=0x0, dchan_idb=0x62460B90

Apr 30 11:41:49: CSM: Next free modem = 4/6; statbits = 10020

Apr 30 11:41:49: Modem 4/6 CSM: modem is allocated, modems free=16

Apr 30 11:41:49: Modem 4/6 CSM: Incoming call from 25115696 to 25501350, id 0x3F08

Apr 30 11:41:49: Modem 4/6 CSM: (CSM_PROC_IDLE)<--ISDN_CALL

Apr 30 11:41:50: CSM: MODEM_REPORT from 3/0:24, call_id=0x3F08, event=0x4, cause=0x0, dchan_idb=0x62460B90

Apr 30 11:41:50: Modem 4/6 CSM: MODEM_REPORT rcvd DEV_CONNECTED for call_id 0x3F08

FAT-BXL#

Apr 30 11:41:50: Modem 4/6 CSM: (CSM_PROC_MODEM_RESERVED)<--ISDN_CONNECTED

Apr 30 11:41:50: Modem 4/6 Mica: configured for Answer mode, with Null signaling, 0x0 tone detection.

Apr 30 11:41:50: Modem 4/6 Mica: in modem state CALL_SETUP

Apr 30 11:41:51: Modem 4/6 Mica: in modem state CONNECT

Apr 30 11:41:55: Modem 4/6 Mica: in modem state LINK

Apr 30 11:42:07: Modem 4/6 Mica: in modem state TRAINUP

Apr 30 11:42:12: Modem 4/6 Mica: in modem state EC_NEGOTIATING

Apr 30 11:42:13: Modem 4/6 CSM: (CSM_PROC_WAIT_FOR_CARRIER)<--MODEM_CONNECTED

Apr 30 11:42:13: Modem 4/6 Mica: in modem state STEADY

Apr 30 11:42:13: Modem 4/6 Mica: CONNECT at 45333/31200 (Tx/Rx), V90, LAPM, V42bis

Apr 30 11:42:13: TTY135: DSR came up

Apr 30 11:42:13: tty135: Modem: IDLE->(unknown)

Apr 30 11:42:13: TTY135: EXEC creation

Apr 30 11:42:13: AAA/ACCT/DS0: channel=24, ds1=0, t3=0, slot=3, ds0=50331672

Apr 30 11:42:13: AAA/MEMORY: create_user (0x6260DB78) user='' ruser='' port='tty135' rem_addr='25115696/25501350' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'

Apr 30 11:42:13: TTY135: set timer type 10, 30 seconds

Apr 30 11:42:15: TTY135: Autoselect(2) sample 7E

Apr 30 11:42:15: TTY135: Autoselect(2) sample 7EFF

Apr 30 11:42:15: TTY135: Autoselect(2) sample 7EFF7D

Apr 30 11:42:15: TTY135: Autoselect(2) sample 7EFF7D23

Apr 30 11:42:15: TTY135 Autoselect cmd: ppp negotiate

Apr 30 11:42:15: AAA/MEMORY: free_user (0x6260DB78) user='' ruser='' port='tty135' rem_addr='25115696/25501350' authen_type=ASCII service=LOGIN priv=1

Apr 30 11:42:15: TTY135: EXEC creation

Apr 30 11:42:15: TTY135: create timer type 1, 600 seconds

Apr 30 11:42:15: TTY135: destroy timer type 1

Apr 30 11:42:15: TTY135: no timer type 0 to destroy

Apr 30 11:42:22: Modem 4/6 Mica: PPP escape_map: Tx map = 0, Rx map = 0

Apr 30 11:42:22: AAA/ACCT/DS0: channel=24, ds1=0, t3=0, slot=3, ds0=50331672

Apr 30 11:42:22: AAA/MEMORY: create_user (0x6260DB78) user='drdatest' ruser='' port='Async135' rem_addr='25115696/25501350' authen_type=PAP service=PPP priv=1 initial_task_id='0'

Apr 30 11:42:22: RADIUS: ustruct sharecount=1

Apr 30 11:42:22: Radius: radius_port_info() success=1 radius_nas_port=1

Apr 30 11:42:22: RADIUS: Initial Transmit Async135 id 51 10.10.1.32:1645, Access-Request, len 98

Apr 30 11:42:22: Attribute 4 6 0A0A0A0B

Apr 30 11:42:22: Attribute 5 6 00000087

Apr 30 11:42:22: Attribute 61 6 00000000

Apr 30 11:42:22: Attribute 1 10 64726461

Apr 30 11:42:22: Attribute 30 10 32353530

Apr 30 11:42:22: Attribute 31 10 32353131

Apr 30 11:42:22: Attribute 2 18 DED29F39

Apr 30 11:42:22: Attribute 6 6 00000002

Apr 30 11:42:22: Attribute 7 6 00000001

Apr 30 11:42:22: RADIUS: Received from id 51 10.10.1.32:1645, Access-Accept, len 100

Apr 30 11:42:22: Attribute 7 6 00000001

Apr 30 11:42:22: Attribute 15 6 00000001

Apr 30 11:42:22: Attribute 16 6 00000425

Apr 30 11:42:22: Attribute 6 6 00000004

Apr 30 11:42:22: Attribute 25 32 35870423

Apr 30 11:42:22: Attribute 26 12 0000013707060000

Apr 30 11:42:22: Attribute 26 12 0000013708060000

Apr 30 11:42:22: RADIUS: saved authorization data for user 6260DB78 at 62445EAC

Apr 30 11:42:22: As135 AAA/AUTHOR/LCP (4137015450): found list "dial-lst1"

Apr 30 11:42:22: RADIUS: no appropriate authorization type for user.

Apr 30 11:42:22: AAA/MEMORY: free_user (0x6260DB78) user='drdatest' ruser='' port='Async135' rem_addr='25115696/25501350' authen_type=PAP service=PPP priv=1

Apr 30 11:42:22: TTY135: Async Int reset: Dropping DTR

Apr 30 11:42:22: Modem 4/6 CSM: (CSM_PROC_CONNECTED)<--ASYNC_DTR_DOWN

Apr 30 11:42:22: Modem 4/6 Mica: PPP escape_map: Tx map = FFFFFFFF, Rx map = 0

Apr 30 11:42:22: Modem 4/6 Mica: in modem state TERMINATING

Apr 30 11:42:22: Modem 4/6 CSM: (CSM_PROC_DISCONNECTED)<--MODEM_DISCONNECTED

Apr 30 11:42:22: Modem 4/6 Mica: in modem state IDLE

Apr 30 11:42:22: Modem 4/6 CSM: (CSM_PROC_DISCONNECTED)<--QUEUED_DISCONNECT

Apr 30 11:42:22: Modem 4/6 CSM: CSM_MODEM_DEALLOCATE: modem is deallocated

Apr 30 11:42:22: AAA/ACCT/DS0: channel=24, ds1=0, t3=0, slot=3, ds0=50331672

Apr 30 11:42:22: Modem 4/6 Mica: DISCONNECT after 00:00:32, due to reason (0xDF00) Host Disconnect.

And here are the msgs at the Radius server:

User drdatest was granted access.

Fully-Qualified-User-Name = domain/Users/drdatest

NAS-IP-Address = x.x.x.x

NAS-Identifier =

Client-Friendly-Name = DIALIN 3660

Client-IP-Address = x.x.x.x

NAS-Port-Type = Async

NAS-Port = 135

Policy-Name = Allow access if dial-in permission is enabled

Authentication-Type = PAP

EAP-Type =

The Radius server is configured with these parameters:

Framed-protocol=PPP

Service-Type=Callback Framed

Login-TCP-Port=1061

Login-Service=Rlogin

I have the same problem if Login-Service=Telnet.

The callback works fine if the user is defined in the local database (i.e. without AAA with the Radius server).

Thank you again.

New Member

Re: aaa-radius and call back

Check that the IAS server is sending

Cisco-AVPair = "lcp:callback-dialstring=number_to_callback"

to the router ....

bye

New Member

Re: aaa-radius and call back

Hi,

I added this def. in IAS config, but the router returns :

May 07 08:49:09 10.10.10.11 20709: May 7 08:48:16: RADIUS: cisco AVPair ""lcp:callback-dialstring=025115696"" not applied for lcp

May 07 08:49:09 10.10.10.11 20710: May 7 08:48:16: RADIUS: no appropriate authorization type for user.

The version of Cisco router is :

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(1), RELEASE SOFTWARE (fc2)

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Fri 27-Apr-01 00:04 by cmong

Image text-base: 0x60008960, data-base: 0x611C0000

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)

FAT-BXL uptime is 5 weeks, 4 days, 10 hours, 48 minutes

System returned to ROM by reload at 23:00:00 gmt Sun Mar 30 2003

System restarted at 00:02:05 gmt Mon Mar 31 2003

System image file is "flash:c3660-is-mz.122-1.bin"

cisco 3660 (R527x) processor (revision C0) with 56320K/9216K bytes of memory.

Processor board ID JAB0452C00T

R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache

Channelized E1, Version 1.0.

MICA-6DM Firmware: CP ver 2720 - 5/30/2000, SP ver 2720 - 5/30/2000.

Bridging software.

X.25 software, Version 3.0.0.

SuperLAT software (copyright 1990 by Meridian Technology Corp).

Primary Rate ISDN software, Version 1.1.

Thanks for the help

Cisco Employee

Re: aaa-radius and call back

Assuming that the "callback" is negotiated during LCP. Looking at the debug:

RADIUS: no appropriate authorization type for user.

First you need to make sure that the default list is selected for authentication and authorization. Try to add the following command as well.

aaa authorization network default group radius

Now I have decoded the response from the Radius server and it replies with two vendor-specific attributes (#26). Not sure what that is.

I don't know much about IAS, but make sure that it's configured with the attributes required, as mentioned at the following URL.

http://www.cisco.com/warp/public/471/ppp-callback-aaa.html
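
Added example, not part of the original thread: a Python decoder for the `Attribute <type> <len> <hex>` lines of the April 30 Access-Accept in the debug above, using RFC 2865 attribute numbers, RFC 2548 Microsoft sub-types and the IANA enterprise numbers 9 (Cisco) and 311 (Microsoft). The function names `decode` and `carries_callback_number` are hypothetical; the second checks whether the reply carries any callback number for the router to authorize.

```python
import re

# Access-Accept attribute lines copied from the April 30 debug in this thread
# (the router's debug prints only the leading bytes of each value).
ACCESS_ACCEPT = """\
Apr 30 11:42:22: Attribute 7 6 00000001
Apr 30 11:42:22: Attribute 15 6 00000001
Apr 30 11:42:22: Attribute 16 6 00000425
Apr 30 11:42:22: Attribute 6 6 00000004
Apr 30 11:42:22: Attribute 25 32 35870423
Apr 30 11:42:22: Attribute 26 12 0000013707060000
Apr 30 11:42:22: Attribute 26 12 0000013708060000
"""
# RFC 2865 attribute names and the enumerated values seen in this thread.
NAMES = {6: "Service-Type", 7: "Framed-Protocol", 15: "Login-Service",
         16: "Login-TCP-Port", 19: "Callback-Number", 25: "Class",
         26: "Vendor-Specific"}
ENUMS = {6: {2: "Framed", 4: "Callback-Framed"}, 7: {1: "PPP"},
         15: {0: "Telnet", 1: "Rlogin"}}
VENDORS = {9: "Cisco", 311: "Microsoft"}            # IANA enterprise numbers
VSA_TYPES = {(9, 1): "Cisco-AVPair",                # Cisco VSA sub-type 1
             (311, 7): "MS-MPPE-Encryption-Policy",  # RFC 2548
             (311, 8): "MS-MPPE-Encryption-Types"}
LINE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)\s*$")

def decode(debug_text):
    """Return a list of (attribute name, decoded value) tuples."""
    out = []
    for line in debug_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        atype, data = int(m.group(1)), bytes.fromhex(m.group(3))
        name = NAMES.get(atype, f"Attribute-{atype}")
        if atype == 26 and len(data) >= 6:
            # VSA layout: 4-byte vendor id, 1-byte vendor type, 1-byte length
            vendor, vtype = int.from_bytes(data[:4], "big"), data[4]
            vname = VENDORS.get(vendor, f"vendor-{vendor}")
            out.append((name, f"{vname}: {VSA_TYPES.get((vendor, vtype), vtype)}"))
        elif atype in (6, 7, 15, 16):
            val = int.from_bytes(data, "big")
            out.append((name, ENUMS.get(atype, {}).get(val, val)))
        else:
            out.append((name, data.hex() + "..."))   # value truncated by debug
    return out

def carries_callback_number(decoded):
    """True if the reply has Callback-Number (19) or any Cisco VSA."""
    return any(n == "Callback-Number" or str(v).startswith("Cisco: ")
               for n, v in decoded)

if __name__ == "__main__":
    print(decode(ACCESS_ACCEPT), carries_callback_number(decode(ACCESS_ACCEPT)))
```

The decoded values match the IAS settings quoted earlier (Callback-Framed, PPP, Rlogin, port 1061), and both type-26 attributes carry the Microsoft vendor ID, so this reply contains neither a Callback-Number nor a Cisco-AVPair.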
