Windows logon for ISDN users through AAA authentication

balazs.szabo
Level 1

Hi,

I have a Cisco 3640 router configured for ISDN backup and dial-in purposes. The dial-in clients are authenticated with their NT domain username/password through the ACS. The async dial-in facility works well, but the ISDN clients cannot connect; they get an authentication failure message.

The corresponding config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default group radius

aaa authentication ppp Dradius if-needed group radius local

aaa authorization exec default group tacacs+ none

aaa authorization network default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

Dialer interface:

interface Dialer13

ip unnumbered Ethernet0/0

no ip redirects

ip directed-broadcast

encapsulation ppp

no ip mroute-cache

dialer pool 1

dialer idle-timeout 1800

dialer-group 1

peer default ip address pool dialin_pool

no fair-queue

compress mppc ignore-pfc

no cdp enable

ppp authentication ms-chap callin Dradius

ppp ipcp dns 10.10.10.1

ppp ipcp wins 10.10.10.2

The async group config:

interface Group-Async1

bandwidth 115

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

no ip mroute-cache

load-interval 30

dialer in-band

dialer idle-timeout 3600

dialer-group 1

async mode interactive

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap

group-range 65 82

And finally the PRI config:

interface Serial3/1:15

no ip address

encapsulation ppp

no ip route-cache

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no fair-queue

no cdp enable

ppp authentication chap

ppp multilink

We have ACS 2.6 installed, and in its "failed attempts" report log I see that after the ISDN dial attempt there is an entry: "CS CHAP password invalid".

Why does the NAS expect CHAP when MS-CHAP is configured on the Dialer interface? And the analogue dial-in works well. The router is used for other backup purposes too; I don't think that disturbs the dial-in facility. I altered the PRI ppp config to ppp authentication ms-chap, but it didn't help; only the async worked.

The used IOS image is: c3640-i-mz.121-15.bin

Any help appreciated,

regards,

Balázs

7 Replies

4brown
Level 1

Try removing "ppp authent chap" from the PRI.

If this doesn't work, send the output of debug ppp negotiation, debug ppp error and debug ppp authentication, debug aaa authentication and debug radius.

I removed the ppp authentication CHAP for the PRI but it still doesn't work.

Here are the ISDN outputs:

szertr5#u all

All possible debugging has been turned off

szertr5#deb ppp neg

PPP protocol negotiation debugging is on

szertr5#

.Dec 16 12:29:29: %LINK-3-UPDOWN: Interface Serial3/1:16, changed state to up

.Dec 16 12:29:29.528: Se3/1:16 PPP: Treating connection as a callin

.Dec 16 12:29:29.528: Se3/1:16 PPP: Phase is ESTABLISHING, Passive Open

.Dec 16 12:29:29.528: Se3/1:16 LCP: State is Listen

.Dec 16 12:29:30.076: Se3/1:16 LCP: I CONFREQ [Listen] id 85 len 6

.Dec 16 12:29:30.076: Se3/1:16 LCP: VendorSpecific OUI (0x0002)

.Dec 16 12:29:30.076: Se3/1:16 LCP: O CONFREQ [Listen] id 7 len 29

.Dec 16 12:29:30.076: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)

.Dec 16 12:29:30.076: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)

.Dec 16 12:29:30.076: Se3/1:16 LCP: MRRU 1524 (0x110405F4)

.Dec 16 12:29:30.076: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)

.Dec 16 12:29:30.076: Se3/1:16 LCP: O CONFREJ [Listen] id 85 len 6

.Dec 16 12:29:30.076: Se3/1:16 LCP: VendorSpecific OUI (0x0002)

.Dec 16 12:29:32.076: Se3/1:16 LCP: TIMEout: State REQsent

.Dec 16 12:29:32.076: Se3/1:16 LCP: O CONFREQ [REQsent] id 8 len 29

.Dec 16 12:29:32.076: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)

.Dec 16 12:29:32.076: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)

.Dec 16 12:29:32.076: Se3/1:16 LCP: MRRU 1524 (0x110405F4)

.Dec 16 12:29:32.076: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)

.Dec 16 12:29:32.088: Se3/1:16 LCP: I CONFREJ [REQsent] id 8 len 18

.Dec 16 12:29:32.088: Se3/1:16 LCP: MRRU 1524 (0x110405F4)

.Dec 16 12:29:32.088: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)

.Dec 16 12:29:32.088: Se3/1:16 LCP: O CONFREQ [REQsent] id 9 len 15

.Dec 16 12:29:32.088: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)

.Dec 16 12:29:32.088: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)

.Dec 16 12:29:32.112: Se3/1:16 LCP: I CONFACK [REQsent] id 9 len 15

.Dec 16 12:29:32.112: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)

.Dec 16 12:29:32.112: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)

.Dec 16 12:29:32.116: Se3/1:16 LCP: I CONFREQ [ACKrcvd] id 2 len 13

.Dec 16 12:29:32.116: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)

.Dec 16 12:29:32.116: Se3/1:16 LCP: Callback 6 (0x0D0306)

.Dec 16 12:29:32.116: Se3/1:16 LCP: O CONFREJ [ACKrcvd] id 2 len 7

.Dec 16 12:29:32.116: Se3/1:16 LCP: Callback 6 (0x0D0306)

.Dec 16 12:29:32.132: Se3/1:16 LCP: I CONFREQ [ACKrcvd] id 3 len 10

.Dec 16 12:29:32.132: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)

.Dec 16 12:29:32.132: Se3/1:16 LCP: O CONFACK [ACKrcvd] id 3 len 10

.Dec 16 12:29:32.136: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)

.Dec 16 12:29:32.136: Se3/1:16 LCP: State is Open

.Dec 16 12:29:32.140: Se3/1:16 PPP: Phase is AUTHENTICATING, by this end

.Dec 16 12:29:32.140: Se3/1:16 CHAP: O CHALLENGE id 3 len 28 from "szertr5"

.Dec 16 12:29:32.152: Se3/1:16 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x7D795992 MSRASV5.00

.Dec 16 12:29:32.156: Se3/1:16 LCP: I IDENTIFY [Open] id 5 len 24 magic 0x7D795992 MSRAS-1-SZE7090L

.Dec 16 12:29:32.164: Se3/1:16 CHAP: I RESPONSE id 3 len 35 from "europe\test1"

.Dec 16 12:29:32.240: Se3/1:16 CHAP: Unable to validate Response. Username europe\test1: Authentication failure

.Dec 16 12:29:32.244: Se3/1:16 CHAP: O FAILURE id 3 len 14 msg is "RejectedJM"

.Dec 16 12:29:32.244: Se3/1:16 PPP: Phase is TERMINATING

.Dec 16 12:29:32.244: Se3/1:16 LCP: O TERMREQ [Open] id 10 len 4

.Dec 16 12:29:32: %ISDN-6-CONNECT: Interface Serial3/1:16 is now connected to unknown

.Dec 16 12:29:32: %ISDN-6-DISCONNECT: Interface Serial3/1:16 disconnected from unknown , call lasted 3 seconds

.Dec 16 12:29:32: %LINK-3-UPDOWN: Interface Serial3/1:16, changed state to down

.Dec 16 12:29:32.844: Se3/1:16 LCP: State is Closed

.Dec 16 12:29:32.844: Se3/1:16 PPP: Phase is DOWN

szertr5#

szertr5#

szertr5#u all

All possible debugging has been turned off

szertr5#

szertr5#deb ppp error

PPP protocol errors debugging is on

szertr5#

.Dec 16 12:30:02: %LINK-3-UPDOWN: Interface Serial3/1:26, changed state to up

.Dec 16 12:30:05: %ISDN-6-CONNECT: Interface Serial3/1:26 is now connected to unknown

.Dec 16 12:30:05: %ISDN-6-DISCONNECT: Interface Serial3/1:26 disconnected from unknown , call lasted 3 seconds

.Dec 16 12:30:05: %LINK-3-UPDOWN: Interface Serial3/1:26, changed state to down

szertr5#

szertr5#

szertr5#u all

All possible debugging has been turned off

szertr5#

szertr5#deb ppp authen

PPP authentication debugging is on

szertr5#

.Dec 16 12:30:36: %LINK-3-UPDOWN: Interface Serial3/1:27, changed state to up

.Dec 16 12:30:36.836: Se3/1:27 PPP: Treating connection as a callin

.Dec 16 12:30:39.468: Se3/1:27 CHAP: O CHALLENGE id 2 len 28 from "szertr5"

.Dec 16 12:30:39.496: Se3/1:27 CHAP: I RESPONSE id 2 len 35 from "europe\test1"

.Dec 16 12:30:39.596: Se3/1:27 CHAP: Unable to validate Response. Username europe\test1: Authentication failure

.Dec 16 12:30:39.596: Se3/1:27 CHAP: O FAILURE id 2 len 14 msg is "RejectedJM"

.Dec 16 12:30:40: %ISDN-6-CONNECT: Interface Serial3/1:27 is now connected to unknown

.Dec 16 12:30:40: %ISDN-6-DISCONNECT: Interface Serial3/1:27 disconnected from unknown , call lasted 3 seconds

.Dec 16 12:30:40: %LINK-3-UPDOWN: Interface Serial3/1:27, changed state to down

szertr5#

szertr5#u all

All possible debugging has been turned off

szertr5#

szertr5#deb aaa authen

AAA Authentication debugging is on

szertr5#

.Dec 16 12:31:10: %LINK-3-UPDOWN: Interface Serial3/1:13, changed state to up

.Dec 16 12:31:13.072: AAA: parse name=Serial3/1:13 idb type=13 tty=-1

.Dec 16 12:31:13.072: AAA: name=Serial3/1:13 flags=0x55 type=1 shelf=0 slot=3 adapter=0 port=1 channel=13

.Dec 16 12:31:13.072: AAA: parse name= idb type=-1 tty=-1

.Dec 16 12:31:13.072: AAA/MEMORY: create_user (0x6134F4E8) user='europe\test1' ruser='' port='Serial3/1:13' rem_addr='/000' authen_type=CHAP service=PPP priv=1

.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): port='Serial3/1:13' list='' action=LOGIN service=PPP

.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): using "default" list

.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): Method=LOCAL

.Dec 16 12:31:13.076: AAA/AUTHEN (4068851079): status = ERROR

.Dec 16 12:31:13.076: AAA/AUTHEN/START (4068851079): Method=radius (radius)

.Dec 16 12:31:13.144: AAA/AUTHEN (4068851079): status = FAIL

.Dec 16 12:31:13.148: AAA/MEMORY: free_user (0x6134F4E8) user='europe\test1' ruser='' port='Serial3/1:13' rem_addr='/000' authen_type=CHAP service=PPP priv=1

.Dec 16 12:31:13: %ISDN-6-CONNECT: Interface Serial3/1:13 is now connected to unknown

.Dec 16 12:31:13: %ISDN-6-DISCONNECT: Interface Serial3/1:13 disconnected from unknown , call lasted 2 seconds

.Dec 16 12:31:13: %LINK-3-UPDOWN: Interface Serial3/1:13, changed state to down

szertr5#

szertr5#u all

All possible debugging has been turned off

szertr5#deb radiu

Radius protocol debugging is on

szertr5#

.Dec 16 12:31:57: %LINK-3-UPDOWN: Interface Serial3/1:29, changed state to up

.Dec 16 12:32:00.312: RADIUS: ustruct sharecount=1

.Dec 16 12:32:00.316: RADIUS: added cisco VSA 2 len 12 "Serial3/1:29"

.Dec 16 12:32:00.316: RADIUS: Initial Transmit Serial3/1:29 id 49 A.B.87.236:1645, Access-Request, len 110

.Dec 16 12:32:00.316: Attribute 4 6 9BF87CF6

.Dec 16 12:32:00.316: Attribute 5 6 00004EA1

.Dec 16 12:32:00.316: Attribute 26 20 00000009020E5365

.Dec 16 12:32:00.316: Attribute 61 6 00000002

.Dec 16 12:32:00.316: Attribute 1 16 6575726F

.Dec 16 12:32:00.316: Attribute 30 5 30303003

.Dec 16 12:32:00.316: Attribute 3 19 0378CDCC

.Dec 16 12:32:00.316: Attribute 6 6 00000002

.Dec 16 12:32:00.316: Attribute 7 6 00000001

.Dec 16 12:32:00.364: RADIUS: Received from id 49 A.B.87.236:1645, Access-Reject, len 32

.Dec 16 12:32:00.364: Attribute 18 12 52656A65

.Dec 16 12:32:00: %ISDN-6-CONNECT: Interface Serial3/1:29 is now connected to unknown

.Dec 16 12:32:00: %ISDN-6-DISCONNECT: Interface Serial3/1:29 disconnected from unknown , call lasted 3 seconds

.Dec 16 12:32:00: %LINK-3-UPDOWN: Interface Serial3/1:29, changed state to down

szertr5#

szertr5#

I realized from the debug outputs that the router expects CHAP authentication although it is configured for MS-CHAP.

This is the router config. I altered only the usernames and the class B address:

wr t

Building configuration...

Current configuration : 8840 bytes

!

! Last configuration change at 12:11:47 UTC Mon Dec 16 2002 by test1

!

version 12.1

no service single-slot-reload-enable

service timestamps debug datetime msec

service timestamps log datetime

service password-encryption

!

hostname szertr5

!

logging buffered 8196 debugging

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default local group radius

aaa authentication ppp Dradius if-needed group radius local

aaa authorization exec default group tacacs+ none

aaa authorization network default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

enable secret 5 xxxxxxxxxxxxxxxxxxx

!

username aaaaa password 7 011E55574F5A080870

username szertr5 password 7 14161E060D022B

username bbbbb password 7 075E3248400F0B0D

username ccccc password 7 091D5D0D1703051A

username ddddd password 7 15130701052C2A

username eeeee password 7 06571C2542481B11

username fffff password 7 141A41581855242C75

username ggggg password 7 0702721F5A58170246

username hhhhh password 7 00051F0B055D0A

username iiiii password 7 020708560A000E

!

!

!

!

clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00

ip subnet-zero

ip ftp username dump

ip ftp password 7 141307061C557878

ip domain-name net.eur.alcoa.com

ip name-server A.B.98.11

!

async-bootp dns-server A.B.98.11 A.B.124.30 A.B.184.4

async-bootp nbns-server A.B.184.10 A.B.84.246

isdn switch-type primary-net5

chat-script offhook "" "ATH1" OK

chat-script reset "" "atz" OK

chat-script default-dialscript ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c

chat-script dial ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c

!

controller E1 3/0

shutdown

!

controller E1 3/1

pri-group timeslots 1-31

!

!

!

interface Loopback0

description MODEM loopback

ip address A.B.170.1 255.255.255.0

!

interface Loopback1

description ISDN Loopback

ip address A.B.232.34 255.255.255.224

!

interface Loopback2

ip address A.B.199.165 255.255.255.255

!

interface Loopback3

no ip address

!

interface Ethernet0/0

ip address A.B.124.246 255.255.255.0

!

interface Serial0/0

description *** Direct cable connection to szertr ***

bandwidth 2000

ip address A.B.253.254 255.255.255.252

no ip mroute-cache

shutdown

bridge-group 1

!

interface Serial3/1:15

no ip address

encapsulation ppp

no ip route-cache

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no fair-queue

no cdp enable

ppp authentication chap

ppp multilink

!

interface Group-Async1

bandwidth 115

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

no ip mroute-cache

load-interval 30

dialer in-band

dialer idle-timeout 3600

dialer-group 1

async mode interactive

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap

group-range 65 82

!

interface Dialer0

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

ip tcp header-compression passive

no ip mroute-cache

load-interval 30

dialer-group 1

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap callin

ppp multilink

hold-queue 200 in

!

interface Dialer3

description *** ISDN backup interface for MRH (Mor, Hungary) ***

bandwidth 128

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name aaaaa

dialer idle-timeout 3600

dialer-group 1

priority-group 1

no cdp enable

ppp authentication chap

ppp multilink

bridge-group 1

bridge-group 1 path-cost 5700

!

interface Dialer4

description *** ISDN backup interface for SZR (Szekesfehervar, Hungary) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name ddddd

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer5

description *** ISDN backup interface for TSM (Torokszentmiklos, Hungary) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name eeeee

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

bridge-group 1

bridge-group 1 path-cost 5700

!

interface Dialer6

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

shutdown

dialer pool 1

dialer remote-name ggggg

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer7

description *** ISDN backup interface for NAD (Nadab, Romania) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name iiiii

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

ppp multilink

!

interface Dialer8

description *** ISDN backup interface for Synergon ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name hhhhh

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer13

ip unnumbered Ethernet0/0

no ip redirects

ip directed-broadcast

encapsulation ppp

no ip mroute-cache

dialer pool 1

dialer idle-timeout 1800

dialer-group 1

peer default ip address pool dialin_pool

no fair-queue

compress mppc ignore-pfc

no cdp enable

ppp authentication ms-chap callin Dradius

ppp ipcp dns A.B.98.11 A.B.124.30

ppp ipcp wins A.B.184.10 A.B.84.246

!

interface Dialer98

description ***** Aluminium Warehouse, Budapest ***

ip unnumbered Loopback0

encapsulation ppp

no ip split-horizon

dialer pool 1

dialer remote-name szewh

dialer-group 9

peer default ip address pool dialin_pool

pulse-time 0

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

interface Dialer99

description connected to Dial-inPCs(ISDN)

ip unnumbered Loopback0

encapsulation ppp

no ip split-horizon

dialer pool 1

dialer remote-name vpntest

dialer-group 9

peer default ip address pool dialin_pool

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

router eigrp 200

redistribute rip

passive-interface Dialer0

passive-interface Dialer98

network A.B.0.0

auto-summary

no eigrp log-neighbor-changes

!

ip local pool dialin_pool A.B.170.2 A.B.170.31

ip default-gateway A.B.124.254

ip classless

ip route 0.0.0.0 0.0.0.0 A.B.232.33 255

ip tacacs source-interface Loopback2

no ip http server

!

logging source-interface Loopback2

logging A.B.124.21

logging A.B.124.19

access-list 1 permit A.B.87.236

access-list 1 permit A.B.124.0 0.0.0.31

access-list 3 permit A.B.0.0 0.0.255.255

access-list 112 permit ip any host A.B.246.10

access-list 112 permit tcp any any eq telnet

access-list 112 permit tcp any eq telnet any

access-list 188 deny ip 0.0.0.0 255.255.255.128 host A.B.191.188

access-list 188 permit ip any any

access-list 199 deny eigrp any any

access-list 199 permit ip any any

priority-list 1 protocol ip high list 112

dialer-list 1 protocol ip permit

dialer-list 1 protocol bridge permit

dialer-list 9 protocol ip permit

tacacs-server host A.B.87.236

tacacs-server host A.B.124.27

tacacs-server timeout 10

tacacs-server key test

snmp-server community spice RO 1

snmp-server community mars RW 1

snmp-server queue-length 20

snmp-server enable traps snmp

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps hsrp

snmp-server enable traps entity

snmp-server enable traps envmon

snmp-server enable traps frame-relay

snmp-server enable traps syslog

snmp-server host A.B.124.19 snmp

snmp-server host A.B.124.21 snmp

radius-server host A.B.87.236 auth-port 1645 acct-port 1646

radius-server host A.B.124.27 auth-port 1645 acct-port 1646

radius-server retransmit 4

radius-server timeout 6

radius-server key test

radius-server vsa send authentication

bridge 1 protocol dec

banner motd ^C

For Maintenance call: +36 22 53 1666

^C

!

line con 0

access-class 3 in

password 7 14141B180F0B

line 65 82

session-timeout 60 output

access-class 3 in

access-class 37 out

script dialer dial

script callback dial

modem InOut

rotary 1

transport input all

autoselect during-login

autoselect ppp

callback forced-wait 5

line aux 0

modem DTR-active

terminal-type vt100

transport input all

line vty 0 4

exec-timeout 30 0

length 25

history size 200

!

exception protocol ftp

exception dump A.B.124.21

ntp clock-period 17179843

ntp server A.B.87.254

end

szertr5#

szertr5#

szertr5#

During a dial-in with the ISDN TA the ACS reports the "CS CHAP password invalid" message.

Is it possible to accommodate all dial-in facilities (even backup) in one router?

Regards,

Balázs
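The `debug radius` output in this post is the one place where you can see exactly what the NAS hands to the ACS. As an added example (not code from the original post), here is a small Python decoder for the `Attribute <type> <length> <hex>` lines that IOS prints; it names the standard attributes, decodes the integer ones, and reports which PPP authentication protocol the Access-Request carries. The first sample is constructed in the shape of the request above, with the NAS-IP-Address replaced by a private address; the second is a constructed request of the shape an MS-CHAP authentication would produce, so the two can be compared.

```python
import re

# Standard RADIUS attribute numbers (RFC 2865) for the types seen in IOS "debug radius" output,
# plus the vendor ids that matter when telling CHAP from MS-CHAP.
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message", 26: "Vendor-Specific",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 60: "CHAP-Challenge", 61: "NAS-Port-Type",
}
VENDORS = {9: "Cisco", 311: "Microsoft"}
ENUMS = {
    6: {1: "Login", 2: "Framed"},
    7: {1: "PPP", 2: "SLIP"},
    61: {0: "Async", 1: "Sync", 2: "ISDN Sync", 3: "ISDN Async V.120", 4: "ISDN Async V.110", 5: "Virtual"},
}
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

# Constructed sample, same shape as the Access-Request in the thread (NAS-IP-Address changed to 10.10.10.1).
CHAP_REQUEST = """\
RADIUS: Initial Transmit Serial3/1:29 id 49 10.10.10.5:1645, Access-Request, len 110
Attribute 4 6 0A0A0A01
Attribute 5 6 00004EA1
Attribute 26 20 00000009020E5365
Attribute 61 6 00000002
Attribute 1 16 6575726F
Attribute 30 5 30303003
Attribute 3 19 0378CDCC
Attribute 6 6 00000002
Attribute 7 6 00000001
"""
# Constructed sample of an MS-CHAP request: no attribute 3, but Microsoft (311) vendor-specific
# attributes carrying MS-CHAP-Challenge (vendor-type 11) and MS-CHAP-Response (vendor-type 1).
MSCHAP_REQUEST = """\
Attribute 4 6 0A0A0A01
Attribute 1 16 6575726F
Attribute 26 24 000001370B12A1B2
Attribute 26 58 0000013701340100
Attribute 61 6 00000002
"""

def decode_attr(attr_type, length, value_hex):
    """Decode one 'Attribute <type> <length> <hex>' line. IOS prints only the first few value
    bytes, so long strings come back as a prefix and the printed bytes can run past a short
    attribute into the next one; 'length' (2-byte header included) says how many are its own."""
    raw = bytes.fromhex(value_hex)
    payload_len = length - 2
    own = raw[:payload_len]
    name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
    if attr_type == 26:                    # Vendor-Specific: 4-byte vendor id, then vendor-type, vendor-len
        vendor = int.from_bytes(own[:4], "big")
        vtype = own[4] if len(own) > 4 else None
        return name, f"vendor {VENDORS.get(vendor, vendor)}, vendor-type {vtype}"
    if attr_type == 4:                     # NAS-IP-Address: dotted quad
        return name, ".".join(str(b) for b in own[:4])
    if attr_type in (5, 6, 7, 61):         # 32-bit integers, some with well-known enum values
        n = int.from_bytes(own[:4], "big")
        return name, ENUMS.get(attr_type, {}).get(n, str(n))
    if attr_type == 3:                     # CHAP-Password: 1-byte CHAP identifier + 16-byte MD5 response
        return name, f"ident {own[0]}, {payload_len - 1}-byte response"
    text = own.decode("ascii", "replace")  # strings: only the printed prefix is available
    return name, text + ("..." if payload_len > len(own) else "")

def decode_request(debug_text):
    """(name, decoded value) for every attribute line in a debug radius excerpt."""
    return [decode_attr(int(t), int(l), h) for t, l, h in ATTR_RE.findall(debug_text)]

def ppp_auth_protocol(debug_text):
    """Which PPP authentication the NAS put into the Access-Request. Plain CHAP travels as
    attribute 3 (CHAP-Password); MS-CHAP v1/v2 as Microsoft (311) vendor-specific attributes
    (RFC 2548); PAP as attribute 2 (User-Password)."""
    types, vendors = [], []
    for t, _, h in ATTR_RE.findall(debug_text):
        t = int(t)
        types.append(t)
        if t == 26:
            vendors.append(int.from_bytes(bytes.fromhex(h)[:4], "big"))
    if 3 in types:
        return "CHAP"
    if 311 in vendors:
        return "MS-CHAP"
    if 2 in types:
        return "PAP"
    return "unknown"

if __name__ == "__main__":
    for name, value in decode_request(CHAP_REQUEST):
        print(f"{name:<20} {value}")
    print("request authenticates with:", ppp_auth_protocol(CHAP_REQUEST))
```

Run against the request shape above, the decoder reports attribute 3 with a length of 19 (one CHAP identifier byte plus a 16-byte MD5 response) and no Microsoft vendor attributes, so the NAS is sending plain CHAP regardless of what the dialer interface says; the Cisco VSA with vendor-type 2 is the `cisco VSA 2 ... "Serial3/1:29"` line just before it, and the 12-byte Reply-Message in the Access-Reject is the "RejectedJM" text that the CHAP FAILURE carries back to the client. That is also why the ACS logs "CS CHAP password invalid": CHAP requires the server to hold the clear-text password, which a Windows domain database does not provide, so only PAP or MS-CHAP can be checked against the domain.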

Have the ISDN TA users dialed in successfully with async calls from the same Windows machine? If both fail, you may have an issue with v2 like in Win2k.

From your debugs, note the method for authentication used is local first then RADIUS. This tells me the call terminates on a dialer interface other than the one you wish to use, which is in Dialer 13 I believe.

If you add:

europe\test1 password xxxxxxxx

does it work?

If so, remove the local username and add the ppp authentication ms-chap Dradius statement to int dialer 0 and see if it works.

I forgot to mention, send the output of debug dialer event to see which dialer profile the TA calls bind to if you still have issues.

I tried both methods (async and ISDN) from the same W2k machine.

To avoid the conflict I configured the Dialer0 interface the same as Dialer 13 and shut down the other unused Dialer interfaces.

The deb dialer event command doesn't provide any result regarding which dialer interface the call binds to. See the debug below. But once again, the only possible interface is Dialer 0.

I've added the corresponding username europe\test1 password xxxx to the config and got the following result:

szertr5#

szertr5#undeb all

All possible debugging has been turned off

szertr5#

szertr5#ter mon

szertr5#deb dialer event

Dial on demand events debugging is on

szertr5#

Dec 17 07:30:00: %LINK-3-UPDOWN: Interface Serial3/1:11, changed state to up

Dec 17 07:30:03: %ISDN-6-CONNECT: Interface Serial3/1:11 is now connected to unknown

Dec 17 07:30:03: %ISDN-6-DISCONNECT: Interface Serial3/1:11 disconnected from unknown , call lasted 3 seconds

Dec 17 07:30:03: %LINK-3-UPDOWN: Interface Serial3/1:11, changed state to down

szertr5#

szertr5#

szertr5#

szertr5#

szertr5#conf t

Enter configuration commands, one per line. End with CNTL/Z.

szertr5(config)#

szertr5(config)#username europe\test1 password xxxxx

szertr5(config)#

Dec 17 07:30:42: %LINK-3-UPDOWN: Interface Serial3/1:25, changed state to up

Dec 17 07:30:45: %ISDN-6-CONNECT: Interface Serial3/1:25 is now connected to europe\test1

Dec 17 07:30:45: %ISDN-6-DISCONNECT: Interface Serial3/1:25 disconnected from europe\test1, call lasted 2 seconds

Dec 17 07:30:45: %LINK-3-UPDOWN: Interface Serial3/1:25, changed state to down

szertr5(config)#

szertr5#

szertr5#

szertr5#deb ppp neg

PPP protocol negotiation debugging is on

szertr5#

Dec 17 07:31:15: %LINK-3-UPDOWN: Interface Serial3/1:22, changed state to up

Dec 17 07:31:18: %ISDN-6-CONNECT: Interface Serial3/1:22 is now connected to europe\test1

Dec 17 07:31:18: %ISDN-6-DISCONNECT: Interface Serial3/1:22 disconnected from europe\test1, call lasted 2 seconds

Dec 17 07:31:18: %LINK-3-UPDOWN: Interface Serial3/1:22, changed state to down

szertr5#

szertr5#sh deb

Dial on demand:

Dial on demand events debugging is on

PPP:

PPP protocol negotiation debugging is on

szertr5#

Dec 17 07:31:45: %LINK-3-UPDOWN: Interface Serial3/1:12, changed state to up

Dec 17 07:31:48: %ISDN-6-CONNECT: Interface Serial3/1:12 is now connected to europe\test1

Dec 17 07:31:48: %ISDN-6-DISCONNECT: Interface Serial3/1:12 disconnected from europe\test1, call lasted 2 seconds

Dec 17 07:31:48: %LINK-3-UPDOWN: Interface Serial3/1:12, changed state to downu ll all

All possible debugging has been turned off

szertr5#

szertr5#

szertr5#

szertr5#deb aaa authen

AAA Authentication debugging is on

szertr5#

Dec 17 07:32:18: %LINK-3-UPDOWN: Interface Serial3/1:5, changed state to up

Dec 17 07:32:24.538: AAA: parse name= idb type=-1 tty=-1

Dec 17 07:32:24.538: AAA/MEMORY: create_user (0x6134DC78) user='europe\test1' ruser='' port='Serial3/1:5' rem_addr='/000' authen_type=CHAP service=PPP priv=1

Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): port='Serial3/1:5' list='' action=LOGIN service=PPP

Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): using "default" list

Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): Method=LOCAL

Dec 17 07:32:24.538: AAA/AUTHEN (4183270362): status = PASS

Dec 17 07:32:24: %ISDN-6-CONNECT: Interface Serial3/1:5 is now connected to unknown

Dec 17 07:32:25.174: TAC+: (1988103800): received author response status = PASS_ADD

Dec 17 07:32:25: %ISDN-6-DISCONNECT: Interface Serial3/1:5 disconnected from europe\test1, call lasted 6 seconds

Dec 17 07:32:25: %LINK-3-UPDOWN: Interface Serial3/1:5, changed state to down

Dec 17 07:32:25.642: AAA/MEMORY: free_user (0x6134DC78) user='europe\test1' ruser='' port='Serial3/1:5' rem_addr='/000' authen_type=CHAP service=PPP priv=1

Well, the local authentication seems to be successful, but I got the following error message: "error 619, the specific port is not connected" on my laptop. In that case the authentication is OK (see debug output above) but the client is disconnected within seconds. And the authentication method is still CHAP although MS-CHAP is configured for the Dialer 0 interface.

The config after the modification:

version 12.1

no service single-slot-reload-enable

service timestamps debug datetime msec

service timestamps log datetime

service password-encryption

!

hostname szertr5

!

logging buffered 8196 debugging

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default local group radius

aaa authentication ppp Dradius if-needed group radius local

aaa authorization exec default group tacacs+ none

aaa authorization network default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

enable secret 5 $1$2ZF1$BLo42nqJn7jvAwls/H/GM/

!

username aaaaa password 7 011E55574F5A080870

username szertr5 password 7 14161E060D022B

username bbbbb password 7 075E3248400F0B0D

username ccccc password 7 091D5D0D1703051A

username ddddd password 7 15130701052C2A

username eeeee password 7 06571C2542481B11

username fffff password 7 141A41581855242C75

username ggggg password 7 0702721F5A58170246

username hhhhh password 7 00051F0B055D0A

username iiiii password 7 020708560A000E

username europe\test1 password 7 11191B160D13090351

!

!

!

!

clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00

ip subnet-zero

ip ftp username dump

ip ftp password 7 141307061C557878

ip domain-name net.eur.alcoa.com

ip name-server A.B.98.11

!

async-bootp dns-server A.B.98.11 A.B.124.30 A.B.184.4

async-bootp nbns-server A.B.184.10 A.B.84.246

isdn switch-type primary-net5

chat-script offhook "" "ATH1" OK

chat-script reset "" "atz" OK

chat-script default-dialscript ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c

chat-script dial ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c

!

controller E1 3/0

shutdown

!

controller E1 3/1

pri-group timeslots 1-31

!

!

!

interface Loopback0

description MODEM loopback

ip address A.B.170.1 255.255.255.0

!

interface Loopback1

description ISDN Loopback

ip address A.B.232.34 255.255.255.224

!

interface Loopback2

ip address A.B.199.165 255.255.255.255

!

interface Loopback3

no ip address

!

interface Ethernet0/0

ip address A.B.124.246 255.255.255.0

!

interface Serial0/0

description *** Direct cable connection to szertr ***

bandwidth 2000

ip address A.B.253.254 255.255.255.252

no ip mroute-cache

shutdown

bridge-group 1

!

interface Serial3/1:15

no ip address

encapsulation ppp

no ip route-cache

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no fair-queue

no cdp enable

ppp authentication chap

ppp multilink

!

interface Group-Async1

bandwidth 115

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

no ip mroute-cache

load-interval 30

dialer in-band

dialer idle-timeout 3600

dialer-group 1

async mode interactive

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap

group-range 65 82

!

interface Dialer0

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

ip tcp header-compression passive

no ip mroute-cache

load-interval 30

dialer pool 1

dialer-group 1

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap callin Dradius

ppp ipcp dns A.B.98.11 A.B.124.30

ppp ipcp wins A.B.184.10 A.B.84.246

hold-queue 200 in

!

interface Dialer3

description *** ISDN backup interface for MRH (Mor, Hungary) ***

bandwidth 128

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name aaaaa

dialer idle-timeout 3600

dialer-group 1

priority-group 1

no cdp enable

ppp authentication chap

ppp multilink

bridge-group 1

bridge-group 1 path-cost 5700

!

interface Dialer4

description *** ISDN backup interface for SZR (Szekesfehervar, Hungary) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name ddddd

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer5

description *** ISDN backup interface for TSM (Torokszentmiklos, Hungary) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name eeeee

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

bridge-group 1

bridge-group 1 path-cost 5700

!

interface Dialer6

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

shutdown

dialer pool 1

dialer remote-name ggggg

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer7

description *** ISDN backup interface for NAD (Nadab, Romania) ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name iiiii

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

ppp multilink

!

interface Dialer8

description *** ISDN backup interface for Synergon ***

bandwidth 16

ip unnumbered Loopback1

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name hhhhh

dialer idle-timeout 3600

dialer-group 1

no cdp enable

ppp authentication chap

!

interface Dialer13

ip unnumbered Ethernet0/0

no ip redirects

ip directed-broadcast

encapsulation ppp

no ip mroute-cache

shutdown

dialer pool 1

dialer idle-timeout 1800

dialer-group 1

peer default ip address pool dialin_pool

no fair-queue

compress mppc ignore-pfc

no cdp enable

ppp authentication ms-chap callin Dradius

ppp ipcp dns A.B.98.11 A.B.124.30

ppp ipcp wins A.B.184.10 A.B.84.246

!

interface Dialer98

description ***** Aluminium Warehouse, Budapest ***

ip unnumbered Loopback0

encapsulation ppp

no ip split-horizon

dialer pool 1

dialer remote-name szewh

dialer-group 9

peer default ip address pool dialin_pool

pulse-time 0

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

interface Dialer99

description connected to Dial-inPCs(ISDN)

ip unnumbered Loopback0

encapsulation ppp

no ip split-horizon

shutdown

dialer pool 1

dialer remote-name vpntest

dialer-group 9

peer default ip address pool dialin_pool

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

router eigrp 200

redistribute rip

passive-interface Dialer0

passive-interface Dialer98

network A.B.0.0

auto-summary

no eigrp log-neighbor-changes

!

ip local pool dialin_pool A.B.170.2 A.B.170.31

ip default-gateway A.B.124.254

ip classless

ip route 0.0.0.0 0.0.0.0 A.B.232.33 255

ip tacacs source-interface Loopback2

no ip http server

!

logging source-interface Loopback2

logging A.B.124.21

logging A.B.124.19

access-list 1 permit A.B.87.236

access-list 1 permit A.B.124.0 0.0.0.31

access-list 3 permit A.B.0.0 0.0.255.255

access-list 112 permit ip any host A.B.246.10

access-list 112 permit tcp any any eq telnet

access-list 112 permit tcp any eq telnet any

access-list 188 deny ip 0.0.0.0 255.255.255.128 host A.B.191.188

access-list 188 permit ip any any

access-list 199 deny eigrp any any

access-list 199 permit ip any any

priority-list 1 protocol ip high list 112

dialer-list 1 protocol ip permit

dialer-list 1 protocol bridge permit

dialer-list 9 protocol ip permit

tacacs-server host A.B.87.236

tacacs-server host A.B.124.27

tacacs-server timeout 10

tacacs-server key test

snmp-server community spice RO 1

snmp-server community mars RW 1

snmp-server queue-length 20

snmp-server enable traps snmp

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps hsrp

snmp-server enable traps entity

snmp-server enable traps envmon

snmp-server enable traps frame-relay

snmp-server enable traps syslog

snmp-server host A.B.124.19 snmp

snmp-server host A.B.124.21 snmp

radius-server host A.B.87.236 auth-port 1645 acct-port 1646

radius-server host A.B.124.27 auth-port 1645 acct-port 1646

radius-server retransmit 4

radius-server timeout 6

radius-server key test

radius-server vsa send authentication

bridge 1 protocol dec

banner motd ^C

For Maintenance call: +36 22 53 1666

^C

!

line con 0

access-class 3 in

password 7 14141B180F0B

line 65 82

session-timeout 60 output

access-class 3 in

access-class 37 out

script dialer dial

script callback dial

modem InOut

rotary 1

transport input all

autoselect during-login

autoselect ppp

callback forced-wait 5

line aux 0

modem DTR-active

terminal-type vt100

transport input all

line vty 0 4

exec-timeout 30 0

length 25

history size 200

!

exception protocol ftp

exception dump A.B.124.21

ntp clock-period 17179850

ntp server A.B.87.254

end

szertr5#

And finally I removed the europe\test1 and dialed via ISDN again.

I got the same result as earlier: CS invalid password log in the ACS failed attempt section.

Any idea would be appreciated....

Regards,

Balázs

Does async work from this machine?

You are probably getting that error because you used TAC+ for network authorization, yet you are using local. If you removed the aaa authorization network default tacacs+ statement my guess is it would pass locally. You could see the failure with debug aaa authorization.

This is not your issue at present, but do you have any reason for using TAC+ for network authorization when you are using RADIUS for authentication?

Try debug dialer packet to see if that gives you anything.

When you post your debugs, please turn them all on at the same time and send the captured output: debug aaa authentication, debug aaa authorization, debug radius, debug ppp error, debug ppp negotiation, debug dialer packets.
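The mismatch the reply above points at (the user is authenticated against one AAA server group, but network authorization is sent to a different one, so the PPP session fails even though the password was right) is easy to miss in a long running-config. The script below is an added example, not code from this thread, from Cisco or from ACS. It scans a saved running-config for three things: `ppp authentication` / `ppp authorization` lines that name a method list never defined by `aaa authentication ppp <list>` / `aaa authorization network <list>`, an authentication list and a network-authorization list that share no AAA server group, and a `virtual-profile virtual-template N` with no matching `interface Virtual-TemplateN` (the point the working config later in the thread makes). The two embedded sample configs are constructed from the snippets posted in this thread with addresses omitted; the list name `nosuchlist` and the `aaa authorization network radiusz` line in the corrected sample are made up for the demonstration.

```python
"""Static audit of a Cisco IOS config for the AAA mismatches discussed in this thread.

Added example (not from the thread, Cisco or ACS). Reports:
  * ppp authentication/authorization lines naming an undefined method list;
  * an interface whose PPP authentication list and network authorization list
    use disjoint AAA server groups (e.g. RADIUS for one, TACACS+ for the other);
  * virtual-profile virtual-template N with no interface Virtual-TemplateN.
"""
import re

# Constructed sample, assembled from the broken config posted in this thread.
# 'nosuchlist' is made up to show the undefined-list check.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group radius
aaa authentication ppp Dradius if-needed group radius local
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
virtual-profile virtual-template 1
interface Dialer13
 encapsulation ppp
 ppp authentication ms-chap callin Dradius
interface Group-Async1
 encapsulation ppp
 ppp authentication ms-chap
 ppp authorization nosuchlist
"""

# Constructed corrected sample; the 'aaa authorization network radiusz' line is an assumption.
CORRECTED_CONFIG = """\
aaa new-model
aaa authentication ppp default local group radius
aaa authentication ppp radiusz if-needed group radius local
aaa authorization network default none
aaa authorization network radiusz group radius
virtual-profile virtual-template 1
interface Virtual-Template1
 ppp authentication ms-chap callin radiusz
 ppp authorization radiusz
interface Dialer0
 ppp authentication ms-chap callin radiusz
 ppp authorization radiusz
"""

# Tokens that may follow 'ppp authentication' without being a method-list name.
PPP_AUTH_KEYWORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}
# Method keywords that are not AAA server groups.
NON_SERVER_METHODS = {"local", "local-case", "none", "enable", "if-authenticated", "line"}


def _methods(tokens):
    """Turn 'if-needed group radius local' into ['radius', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "if-needed":
            i += 1
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_config(text):
    """Collect AAA method lists, per-interface PPP list references and virtual-template use."""
    cfg = {"auth_ppp": {}, "authz_net": {}, "interfaces": {}, "vtemplates": set(), "vprofile": set()}
    iface = None
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "interface" and len(t) > 1:
            iface = t[1]
            cfg["interfaces"][iface] = {"auth": None, "authz": None}
            if re.fullmatch(r"Virtual-Template\d+", iface):
                cfg["vtemplates"].add(iface)
        elif t[:3] == ["aaa", "authentication", "ppp"] and len(t) > 3:
            cfg["auth_ppp"][t[3]] = _methods(t[4:])
        elif t[:3] == ["aaa", "authorization", "network"] and len(t) > 3:
            cfg["authz_net"][t[3]] = _methods(t[4:])
        elif t[:2] == ["virtual-profile", "virtual-template"] and len(t) > 2:
            cfg["vprofile"].add("Virtual-Template" + t[2])
        elif iface and t[:2] == ["ppp", "authentication"]:
            # The list name, if present, is the last token and is not a protocol/modifier keyword.
            name = t[-1] if len(t) > 2 and t[-1] not in PPP_AUTH_KEYWORDS else "default"
            cfg["interfaces"][iface]["auth"] = name
        elif iface and t[:2] == ["ppp", "authorization"]:
            cfg["interfaces"][iface]["authz"] = t[2] if len(t) > 2 else "default"
    return cfg


def _servers(methods):
    return {m for m in methods if m not in NON_SERVER_METHODS}


def audit(text):
    """Return a list of human-readable findings; an empty list means no mismatch was found."""
    cfg = parse_config(text)
    findings = []
    for name, s in cfg["interfaces"].items():
        if s["auth"] is None:
            continue  # interface does not authenticate PPP peers
        auth_list = cfg["auth_ppp"].get(s["auth"])
        if auth_list is None:
            findings.append(f"{name}: ppp authentication references undefined list '{s['auth']}'")
            continue
        authz_name = s["authz"] or "default"
        authz_list = cfg["authz_net"].get(authz_name)
        if authz_list is None:
            if s["authz"] is not None:
                findings.append(f"{name}: ppp authorization references undefined list '{authz_name}'")
            continue  # no network authorization configured for this interface
        a, z = _servers(auth_list), _servers(authz_list)
        if z and not (a & z):
            findings.append(
                f"{name}: authentication list '{s['auth']}' uses {sorted(a)} but network "
                f"authorization list '{authz_name}' uses {sorted(z)}; the server that "
                "authenticated the user is not the one asked to authorize the session"
            )
    for vt in sorted(cfg["vprofile"] - cfg["vtemplates"]):
        findings.append(f"virtual-profile references {vt} but no 'interface {vt}' is configured")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(text) or ["no findings"]:
            print(" ", f)
```

Run it against a saved `show running-config`. One caveat: the checker treats `ppp authorization <list>` as requiring an `aaa authorization network <list>` definition, and the working config posted later in this thread shows `ppp authorization radiusz` with only `aaa authorization network default none` visible, so the checker would flag that config; whether the box then applies the default list is something to confirm with `debug aaa authorization` rather than assume.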

The working config:

Virtual template interface must be defined!!!

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default local group radius

aaa authentication ppp radiusz if-needed group radius local

aaa authorization exec default group tacacs+

aaa authorization network default none

virtual-profile virtual-template 1

virtual-profile aaa

interface Serial3/1:15

no ip address

encapsulation ppp

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no fair-queue

compress mppc

no cdp enable

ppp authentication ms-chap chap callin radiusz

interface Virtual-Template1

description *** Virtual interface foa dialin users ***

ip unnumbered Loopback1

no ip redirects

ip directed-broadcast

no ip route-cache

ip tcp header-compression

load-interval 30

peer default ip address pool dialin_pool

compress mppc

ppp authentication ms-chap callin radiusz

ppp authorization radiusz

ppp ipcp dns x.x.x.x

ppp ipcp wins y.y.y.y

hold-queue 200 in

!

interface Group-Async1

description *** Dialer interface for analogue dialin users ***

bandwidth 115

ip unnumbered Loopback0

encapsulation ppp

no ip route-cache

no ip mroute-cache

load-interval 30

dialer in-band

dialer idle-timeout 3600

dialer-group 1

async mode interactive

peer default ip address pool dialin_pool

fair-queue 1024 32 64

no cdp enable

ppp authentication ms-chap callin radiusz

ppp authorization radiusz

group-range 65 82

!

interface Dialer0

description *** Dialer interface for ISDN dialin users ***

ip unnumbered Loopback1

no ip redirects

ip directed-broadcast

encapsulation ppp

no ip route-cache

ip tcp header-compression passive

no ip mroute-cache

load-interval 30

dialer pool 1

peer default ip address pool dialin_pool

no fair-queue

pulse-time 0

compress mppc

no cdp enable

ppp authentication ms-chap callin radiusz

ppp authorization radiusz

ppp ipcp dns x.x.x.x

ppp ipcp wins y.y.y.y

ppp multilink

hold-queue 200 in