Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

aaa authentication not working

Hi All,

I have a situation here which the aaa authentication is not working, while the aaa accounting is working fine. Here is the configs :

aaa new-model
!
!
aaa group server radius rad_gr
server 172.23.0.200 auth-port 1645 acct-port 1646
!
aaa authentication login test group rad_gr
aaa accounting connection test
action-type start-stop
group rad_gr
!
voice class aaa 1
authentication method test
accounting method test
!
voice translation-rule 111
rule 1 /111/ //
!
!
voice translation-profile 111
translate called 111
!

application
service clid_col_npw_npw
  param uid-len 10
  param pin-len 4
  param retry-count 2
!
!

gw-accounting aaa

!
voice-port 0/2/0
connection plar 111
!
dial-peer voice 1 pots
translation-profile incoming 111
service clid_col_npw_npw
voice-class aaa 1
incoming called-number 111
port 0/2/0
!

When I call in, I get this debug :

*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_start_ccapi_accounting:
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_start_accounting_internal:
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_start_accounting_internal: peer_tag=1
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/get_acct_params: suppressed=0
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/get_acct_params: Use method "test" set by peer 1
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_start_accounting_internal: method: , cdrtag:
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_start_accounting_internal: Getting new uid
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_alloc_aaa_uid:
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/voip_aaa_acct_get_nas_port_details:
*Mar 27 11:54:19.935: //25/4FE654FB8022/VAAA:0/get_nas_port: avail=1 type=4 nas-port=FXO 0/2/0
*Mar 27 11:54:19.935: //-1//VAAA:0/voip_aaa_lock_adb: uid(21) count=1
*Mar 27 11:54:19.935: voip_start_accounting_internal: UID=21
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_start_accounting_internal: UID=21
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_start_accounting_internal: Telephony Leg
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_start_accounting_internal: calling num: , called num: 111, account num:
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: setup time      : *19:54:19.939 sgt Sat Mar 27 2010
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: gateway id      : router.
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: connection id   : 4FE654FB 38CE11DF 80228047 801BA3C1
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: call origin     : answer
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: call type       : Telephony
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/voip_send_start_h323_sess_id_vsa: incoming conn id: 4FE654FB 38CE11DF 80228047 801BA3C1
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/generate_feature_vsas:
*Mar 27 11:54:19.939: Inside generate_feature_vsas
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/generate_feature_vsas:
*Mar 27 11:54:19.939:  list is 47918058, list->featurename is 0,feat id is 9
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/generate_feature_vsas:
*Mar 27 11:54:19.939:  cur is 47918058
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/generate_feature_vsas:
*Mar 27 11:54:19.939:  fn:TWC,ft:03/27/2010 19:54:19.931,cgn:,cdn:111,frs:0,fid:9,fcid:4FE654FB38CE11DF80228047801BA3C1,legID:19
*Mar 27 11:54:19.939: //25/4FE654FB8022/VAAA:21/generate_feature_vsas:
*Mar 27 11:54:19.939:  building vsas done
*Mar 27 11:54:19.943: //25/4FE654FB8022/VAAA:21/acct_notif_init: (21):
*Mar 27 11:54:19.943: //25/4FE654FB8022/VAAA:21/acct_notif_init: no acct notif registeration required
*Mar 27 11:54:19.951: //-1//VAAA:0/voip_start_authentication: name:, service:ivr tcl authentication, method:
*Mar 27 11:54:19.951: //-1//VAAA:0/voip_alloc_aaa_uid:
*Mar 27 11:54:19.951: //-1//VAAA:0/voip_start_authentication: UID=22
*Mar 27 11:54:19.951: voip_aaa_get_method_index(0): ERROR: method "h323" not defined.
*Mar 27 11:54:19.951: //-1//VAAA:0/voip_start_authentication: No authen list
*Mar 27 11:54:19.951: //-1//VAAA:0/voip_set_release_source: src[8]

*Mar 27 11:54:19.955: //25/4FE654FB8022/VAAA:21/voip_connect_ccapi_accounting: (25): send update event
*Mar 27 11:54:24.399: //-1//VAAA:0/voip_start_authentication: name:65111, service:ivr tcl authentication, method:
*Mar 27 11:54:24.399: //-1//VAAA:0/voip_alloc_aaa_uid:
*Mar 27 11:54:24.399: //-1//VAAA:0/voip_start_authentication: UID=23
*Mar 27 11:54:24.403: voip_aaa_get_method_index(0): ERROR: method "h323" not defined.
*Mar 27 11:54:24.403: //-1//VAAA:0/voip_start_authentication: No authen list
*Mar 27 11:54:24.403: //-1//VAAA:0/voip_set_release_source: src[8]

From the output, the accounting is correct which is using "test" profile. But for authentication, it gets nothing which is going to default "h323" profile.

What is wrong with the configuration ? is there something missing ?

Thanks in advance.

7 REPLIES
Community Member

Re: aaa authentication not working

I am using advance ip services 12.4.24T1.

Thanks..

Cisco Employee

Re: aaa authentication not working

Try to use the following aaa line instead:

aaa authentication login h323 group rad_gr

Seems like matching bugID: CSCdy37043


Hope that helps.
Community Member

Re: aaa authentication not working

Hi Halijenn,

I confirm it is working with that command. But i have condition where I need to authenticate to different radius server by two different services. That is why I need to create separate aaa profiles. Do you know which IOS version is working good ? Appreciate it very much.

Thank you..

Cisco Employee

Re: aaa authentication not working

Unfortunately the bug has not been fixed yet. You would need to open a TAC case to further work on the bug fix.

When you mention, it needs to be used for 2 different services, are they both for H323? or for other authentication?

Community Member

Re: aaa authentication not working

Hi Halijenn,

let's say I have service A needs to authenticate to radius A, and service B needs to authenticate to radius B. How can we do that if we have only one aaa profile which is h323.

Thanks..

Cisco Employee

Re: aaa authentication not working

If you are referring to 2 H323 voice service, then you can't, due to the bug advised earlier.

If you are referring to 1 service for H323, that is done with the "aaa authentication login h323" command earlier, and another service for VPN authentication for example, you can configure specific "aaa authentication login " and assign it to your VPN service.

Hope that answers your question.

Community Member

Re: aaa authentication not working

Hi Halijenn,

Thank you for the information. I have two h323 services. I am thinking why cisco does not fix it as the bug has already been there since a long time ago. hmm!

Thanks for your help, halijenn!

671
Views
0
Helpful
7
Replies
CreatePlease to create content