Cisco Support Community
New Member

as5300 dnis problem

Hello, I am trying to configure my AS5300 access server to authenticate to a certain radius server if our customers dial into a specific dialin number by an aaa dnis map.

So far I can dial into this number and the 5300 will send a request to the proper radius server. Our radius server is receiving the request and displaying a login OK but I do not get logged in. When looking at some debugs on the 5300 the user doesn't get authorized.

The default configuration of the 5300 still works fine and authenticates people on our other radius server.

-------This is what our radius server says when I try to dialin

Thu Jul 31 14:50:46 2003: Auth: Login OK: [mememe] (from nas xxx-test/S50) socket 0 (0 sec)

-------This is what the debug of the 5300 from the same dialin

3w3d: As49 LCP: O CONFACK [ACKrcvd] id 5 len 20

3w3d: As49 LCP: ACCM 0x000A0000 (0x0206000A0000)

3w3d: As49 LCP: MagicNumber 0x004A4BFB (0x0506004A4BFB)

3w3d: As49 LCP: PFC (0x0702)

3w3d: As49 LCP: ACFC (0x0802)

3w3d: As49 LCP: State is Open

3w3d: As49 PPP: Phase is AUTHENTICATING, by this end

3w3d: As49 PAP: I AUTH-REQ id 1 len 20 from "mememe"

3w3d: As49 PAP: Authenticating peer mememe

3w3d: As49 PAP: O AUTH-NAK id 1 len 25 msg is "Authorization failed"

3w3d: As49 PPP: Phase is TERMINATING

3w3d: As49 LCP: O TERMREQ [Open] id 204 len 4

3w3d: As49 LCP: I TERMACK [TERMsent] id 204 len 4

3w3d: As49 LCP: State is Closed

3w3d: As49 PPP: Phase is DOWN

--------This is a copy of the config of the 5300

Building configuration...

Current configuration : 3851 bytes

!

! Last configuration change at 14:47:44 CDT Thu Jul 31 2003 by operator

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname xsxsxs

!

boot system flash c5300-i-mz.121-10.bin

no logging console

aaa new-model

aaa group server radius test1

server 222.222.222.222 auth-port 1812 acct-port 1813

!

aaa authentication login default group radius local

aaa authentication login consoleport local

aaa authentication login virtualterminal local

aaa authentication login auxiliaryport local

aaa authentication ppp default if-needed group radius

aaa authorization network default group radius

aaa accounting update newinfo

aaa accounting network default wait-start group radius

aaa dnis map enable

aaa dnis map 1111111 authentication ppp group test1

aaa dnis map 1111111 accounting network wait-start group test1

enable secret 5 xxxxxxxxxxxxxxxxxxxxxx/

!

username sssssss password 7 xxxxxxxxxxxxxx

spe 1/0 1/3

firmware location mica-modem-pw.2.7.3.0.bin

spe 2/0 2/3

firmware location mica-modem-pw.2.7.3.0.bin

!

ip address-pool local

modemcap entry mica2.7.3.0:MSC=&F&D2S34=18000S40=10S54=456debugthismodemS71=4

!

controller T1 0

clock source line primary

ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis

cas-custom 0

!

controller T1 1

shutdown

ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis

cas-custom 0

!

controller T1 2

shutdown

clock source line secondary 2

!

controller T1 3

shutdown

clock source line secondary 3

!

!

interface FastEthernet0

ip address xxx.xxx.xxx.113 255.255.255.128

duplex auto

speed auto

no cdp enable

!

interface Group-Async1

ip unnumbered FastEthernet0

encapsulation ppp

ip tcp header-compression passive

async mode interactive

peer default ip address pool async

ppp authentication pap chap

group-range 1 96

!

ip local pool async 112.112.112.65 112.112.112.94

ip classless

ip route 0.0.0.0 0.0.0.0 112.112.112.1

ip route 0.0.0.0 0.0.0.0 Null0 255

no ip http server

!

dialer-list 1 protocol ip permit

dialer-list 1 protocol netbios deny

radius-server host 111.111.111.111 auth-port 1812 acct-port 1813

radius-server host 222.222.222.222 auth-port 1812 acct-port 1813

radius-server retransmit 3

radius-server timeout 3

radius-server key XXXXXXXX

!

line con 0

logging synchronous

login authentication consoleport

line 1 96

modem Dialin

modem autoconfigure type mica2.7.3.0

transport input all

autoselect during-login

autoselect ppp

line aux 0

login authentication auxiliaryport

line vty 0 4

exec-timeout 30 0

login authentication virtualterminal

2 REPLIES
Silver

Re: as5300 dnis problem

We see an authorization failure, can you please add:

aaa dnis map 1111111 authorization network group test1.

If this fails only with one particular radius server then we need to check that it's correctly configured.

deb aaa authen / deb aaa author / deb radius will be useful.

Thanks, Mak.

New Member

Re: as5300 dnis problem

I added the following line to my configuration and it seems to work now.

aaa dnis map 1111111 authentication login group test1

I thought I tried it with this line in before but maybe I did something wrong.

I tried to add the line that you gave me but it wasn't accepted.

xsxsxs(config)#aaa dnis map 1111111 ?

accounting Accounting configurations parameters.

authentication Authentication configurations parameters.

xsxsxs(config)#aaa dnis map 1111111 authentication ?

login Set authentication lists for login.

ppp Set authentication lists for ppp.

Thanks

AL
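An added example, not part of the original thread and not Cisco tooling: a small audit script that resolves, for one dialed number, which RADIUS server group each AAA function ends up using under the configuration posted above. The names `parse`, `resolve` and `unmapped` and the `CONFIG` excerpt are constructed here; it assumes that `group radius` means every `radius-server host` in configured order and that a function without a DNIS map entry falls back to its default method list.

```python
import re

# Constructed excerpt: the AAA/RADIUS lines of the configuration posted above.
CONFIG = """\
aaa group server radius test1
 server 222.222.222.222 auth-port 1812 acct-port 1813
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting network default wait-start group radius
aaa dnis map enable
aaa dnis map 1111111 authentication ppp group test1
aaa dnis map 1111111 accounting network wait-start group test1
radius-server host 111.111.111.111 auth-port 1812 acct-port 1813
radius-server host 222.222.222.222 auth-port 1812 acct-port 1813
"""

def parse(config):
    # Assumption: "radius" stands for every radius-server host, in configured order.
    groups, defaults, dnis, current = {"radius": []}, {}, {}, None
    for line in config.splitlines():
        current = current if line.startswith(" ") else None  # left group sub-mode
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif (m := re.match(r"\s+server (\S+)", line)) and current:
            groups[current].append(m.group(1))
        elif m := re.match(r"radius-server host (\S+)", line):
            groups["radius"].append(m.group(1))
        elif m := re.match(r"aaa dnis map (\d+) (\w+) (\w+) .*group (\S+)", line):
            dnis.setdefault(m.group(1), {})[m.group(2, 3)] = m.group(4)
        elif m := re.match(r"aaa (\w+) (\w+) default .*?group (\S+)", line):
            defaults[m.group(1, 2)] = m.group(3)
    return groups, defaults, dnis

def resolve(config, number):
    """AAA function -> (server group, hosts, source) for a call to `number`."""
    groups, defaults, dnis = parse(config)
    mapped, out = dnis.get(number, {}), {}
    for key in sorted(set(defaults) | set(mapped)):
        group = mapped.get(key, defaults.get(key))
        source = "dnis map" if key in mapped else "default list"
        out[" ".join(key)] = (group, groups.get(group, []), source)
    return out

def unmapped(config, number):
    """Functions a DNIS-mapped number still sends to the default method list."""
    r = resolve(config, number)
    rest = [f for f, v in r.items() if v[2] == "default list"]
    return rest if len(rest) < len(r) else []
```

For the posted configuration, `unmapped(CONFIG, "1111111")` lists `authentication login` and `authorization network`, the two functions the replies discuss, as still pointing at the default server list rather than `test1`.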
