08-04-2002 02:44 PM - edited 03-02-2019 12:25 AM
I'm just setting up our new AS5300, and analog & ISDN dialin works fine with dynamic IP addresses from the pool, authentication & accounting from Vircom Radius server. However, using static Radius assigned addresses fails for both analog and ISDN. Any ideas? Any other comments regarding the setup?
All we need is analog and ISDN dialup using the radius server, both dynamic IP addresses from the pool and static IP addresses (with 32- and less bit subnet masks) assigned by Radius server. Radius server should be ok since we've been running it with our Portmaster PM3's for years.
qnet-as5300-hki1#sh run
Building configuration...
Current configuration : 4279 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname qnet-as5300-hki1
!
aaa new-model
aaa authentication login default enable
aaa authentication ppp default group radius none
aaa accounting network default start-stop group radius
aaa processes 10
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx.
enable password yyyyyyyyyyy
!
username administrator privilege 15 password 0 xxxxxxxxx
username admin privilege 15 password 0 xxxxxxxxxx
username root password 0 xxxxxxxxx
spe 1/0 1/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
call rsvp-sync
clock timezone EET 2
calltracker enable
calltracker history max-size 30
calltracker call-record verbose
syscon address 194.251.131.22 xxxxxxxxxxx
syscon shelf-id 0
modem call-record terse
modem country mica finland
ip subnet-zero
no ip source-route
ip name-server 194.251.131.5
ip name-server 194.251.131.10
!
async-bootp dns-server 194.251.131.5 194.251.131.10
isdn switch-type primary-net5
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
controller E1 0
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
clock source line secondary 1
pri-group timeslots 1-31
!
controller E1 2
clock source line secondary 2
pri-group timeslots 1-31
!
controller E1 3
clock source line secondary 3
pri-group timeslots 1-31
!
controller E1 4
shutdown
clock source line secondary 4
!
controller E1 5
shutdown
clock source line secondary 5
!
controller E1 6
shutdown
clock source line secondary 6
!
controller E1 7
shutdown
clock source line secondary 7
!
!
!
interface Loopback0
ip address 194.252.112.33 255.255.255.224
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:15
ip unnumbered FastEthernet0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial1:15
ip unnumbered FastEthernet0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial2:15
ip unnumbered FastEthernet0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial3:15
ip unnumbered FastEthernet0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface FastEthernet0
ip address 194.251.131.22 255.255.255.0
ip rip send version 1
no ip mroute-cache
duplex auto
speed auto
no mop enabled
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool dialin_pool
ppp authentication pap chap
group-range 1 120
!
ip local pool dialin_pool 194.252.112.34 194.252.112.62
ip classless
ip route 0.0.0.0 0.0.0.0 194.251.131.1
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
radius-server host 194.251.131.15 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 10
radius-server attribute 8 include-in-access-req
radius-server attribute 44 include-in-access-req
radius-server key xxxxxxxxxxx
!
gateway
!
!
line con 0
logging synchronous
autoselect ppp
line 1 120
modem Dialin
autoselect during-login
autoselect ppp
line aux 0
line vty 0 4
exec-timeout 30 0
password xxxxxxxxxx
!
scheduler interval 1000
end
08-04-2002 03:24 PM
Pl. enter following command for authorization
aaa authorization network default group radius local
for a router to accept authorization data from radius server (like ip address etc). If it still doesn't work, let's have the following debug and post it here.
debug aaa per
debug aaa authentication
debug aaa authorization
debug radius
Thanks..Tejal
08-04-2002 03:39 PM
Thanks. I also just figured that out, browsing one more time through the "Configuring Authentication" manual, and typed it in... I'll know tomorrow if it helped.
08-09-2002 11:19 AM
Ok, I got the static problem sorted out, but I'm having another problem with my home Cisco 803 router and AS5300... After my original config which worked fine with Portmaster PM3 I've tried all the examples I've found from Cisco's site, without luck. It just won't authenticate.
Here is the AS5300 config and some debugging, the problem seems to be in the end, Vi1 MLP etc... but what does it exactly mean? The C803 is here using the plain NAT config found from Cisco's 800-804 software config manual.
Another problem I'm having, probably not related, is that my Vircom Radius server authenticates dialup users fine and even assigns static IP's if needed, but after that the server thinks all users are having 0.0.0.0 address. AS5300 "sh users" as well as clients "ipconfig" etc however show the addresses correctly, and the connection works fine. Any ideas?
qnet-as5300-hki1#sh run
Building configuration...
Current configuration : 4291 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname qnet-as5300-hki1
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication ppp default group radius none
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa session-id common
enable secret 5 $xxxxxxxxxxxxxxx.
enable password yyyyyyyyy
!
username administrator privilege 15 password 0 xxxxxyyyyy
username admin privilege 15 password 0 xxxxxyyyyy
username root password 0 xxxxxyyyyy
spe 1/0 1/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone EET 2
!
calltracker enable
calltracker history max-size 30
calltracker call-record verbose
syscon address 62.142.221.2 xxxxxyyyyy
syscon shelf-id 0
modem call-record terse
modem country mica finland
ip subnet-zero
no ip source-route
ip name-server 195.74.0.47
ip name-server 195.74.0.55
!
async-bootp dns-server 195.74.0.47 195.74.0.55
isdn switch-type primary-net5
!
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
controller E1 0
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
clock source line secondary 1
pri-group timeslots 1-31
!
controller E1 2
clock source line secondary 2
pri-group timeslots 1-31
!
controller E1 3
clock source line secondary 3
pri-group timeslots 1-31
!
controller E1 4
shutdown
clock source line secondary 4
!
controller E1 5
shutdown
clock source line secondary 5
!
controller E1 6
shutdown
clock source line secondary 6
!
controller E1 7
shutdown
clock source line secondary 7
!
!
!
interface Loopback0
ip address 62.142.220.129 255.255.255.128
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:15
ip unnumbered Loopback0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial1:15
ip unnumbered Loopback0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial2:15
ip unnumbered Loopback0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface Serial3:15
ip unnumbered Loopback0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn T321 40000
isdn T310 4000
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
interface FastEthernet0
ip address 62.142.221.2 255.255.255.248
no ip mroute-cache
duplex auto
speed auto
no mop enabled
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
async mode interactive
peer default ip address pool dialin_pool
ppp authentication pap chap
group-range 1 120
!
ip local pool dialin_pool 62.142.220.130 62.142.220.253
ip classless
ip route 0.0.0.0 0.0.0.0 62.142.221.1
no ip http server
!
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
radius-server host 194.251.131.15 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server timeout 10
radius-server attribute 8 include-in-access-req
radius-server attribute 44 include-in-access-req
radius-server key AS5300xz
call rsvp-sync
!
!
mgcp profile default
!
gateway
!
!
line con 0
logging synchronous
autoselect ppp
line 1 120
modem Dialin
autoselect during-login
autoselect ppp
line aux 0
line vty 0 4
exec-timeout 30 0
password xxxxxyyyyy
!
scheduler interval 1000
end
**********************************************
qnet-as5300-hki1#undeb all
All possible debugging has been turned off
qnet-as5300-hki1#term moni
qnet-as5300-hki1#debug dialer
Dial on demand events debugging is on
qnet-as5300-hki1#debug isdn q931
ISDN Q931 packets debugging is on
qnet-as5300-hki1#debug ppp neg
PPP protocol negotiation debugging is on
qnet-as5300-hki1#debug ppp auth
PPP authentication debugging is on
qnet-as5300-hki1#debug ip peer
IP peer address activity debugging is on
qnet-as5300-hki1#
07:27:31: ISDN Se0:15: RX <- SETUP pd = 8 callref = 0x6782
07:27:31: Bearer Capability i = 0x8890
07:27:31: Channel ID i = 0xA9839B
07:27:31: Date/Time i = 0x0208091538
07:27:31: Calling Party Number i = 0x0183, '063221964', Plan:ISDN, Typen
07:27:31: Called Party Number i = 0x81, '810', Plan:ISDN, Type:Unknown
07:27:31: %LINK-3-UPDOWN: Interface Serial0:26, changed state to up
07:27:31: ISDN Se0:15: TX -> CALL_PROC pd = 8 callref = 0xE782
07:27:31: Channel ID i = 0xA9839B
07:27:31: ISDN Se0:15: TX -> CONNECT pd = 8 callref = 0xE782
07:27:31: Channel ID i = 0xA9839B
07:27:31: Se0:26 PPP: Treating connection as a callin
07:27:31: Se0:26 PPP: Phase is ESTABLISHING, Passive Open
07:27:31: Se0:26 LCP: State is Listen
07:27:31: ISDN Se0:15: RX <- CONNECT_ACK pd = 8 callref = 0x6782
07:27:31: ISDN Se0:15: CALL_PROGRESS: CALL_CONNECTED call id 0x1D8, bchan 26, d0
07:27:32: Se0:26 LCP: I CONFREQ [Listen] id 13 len 25
07:27:32: Se0:26 LCP: MagicNumber 0x30F24F24 (0x050630F24F24)
07:27:32: Se0:26 LCP: MRRU 1524 (0x110405F4)
07:27:32: Se0:26 LCP: EndpointDisc 1 gw-qnet1 (0x130B0167772D716E657431)
07:27:32: Se0:26 PPP: Authorization required
07:27:32: Se0:26 LCP: O CONFREQ [Listen] id 11 len 38
07:27:32: Se0:26 LCP: AuthProto CHAP (0x0305C22305)
07:27:32: Se0:26 LCP: MagicNumber 0x321A7C12 (0x0506321A7C12)
07:27:32: Se0:26 LCP: MRRU 1524 (0x110405F4)
07:27:32: Se0:26 LCP: EndpointDisc 1 qnet-as5300-hki1
07:27:32: Se0:26 LCP: (0x131301716E65742D6173353330302D68)
07:27:32: Se0:26 LCP: (0x6B6931)
07:27:32: Se0:26 LCP: O CONFACK [Listen] id 13 len 25
07:27:32: Se0:26 LCP: MagicNumber 0x30F24F24 (0x050630F24F24)
07:27:32: Se0:26 LCP: MRRU 1524 (0x110405F4)
07:27:32: Se0:26 LCP: EndpointDisc 1 gw-qnet1 (0x130B0167772D716E657431)
07:27:32: Se0:26 LCP: I CONFACK [ACKsent] id 11 len 38
07:27:32: Se0:26 LCP: AuthProto CHAP (0x0305C22305)
07:27:32: Se0:26 LCP: MagicNumber 0x321A7C12 (0x0506321A7C12)
07:27:32: Se0:26 LCP: MRRU 1524 (0x110405F4)
07:27:32: Se0:26 LCP: EndpointDisc 1 qnet-as5300-hki1
07:27:32: Se0:26 LCP: (0x131301716E65742D6173353330302D68)
07:27:32: Se0:26 LCP: (0x6B6931)
07:27:32: Se0:26 LCP: State is Open
07:27:32: Se0:26 PPP: Phase is AUTHENTICATING, by this end
07:27:32: Se0:26 CHAP: O CHALLENGE id 6 len 37 from "qnet-as5300-hki1"
07:27:32: Se0:26 CHAP: I RESPONSE id 6 len 29 from "gw-qnet1"
07:27:32: Se0:26 PPP: Phase is FORWARDING, Attempting Forward
07:27:32: Se0:26 PPP: Phase is AUTHENTICATING, Unauthenticated User
07:27:32: Se0:26 PPP: Sent CHAP LOGIN Request
07:27:32: Se0:26 PPP: Received LOGIN Response PASS
07:27:32: Se0:26 PPP: Phase is FORWARDING, Attempting Forward
07:27:32: Se0:26 PPP: Phase is AUTHENTICATING, Authenticated User
07:27:32: Se0:26 DDR: Remote name for gw-qnet1
07:27:32: Se0:26 DDR: Authenticated host gw-qnet1 with no matching dialer map
07:27:32: Se0:26 CHAP: O SUCCESS id 6 len 4
07:27:32: Se0:26 PPP: Phase is VIRTUALIZED
07:27:32: Vi1 PPP: Phase is DOWN, Setup
07:27:32: Vi1 MLP: VP: Clone from AAA
07:27:32: Vi1 MLP: Invalid AAA cloning
07:27:32: Se0:26 PPP: Phase is TERMINATING
07:27:32: Se0:26 LCP: O TERMREQ [Open] id 12 len 4
07:27:32: Se0:26 LCP: I TERMACK [TERMsent] id 12 len 4
07:27:32: Se0:26 LCP: State is Closed
07:27:32: Se0:26 PPP: Phase is DOWN
07:27:32: Se0:26 DDR: disconnecting call
07:27:32: Se0:26 PPP: Phase is ESTABLISHING, Passive Open
07:27:32: Se0:26 LCP: State is Listen
07:27:32: %ISDN-6-CONNECT: Interface Serial0:26 is now connected to 063221964 g1
07:27:32: ISDN Se0:15: TX -> DISCONNECT pd = 8 callref = 0xE782
07:27:32: Cause i = 0x8090 - Normal call clearing
07:27:32: ISDN Se0:15: RX <- RELEASE pd = 8 callref = 0x6782
07:27:32: %LINK-3-UPDOWN: Interface Serial0:26, changed state to down
07:27:32: ISDN Se0:15: TX -> RELEASE_COMP pd = 8 callref = 0xE782
07:27:32: Se0:26 LCP: State is Closed
07:27:32: Se0:26 PPP: Phase is DOWN
07:27:32: Se0:26 DDR: disconnecting call
08-09-2002 03:57 PM
803 is trying to negotiate the multilink connection with AS5300. "debug aaa authorization" will report more, but AS5300 is trying to clone virtual access interface but since virtual template interface is not configured, it's dropping the connection. Are you trying to pass authorization parameters from aaa to AS5300 for that user?
To fix this issue configure the following
conf t
multilink virtual-template 1
!
interface virtual-template 1
ip unnumbered Loopback0
encapsulation ppp
peer default ip address pool dialin_pool
ppp authentication chap pap
ppp multilink
!
Problem should be solved with that. If not, need following debug
debug aaa authorization
debug aaa per-user
debug ppp negotiation
term mon
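The two fixes given in the replies above (network authorization so RADIUS-supplied addresses are applied, and a virtual template for multilink cloning) can be checked offline against a saved "sh run". The script below is an added example, not part of the original thread or any Cisco tool; the function name, finding ids and sample config are assumptions made for illustration. It also flags the trailing "none" on the PPP authentication list, which admits a caller without authentication when the RADIUS server does not answer.

```python
import re

# Constructed sample: a cut-down version of the second config posted in the thread.
SAMPLE = """\
aaa new-model
aaa authentication ppp default group radius none
aaa authorization network default group radius local
interface Serial0:15
encapsulation ppp
ppp authentication chap pap
ppp multilink
"""

def audit(config):
    """Return finding ids (hypothetical names) for the PPP/AAA issues in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and l != "!"]
    findings = []

    # Without network authorization the NAS does not apply RADIUS-supplied
    # attributes such as a static address (first reply in the thread).
    authz = any(l.startswith("aaa authorization network ") for l in lines)
    if not authz:
        findings.append("no-network-authorization")

    # A trailing "none" lets a PPP peer in unauthenticated when every
    # earlier method returns an error, e.g. the RADIUS server times out.
    for l in lines:
        if l.startswith("aaa authentication ppp ") and l.split()[-1] == "none":
            findings.append("ppp-auth-falls-back-to-none")

    # Multilink with AAA authorization needs a virtual template to clone
    # from (last reply); the debug shows "Invalid AAA cloning" without it.
    refs = [m.group(1) for l in lines
            if (m := re.fullmatch(r"multilink virtual-template (\d+)", l))]
    defined = {m.group(1) for l in lines
               if (m := re.fullmatch(r"interface virtual-template\s*(\d+)", l, re.I))}
    if authz and "ppp multilink" in lines and not refs:
        findings.append("multilink-without-virtual-template")
    for n in refs:
        if n not in defined:
            findings.append(f"virtual-template-{n}-undefined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
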