05-26-2003 12:29 AM - edited 03-02-2019 07:37 AM
I want to use callback with a 3640 and Microsoft IAS. I configured RADIUS but it seems that the 3640 does not understand RADIUS Attribute 19. When I debug RADIUS I see some hex strings. I use IOS 12.2(8)T.
05-26-2003 12:41 AM
Attribute 19 is, I believe, callback number. IOS should understand that. So what exactly is the problem? Could you send the following :
debug ppp nego, debug ppp chap, debug aaa authen, debug aaa authoriz, debug radius.
~Zulfi
05-26-2003 01:24 AM
Hi,
Here is the debug information, Part 1 (because of size)
Citrix#sh debugging
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
Citrix#
May 26 11:01:23: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=0, ds0=0
May 26 11:01:23: %LINK-3-UPDOWN: Interface Serial0/0:0, changed state to up
May 26 11:01:23: Se0/0:0 PPP: Authorization required
May 26 11:01:23: Se0/0:0 PPP: Treating connection as a callin
May 26 11:01:23: Se0/0:0 PPP: Phase is ESTABLISHING, Passive Open
May 26 11:01:23: Se0/0:0 LCP: State is Listen
May 26 11:01:23: Se0/0:0 LCP: I CONFREQ [Listen] id 0 len 44
May 26 11:01:23: Se0/0:0 LCP: MagicNumber 0x15C466A0 (0x050615C466A0)
May 26 11:01:23: Se0/0:0 LCP: PFC (0x0702)
May 26 11:01:23: Se0/0:0 LCP: ACFC (0x0802)
May 26 11:01:23: Se0/0:0 LCP: Callback 6 (0x0D0306)
May 26 11:01:23: Se0/0:0 LCP: MRRU 1614 (0x1104064E)
May 26 11:01:23: Se0/0:0 LCP: EndpointDisc 1 Local
May 26 11:01:23: Se0/0:0 LCP: (0x13170127C0A489CAEA4C59958073E82C)
May 26 11:01:23: Se0/0:0 LCP: (0xDA871B00000000)
May 26 11:01:23: Se0/0:0 LCP: O CONFREQ [Listen] id 46 len 14
May 26 11:01:23: Se0/0:0 LCP: AuthProto PAP (0x0304C023)
May 26 11:01:23: Se0/0:0 LCP: MagicNumber 0xC3B18B89 (0x0506C3B18B89)
May 26 11:01:23: Se0/0:0 LCP: O CONFREJ [Listen] id 0 len 8
May 26 11:01:23: Se0/0:0 LCP: MRRU 1614 (0x1104064E)
May 26 11:01:23: Se0/0:0 LCP: I CONFACK [REQsent] id 46 len 14
May 26 11:01:23: Se0/0:0 LCP: AuthProto PAP (0x0304C023)
May 26 11:01:23: Se0/0:0 LCP: MagicNumber 0xC3B18B89 (0x0506C3B18B89)
May 26 11:01:23: Se0/0:0 LCP: I CONFREQ [ACKrcvd] id 1 len 40
May 26 11:01:23: Se0/0:0 LCP: MagicNumber 0x15C466A0 (0x050615C466A0)
May 26 11:01:23: Se0/0:0 LCP: PFC (0x0702)
May 26 11:01:23: Se0/0:0 LCP: ACFC (0x0802)
May 26 11:01:23: Se0/0:0 LCP: Callback 6 (0x0D0306)
May 26 11:01:23: Se0/0:0 LCP: EndpointDisc 1 Local
May 26 11:01:23: Se0/0:0 LCP: (0x13170127C0A489CAEA4C59958073E82C)
May 26 11:01:23: Se0/0:0 LCP: (0xDA871B00000000)
May 26 11:01:23: Se0/0:0 LCP: O CONFACK [ACKrcvd] id 1 len 40
May 26 11:01:23: Se0/0:0 LCP: MagicNumber 0x15C466A0 (0x050615C466A0)
May 26 11:01:23: Se0/0:0 LCP: PFC (0x0702)
May 26 11:01:23: Se0/0:0 LCP: ACFC (0x0802)
May 26 11:01:23: Se0/0:0 LCP: Callback 6 (0x0D0306)
May 26 11:01:23: Se0/0:0 LCP: EndpointDisc 1 Local
May 26 11:01:23: Se0/0:0 LCP: (0x13170127C0A489CAEA4C59958073E82C)
May 26 11:01:23: Se0/0:0 LCP: (0xDA871B00000000)
May 26 11:01:23: Se0/0:0 LCP: State is Open
May 26 11:01:23: Se0/0:0 PPP: Phase is AUTHENTICATING, by this end
May 26 11:01:23: Se0/0:0 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x15C466A0 MSRASV5.00
May 26 11:01:23: Se0/0:0 LCP: I IDENTIFY [Open] id 3 len 22 magic 0x15C466A0 MSRAS-1-DT0027
May 26 11:01:23: Se0/0:0 PAP: I AUTH-REQ id 0 len 25 from "BoetsRu"
May 26 11:01:23: Se0/0:0 PAP: Authenticating peer BoetsRu
May 26 11:01:23: AAA/AUTHEN/PPP (000000B3): Pick method list 'default'
May 26 11:01:23: Se0/0:0 PPP: Sent PAP LOGIN Request to AAA
May 26 11:01:23: RADIUS/ENCODE(000000B3): acct_session_id: 179
May 26 11:01:23: RADIUS(000000B3): sending
May 26 11:01:23: RADIUS: Send to unknown id 148 192.168.0.22:1645, Access-Request, len 99
May 26 11:01:23: RADIUS: authenticator B9 5E 51 6C 03 CC DF 39 - C0 57 2C 41 64 CA A6 CF
May 26 11:01:23: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 26 11:01:23: RADIUS: User-Name [1] 9 "BoetsRu"
May 26 11:01:23: RADIUS: User-Password [2] 18 *
May 26 11:01:23: RADIUS: NAS-Port [5] 6 20000
May 26 11:01:23: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
May 26 11:01:23: RADIUS: Called-Station-Id [30] 11 "598468583"
May 26 11:01:23: RADIUS: Calling-Station-Id [31] 11 "598423582"
May 26 11:01:23: RADIUS: Service-Type [6] 6 Framed [2]
May 26 11:01:23: RADIUS: NAS-IP-Address [4] 6 192.168.10.251
May 26 11:01:23: RADIUS: Received from id 148 192.168.0.22:1645, Access-Accept, len 94
May 26 11:01:23: RADIUS: authenticator D9 B9 8F 46 8D A0 D9 74 - 04 35 77 05 E2 46 6E 41
May 26 11:01:23: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 26 11:01:23: RADIUS: Port-Limit [62] 6 1
May 26 11:01:23: RADIUS: Service-Type [6] 6 Callback Framed [4]
May 26 11:01:23: RADIUS: Class [25] 32
May 26 11:01:23: RADIUS: 47 73 05 33 00 00 01 37 00 01 C0 A8 00 16 01 C3 [Gs?3???7????????]
May 26 11:01:23: RADIUS: 1F C9 69 51 7C 02 00 00 00 00 00 00 [??iQ|???????]
May 26 11:01:23: RADIUS: Vendor, Microsoft [26] 12
May 26 11:01:23: RADIUS: MS-MPPE-Enc-Policy [7] 6
May 26 11:01:23: RADIUS: 00 [?]
May 26 11:01:23: RADIUS: Vendor, Microsoft [26] 12
May 26 11:01:23: RADIUS: MS-MPPE-Enc-Type [8] 6
May 26 11:01:23: RADIUS: 00 [?]
May 26 11:01:23: RADIUS: Received from id B3
May 26 11:01:23: Se0/0:0 PPP: Received LOGIN Response from AAA = PASS
May 26 11:01:23: Se0/0:0 PPP/AAA: Check Attr: Framed-Protocol
May 26 11:01:23: Se0/0:0 PPP/AAA: Check Attr: Port-Limit
May 26 11:01:23: Se0/0:0 PPP/AAA: Check Attr: service-type
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/LCP: Process Author
May 26 11:01:23: Se0/0:0 PAP: O AUTH-ACK id 0 len 5
May 26 11:01:23: Se0/0:0 MCB: Callback not authorized for this user BoetsRu
May 26 11:01:23: Serial0/0:0 PPP: O MCB Request(1) id 39 len 6
May 26 11:01:23: Serial0/0:0 MCB: O 1 27 0 6 1 2
May 26 11:01:23: Se0/0:0 MCB: O Request Id 39 Callback Type None
May 26 11:01:23: Se0/0:0 PPP: Phase is CBCP
May 26 11:01:23: Serial0/0:0 PPP: I MCB Response(2) id 39 len 6
May 26 11:01:23: Serial0/0:0 MCB: I 2 27 0 6 1 2
May 26 11:01:23: Se0/0:0 MCB: Received response
May 26 11:01:23: Se0/0:0 MCB: Response CBK-None 1 2
May 26 11:01:23: Serial0/0:0 PPP: O MCB Ack(3) id 40 len 6
May 26 11:01:23: Serial0/0:0 MCB: O 3 28 0 6 1 2
May 26 11:01:23: Se0/0:0 MCB: O Ack Id 40 Callback Type None
May 26 11:01:23: Se0/0:0 MCB: No Callback negotiated; Exit
May 26 11:01:23: Se0/0:0 PPP: Phase is UP
05-26-2003 01:28 AM
Part 2
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: FSM authorization not needed
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/FSM: We can start IPCP
May 26 11:01:23: Se0/0:0 IPCP: O CONFREQ [Closed] id 28 len 10
May 26 11:01:23: Se0/0:0 IPCP: Address 10.10.10.62 (0x03060A0A0A3E)
May 26 11:01:23: Se0/0:0 CCP: I CONFREQ [Not negotiated] id 4 len 10
May 26 11:01:23: Se0/0:0 CCP: MS-PPC supported bits 0x00000001 (0x120600000001)
May 26 11:01:23: Se0/0:0 LCP: O PROTREJ [Open] id 47 len 16 protocol CCP(0x80FD0104000A120600000001)
May 26 11:01:23: Se0/0:0 IPCP: I CONFREQ [REQsent] id 5 len 40
May 26 11:01:23: Se0/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
May 26 11:01:23: Se0/0:0 IPCP: Address 0.0.0.0 (0x030600000000)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: Authorization succeeded
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
May 26 11:01:23: Se0/0:0 IPCP: Pool returned 10.10.10.41
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
May 26 11:01:23: Se0/0:0 IPCP: O CONFREJ [REQsent] id 5 len 10
May 26 11:01:23: Se0/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
May 26 11:01:23: Se0/0:0 IPCP: I CONFACK [REQsent] id 28 len 10
May 26 11:01:23: Se0/0:0 IPCP: Address 10.10.10.62 (0x03060A0A0A3E)
May 26 11:01:23: Se0/0:0 IPCP: I CONFREQ [ACKrcvd] id 6 len 34
May 26 11:01:23: Se0/0:0 IPCP: Address 0.0.0.0 (0x030600000000)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
May 26 11:01:23: Se0/0:0 IPCP: O CONFNAK [ACKrcvd] id 6 len 34
May 26 11:01:23: Se0/0:0 IPCP: Address 10.10.10.41 (0x03060A0A0A29)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryDNS 192.168.0.22 (0x8106C0A80016)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryWINS 192.168.1.2 (0x8206C0A80102)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryDNS 192.168.4.204 (0x8306C0A804CC)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryWINS 192.168.4.200 (0x8406C0A804C8)
May 26 11:01:23: Se0/0:0 IPCP: I CONFREQ [ACKrcvd] id 7 len 34
May 26 11:01:23: Se0/0:0 IPCP: Address 10.10.10.41 (0x03060A0A0A29)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryDNS 192.168.0.22 (0x8106C0A80016)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryWINS 192.168.1.2 (0x8206C0A80102)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryDNS 192.168.4.204 (0x8306C0A804CC)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryWINS 192.168.4.200 (0x8406C0A804C8)
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
May 26 11:01:23: Se0/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
May 26 11:01:23: Se0/0:0 IPCP: O CONFACK [ACKrcvd] id 7 len 34
May 26 11:01:23: Se0/0:0 IPCP: Address 10.10.10.41 (0x03060A0A0A29)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryDNS 192.168.0.22 (0x8106C0A80016)
May 26 11:01:23: Se0/0:0 IPCP: PrimaryWINS 192.168.1.2 (0x8206C0A80102)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryDNS 192.168.4.204 (0x8306C0A804CC)
May 26 11:01:23: Se0/0:0 IPCP: SecondaryWINS 192.168.4.200 (0x8406C0A804C8)
May 26 11:01:23: Se0/0:0 IPCP: State is Open
May 26 11:01:23: Di1 IPCP: Install route to 10.10.10.41
May 26 11:01:23: Se0/0:0 IPCP: Add link info for cef entry 10.10.10.41
May 26 11:01:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0:0, changed state to up
May 26 11:01:29: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to 598423582 BoetsRu
May 26 11:01:37: AAA/AUTHEN/LOGIN (000000B4): Pick method list 'Permanent Local'
May 26 11:01:40: AAA/AUTHOR (000000B4): Method list id=0 not configured. Skip author
May 26 11:01:41: AAA: parse name=tty131 idb type=-1 tty=-1
May 26 11:01:41: AAA: name=tty131 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=131 channel=0
May 26 11:01:41: AAA/MEMORY: create_user (0x6174348C) user='beheer' ruser='NULL' ds0=0 port='tty131'
rem_addr='10.10.10.41' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0'
May 26 11:01:41: AAA/AUTHEN/START (141876048): port='tty131' list='' action=LOGIN service=ENABLE
May 26 11:01:41: AAA/AUTHEN/START (141876048): non-console enable - default to enable password
May 26 11:01:41: AAA/AUTHEN/START (141876048): Method=ENABLE
May 26 11:01:41: AAA/AUTHEN(141876048): Status=GETPASS
May 26 11:01:43: AAA/AUTHEN/CONT (141876048): continue_login (user='(undef)')
May 26 11:01:43: AAA/AUTHEN(141876048): Status=GETPASS
May 26 11:01:43: AAA/AUTHEN/CONT (141876048): Method=ENABLE
May 26 11:01:43: AAA/AUTHEN(141876048): Status=PASS
May 26 11:01:43: AAA/MEMORY: free_user (0x6174348C) user='NULL' ruser='NULL' port='tty131' rem_addr=
'10.10.10.41' authen_type=ASCII service=ENABLE priv=15
May 26 11:03:22: Se0/0:0 LCP: I TERMREQ [Open] id 8 len 16 (0x15C466A0003CCD7400000000)
May 26 11:03:22: Se0/0:0 LCP: O TERMACK [Open] id 8 len 4
May 26 11:03:22: Se0/0:0 IPCP: Remove link info for cef entry 10.10.10.41
May 26 11:03:22: Se0/0:0 IPCP: State is Closed
May 26 11:03:22: Se0/0:0 PPP: Phase is TERMINATING
May 26 11:03:22: Di1 IPCP: Remove route to 10.10.10.41
May 26 11:03:22: %ISDN-6-DISCONNECT: Interface Serial0/0:0 disconnected from 598423582 BoetsRu, call lasted 119 seconds
May 26 11:03:22: %LINK-3-UPDOWN: Interface Serial0/0:0, changed state to down
May 26 11:03:22: Se0/0:0 LCP: State is Closed
May 26 11:03:22: Se0/0:0 PPP: Phase is DOWN
May 26 11:03:22: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=0, ds0=0
05-26-2003 01:45 AM
Do you have "aaa authorization network" set in your config?
~Zulfi
05-26-2003 01:58 AM
Yes, I have.
Here is the complete config
version 12.2
service exec-callback
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Citrix
!
logging buffered 8000 debugging
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa session-id common
enable secret ????????????????????
!
username beheer password ???????????????????????
memory-size iomem 15
modem country mica netherlands
ip subnet-zero
!
!
no ip domain-lookup
!
async-bootp dns-server 192.168.0.22 192.168.4.204
async-bootp nbns-server 192.168.1.2 192.168.4.200
isdn switch-type primary-net5
isdn voice-call-failure 0
isdn tei-negotiation first-call
modemcap entry TAC1:MSC=&F&D2S34=18000S40=10S54=172
!
controller E1 0/0
framing NO-CRC4
pri-group timeslots 1-31
!
!
!
interface FastEthernet0/0
description To LAN
ip address 192.168.10.251 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0:15
no ip address
encapsulation ppp
ip mroute-cache
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp callback accept
!
interface Group-Async1
ip unnumbered FastEthernet0/0
no ip mroute-cache
dialer in-band
dialer rotary-group 2
async mode interactive
no fair-queue
group-range 33 44
!
interface Dialer1
description ISDN inbellers
ip address 10.10.10.62 255.255.255.224
encapsulation ppp
no ip split-horizon
no ip mroute-cache
dialer in-band
dialer idle-timeout 900
dialer-group 1
peer default ip address pool isdn-inbellers
no fair-queue
no cdp enable
ppp callback accept
ppp authentication pap chap ms-chap
!
interface Dialer2
description PSTN inbellers
ip address 10.10.10.30 255.255.255.224
encapsulation ppp
no ip split-horizon
no ip mroute-cache
dialer in-band
dialer idle-timeout 900
dialer-group 2
peer default ip address pool pstn-inbellers
no fair-queue
no cdp enable
ppp callback accept
ppp authentication ms-chap
!
router ospf 1
log-adjacency-changes
redistribute static
network 10.10.10.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip local pool isdn-inbellers 10.10.10.33 10.10.10.61
ip local pool pstn-inbellers 10.10.10.1 10.10.10.29
ip default-gateway 192.168.3.254
no ip classless
no ip http server
ip pim bidir-enable
!
!
logging 192.168.5.1
dialer-list 1 protocol ip permit
radius-server host 192.168.0.22 auth-port 1645 acct-port 1646 key 7 1046080A171616021917
radius-server retransmit 3
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
line 33 44
exec-timeout 0 0
modem InOut
modem autoconfigure type mica
transport input all
autoselect during-login
autoselect ppp
callback forced-wait 6
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 3600
password ?????????????
!
end
05-27-2003 09:00 AM
Your config looks fine. You might want to open up a TAC case to further investigate into this.
~Zulfi
05-27-2003 12:17 PM
Zulfi,
Thanks, I will open a case via our support department.
Greetings
Luc
06-02-2003 05:28 AM
The config looks like it's missing a chat script to dial the callback number.
add this in global:-
chat-script offhook "" "ATH1" OK
chat-script callback ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 60 CONNECT \c
and then under line 33-44 add:-
line 33 44
script modem-off-hook offhook
script callback callback
Looking at your debug output though, I also noticed that the user is not authorised for callback. After authentication, look for the line:-
May 26 11:01:23: Se0/0:0 MCB: Callback not authorized for this user BoetsRu
You will need to give the user callback permission in the user account (dialin tab).
If all else fails, have a look at the radius attribute/value pairs in the IAS logs (found in \\ias-server\RASLogFiles). This should give you reasons for failing to callback.
Also, the client will need to configure callback in advanced dialin properties.
Hope this helps.
P.S. If anyone knows how to get callback working with ISDN (BRI) with PPP multilink, please let me know.
Mike
Hope this helps
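Added example (not part of any post in this thread): a small Python check over `debug radius` output that reports an Access-Accept with Service-Type Callback Framed [4] but no Callback-Number [19], and picks up the router's MCB refusal line. The function names are hypothetical, the sample is trimmed from the debug output posted above, and the parser assumes the flattened layout seen here, where a vendor sub-attribute line directly follows its `Vendor, ... [26]` line.

```python
import re

# Constructed sample: lines trimmed from the Access-Accept in the debug output above.
SAMPLE = """\
May 26 11:01:23: RADIUS: Received from id 148 192.168.0.22:1645, Access-Accept, len 94
May 26 11:01:23: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 26 11:01:23: RADIUS: Port-Limit [62] 6 1
May 26 11:01:23: RADIUS: Service-Type [6] 6 Callback Framed [4]
May 26 11:01:23: RADIUS: Class [25] 32
May 26 11:01:23: RADIUS: 47 73 05 33 00 00 01 37 00 01 C0 A8 00 16 01 C3 [Gs?3???7????????]
May 26 11:01:23: RADIUS: Vendor, Microsoft [26] 12
May 26 11:01:23: RADIUS: MS-MPPE-Enc-Policy [7] 6
May 26 11:01:23: RADIUS: 00 [?]
May 26 11:01:23: Se0/0:0 MCB: Callback not authorized for this user BoetsRu
"""

HDR = re.compile(r"RADIUS: (?:Send to|Received from) .*?id (\d+) \S+, ([\w-]+), len \d+")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w ,-]*?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")
MCB = re.compile(r"MCB: Callback not authorized for this user (\S+)")

def parse_packets(text):
    """Group attribute lines under the packet header that precedes them."""
    packets, vendor = [], None
    for line in text.splitlines():
        if m := HDR.search(line):
            packets.append({"id": int(m[1]), "code": m[2], "attrs": {}, "vsas": []})
            vendor = None
        elif packets and (m := ATTR.search(line)):
            name, num, value = m[1], int(m[2]), m[4].strip()
            if vendor:
                # The line after "Vendor, X [26]" is a vendor sub-attribute; its
                # number (e.g. 7) must not overwrite standard attribute 7.
                packets[-1]["vsas"].append((vendor, name, num))
                vendor = None
            elif num == 26:
                vendor = name.removeprefix("Vendor,").strip()
            else:
                packets[-1]["attrs"][num] = (name, value)
    return packets

def callback_findings(text):
    """Flag Access-Accepts with Service-Type Callback Framed but no Callback-Number [19]."""
    findings = []
    for p in parse_packets(text):
        svc = p["attrs"].get(6, ("", ""))[1]
        if p["code"] == "Access-Accept" and svc.endswith("[4]") and 19 not in p["attrs"]:
            findings.append(f"id {p['id']}: Service-Type {svc} without Callback-Number [19]")
    findings += [f"router refused callback for {user}" for user in MCB.findall(text)]
    return findings

if __name__ == "__main__":
    for finding in callback_findings(SAMPLE):
        print(finding)
```

Hex dump lines and the authenticator line are skipped because they carry no `[type] length` pair after a name.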
06-04-2003 12:43 AM
Hi,
You're running into the following bug: CSCea11487
The workaround:
Using callback with Cisco-AV-pair and the empty dialstring option.
Best regards,
Ad