07-17-2002 12:47 AM - edited 03-01-2019 11:57 PM
We currently have a cisco 3620 and purchased a 16 port analog modem:
We wish the router to accept the call, get authenticated via the RADIUS server.
Some configuration was done by the team, but with no luck.
here is the sample config
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname dasma-router
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius local
aaa authentication login line line
aaa authentication login console enable
aaa authentication ppp default if-needed group radius local
enable secret 5 $1$yQJx$Md8BVZAWWKnhSw8AovoGP1
!
username mac password 7 000906010155525456
username tina password 7 000B04030A4F030F0120
username cisco1 password 7 045802150C2E
username line password 7 060A062F49
memory-size iomem 10
modem country microcom_hdms philippines
ip subnet-zero
!
!
no ip finger
ip domain-name dasma.dlsu.edu.ph
ip name-server 61.9.12.130
!
call rsvp-sync
!
!
interface FastEthernet0/0
ip address 61.9.12.129 255.255.255.192 secondary
ip address 61.9.126.84 255.255.255.248 secondary
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
bandwidth 1024
ip address 192.168.132.22 255.255.255.252
ip accounting output-packets
ip nat outside
!
interface Group-Async1
ip unnumbered FastEthernet0/0
ip nat inside
encapsulation ppp
async mode interactive
peer default ip address pool bidir_dial_pool
no fair-queue
ppp authentication chap pap
group-range 33 48
!
ip local pool bidir_dial_pool 172.16.1.1 172.16.1.5
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 61.9.6.102 255.255.255.255 61.9.12.131
ip route 61.9.126.80 255.255.255.248 61.9.12.131
ip route 172.16.0.0 255.255.0.0 Serial0/0
no ip http server
!
logging trap warnings
access-list 1 permit 172.16.0.0 0.0.255.255
radius-server host 192.168.16.1 auth-port 1645 acct-port 1646 key 7 14161E1B0405
radius-server retransmit 3
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
login authentication console
transport input none
line 33 48
exec-timeout 0 0
autoselect ppp
login authentication console
modem Dialin
modem autoconfigure type microcom_hdms
rotary 1
transport input all
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 05080F1C22431C5C4854454A
login authentication line
!
end
thanks in advance
m.campos
07-17-2002 08:25 AM
Config is nearly OK. If it's just for dial-in, then you don't need "rotary 1" under the line. Also, you can add "aaa authorization network default radius local" if you want authorization from RADIUS. Anyway, we need to know what's going on when the call comes in to the router. For that, please enable the following debugs:
debug modem
debug ppp negotiation
debug aaa authentication
debug aaa authorization
term mon
Please post it here to see why the dial-in doesn't work.
Tejal
07-17-2002 05:47 PM
Hi! i kept on getting this message 1w4d: AAA/AUTHOR: config command authorization not enabled
when i entered "aaa authorization network default radius local"
thanks
m.campos
07-17-2002 08:28 PM
Don't worry about it. It's just a warning message. Let us know the debug.
Tejal
07-22-2002 06:44 PM
hi tejal, i tried to debug the router
and here is the debug options
General OS:
Modem control/process activation debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP protocol negotiation debugging is on
Asynchronous interfaces:
Async interface state changes debugging is on
And I tried to connect to the modem, and there is no "fax tone"; the number just rang continuously. I tried to see if there is any debug output; there is none.
thanks,
m.campos
07-23-2002 08:38 AM
Try to console in the router and enter the following command
conf t
logging on
logging console
If it's just "ring" but no answer, then I would check the line first. Plug a telephone into that line, dial the same number, see whether you get a ring on that telephone, and try to talk.
Now try the following config first under the line and see if that makes any difference:
line 33 48
autoselect ppp
login authentication console
modem inout
transport input all
flowcontrol hardware
With the above config, the modem should at least answer the incoming call and move forward.
Tejal
07-29-2002 04:46 PM
hi tejal,
i did look at the routers interfaces, and i found out that my group-async was down.
Group-Async1 is down, line protocol is down
Hardware is Async Group Serial
Interface is unnumbered. Using address of FastEthernet0/0 (192.168.10.1)
MTU 1500 bytes, BW 1000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive not set
DTR is pulsed for 5 seconds on reset
LCP Closed
Closed: IPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters 22:19:11
Queueing strategy: fifo
Output queue 0/10, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
* And Tejal, I tried to console into the router, go to the interface, and enter the "no shutdown" command to enable that interface, but it still won't come up.
thanks!
m.campos
01-07-2003 11:18 PM
hi tejal,
its me again... still with the router problem... heres
the config
#sho ru
Building configuration...
Current configuration : 2349 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname dasma-router
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius local
aaa authentication login line line
aaa authentication login console enable
aaa authentication ppp default if-needed group radius local
aaa authorization network default local
enable secret 5 $1$yQJx$Md8BVZAWWKnhSw8AovoGP1
!
username mac password 7 000906010155525456
username tina password 7 000B04030A4F030F0120
username line password 7 060A062F49
memory-size iomem 10
modem country microcom_hdms philippines
ip subnet-zero
!
!
no ip finger
ip domain-name dasma.dlsu.edu.ph
ip name-server 61.9.12.130
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 61.9.12.129 255.255.255.192 secondary
ip address 61.9.126.84 255.255.255.248 secondary
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
bandwidth 1024
ip address 192.168.132.22 255.255.255.252
ip accounting output-packets
ip nat outside
!
interface Group-Async1
ip unnumbered FastEthernet0/0
ip nat inside
encapsulation ppp
dialer in-band
async mode interactive
peer default ip address pool bidir_dial_pool
no fair-queue
ppp authentication chap pap
group-range 33 48
!
ip local pool bidir_dial_pool 172.16.1.1 172.16.1.5
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 61.9.6.102 255.255.255.255 61.9.12.131
ip route 61.9.12.128 255.255.255.192 FastEthernet0/0
ip route 61.9.126.80 255.255.255.248 61.9.12.131
ip route 172.16.0.0 255.255.0.0 Serial0/0
no ip http server
!
logging trap warnings
access-list 1 permit 172.16.0.0 0.0.255.255
dialer-list 1 protocol ip permit
radius-server host 61.9.12.152 auth-port 1645 acct-port 1646
radius-server retransmit 3
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
login authentication console
transport input none
line 33 48
exec-timeout 0 0
autoselect ppp
login authentication console
modem Dialin
transport input all
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 05080F1C22431C5C4854454A
login authentication line
!
end
**** I did get a "fax tone" right now... unlike the former problem..
- the router is properly grounded (I think)
here is the data
02:24:20: Modem 1/10 Mcom: in modem state 'Idle'
02:24:33: Modem 1/10 Mcom: in modem state 'Dialing/Answering'
02:24:34: Modem 1/10 Mcom: in modem state 'Incoming ring'
02:24:36: Modem 1/10 Mcom: in modem state 'Waiting for Carrier'
02:25:35: Modem 1/10 Mcom: in modem state 'Disconnecting'
02:25:35: Modem 1/10 Mcom: DISCONNECT, duration = 00:00:00, reason (0x2) No carrier
Additional Data
*here is the status of the Async 33, why is it spoofing???
my-router#sho interfaces Async 33
Async33 is up (spoofing), line protocol is up (spoofing)
modem(slot/port):1/0, csm_state:IDLE_STATE,
bchan_num:-1 csm_status(0): CSM_STATUS_UNLOCKED
Hardware is MCOM Integrated Modem Controller
Interface is unnumbered. Using address of FastEthernet0/0 (192.168.10.1)
MTU 1500 bytes, BW 9 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive not set
DTR is pulsed for 5 seconds on reset
LCP Closed
Closed: IPCP
Last input never, output never, output hang never
Last clearing of "show interface" counters 02:36:16
Queueing strategy: fifo
Output queue 0/10, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
*hope the cisco community could help us. any infos and inputs will be very helpful.
thanks.
Marck Jay B. Campos
Network Head
Information Technology Center
De La Salle University
08-26-2002 10:56 PM
hi
i also intend to implement a solution on radius or tacacs.
Could you please tell me how the setup should be and how you are going about the implementation, and give a brief idea of what steps are involved in configuring?
I feel there is an 8-port modem which is connected to a router and to the LAN; on a router we connect the RADIUS server, and we access the local host through this modem. And is the dial-in access limited to the number of ports on the modem?
thanking u in anticipation
pravash
01-08-2003 10:02 AM
Hi guys!
I have radius working with a 3620 and a 3640, here are some suggestions and feedback.
1) If you are using Win2k with Active Directory, set up the RADIUS server on one of the Win2k servers. You can then tie in the Active Directory accounts to the RADIUS server; this way anyone dialing in can use the same ID. Also make sure the users using RADIUS have the dial-in option checked in their Active Directory account.
2) make sure your router and server can communicate without any issues or ports being blocked.
3) I noticed on the config above the group was not defined for pap under the interface.
4) Here is part of the config I used for our 3620 router.
aaa group server radius ser-rad-group
server x.x.1.234 auth-port 1645 acct-port 1646
server x.x.1.235 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login no-authen none
aaa authentication login log-radius group ser-rad-group
aaa authentication ppp default local
aaa authentication ppp use-radius group ser-rad-group
aaa session-id common
!
ip dhcp-server x.x.1.234 :if your user need DHCP
interface Group-Async1
ip unnumbered FastEthernet1/0 ::easier for routing purposes
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer idle-timeout 3600
async mode dedicated
peer default ip address dhcp ::if your using dhcp
no fair-queue
compress mppc ::if your using Microsoft compression
ppp max-bad-auth 3
ppp authentication pap use-radius :define radius group
group-range 1 8
radius-server host x.x.1.234 auth-port 1645 acct-port 1646
radius-server host x.x.1.235 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key ????????? :make sure key is same on radius server; to verify, uncheck need for key on rad ser
radius-server authorization permit missing Service-Type
line 1 8
session-timeout 60
exec-timeout 0 0
modem InOut
modem autoconfigure discovery
no exec
transport preferred none
transport output none
autoselect ppp
flowcontrol hardware
If you have any questions let me know.
Randy McIver, CCNP
Cap Gemini Ernst & Young Consulting
Good luck !! : ))
01-12-2003 04:55 PM
thanks randy,
I'll try these configurations ASAP..
thanks
marck campos
01-08-2003 10:19 AM
Hello again!
Try just using pap on your Async Interface, if you get it working then enable chap and disable pap.
Questions:
1) Do you need to log in directly to the async interfaces or just pass users through? If you only need users to log in to RADIUS and then be passed through, get rid of all the exec login information on the line 33 48. Look at the post I made just before this.
2)Why do you need nat on the group async 1 interface ?? Can you not use a range from your 192.168.10.1?
3) why do you have the rotary under your line 33 48 ??
4)put in the following aaa group
"aaa authentication ppp use-radius group ser-rad-group"
then change the ppp authentication line to:
"ppp authentication pap use-radius"
turn off chap on your client device and just use pap until you get it working.
Have fun ! : ))
Check out the reply and post I did further on in your discussion.
--Only issue I have with my config is I can only get the modems to connect at 21600 bps, so if any one can help me on that, check out the conversation I posted yesterday. Thanks!!
Randy McIver, CCNP
Cap Gemini Ernst & Young Consulting
01-14-2003 12:38 AM
Hi Marck,
Are you using a NM-16A/M module? (Module with internal modems)
This module is very sensitive to grounding so you should have a good grounding for the modems to work properly.
I would suggest you start troubleshooting from the lower layers going up.
From the router you can verify the connectivity with the modem through a reverse telnet session, below is the URL:
If your test was successful then proceed to PPP test between dial-up client and the router. If you haven't tried it yet, I would suggest that you test your dialup connection to the router with local authentication first prior to using radius authentication.
Comment: From the config that you have posted, under the "line 33 48", you have a "login authentication console", which means the router will search for the login group named "console" from the aaa configuration lines in the upper part of your config. Try using "login authentication default" (you may not be able to see this command under the "line 33 48" since it is the default).
Hope this helps.
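The method-list lookup described in the reply above (a `login authentication` or `ppp authentication` statement resolving to the `aaa authentication` list of that name, or to `default` when none is named) can be audited offline from saved config text. This is an added example, not code from any post in the thread; `parse_method_lists` and `resolve` are hypothetical names, `SAMPLE` is constructed from the AAA and line statements of the first config posted, and one command per line is assumed.

```python
import re

# Constructed sample: AAA and line/interface statements taken from the first
# config posted in this thread, reduced to the lines that affect resolution.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login line line
aaa authentication login console enable
aaa authentication ppp default if-needed group radius local
interface Group-Async1
ppp authentication chap pap
!
line con 0
login authentication console
line 33 48
autoselect ppp
login authentication console
line aux 0
line vty 0 4
login authentication line
"""

# Words on a "ppp authentication" line that are not a method-list name.
PPP_WORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap",
             "if-needed", "callin", "one-time", "optional"}

def parse_method_lists(config):
    """Map (service, list name) -> methods from 'aaa authentication' lines."""
    pat = r"^[ \t]*aaa authentication (login|ppp) (\S+) (.+)$"
    return {(m[1], m[2]): m[3].split() for m in re.finditer(pat, config, re.M)}

def resolve(config):
    """Return (stanza, service, list, methods); methods is None if undefined."""
    lists, results, stanza, saw_login = parse_method_lists(config), [], None, False
    for line in [l.strip() for l in config.splitlines()] + ["!"]:
        if line == "!" or line.startswith(("interface ", "line ")):
            # With aaa new-model, a line with no explicit list uses "default".
            if stanza and stanza.startswith("line ") and not saw_login:
                results.append((stanza, "login", "default", lists.get(("login", "default"))))
            stanza, saw_login = (None if line == "!" else line), False
        elif stanza and line.startswith("login authentication "):
            name, saw_login = line.split()[2], True
            results.append((stanza, "login", name, lists.get(("login", name))))
        elif stanza and line.startswith("ppp authentication "):
            extra = [w for w in line.split()[2:] if w not in PPP_WORDS]
            name = extra[0] if extra else "default"
            results.append((stanza, "ppp", name, lists.get(("ppp", name))))
    return results

if __name__ == "__main__":
    for stanza, service, name, methods in resolve(SAMPLE):
        print(f"{stanza:24} {service:5} {name:10} {methods or 'UNDEFINED LIST'}")
```

On the sample, lines 33 to 48 resolve to the `console` login list (`enable`), while PPP on Group-Async1 falls through to the `default` PPP list; a named list that is referenced but never defined comes back as `None`.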