
Dialup : 3620 router + 16 port analog modem with RADIUS : Help!

m.campos
Level 1

We currently have a Cisco 3620 and purchased a 16-port analog modem.

We wish the router to accept the call and get authenticated via the RADIUS server.

Some configuration was done by the team, but with no luck.

Here is the sample config:

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname dasma-router

!

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login default group radius local

aaa authentication login line line

aaa authentication login console enable

aaa authentication ppp default if-needed group radius local

enable secret 5 $1$yQJx$Md8BVZAWWKnhSw8AovoGP1

!

username mac password 7 000906010155525456

username tina password 7 000B04030A4F030F0120

username cisco1 password 7 045802150C2E

username line password 7 060A062F49

memory-size iomem 10

modem country microcom_hdms philippines

ip subnet-zero

!

!

no ip finger

ip domain-name dasma.dlsu.edu.ph

ip name-server 61.9.12.130

!

call rsvp-sync

!

!

interface FastEthernet0/0

ip address 61.9.12.129 255.255.255.192 secondary

ip address 61.9.126.84 255.255.255.248 secondary

ip address 192.168.10.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0

bandwidth 1024

ip address 192.168.132.22 255.255.255.252

ip accounting output-packets

ip nat outside

!

interface Group-Async1

ip unnumbered FastEthernet0/0

ip nat inside

encapsulation ppp

async mode interactive

peer default ip address pool bidir_dial_pool

no fair-queue

ppp authentication chap pap

group-range 33 48

!

ip local pool bidir_dial_pool 172.16.1.1 172.16.1.5

ip nat inside source list 1 interface Serial0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

ip route 61.9.6.102 255.255.255.255 61.9.12.131

ip route 61.9.126.80 255.255.255.248 61.9.12.131

ip route 172.16.0.0 255.255.0.0 Serial0/0

no ip http server

!

logging trap warnings

access-list 1 permit 172.16.0.0 0.0.255.255

radius-server host 192.168.16.1 auth-port 1645 acct-port 1646 key 7 14161E1B0405

radius-server retransmit 3

!

dial-peer cor custom

!

!

line con 0

exec-timeout 0 0

login authentication console

transport input none

line 33 48

exec-timeout 0 0

autoselect ppp

login authentication console

modem Dialin

modem autoconfigure type microcom_hdms

rotary 1

transport input all

stopbits 1

flowcontrol hardware

line aux 0

line vty 0 4

exec-timeout 0 0

password 7 05080F1C22431C5C4854454A

login authentication line

!

end

thanks in advance

m.campos


tepatel
Cisco Employee

The config is nearly OK. If it's just for dial-in, then you don't need "rotary 1" under the line. Also, you can add "aaa authorization network default radius local" if you want authorization from RADIUS. Anyway, we need to know what's going on when the call comes in to the router. For that, please enable the following debug:

debug modem

debug ppp negotiation

debug aaa authentication

debug aaa authorization

term mon

Please post it here to see why the dial-in doesn't work.

Tejal

Hi! I kept on getting this message: 1w4d: AAA/AUTHOR: config command authorization not enabled

when I entered "aaa authorization network default radius local"

thanks

m.campos

Don't worry about it. It's just a warning message. Let us know the debug.

Tejal

Hi Tejal, I tried to debug the router,

and here are the debug options:

General OS:

Modem control/process activation debugging is on

AAA Authentication debugging is on

AAA Authorization debugging is on

PPP:

PPP protocol negotiation debugging is on

Asynchronous interfaces:

Async interface state changes debugging is on

And I tried to connect to the modem, and there is no "fax tone"; the number just rang continuously. I tried to see if there is any debug output; there is none.

thanks,

m.campos

Try to console into the router and enter the following commands:

conf t

logging on

logging console

If it's just "ring" but no answer, then I would check the line first. Plug a telephone into that line, dial the same number, and see whether you get a ring on that telephone and try to talk.

Now try the following config first under the line and see if that makes any difference..

line 33 48

autoselect ppp

login authentication console

modem inout

transport input all

flowcontrol hardware

With the above config, the modem should at least answer the incoming call and move forward.

Tejal

Hi Tejal,

I did look at the router's interfaces, and I found out that my Group-Async was down.

Group-Async1 is down, line protocol is down

Hardware is Async Group Serial

Interface is unnumbered. Using address of FastEthernet0/0 (192.168.10.1)

MTU 1500 bytes, BW 1000 Kbit, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive not set

DTR is pulsed for 5 seconds on reset

LCP Closed

Closed: IPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 22:19:11

Queueing strategy: fifo

Output queue 0/10, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

* And Tejal, I tried to console into the router, go to the interface and enter the "no shutdown" command to enable that interface, but it still won't go up.

Thanks!

m.campos

Hi Tejal,

It's me again... still with the router problem... Here's the config:

#sho ru

Building configuration...

Current configuration : 2349 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname dasma-router

!

logging rate-limit console 10 except errors

aaa new-model

aaa authentication login default group radius local

aaa authentication login line line

aaa authentication login console enable

aaa authentication ppp default if-needed group radius local

aaa authorization network default local

enable secret 5 $1$yQJx$Md8BVZAWWKnhSw8AovoGP1

!

username mac password 7 000906010155525456

username tina password 7 000B04030A4F030F0120

username line password 7 060A062F49

memory-size iomem 10

modem country microcom_hdms philippines

ip subnet-zero

!

!

no ip finger

ip domain-name dasma.dlsu.edu.ph

ip name-server 61.9.12.130

!

call rsvp-sync

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 61.9.12.129 255.255.255.192 secondary

ip address 61.9.126.84 255.255.255.248 secondary

ip address 192.168.10.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0

bandwidth 1024

ip address 192.168.132.22 255.255.255.252

ip accounting output-packets

ip nat outside

!

interface Group-Async1

ip unnumbered FastEthernet0/0

ip nat inside

encapsulation ppp

dialer in-band

async mode interactive

peer default ip address pool bidir_dial_pool

no fair-queue

ppp authentication chap pap

group-range 33 48

!

ip local pool bidir_dial_pool 172.16.1.1 172.16.1.5

ip nat inside source list 1 interface Serial0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

ip route 61.9.6.102 255.255.255.255 61.9.12.131

ip route 61.9.12.128 255.255.255.192 FastEthernet0/0

ip route 61.9.126.80 255.255.255.248 61.9.12.131

ip route 172.16.0.0 255.255.0.0 Serial0/0

no ip http server

!

logging trap warnings

access-list 1 permit 172.16.0.0 0.0.255.255

dialer-list 1 protocol ip permit

radius-server host 61.9.12.152 auth-port 1645 acct-port 1646

radius-server retransmit 3

!

dial-peer cor custom

!

!

!

!

line con 0

exec-timeout 0 0

login authentication console

transport input none

line 33 48

exec-timeout 0 0

autoselect ppp

login authentication console

modem Dialin

transport input all

stopbits 1

flowcontrol hardware

line aux 0

line vty 0 4

exec-timeout 0 0

password 7 05080F1C22431C5C4854454A

login authentication line

!

end

**** I did get a "fax tone" right now... unlike the former problem.

- The router is properly grounded (I think).

Here is the data:

02:24:20: Modem 1/10 Mcom: in modem state 'Idle'

02:24:33: Modem 1/10 Mcom: in modem state 'Dialing/Answering'

02:24:34: Modem 1/10 Mcom: in modem state 'Incoming ring'

02:24:36: Modem 1/10 Mcom: in modem state 'Waiting for Carrier'

02:25:35: Modem 1/10 Mcom: in modem state 'Disconnecting'

02:25:35: Modem 1/10 Mcom: DISCONNECT, duration = 00:00:00, reason (0x2) No carrier

Additional Data

* Here is the status of Async 33. Why is it spoofing???

my-router#sho interfaces Async 33

Async33 is up (spoofing), line protocol is up (spoofing)

modem(slot/port):1/0, csm_state:IDLE_STATE,

bchan_num:-1 csm_status(0): CSM_STATUS_UNLOCKED

Hardware is MCOM Integrated Modem Controller

Interface is unnumbered. Using address of FastEthernet0/0 (192.168.10.1)

MTU 1500 bytes, BW 9 Kbit, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive not set

DTR is pulsed for 5 seconds on reset

LCP Closed

Closed: IPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 02:36:16

Queueing strategy: fifo

Output queue 0/10, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

* Hope the Cisco community could help us. Any info and input will be very helpful.

Thanks.

Marck Jay B. Campos

Network Head

Information Technology Center

De La Salle University

sk
Level 1

Hi,

I also intend to implement a solution on RADIUS or TACACS.

Could you please tell me how the setup should be and how you are going about the implementation, and give a brief idea of what steps are involved in configuring it?

I feel there is an 8-port modem which is connected to a router, and to the LAN on a router we connect the RADIUS server, and we access the local host through this modem. And is the dial-in access limited to the number of ports on the modem?

Thanking you in anticipation,

pravash

Hi guys!

I have radius working with a 3620 and a 3640, here are some suggestions and feedback.

1) If you are using Win2k with Active Directory, set up the RADIUS server on one of the Win2k servers. You can then tie the Active Directory accounts in to RADIUS; this way anyone dialing in can use the same ID. Also make sure the users using RADIUS have the dial-in option checked in their Active Directory account.

2) Make sure your router and server can communicate without any issues or ports being blocked.

3) I noticed in the config above that the group was not defined for PAP under the interface.

4) Here is part of the config I used for our 3620 router.

aaa group server radius ser-rad-group

server x.x.1.234 auth-port 1645 acct-port 1646

server x.x.1.235 auth-port 1645 acct-port 1646

!

aaa authentication login default local

aaa authentication login no-authen none

aaa authentication login log-radius group ser-rad-group

aaa authentication ppp default local

aaa authentication ppp use-radius group ser-rad-group

aaa session-id common

!

! if your users need DHCP

ip dhcp-server x.x.1.234

interface Group-Async1

! easier for routing purposes

ip unnumbered FastEthernet1/0

encapsulation ppp

no ip mroute-cache

dialer in-band

dialer idle-timeout 3600

async mode dedicated

! if you're using DHCP

peer default ip address dhcp

no fair-queue

! if you're using Microsoft compression

compress mppc

ppp max-bad-auth 3

! define radius group

ppp authentication pap use-radius

group-range 1 8

radius-server host x.x.1.234 auth-port 1645 acct-port 1646

radius-server host x.x.1.235 auth-port 1645 acct-port 1646

radius-server retransmit 3

! make sure key is same on radius server; to verify, uncheck need for key on rad ser

radius-server key ?????????

radius-server authorization permit missing Service-Type

line 1 8

session-timeout 60

exec-timeout 0 0

modem InOut

modem autoconfigure discovery

no exec

transport preferred none

transport output none

autoselect ppp

flowcontrol hardware

If you have any questions let me know.

Randy McIver, CCNP

Cap Gemini Ernst & Young Consulting

Good luck !! : ))

Thanks Randy,

I'll try these configurations ASAP.

Thanks,

marck campos

rmciver
Level 1

Hello again!

Try just using PAP on your async interface; if you get it working, then enable CHAP and disable PAP.

Questions:

1) Do you need to log in directly to the async interfaces or just pass users through? If you only need users to log in to RADIUS and then be passed through, get rid of all the exec login information on line 33 48. Look at the post I made just before this.

2) Why do you need NAT on the Group-Async1 interface? Can you not use a range from your 192.168.10.1?

3) Why do you have the rotary under your line 33 48?

4) Put in the following aaa group:

"aaa authentication ppp use-radius group ser-rad-group"

then change the ppp authentication line to:

"ppp authentication pap use-radius"

Turn off CHAP on your client device and just use PAP until you get it working.

Have fun ! : ))

Check out the reply and post I did further on in your discussion.

--The only issue I have with my config is that I can only get the modems to connect at 21600 bps, so if anyone can help me with that, check out the conversation I posted yesterday. Thanks!!

Randy McIver, CCNP

Cap Gemini Ernst & Young Consulting

Hi Marck,

Are you using a NM-16A/M module? (Module with internal modems)

This module is very sensitive to grounding so you should have a good grounding for the modems to work properly.

I would suggest you start troubleshooting from the lower layers going up.

From the router you can verify the connectivity with the modem through a reverse telnet session, below is the URL:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800871ec.html

If your test was successful then proceed to PPP test between dial-up client and the router. If you haven't tried it yet, I would suggest that you test your dialup connection to the router with local authentication first prior to using radius authentication.

Comment: From the config that you have posted, under the "line 33 48", you have a "login authentication console", which means the router will search for the login group named "console" from the aaa configuration lines in the upper part of your config. Try using "login authentication default" (you may not be able to see this command under the "line 33 48" since it is the default).

Hope this helps.
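The point in the last reply about "login authentication console" comes down to resolving a named method list. As an added example (not code from any poster in this thread), this Python sketch resolves each "login authentication" and "ppp authentication" reference in a config excerpt to its "aaa authentication" list and reports lists that never reach a RADIUS group and RADIUS hosts with no key. The sample is constructed from lines posted above; the function name `audit` and the small set of recognised keywords are assumptions of the example.

```python
import re

# Constructed excerpt, reduced from the second config posted in this thread.
SAMPLE = """\
aaa authentication login default group radius local
aaa authentication login console enable
aaa authentication ppp default if-needed group radius local
interface Group-Async1
 ppp authentication chap pap
radius-server host 61.9.12.152 auth-port 1645 acct-port 1646
line 33 48
 login authentication console
"""

# Tokens after "ppp authentication" that are not a method-list name (assumed set).
PPP_WORDS = {"chap", "pap", "ms-chap", "if-needed", "callin", "one-time", "optional"}

def audit(config):
    """Return (resolved, findings) for the AAA references in an IOS config."""
    lists, refs, findings, ctx = {}, [], [], "global"
    for line in (l.strip() for l in config.splitlines()):
        if re.match(r"(interface|line) ", line):
            ctx = line                      # sub-commands below belong here
        if m := re.match(r"aaa authentication (login|ppp) (\S+) (.+)", line):
            lists[m[1], m[2]] = m[3].split()
        elif m := re.match(r"login authentication (\S+)", line):
            refs.append((ctx, "login", m[1]))
        elif m := re.match(r"ppp authentication (.+)", line):
            named = [t for t in m[1].split() if t not in PPP_WORDS]
            refs.append((ctx, "ppp", named[0] if named else "default"))
    groups = {"radius"} | set(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    resolved = {}
    for ctx, kind, name in refs:
        methods = lists.get((kind, name))
        resolved[ctx, kind] = (name, methods)
        if methods is None:
            findings.append(f"{ctx}: {kind} list '{name}' is not defined")
        elif not groups & set(methods):
            findings.append(f"{ctx}: {kind} list '{name}' = {methods}, no RADIUS")
    # A host entry needs its own key unless a global "radius-server key" exists.
    global_key = re.search(r"^radius-server key \S", config, re.M)
    for host, rest in re.findall(r"^radius-server host (\S+)(.*)$", config, re.M):
        if not global_key and " key " not in rest:
            findings.append(f"radius-server host {host}: no shared key")
    return resolved, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

On the constructed sample it reports that line 33 48 resolves to the list "console" (method "enable" only) and that the RADIUS host entry carries no key, while the PPP reference on Group-Async1 falls back to the "default" list.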
