ISDN Authorisation failure

tamer
Level 1

I have an AS5800 which is configured for ISDN and analog calls. PPP authorization is configured in order to assign users IP addresses from RADIUS. Analog calls have no problem and the users can take their IP address from RADIUS. The problem is that ISDN users receive an LCP negotiation error message when I configure the serial interface with the ppp authorization command; when I remove the authorization and put a local IP pool on the serial interface, the users log in without problems.

The serial configuration is as follows:

interface Serial1/0/0:15
 ip unnumbered Loopback0
 no ip redirects
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 dialer idle-timeout 7000
 autodetect encapsulation ppp v120
 isdn switch-type primary-net5
 isdn not-end-to-end 56
 isdn incoming-voice modem
 isdn negotiate-bchan
 no peer default ip address
 ppp authentication pap chap rad-1
 ppp authorization rad-1
 ppp multilink

I debugged ppp authentication and aaa authorization; the output is as follows:

Dec 15 14:26:27.565: AAA/ACCT/DS0: channel=12, ds1=0, t3=0, slot=0, ds0=12

Dec 15 14:26:27.565: AAA/ACCT/DS0: channel=12, ds1=0, t3=0, slot=0, ds0=12

Dec 15 14:26:27.693: AAA: parse name=tty2 idb type=-1 tty=-1

Dec 15 14:26:27.693: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

Dec 15 14:26:27.693: AAA/MEMORY: create_user (0x6664B548) user='aossama' ruser='MOH-C82' ds0=0 port='tty2' rem_addr='62.140.64.177' authen_type=ASCII service=NONE priv=15 initial_task_id='0'

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): Port='tty2' list='' service=CMD

Dec 15 14:26:27.693: AAA/AUTHOR/CMD: tty2(2640554636) user='aossama'

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): send AV service=shell

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): send AV cmd=configure

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): send AV cmd-arg=terminal

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): send AV cmd-arg=<cr>

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): found list "default"

Dec 15 14:26:27.693: tty2 AAA/AUTHOR/CMD(2640554636): Method=LOCAL

Dec 15 14:26:27.693: AAA/AUTHOR (2640554636): Post authorization status = PASS_ADD

Dec 15 14:26:27.693: AAA/MEMORY: free_user (0x6664B548) user='aossama' ruser='MOH-C82' port='tty2' rem_addr='62.140.64.177' authen_type=ASCII service=NONE priv=15

Dec 15 14:26:27.833: Se1/0/0:12 PPP: Treating connection as a callin

Dec 15 14:26:27.833: Se1/0/0:12 PPP: Phase is ESTABLISHING, Passive Open

Dec 15 14:26:27.833: Se1/0/0:12 LCP: State is Listen

Dec 15 14:26:27.833: Se1/0/0:12 LCP: I CONFREQ [Listen] id 0 len 48

Dec 15 14:26:27.833: Se1/0/0:12 LCP: MRU 1524 (0x010405F4)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: MagicNumber 0x081409E3 (0x0506081409E3)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: PFC (0x0702)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: ACFC (0x0802)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: Callback 6 (0x0D0306)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: MRRU 1614 (0x1104064E)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: EndpointDisc 1 Local

Dec 15 14:26:27.833: Se1/0/0:12 LCP: (0x1317014319E96043534B1DBEC7856465)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: (0x26D63300000000)

Dec 15 14:26:27.833: Se1/0/0:12 PPP: Authorization required

Dec 15 14:26:27.833: Se1/0/0:12 LCP: O CONFREQ [Listen] id 11 len 28

Dec 15 14:26:27.833: Se1/0/0:12 LCP: AuthProto PAP (0x0304C023)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: MagicNumber 0x20C0B389 (0x050620C0B389)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: MRRU 1524 (0x110405F4)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: EndpointDisc 1 MOH-C82 (0x130A014D4F482D433832)

Dec 15 14:26:27.833: Se1/0/0:12 LCP: O CONFREJ [Listen] id 0 len 7

Dec 15 14:26:27.837: Se1/0/0:12 LCP: Callback 6 (0x0D0306)

Dec 15 14:26:27.857: Se1/0/0:12 LCP: I CONFACK [REQsent] id 11 len 28

Dec 15 14:26:27.857: Se1/0/0:12 LCP: AuthProto PAP (0x0304C023)

Dec 15 14:26:27.857: Se1/0/0:12 LCP: MagicNumber 0x20C0B389 (0x050620C0B389)

Dec 15 14:26:27.857: Se1/0/0:12 LCP: MRRU 1524 (0x110405F4)

Dec 15 14:26:27.857: Se1/0/0:12 LCP: EndpointDisc 1 MOH-C82 (0x130A014D4F482D433832)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: I CONFREQ [ACKrcvd] id 1 len 45

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MRU 1524 (0x010405F4)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MagicNumber 0x081409E3 (0x0506081409E3)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: PFC (0x0702)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: ACFC (0x0802)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MRRU 1614 (0x1104064E)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: EndpointDisc 1 Local

Dec 15 14:26:27.865: Se1/0/0:12 LCP: (0x1317014319E96043534B1DBEC7856465)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: (0x26D63300000000)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: O CONFACK [ACKrcvd] id 1 len 45

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MRU 1524 (0x010405F4)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MagicNumber 0x081409E3 (0x0506081409E3)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: PFC (0x0702)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: ACFC (0x0802)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: MRRU 1614 (0x1104064E)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: EndpointDisc 1 Local

Dec 15 14:26:27.865: Se1/0/0:12 LCP: (0x1317014319E96043534B1DBEC7856465)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: (0x26D63300000000)

Dec 15 14:26:27.865: Se1/0/0:12 LCP: State is Open

Dec 15 14:26:27.865: Se1/0/0:12 PPP: Phase is AUTHENTICATING, by this end

Dec 15 14:26:27.929: Se1/0/0:12 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x081409E3 MSRASV5.10

Dec 15 14:26:27.933: Se1/0/0:12 LCP: I IDENTIFY [Open] id 3 len 21 magic 0x081409E3 MSRAS-1-LAB13

Dec 15 14:26:27.937: Se1/0/0:12 PAP: I AUTH-REQ id 16 len 15 from "TIC"

Dec 15 14:26:27.937: Se1/0/0:12 PAP: Authenticating peer TIC

Dec 15 14:26:27.937: Se1/0/0:12 PPP: Phase is FORWARDING, Attempting Forward

Dec 15 14:26:27.937: Se1/0/0:12 PPP: Phase is AUTHENTICATING, Unauthenticated User

Dec 15 14:26:27.937: Se1/0/0:12 PPP: Sent PAP LOGIN Request to AAA

Dec 15 14:26:28.121: Se1/0/0:12 PPP: Received LOGIN Response from AAA = PASS

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: service-type

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: Framed-Protocol

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: addr

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: netmask

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: link-compression:Peruser

Dec 15 14:26:28.121: Se1/0/0:12 PPP/AAA: Check Attr: Port-Limit

Dec 15 14:26:28.121: Se1/0/0:12 PPP: Phase is FORWARDING, Attempting Forward

Dec 15 14:26:28.121: Se1/0/0:12 PPP: Phase is AUTHENTICATING, Authenticated User

Dec 15 14:26:28.121: Se1/0/0:12 AAA/AUTHOR/LCP: Process Author

Dec 15 14:26:28.121: Se1/0/0:12 AAA/AUTHOR/LCP: Process Attr: link-compression

Dec 15 14:26:28.121: AAA/AUTHOR: Processing PerUser AV link-compression

Dec 15 14:26:28.121: Se1/0/0:12 AAA/AUTHOR/LCP: IF_config:

ip tcp header-compression

Dec 15 14:26:28.121: Se1/0/0:12 PAP: O AUTH-ACK id 16 len 5

Dec 15 14:26:28.121: Se1/0/0:12 PPP: Phase is VIRTUALIZED

Dec 15 14:26:28.125: Vi1 PPP: Phase is DOWN, Setup

Dec 15 14:26:28.133: Se1/0/0:12 PPP: Phase is TERMINATING

Dec 15 14:26:28.133: Se1/0/0:12 LCP: O TERMREQ [Open] id 12 len 4

Dec 15 14:26:28.397: Se1/0/0:12 LCP: State is Closed

Dec 15 14:26:28.397: Se1/0/0:12 PPP: Phase is DOWN

Does anybody know what the problem is?

Thanks in advance,

3 Replies

tepatel
Cisco Employee

The NAS is looking for the virtual interface config.

Dec 15 14:26:28.121: Se1/0/0:12 PPP: Phase is VIRTUALIZED

Dec 15 14:26:28.125: Vi1 PPP: Phase is DOWN, Setup

You need to configure interface virtual-template 1 to terminate the ISDN users every time authorization data is received from AAA for ISDN users, so you need to enter the following config.

config t
multilink virtual-template 1
virtual-profile virtual-template 1
virtual-profile if-needed
!
Interface virtual-template 1
 ip unnumbered Loopback0
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 autodetect encapsulation ppp v120
 ppp authentication pap chap rad-1
 ppp authorization rad-1
 ppp multilink

After that it should work.
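
Added example, not part of the original thread or of Cisco's tooling: a short Python script that reads debug output in the format quoted above, builds the PPP phase timeline per interface, decodes the Authentication-Protocol option the peer ACKed, and reports which side sent the TERMREQ. The function names are hypothetical, and the sample lines are excerpted from the debug output in the original post.

```python
import re

# Lines excerpted from the debug output quoted in the original post.
SAMPLE = """\
Dec 15 14:26:27.833: Se1/0/0:12 PPP: Phase is ESTABLISHING, Passive Open
Dec 15 14:26:27.857: Se1/0/0:12 LCP: I CONFACK [REQsent] id 11 len 28
Dec 15 14:26:27.857: Se1/0/0:12 LCP: AuthProto PAP (0x0304C023)
Dec 15 14:26:27.865: Se1/0/0:12 PPP: Phase is AUTHENTICATING, by this end
Dec 15 14:26:28.121: Se1/0/0:12 PPP: Phase is VIRTUALIZED
Dec 15 14:26:28.125: Vi1 PPP: Phase is DOWN, Setup
Dec 15 14:26:28.133: Se1/0/0:12 PPP: Phase is TERMINATING
Dec 15 14:26:28.133: Se1/0/0:12 LCP: O TERMREQ [Open] id 12 len 4
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:.]+: (\S+) (PPP|LCP|PAP|CHAP):\s+(.*)$")
OPT_HEX = re.compile(r"\(0x((?:[0-9A-Fa-f]{2})+)\)")
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers

def decode_auth_option(hexstr):
    """Return the protocol named by an LCP Authentication-Protocol option (type 3)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        return None  # some other option, or a truncated one
    return AUTH_PROTOS.get(int.from_bytes(raw[2:4], "big"), "unknown")

def summarize(log):
    """Per interface: phase timeline, auth protocol the peer ACKed, TERMREQ sender."""
    out, in_confack = {}, {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        intf, proto, msg = m.groups()
        s = out.setdefault(intf, {"phases": [], "auth": None, "termreq": None})
        if proto == "PPP" and msg.startswith("Phase is "):
            s["phases"].append(msg[len("Phase is "):].split(",")[0])
        elif proto == "LCP" and re.match(r"[IO] [A-Z]+ \[", msg):  # packet header line
            in_confack[intf] = msg.startswith("I CONFACK")
            if "TERMREQ" in msg:
                s["termreq"] = "local" if msg.startswith("O ") else "peer"
        elif proto == "LCP" and in_confack.get(intf) and (h := OPT_HEX.search(msg)):
            s["auth"] = decode_auth_option(h.group(1)) or s["auth"]
    return out

def dropped_after_virtualized(summary, intf):
    """True if the link reached VIRTUALIZED, then TERMINATING, and never UP."""
    p = summary[intf]["phases"]
    return "VIRTUALIZED" in p and "UP" not in p and "TERMINATING" in p[p.index("VIRTUALIZED"):]
```

On the posted debug this shows Se1/0/0:12 going from VIRTUALIZED to TERMINATING with a locally sent TERMREQ, the pattern the reply points at. The auth field shows that PAP was negotiated, and PAP carries the password over the link in cleartext.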

Thanks a lot, this configuration helped me and the users are working, but another problem has appeared: when I put the ppp multilink command on the serial interface, users can't log in, and when I remove the command, users log in and take an IP from RADIUS but they can't establish PPP multilink. The configuration is as follows:

multilink virtual-template 1
virtual-profile if-needed
virtual-profile virtual-template 1
interface Virtual-Template1
 ip unnumbered Loopback0
 no ip route-cache
 ip tcp header-compression
 autodetect encapsulation ppp
 peer default ip address pool default
 ppp authentication pap chap rad-1
 ppp authorization rad-1
 ppp multilink
!
interface Serial1/0/0:15
 ip unnumbered Loopback0
 no ip redirects
 encapsulation ppp
 no ip route-cache
 ip tcp header-compression passive
 dialer idle-timeout 7000
 autodetect encapsulation ppp v120
 isdn switch-type primary-net5
 isdn not-end-to-end 56
 isdn incoming-voice modem
 isdn negotiate-bchan
 peer default ip address pool default
 ppp authorization rad-1
 ppp authentication pap chap rad-1
 ppp multilink {when this command is added nobody can log in; it must be removed, but then users can't establish PPP multilink}

Thanks for your support.

tepatel
Cisco Employee

Leave the "ppp multilink" command under the serial interface, as it's needed under the physical interface to negotiate the multilink.

I would remove the following lines of config from the serial interface if I don't need them.

autodetect encapsulation ppp v120
isdn not-end-to-end 56
isdn negotiate-bchan

Now we need to see the following debugs to see where the problem is when ISDN users with multilink dial in.

debug isdn q931
debug ppp nego
debug aaa per
debug aaa authentication
debug aaa authorization