Cisco Support Community
Community Member

Problem with downloadable ACL's with ISDN

Hi,

I have an interesting problem.

The problem is related to a Cisco 3725 with E1 and digital modems used as an access server.

The access server is using Cisco Secure ACS for AAA purposes.

I defined a downloadable access list as a RADIUS cisco av-pair.

It works fine with modem lines, but it does not if you try to dial using a regular ISDN connection.

With an ISDN connection, authorization fails. After unconfiguring the av-pairs on ACS, everything works fine.

Configuration for multilink:

    multilink virtual-template 1
    interface Virtual-Template1
     ip unnumbered Loopback0

Configuration for ISDN is:

    interface Serial1/0:15
     ip unnumbered Loopback0
     ip nat inside
     encapsulation ppp
     dialer-group 1
     isdn switch-type primary-net5
     isdn incoming-voice modem
     no fair-queue
     no cdp enable
     ppp callback permit
     ppp authentication chap aaaPPP
     ppp authorization aaaPPP
     ppp multilink

Configuration for digital modems:

    interface Group-Async1
     ip unnumbered Loopback0
     ip nat inside
     encapsulation ppp
     async mode dedicated
     ppp callback permit
     ppp authentication chap aaaPPP
     ppp authorization aaaPPP
     group-range 65 94

Configuration for AAA:

    aaa authentication ppp aaaPPP group radius
    aaa authorization network aaaPPP group radius
    aaa accounting network default start-stop group radius
    radius-server host <ACS IP address> auth-port 1645 acct-port 1646 key <ACS key>

I tried to find a solution on CCO, but I failed.

Does anybody have any idea? Is it an unsupported feature?

BTW: I also tried to check downloadable ACL's in a "pure" environment, without the callback and multilink features, and it also does work.

2 REPLIES
Bronze

Re: Problem with downloadable ACL's with ISDN

Try out dialer rotary-group instead of dialer group, because dialer group can only be associated with one interface at a time.

Please have a look at

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_configuration_example09186a0080094557.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7e9b.html#wp1181417

Community Member

Re: Problem with downloadable ACL's with ISDN

Hello,

Unfortunately, I was not able to read the post for a long time.

The problem is not with dialer-group.

I have already tried a configuration with a dialer interface. Using a dialer interface, the user is able to authenticate and authorize, but the access lists are still not loaded to the router.

I use the cisco av-pair ip:inacl# statement on the RADIUS server. As I mentioned, it works fine with async interfaces, but it does not with the ISDN PRI interface.
