11-11-2003 03:31 AM - edited 03-02-2019 11:37 AM
I have an issue with Virtual Profiles running on an AS5300, 12.1(20) with CSACS 2.6 as the TACACS+ authentication. The access server serves dial-up users (via a group-async interface) and ISDN dial-in users using fixed static dialer profiles. I am trying to extend this to use virtual profiles for some ISDN dial-in users (to principally download access-lists and routes on a per-user basis).
However, after configuring virtual templates, the virtual access interface is not cloned.
Are any special AAA authorization parameters required on the user's CSACS configuration?
Presumably the PPP authentication/authorization configuration used to authenticate the user, as the details configured on the physical serial interface.
ISDN Caller ID is used to bind inbound calls to the physical dialer profile, but the users without static dialer profiles have an ISDN caller statement under the physical interface, so the call is not rejected.
The user is authenticated and authorized but the virtual template is not cloned.
The relevant parts of the configuration are:
aaa new-model
aaa authentication login default local
aaa authentication login TELNET line
aaa authentication login DIALINPPP group tacacs+ local
aaa authentication ppp default local
aaa authentication ppp ROUTERPPP local
aaa authentication ppp DIALINPPP if-needed group tacacs+ local
aaa authorization exec DIALINPPP group tacacs+ if-authenticated
aaa authorization network ROUTERPPP if-authenticated
aaa authorization network DIALINPPP group tacacs+ local
aaa accounting network DIALINPPP start-stop group tacacs+
!
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Serial0:15
 no ip address
 encapsulation ppp
 no logging event link-status
 dialer pool-member 1
 no snmp trap link-status
 isdn switch-type primary-net5
 isdn caller 5551234
 isdn caller 5557890
 isdn caller 5550001
 isdn incoming-voice modem
 isdn skip-async-callerid-check
 compress stac
 no cdp enable
 ppp authentication chap DIALINPPP
 ppp authorization DIALINPPP
 ppp multilink
!
interface Dialer0
 description Dialer Profile #0
 ip unnumbered loopback0
 dialer caller 5551234
 ...
!
interface Dialer1
 description Dialer Profile #1
 ip unnumbered loopback0
 dialer caller 5557890
 ...
11-13-2003 12:39 PM
If ISDN users don't get a VACESS created, that would mean they terminate on the D channel interface, which does not have an IP address. If this were the case, they should not be able to negotiate IPCP.
The "isdn caller" command can be used if you aren't doing "dialer caller" on dialer interfaces. So for anyone who happens to be calling from the numbers you have specified in the dialer caller statements on the D channel interface, the calls will bind to a B channel and no VACESS will be created.
However, if the caller were to negotiate Multilink, that requires a VACESS interface, so a VACESS would be created.
The above is true for ISDN users. If you are having the same problem with Async, I don't see enough information to determine anything.
Run the following debugs if possible when the problem occurs.
debug isdn q931
debug aaa authen
debug aaa author
debug ppp neg
debug vtemplate
Daniel
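An added example, not part of either post and not Cisco tooling: a Python check over a constructed, trimmed copy of the configuration posted above. It lists the caller IDs accepted by `isdn caller` screening that no `dialer caller` statement binds to a dialer profile (the users the virtual profile is meant for), and flags PPP method lists or virtual templates that are referenced but never defined. The names `audit`, `SAMPLE_CONFIG` and `PPP_KEYWORDS` are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted in this thread.
SAMPLE_CONFIG = """\
aaa authentication ppp DIALINPPP if-needed group tacacs+ local
aaa authorization network DIALINPPP group tacacs+ local
virtual-profile virtual-template 1
interface Virtual-Template1
 ip unnumbered Loopback0
interface Serial0:15
 isdn caller 5551234
 isdn caller 5557890
 isdn caller 5550001
 ppp authentication chap DIALINPPP
 ppp authorization DIALINPPP
interface Dialer0
 dialer caller 5551234
interface Dialer1
 dialer caller 5557890
"""

PPP_KEYWORDS = {"chap", "pap", "ms-chap", "if-needed", "callin", "one-time"}

def audit(config):
    """Return (caller IDs with no dialer profile, referenced-but-undefined items)."""
    lines = [line.strip() for line in config.splitlines()]
    def args(prefix):
        # Argument tokens of every line that starts with `prefix`.
        return [l[len(prefix):].split() for l in lines if l == prefix or l.startswith(prefix + " ")]
    screened = {a[0] for a in args("isdn caller")}      # accepted by call screening
    profiled = {a[0] for a in args("dialer caller")}    # bound to a dialer profile
    authen = {a[0] for a in args("aaa authentication ppp")}
    author = {a[0] for a in args("aaa authorization network")}
    templates = {l[len("interface Virtual-Template"):] for l in lines if l.startswith("interface Virtual-Template")}
    missing = []
    for a in args("ppp authentication"):
        names = [t for t in a if t not in PPP_KEYWORDS] or ["default"]
        missing += [f"aaa authentication ppp {n}" for n in names if n not in authen]
    for a in args("ppp authorization"):
        name = a[0] if a else "default"
        if name not in author: missing.append(f"aaa authorization network {name}")
    for a in args("virtual-profile virtual-template"):
        if a[0] not in templates:
            missing.append(f"interface Virtual-Template{a[0]}")
    return sorted(screened - profiled), missing

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample, the only caller ID without a dialer profile is 5550001, and every referenced method list and template is defined.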