Virtual Access Interface not cloned from a Virtual Template

mmelbourne
Level 5

I have an issue with Virtual Profiles running on an AS5300, 12.1(20) with CSACS 2.6 as the TACACS+ authentication. The access server serves dial-up users (via a group-async interface) and ISDN dial-in users using fixed static dialer profiles. I am trying to extend this to use virtual profiles for some ISDN dial-in users (to principally download access-lists and routes on a per-user basis).

However, after configuring virtual templates, the virtual access interface is not cloned.

Are any special AAA authorization parameters required on the user's CSACS configuration?

Presumably the PPP authentication/authorization configuration used to authenticate the user, as the details configured on the physical serial interface.

ISDN Caller ID is used to bind inbound calls to the physical dialer profile, but the users without static dialer profiles have an ISDN caller statement under the physical interface, so the call is not rejected.

The user is authenticated and authorized but the virtual template is not cloned.

The relevant parts of the configuration are:

aaa new-model
aaa authentication login default local
aaa authentication login TELNET line
aaa authentication login DIALINPPP group tacacs+ local
aaa authentication ppp default local
aaa authentication ppp ROUTERPPP local
aaa authentication ppp DIALINPPP if-needed group tacacs+ local
aaa authorization exec DIALINPPP group tacacs+ if-authenticated
aaa authorization network ROUTERPPP if-authenticated
aaa authorization network DIALINPPP group tacacs+ local
aaa accounting network DIALINPPP start-stop group tacacs+
!
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Serial0:15
 no ip address
 encapsulation ppp
 no logging event link-status
 dialer pool-member 1
 no snmp trap link-status
 isdn switch-type primary-net5
 isdn caller 5551234
 isdn caller 5557890
 isdn caller 5550001
 isdn incoming-voice modem
 isdn skip-async-callerid-check
 compress stac
 no cdp enable
 ppp authentication chap DIALINPPP
 ppp authorization DIALINPPP
 ppp multilink
!
interface Dialer0
 description Dialer Profile #0
 ip unnumbered loopback0
 dialer caller 5551234
 ...
!
interface Dialer1
 description Dialer Profile #1
 ip unnumbered loopback0
 dialer caller 5557890
 ...

1 Reply

dbellazetin
Level 4

If ISDN users don't get a VACESS created that would mean they terminate on the D channel interface which does not have an IP address. If this were the case they should not be able to negotiate IPCP.

The "isdn caller" command can be used if you aren't doing "dialer caller" on dialer interfaces. So for anyone who happens to be calling from the numbers you have specified in the dialer caller statements on the D channel interface, the calls will bind to a B channel and no VACESS will be created.

However if the caller were to negotiate Multilink, that requires a VACESS interface so a VACESS would be created.

The above is true for ISDN users. If you are having the same problem with Async I don't see enough information to determine anything.

Run the following debugs if possible when the problem occurs.

debug isdn q931
debug aaa authen
debug aaa author
debug ppp neg
debug vtemplate

Daniel
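
Added example (not part of either post and not Cisco tooling): a small Python check, run over a constructed, trimmed copy of the configuration in the question, that lists the `isdn caller` numbers with no matching `dialer caller` profile (the users the question wants served by the virtual template) and flags PPP method-list names referenced on an interface but never defined under `aaa`. The function name `audit` and the keyword set used to pick out the list name are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the configuration quoted in the question.
SAMPLE = """\
aaa authentication ppp DIALINPPP if-needed group tacacs+ local
aaa authorization network DIALINPPP group tacacs+ local
interface Serial0:15
 isdn caller 5551234
 isdn caller 5557890
 isdn caller 5550001
 ppp authentication chap DIALINPPP
 ppp authorization DIALINPPP
interface Dialer0
 dialer caller 5551234
interface Dialer1
 dialer caller 5557890
"""

# Words that may follow "ppp authentication" and are not a method-list name
# (simplified set, an assumption of this example).
NOT_A_LIST = {"chap", "pap", "ms-chap", "callin", "one-time", "optional", "if-needed"}

def audit(config):
    """Return (screened callers with no dialer profile, undefined AAA list references)."""
    screened, profiled, refs = set(), set(), []
    defined = {"authentication ppp": set(), "authorization network": set()}
    iface = None
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if m := re.match(r"aaa (authentication ppp|authorization network) (\S+)", line):
            defined[m[1]].add(m[2])          # method list defined globally
        elif line.startswith("interface "):
            iface = words[1]
        elif line.startswith("isdn caller "):
            screened.add(words[2])           # number accepted by call screening
        elif line.startswith("dialer caller "):
            profiled.add(words[2])           # number bound to a static dialer profile
        elif line.startswith("ppp authentication "):
            names = [w for w in words[2:] if w not in NOT_A_LIST] or ["default"]
            refs.append((iface, "authentication ppp", names[0]))
        elif line.startswith("ppp authorization"):
            refs.append((iface, "authorization network", (words[2:] or ["default"])[0]))
    undefined = [r for r in refs if r[2] not in defined[r[1]]]
    return sorted(screened - profiled), undefined

if __name__ == "__main__":
    unbound, undefined = audit(SAMPLE)
    print("isdn caller entries with no dialer profile:", unbound)
    print("PPP method lists referenced but not defined:", undefined)
```
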