10-19-2002 08:08 AM - edited 03-09-2019 12:44 AM
Ask the experts: today I am using IOS Version 12.2(6) on an LNS RSP2 (Router 7507), but it has a problem with clients if they use PPP through the LAC. The LNS will not forward packets if the client uses PPP, but it is not a problem if they use MPP (multilink). This comes from enabling IP CEF; it cannot work with VPDN. If I disable IP CEF, the CPU utilization is too high. I found that IOS 12.2.11T resolved these problems. Since I upgraded the IOS to 12.2.11T, I have a problem: it can't use multiple login domains. I have three different login domains pointing to different RADIUS servers. I use the following configuration:
=====
aaa new-model
aaa authentication login default local group radius
aaa authentication login vty line
aaa authentication ppp default local group radius
aaa authorization network default if-authenticated group radius local
aaa accounting network default start-stop group radius
ip host domain1.com 192.168.0.1
ip host domain2.com 192.168.0.2
ip host domain3.com 192.168.0.3
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server host 192.168.0.2 auth-port 1645 acct-port 1646
radius-server host 192.168.0.3 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server directed-request
radius-server key [hind]
radius-server authorization permit missing Service-Type
=====
But it can use just one domain, domain1.com, to RADIUS 192.168.0.1; the other login domains do not work. The debug radius message says:
1d12h: RADIUS: directed-request server 192.168.0.2 is not in list
1d12h: RADIUS: directed-request server 192.168.0.3 is not in list
====
and the debug says directed-request goes to the first RADIUS in the list. I have no real log to show you; I have just this one problem. Right now I must go back to using IOS 12.2(6) because it has no problem with multiple login domains. Kindly suggest.
Thanks
Anan P.
10-25-2002 07:39 AM
To the best of my knowledge, Cisco IOS Version 12.2(6) is still in the LD state. It is not exactly a good practice to use LD versions on your production router. It's always safer from the reliability and security point of view to install a GD version.
The other IOS version that you are using, i.e. 12.2.11T, is in the ED (Early Deployment) state, and I am not sure about the stability of this version either.
I guess either way you will have to wait a little longer for the versions to become stable or choose some other IOS from the SA.
You can use the software advisor (SA) to help you choose a suitable version. The software advisor is available at http://www.cisco.com/cgi-bin/Support/CompNav/CN1.pl?Q2Submit=ProductFamily&HStartForm2=True&HProductFamily=4%7CIOS
My search for a version supporting PPP, CEF and multihop VPDN returned a pretty long list. Some of the versions mentioned were 12.2(7), 12.2(7a), 12.2(8)T, 12.2(8)T1, 12.2(8) and a number of other versions. I suggest you use this tool to pinpoint an IOS which meets your requirements. I would also suggest that you use a GD version only.
10-27-2002 01:45 AM
Hi MOHAMAD,
I have tested all the IOS versions from your suggestion. PPP on CEF works well, but another problem still remains. I forgot to inform you about the RADIUS attributes in IOS 12.2.11T: IOS 12.2.11T and 12.2.11T1 can send any RADIUS attribute to the LNS. I tested sending "Session-Timeout=300" to the LNS; then on the LNS, "show caller time" reports session-timeout 5:00, whereas the other IOS versions don't accept all attributes from RADIUS. Now I still want IOS 12.2.11T to make multiple login domains work. I have noticed that in IOS 12.2.11T, RADIUS seems to have newer features. I show you below (including the multiple-domain bug):
=============
Oct 27 12:57:55.587: RADIUS: directed-server 192.168.0.2 extracted from username XTE3000HIND@domain2.com"
Oct 27 12:57:55.587: RADIUS: AAA Unsupported [134] 17
Oct 27 12:57:55.587: RADIUS: 56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 31 [Virtual-Access1]
Oct 27 12:57:55.587: RADIUS(0000023B): Storing nasport 184 in rad_db
Oct 27 12:57:55.587: RADIUS/ENCODE(0000023B): acct_session_id: 594
Oct 27 12:57:55.587: RADIUS(0000023B): sending
Oct 27 12:57:55.587: RADIUS: directed-request server 192.168.0.2 is not in list
Oct 27 12:57:55.591: RADIUS: Using first server in list.
Oct 27 12:57:55.591: RADIUS: Send to unknown id 39 192.168.0.1:1645, Access-Request, len 109
Oct 27 12:57:55.591: RADIUS: authenticator 3A 2E 49 D2 32 A8 3D 6F - D0 A5 12 D4 D9 E0 50 7B
Oct 27 12:57:55.591: RADIUS: Framed-Protocol [7] 6 PPP [1]
Oct 27 12:57:55.591: RADIUS: User-Name [1] 25 "XTE3000HIND "
Oct 27 12:57:55.591: RADIUS: User-Password [2] 18 *
Oct 27 12:57:55.591: RADIUS: NAS-Port [5] 6 184
Oct 27 12:57:55.591: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Oct 27 12:57:55.591: RADIUS: Calling-Station-Id [31] 10 "[post hind]"
Oct 27 12:57:55.591: RADIUS: Called-Station-Id [30] 6 "[post hind]"
Oct 27 12:57:55.595: RADIUS: Service-Type [6] 6 Framed [2]
Oct 27 12:57:55.595: RADIUS: NAS-IP-Address [4] 6 172.16.0.1
Oct 27 12:57:56.295: RADIUS: Received from id 39 192.168.0.1:1645, Access-Reject, len 88
Oct 27 12:57:56.295: RADIUS: authenticator B4 28 C7 20 BA 2F 23 27 - 8B 57 55 BC 27 E8 D1 DC
Oct 27 12:57:56.295: RADIUS: Reply-Message [18] 68
Oct 27 12:57:56.295: RADIUS: 4E 6F 20 73 75 63 68 20 75 73 65 72 21 20 55 73 [No such user! Us]
Oct 27 12:57:56.295: RADIUS: 65 72 69 64 20 69 73 20 63 61 73 65 2D 73 65 6E [erid is case-sen]
Oct 27 12:57:56.299: RADIUS: 73 69 74 69 76 65 2C 0A 61 6E 64 20 61 74 20 6D [sitive,?and at m]
Oct 27 12:57:56.299: RADIUS: 6F 73 74 20 31 34 20 63 68 61 72 73 20 6C 6F 6E [ost 14 chars lon]
Oct 27 12:57:56.299: RADIUS: 67 2E [g.]
Oct 27 12:57:56.307: RADIUS: Received from id 23B
Oct 27 12:57:56.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access186, changed state to up
Oct 27 12:57:57.251: %LINK-3-UPDOWN: Interface Virtual-Access187, changed state to down
Oct 27 12:57:58.519: %LINK-3-UPDOWN: Interface Virtual-Access184, changed state to down
Oct 27 12:58:01.343: %LINK-3-UPDOWN: Interface Virtual-Access135, changed state to down
Oct 27 12:58:02.931: RADIUS: directed-server 192.168.0.2 extracted from username "XTE300HIND@domain2.com"
Oct 27 12:58:02.931: RADIUS: AAA Unsupported [134] 17
Oct 27 12:58:02.931: RADIUS: 56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 31 [Virtual-Access1]
Oct 27 12:58:02.931: RADIUS(00000238): Using existing nas_port 177
Oct 27 12:58:02.931: RADIUS/ENCODE(00000238): acct_session_id: 591
Oct 27 12:58:02.935: RADIUS(00000238): sending
Oct 27 12:58:02.935: RADIUS: directed-request server 192.168.0.2 is not in list
Oct 27 12:58:02.935: RADIUS: Using first server in list.
=======
and the show command:
LNSIOS12.2.11T# sh radius ?
server-group Shows the radius sg properties.
statistics Shows the radius statistics.
table Show RADIUS table information
LNSIOS12.2.11T# show radius table attributes
IETF ATTRIBUTE LIST:
Name User-Name Format String
Name User-Password Format Binary
Name CHAP-Password Format Binary
Name NAS-IP-Address Format IPv4 Address
Name NAS-Port Format Ulong
Name Service-Type Format Enum
Name Framed-Protocol Format Enum
Name Framed-IP-Address Format IPv4 Address
Name Framed-IP-Netmask Format IPv4 Address
Name Framed-Routing Format Ulong
Name Filter-Id Format Binary
Name Framed-MTU Format Ulong
Name Framed-Compression Format Enum
Name login-ip-addr-host Format IPv4 Address
Name Login-Service Format Enum
======
============ IOS12.2.12A ===========
LNS12.2.12A#sh radius ?
statistics Shows the radius statistics.
debug radius:
Oct 27 11:08:06.736: Radius: radius_port_info() success=1 radius_nas_port=1
Oct 27 11:08:06.836: RADIUS: Initial Transmit Virtual-Access143 id 67 192.168.0.1:1645, Access-Request, len 97
Oct 27 11:08:06.840: Attribute 4 6 CB79820A
Oct 27 11:08:06.840: Attribute 5 6 0000008F
Oct 27 11:08:06.840: Attribute 61 6 00000005
Oct 27 11:08:06.840: Attribute 1 13 58544544
Oct 27 11:08:06.840: Attribute 30 6 31323232
Oct 27 11:08:06.840: Attribute 31 10 32343638
Oct 27 11:08:06.840: Attribute 2 18 58E485D8
Oct 27 11:08:06.840: Attribute 6 6 00000002
Oct 27 11:08:06.840: Attribute 7 6 00000001
Oct 27 11:08:06.924: RADIUS: Received from id 67 192.168.0.1:1645, Access-Accept, len 55
Oct 27 11:08:06.924: Attribute 6 6 00000002
Oct 27 11:08:06.924: Attribute 7 6 00000001
Oct 27 11:08:06.924: Attribute 10 6 00000000
Oct 27 11:08:06.924: Attribute 27 6 00002A30
Oct 27 11:08:06.924: Attribute 28 6 00000384
Oct 27 11:08:06.924: Attribute 11 5 7070703D
Oct 27 11:08:06.980: RADIUS: saved authorization data for user 63628608 at 63422410
Oct 27 11:08:06.988: RADIUS: ustruct sharecount=3
Oct 27 11:08:06.988: Radius: radius_port_info() success=1 radius_nas_port=1
Oct 27 11:08:06.996: RADIUS: Initial Transmit Virtual-Access143 id 68 192.168.0.1:1646, Accounting-Request, len 181
====
It seems that if the debug radius format is like IOS 12.2.12A, multiple login domains will work. Today I have already upgraded from 12.2(6) to 12.2.12a, just to fix PPP and CEF for VPDN first, but I still need the RADIUS attributes for controlling the LNS from IOS 12.2.11T.
Thanks
Anan P.
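The debug output above is hard to read by eye when many sessions interleave. The following added example (not from the original thread or from Cisco) parses IOS 12.2-style `debug radius` lines into one record per Access-Request, flags exchanges where the server extracted from user@domain was not the one the request was actually sent to (the "is not in list" / "Using first server in list" case from the post), and cross-checks the first post's `ip host` and `radius-server host` configuration so that every directed-request domain resolves to a server that is in the list. The log excerpt is constructed: it reuses a few of the posted lines verbatim and adds a made-up `alice@domain1.com` exchange as a working control. The record fields and function names are this example's own.

```python
"""Parse IOS-style 'debug radius' output to spot directed-request fallbacks.
Added example, not code from the original thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: lines 1-8 are taken from the posted debug output,
# lines 9-12 are a made-up exchange that is routed as intended.
DEBUG_LOG = """\
Oct 27 12:57:55.587: RADIUS: directed-server 192.168.0.2 extracted from username XTE3000HIND@domain2.com"
Oct 27 12:57:55.587: RADIUS(0000023B): sending
Oct 27 12:57:55.587: RADIUS: directed-request server 192.168.0.2 is not in list
Oct 27 12:57:55.591: RADIUS: Using first server in list.
Oct 27 12:57:55.591: RADIUS: Send to unknown id 39 192.168.0.1:1645, Access-Request, len 109
Oct 27 12:57:55.591: RADIUS: User-Name [1] 25 "XTE3000HIND "
Oct 27 12:57:56.295: RADIUS: Received from id 39 192.168.0.1:1645, Access-Reject, len 88
Oct 27 12:57:56.295: RADIUS: Reply-Message [18] 68
Oct 27 12:58:10.100: RADIUS: directed-server 192.168.0.1 extracted from username "alice@domain1.com"
Oct 27 12:58:10.100: RADIUS: Send to unknown id 40 192.168.0.1:1645, Access-Request, len 90
Oct 27 12:58:10.100: RADIUS: User-Name [1] 7 "alice"
Oct 27 12:58:10.400: RADIUS: Received from id 40 192.168.0.1:1645, Access-Accept, len 40
"""

# Directed-request related lines from the first post's configuration.
CONFIG = """\
ip host domain1.com 192.168.0.1
ip host domain2.com 192.168.0.2
ip host domain3.com 192.168.0.3
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server host 192.168.0.2 auth-port 1645 acct-port 1646
radius-server host 192.168.0.3 auth-port 1645 acct-port 1646
radius-server directed-request
"""

@dataclass
class Exchange:
    """One Access-Request as reconstructed from the debug lines."""
    username: str                      # full user@domain seen by the LNS
    directed_server: str               # server the domain part resolved to
    fell_back: bool = False            # "is not in list" seen for this request
    sent_to: Optional[str] = None      # server the request actually went to
    sent_username: Optional[str] = None  # User-Name attribute as transmitted
    result: Optional[str] = None       # Access-Accept / Access-Reject

# The posted log has one line missing its opening quote, so the quote is optional.
RE_DIRECTED = re.compile(r'directed-server (\S+) extracted from username "?([^"]+)"?')
RE_NOT_IN_LIST = re.compile(r'directed-request server (\S+) is not in list')
RE_SEND = re.compile(r'Send to unknown id \d+ (\S+):\d+, Access-Request')
RE_USER = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
RE_RECV = re.compile(r'Received from id \d+ \S+, (Access-Accept|Access-Reject)')

def parse_exchanges(log: str) -> List[Exchange]:
    """Group debug lines into exchanges, starting a new one at each 'directed-server' line."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    for line in log.splitlines():
        if m := RE_DIRECTED.search(line):
            cur = Exchange(username=m.group(2), directed_server=m.group(1))
            exchanges.append(cur)
        elif cur is None:
            continue
        elif RE_NOT_IN_LIST.search(line):
            cur.fell_back = True
        elif m := RE_SEND.search(line):
            cur.sent_to = m.group(1)
        elif m := RE_USER.search(line):
            cur.sent_username = m.group(1).strip()
        elif m := RE_RECV.search(line):
            cur.result = m.group(1)
    return exchanges

def misrouted(exchanges: List[Exchange]) -> List[Exchange]:
    """Exchanges whose directed server was not the server actually used."""
    return [e for e in exchanges
            if e.fell_back or (e.sent_to is not None and e.sent_to != e.directed_server)]

def parse_config(config: str) -> Tuple[Dict[str, str], List[str], bool]:
    """Extract ip host mappings, radius-server host addresses and the directed-request flag."""
    hosts: Dict[str, str] = {}
    servers: List[str] = []
    directed = False
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "host"]:
            hosts[parts[2]] = parts[3]
        elif parts[:2] == ["radius-server", "host"]:
            servers.append(parts[2])
        elif parts[:2] == ["radius-server", "directed-request"]:
            directed = True
    return hosts, servers, directed

def config_lint(config: str) -> List[str]:
    """Domains whose ip host target is not a configured radius-server host.
    With directed-request enabled, such a domain cannot be honoured."""
    hosts, servers, directed = parse_config(config)
    if not directed:
        return []
    return [domain for domain, ip in hosts.items() if ip not in servers]

if __name__ == "__main__":
    for e in misrouted(parse_exchanges(DEBUG_LOG)):
        print(f"{e.username}: wanted {e.directed_server}, sent to {e.sent_to} as "
              f"{e.sent_username!r}, result {e.result}")
    print("domains without a matching radius-server host:", config_lint(CONFIG))
```

Run against the posted excerpt, `misrouted` reports the `XTE3000HIND@domain2.com` request as sent to 192.168.0.1 with the domain stripped from User-Name, which is exactly why the first server answers "No such user". `config_lint` returns an empty list for the posted configuration, so the fallback in the log is not explained by a missing `radius-server host` entry; that is consistent with the poster's conclusion that the behaviour is version-specific rather than a configuration mistake.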