VPDN IOS 12.2.11T: multiple login domains do not work

noc
Level 1

Question for the experts: today I am using IOS Version 12.2(6) on an LNS with RSP2 (Router 7507), but it has a problem with clients that use PPP through the LAC. The LNS will not forward packets if the client uses PPP, but there is no problem if MPP (Multilink) is used, because once IP CEF is enabled it cannot work with VPDN. If I disable IP CEF, the CPU utilization is too high. I found that IOS 12.2.11T resolved these problems. Since I upgraded the IOS to 12.2.11T, I have a problem: it cannot use multiple login domains. I have three different login domains pointing to different RADIUS servers, and I use the following configuration:

=====

aaa new-model

aaa authentication login default local group radius

aaa authentication login vty line

aaa authentication ppp default local group radius

aaa authorization network default if-authenticated group radius local

aaa accounting network default start-stop group radius

ip host domain1.com 192.168.0.1

ip host domain2.com 192.168.0.2

ip host domain3.com 192.168.0.3

radius-server host 192.168.0.1 auth-port 1645 acct-port 1646

radius-server host 192.168.0.2 auth-port 1645 acct-port 1646

radius-server host 192.168.0.3 auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server directed-request

radius-server key [hind]

radius-server authorization permit missing Service-Type

=====

But it can use only one domain, domain1.com, to the RADIUS server 192.168.0.1; the other login domains do not work. The debug radius messages say:

1d12h: RADIUS: directed-request server 192.168.0.2 is not in list

1d12h: RADIUS: directed-request server 192.168.0.3 is not in list

====

and the debug says the directed request goes to the first RADIUS server in the list. I have no real log to show you; I have just this one problem. Right now I must go back to IOS 12.2(6) because it has no problem with multiple login domains. Kindly suggest.

Thanks

Anan P.


murabi
Level 4

To the best of my knowledge, Cisco IOS Version 12.2(6) is still in the LD state. It is not exactly a good practice to use LD versions on your production router. It's always safer from the reliability and security point of view to install a GD version.

The other IOS version that you are using, i.e. 12.2.11T, is in the ED (Early Deployment) state and I am not sure about the stability of this version either.

I guess either way you will have to wait a little longer for the versions to become stable or choose some other IOS from the SA.

You can use the Software Advisor (SA) to help you choose a suitable version. The Software Advisor is available at http://www.cisco.com/cgi-bin/Support/CompNav/CN1.pl?Q2Submit=ProductFamily&HStartForm2=True&HProductFamily=4%7CIOS

My search for a version supporting PPP, CEF and multihop VPDN returned a pretty long list. Some of the versions mentioned were 12.2(7), 12.2(7a), 12.2(8)T, 12.2(8)T1, 12.2(8) and a number of other versions. I suggest you use this tool to pinpoint an IOS which meets your requirements. I would also suggest that you use a GD version only.

noc
Level 1

Hi Mohamad,

I have tested all the IOS versions from your suggestion. PPP on CEF works well, but another problem remains. I forgot to inform you about RADIUS attributes: with IOS 12.2.11T and IOS 12.2.11T1 the RADIUS server can send any attribute to the LNS. I tested sending "Session-Timeout=300" to the LNS; then on the LNS, "show caller time" reports a session-timeout of 5:00, whereas the other IOS versions do not accept all attributes from RADIUS. Now I still want IOS 12.2.11T to make multiple login domains work. I have noticed that in IOS 12.2.11T the RADIUS code seems to have newer features. I show you below (including the multiple domain bug):

=============

Oct 27 12:57:55.587: RADIUS: directed-server 192.168.0.2 extracted from username XTE3000HIND@domain2.com"

Oct 27 12:57:55.587: RADIUS: AAA Unsupported [134] 17

Oct 27 12:57:55.587: RADIUS: 56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 31 [Virtual-Access1]

Oct 27 12:57:55.587: RADIUS(0000023B): Storing nasport 184 in rad_db

Oct 27 12:57:55.587: RADIUS/ENCODE(0000023B): acct_session_id: 594

Oct 27 12:57:55.587: RADIUS(0000023B): sending

Oct 27 12:57:55.587: RADIUS: directed-request server 192.168.0.2 is not in list

Oct 27 12:57:55.591: RADIUS: Using first server in list.

Oct 27 12:57:55.591: RADIUS: Send to unknown id 39 192.168.0.1:1645, Access-Request, len 109

Oct 27 12:57:55.591: RADIUS: authenticator 3A 2E 49 D2 32 A8 3D 6F - D0 A5 12 D4 D9 E0 50 7B

Oct 27 12:57:55.591: RADIUS: Framed-Protocol [7] 6 PPP [1]

Oct 27 12:57:55.591: RADIUS: User-Name [1] 25 "XTE3000HIND "

Oct 27 12:57:55.591: RADIUS: User-Password [2] 18 *

Oct 27 12:57:55.591: RADIUS: NAS-Port [5] 6 184

Oct 27 12:57:55.591: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

Oct 27 12:57:55.591: RADIUS: Calling-Station-Id [31] 10 "[post hind]"

Oct 27 12:57:55.591: RADIUS: Called-Station-Id [30] 6 "[post hind]"

Oct 27 12:57:55.595: RADIUS: Service-Type [6] 6 Framed [2]

Oct 27 12:57:55.595: RADIUS: NAS-IP-Address [4] 6 172.16.0.1

Oct 27 12:57:56.295: RADIUS: Received from id 39 192.168.0.1:1645, Access-Reject, len 88

Oct 27 12:57:56.295: RADIUS: authenticator B4 28 C7 20 BA 2F 23 27 - 8B 57 55 BC 27 E8 D1 DC

Oct 27 12:57:56.295: RADIUS: Reply-Message [18] 68

Oct 27 12:57:56.295: RADIUS: 4E 6F 20 73 75 63 68 20 75 73 65 72 21 20 55 73 [No such user! Us]

Oct 27 12:57:56.295: RADIUS: 65 72 69 64 20 69 73 20 63 61 73 65 2D 73 65 6E [erid is case-sen]

Oct 27 12:57:56.299: RADIUS: 73 69 74 69 76 65 2C 0A 61 6E 64 20 61 74 20 6D [sitive,?and at m]

Oct 27 12:57:56.299: RADIUS: 6F 73 74 20 31 34 20 63 68 61 72 73 20 6C 6F 6E [ost 14 chars lon]

Oct 27 12:57:56.299: RADIUS: 67 2E [g.]

Oct 27 12:57:56.307: RADIUS: Received from id 23B

Oct 27 12:57:56.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access186, changed state to up

Oct 27 12:57:57.251: %LINK-3-UPDOWN: Interface Virtual-Access187, changed state to down

Oct 27 12:57:58.519: %LINK-3-UPDOWN: Interface Virtual-Access184, changed state to down

Oct 27 12:58:01.343: %LINK-3-UPDOWN: Interface Virtual-Access135, changed state to down

Oct 27 12:58:02.931: RADIUS: directed-server 192.168.0.2 extracted from username "XTE300HIND@domain2.com"

Oct 27 12:58:02.931: RADIUS: AAA Unsupported [134] 17

Oct 27 12:58:02.931: RADIUS: 56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 31 [Virtual-Access1]

Oct 27 12:58:02.931: RADIUS(00000238): Using existing nas_port 177

Oct 27 12:58:02.931: RADIUS/ENCODE(00000238): acct_session_id: 591

Oct 27 12:58:02.935: RADIUS(00000238): sending

Oct 27 12:58:02.935: RADIUS: directed-request server 192.168.0.2 is not in list

Oct 27 12:58:02.935: RADIUS: Using first server in list.

=======

and the show commands:

LNSIOS12.2.11T# sh radius ?

server-group Shows the radius sg properties.

statistics Shows the radius statistics.

table Show RADIUS table information

LNSIOS12.2.11T# show radius table attributes

IETF ATTRIBUTE LIST:

Name User-Name Format String

Name User-Password Format Binary

Name CHAP-Password Format Binary

Name NAS-IP-Address Format IPv4 Address

Name NAS-Port Format Ulong

Name Service-Type Format Enum

Name Framed-Protocol Format Enum

Name Framed-IP-Address Format IPv4 Address

Name Framed-IP-Netmask Format IPv4 Address

Name Framed-Routing Format Ulong

Name Filter-Id Format Binary

Name Framed-MTU Format Ulong

Name Framed-Compression Format Enum

Name login-ip-addr-host Format IPv4 Address

Name Login-Service Format Enum

======

============ IOS12.2.12A ===========

LNS12.2.12A#sh radius ?

statistics Shows the radius statistics.

debug radius:

Oct 27 11:08:06.736: Radius: radius_port_info() success=1 radius_nas_port=1

Oct 27 11:08:06.836: RADIUS: Initial Transmit Virtual-Access143 id 67 192.168.0.1:1645, Access-Request, len 97

Oct 27 11:08:06.840: Attribute 4 6 CB79820A

Oct 27 11:08:06.840: Attribute 5 6 0000008F

Oct 27 11:08:06.840: Attribute 61 6 00000005

Oct 27 11:08:06.840: Attribute 1 13 58544544

Oct 27 11:08:06.840: Attribute 30 6 31323232

Oct 27 11:08:06.840: Attribute 31 10 32343638

Oct 27 11:08:06.840: Attribute 2 18 58E485D8

Oct 27 11:08:06.840: Attribute 6 6 00000002

Oct 27 11:08:06.840: Attribute 7 6 00000001

Oct 27 11:08:06.924: RADIUS: Received from id 67 192.168.0.1:1645, Access-Accept, len 55

Oct 27 11:08:06.924: Attribute 6 6 00000002

Oct 27 11:08:06.924: Attribute 7 6 00000001

Oct 27 11:08:06.924: Attribute 10 6 00000000

Oct 27 11:08:06.924: Attribute 27 6 00002A30

Oct 27 11:08:06.924: Attribute 28 6 00000384

Oct 27 11:08:06.924: Attribute 11 5 7070703D

Oct 27 11:08:06.980: RADIUS: saved authorization data for user 63628608 at 63422410

Oct 27 11:08:06.988: RADIUS: ustruct sharecount=3

Oct 27 11:08:06.988: Radius: radius_port_info() success=1 radius_nas_port=1

Oct 27 11:08:06.996: RADIUS: Initial Transmit Virtual-Access143 id 68 192.168.0.1:1646, Accounting-Request, len 181

====

It seems that if the debug radius format is like IOS 12.2.12A, multiple login domains will work. Today I have already upgraded from 12.2(6) to 12.2.12a, which fixed PPP and CEF for VPDN first, but I still need the RADIUS attributes for controlling the LNS from IOS 12.2.11T.

Thanks

Anan P.
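As an added illustration (not code from this thread or from Cisco IOS), the following Python models the directed-request selection that the configuration in the first post and the debug output in the last post show: the domain after "@" is resolved through the "ip host" table, and when the image refuses the directed server ("is not in list") the request falls back to the first server, so a domain2 user's Access-Request reaches domain1's RADIUS server. The server_list argument, the fallback_to_first switch and the sample debug lines are assumptions constructed for the example; the fallback rule is inferred from the quoted debug lines, not from IOS source.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the poster's "ip host" and "radius-server host" lines.
IP_HOSTS = {"domain1.com": "192.168.0.1",
            "domain2.com": "192.168.0.2",
            "domain3.com": "192.168.0.3"}
RADIUS_SERVERS = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]


@dataclass(frozen=True)
class Decision:
    server: Optional[str]   # where the Access-Request goes; None = not sent
    directed: bool          # True if the domain-selected server was used
    log: tuple              # debug-style messages mirroring the thread


def directed_request(login, server_list=RADIUS_SERVERS, ip_hosts=IP_HOSTS,
                     fallback_to_first=True):
    """Pick the RADIUS server for a user@domain login (simplified model).

    server_list is the ordered list the image actually recognises; passing a
    shortened list reproduces the 12.2.11T symptom. fallback_to_first is a
    hypothetical switch for the "Using first server in list." behaviour.
    """
    log = []
    _user, sep, domain = login.rpartition("@")
    target = ip_hosts.get(domain) if sep else None
    if target is None:
        log.append("no directed server for %r; using first server" % login)
        return Decision(server_list[0], False, tuple(log))
    log.append('directed-server %s extracted from username "%s"' % (target, login))
    if target in server_list:
        return Decision(target, True, tuple(log))
    # Symptom in the thread: the directed server is refused and the request
    # goes to server #1, so another realm's RADIUS sees this user's request.
    log.append("directed-request server %s is not in list" % target)
    if not fallback_to_first:
        return Decision(None, False, tuple(log))
    log.append("Using first server in list.")
    return Decision(server_list[0], False, tuple(log))


FALLBACK_RE = re.compile(r"directed-request server (\S+) is not in list")


def fallback_events(debug_lines):
    """Return the directed servers that 'debug radius' reported as refused."""
    found = []
    for line in debug_lines:
        m = FALLBACK_RE.search(line)
        if m:
            found.append(m.group(1))
    return found
```

fallback_events can be run over captured "debug radius" output to count how often requests were redirected to the first server instead of the realm's own server.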