Cistron 1.6.4 + Cisco AS5300
Brent Reich
brent@unixcentauri.com
Fri, 7 Sep 2001 13:49:45 -0500
Hi Miquel,
I believe my NAS is in order, here are the pertinent aaa configs from the
5300:
aaa authentication login default line
aaa authentication login dialin radius
aaa authentication enable default enable
aaa authentication ppp default radius
aaa authorization network default radius
aaa accounting network default start-stop radius
I have delved into the archives and found a thread called "Analog yes,
ISDN no... Why? the goback" from March 2001
It appears I have a very similar problem. On further inspection
(following the FAQ debug), I find that my Async users get on just fine,
it's only the ISDN users that cannot authenticate. Here is output from the
radius server:
radrecv: Request from host xxx.xxx.xxx.35 code=1, id=157, length=84
NAS-IP-Address = xxx.xxx.xxx.35
NAS-Port-Id = 32
NAS-Port-Type = Async
User-Name = "name"
Called-Station-Id = "1111111"
Password = "***encrypted stuff***"
Service-Type = Framed-User
Framed-Protocol = PPP
users: Matched name at 418
auth: System
Sending Ack of id 157 to xxx.xxx.xxx.35 (nas d-nas00)
Service-Type = Framed-User
Framed-IP-Address = 0.0.0.0
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Login OK: [name/password] (from nas d-nas00/S32)
radrecv: Request from host xxx.xxx.xxx.35 code=4, id=158, length=94
NAS-IP-Address = xxx.xxx.xxx.35
NAS-Port-Id = 32
NAS-Port-Type = Async
User-Name = "name"
Called-Station-Id = "1111111"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00000A36"
Framed-Protocol = PPP
Acct-Delay-Time = 0
Sending Accounting Ack of id 158 to xxx.xxx.xxx.35 (nas d-nas00)
This all should be good ^^^^^^^^^^^^^^^^^ BTW, the NAS assigns *most*
users dynamic IPs, do I even need the Framed-IP-Address = 0.0.0.0 in
my users file for those people??? (I will include a segment of the users
file at the bottom.)
Here's the bad stuff:
Login incorrect: [ISDNname/password] (from nas d-nas00/S20111 cli 1111111)
radrecv: Request from host xxx.xxx.xxx.35 code=4, id=160, length=107
NAS-IP-Address = xxx.xxx.xxx.35
NAS-Port-Id = 20111
NAS-Port-Type = ISDN
User-Name = "ISDNname"
Calling-Station-Id = "1111111"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00000A37"
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 0
Acct-Delay-Time = 0
Accounting: logout: login entry for NAS d-nas00 port 20111 not found
Sending Accounting Ack of id 160 to xxx.xxx.xxx.35 (nas d-nas00)
radrecv: Request from host xxx.xxx.xxx.35 code=1, id=161, length=85
NAS-IP-Address = xxx.xxx.xxx.35
NAS-Port-Id = 20113
NAS-Port-Type = ISDN
User-Name = "ISDNname"
Calling-Station-Id = "1111111"
Password = "***encrypted stuff***"
Service-Type = Framed-User
Framed-Protocol = PPP
users: Matched ISDNname at 15
auth: System
Sending Reject of id 161 to xxx.xxx.xxx.35 (nas d-nas00)
Login incorrect: [ISDNname/password] (from nas d-nas00/S20113 cli 1111111)
radrecv: Request from host xxx.xxx.xxx.35 code=4, id=162, length=107
NAS-IP-Address = xxx.xxx.xxx.35
NAS-Port-Id = 20113
NAS-Port-Type = ISDN
User-Name = "ISDNname"
Calling-Station-Id = "1111111"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00000A38"
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 0
Acct-Delay-Time = 0
Accounting: logout: login entry for NAS d-nas00 port 20113 not found
Sending Accounting Ack of id 162 to xxx.xxx.xxx.35 (nas d-nas00)
It does say Login Incorrect, but that is incorrect, the password
(cleartext) _is_ correct.
So, I still never get a "START" record for ISDN users. I still don't
understand what all the Accounting: logout: port not found entries mean.
From the users file:
########ISDN########
ISDNname Auth-Type = System, Simultaneous-Use = 1, NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 0.0.0.0,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

ISDNname1 Auth-Type = System, Simultaneous-Use = 2, NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = xxx.xxx.xxx.9,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

########DIAL-UP########
name Auth-Type = System, Simultaneous-Use = 2
        Service-Type = Framed-User,
        Framed-IP-Address = 0.0.0.0,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

name1 Auth-Type = System, Simultaneous-Use = 1
        Service-Type = Framed-User,
        Framed-IP-Address = 0.0.0.0,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP
Any thoughts on where to go from here? I am thoroughly confused.
On Thu, Sep 06, 2001 at 10:43:45PM +0000, Miquel van Smoorenburg wrote:
> In article <20010906160127.A22694@unixcentauri.com>,
> Brent Reich <brent@unixcentauri.com> wrote:
> >I am pretty green at Radius and SNMP, if I need to include more info for
> >this please let me know and I will provide it. Needless to say in my
> >details file I only get "STOP" records.
>
> And that is exactly your problem. Fix your NAS so that it sends
> start records as well.
>
> Mike.
> --
> "Answering above the original message is called top posting. Sometimes
> also called the Jeopardy style. Usenet is Q & A not A & Q." -- Bob Gootee
--
Brent Reich, CCNA
brent@unixcentauri.com
http://www.unixcentauri.com
0110111001101111011011100111001101100101011011100111001101100101
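
Added example (not part of the original post and not Cistron code): a small Python parser for debug output in the format quoted above. It counts rejected Access-Requests (code=1) per NAS-Port-Type and lists Acct-Session-Ids that appear with a Stop record but no Start. The sample log, the host address 192.0.2.35 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the debug format quoted in the post (not real traffic).
SAMPLE = """\
radrecv: Request from host 192.0.2.35 code=1, id=157, length=84
NAS-Port-Type = Async
Sending Ack of id 157 to 192.0.2.35 (nas d-nas00)
radrecv: Request from host 192.0.2.35 code=4, id=158, length=94
Acct-Status-Type = Start
Acct-Session-Id = "00000A36"
Sending Accounting Ack of id 158 to 192.0.2.35 (nas d-nas00)
radrecv: Request from host 192.0.2.35 code=1, id=161, length=85
NAS-Port-Type = ISDN
Sending Reject of id 161 to 192.0.2.35 (nas d-nas00)
radrecv: Request from host 192.0.2.35 code=4, id=162, length=107
Acct-Status-Type = Stop
Acct-Session-Id = "00000A38"
Sending Accounting Ack of id 162 to 192.0.2.35 (nas d-nas00)
"""

REQ = re.compile(r"radrecv: Request from host (\S+) code=(\d+), id=(\d+)")
ATTR = re.compile(r"([A-Za-z][\w-]*) = \"?(.*?)\"?$")
REPLY = re.compile(r"Sending (Accounting Ack|Ack|Reject) of id (\d+)")

def parse(log):
    """Split the debug log into request dicts: code, id, attrs, reply."""
    packets, cur = [], None
    for line in map(str.strip, log.splitlines()):
        if m := REQ.match(line):
            cur = {"code": int(m[2]), "id": int(m[3]), "attrs": {}, "reply": None}
            packets.append(cur)
        elif cur and (m := REPLY.match(line)) and int(m[2]) == cur["id"]:
            cur["reply"] = m[1]
        elif cur and (m := ATTR.match(line)):
            cur["attrs"][m[1]] = m[2]
    return packets

def summarize(packets):
    """Return (rejects per NAS-Port-Type, session ids with Stop but no Start)."""
    rejects, status = {}, {}
    for p in packets:
        a = p["attrs"]
        if p["code"] == 1 and p["reply"] == "Reject":   # rejected Access-Request
            kind = a.get("NAS-Port-Type", "?")
            rejects[kind] = rejects.get(kind, 0) + 1
        elif p["code"] == 4:                             # Accounting-Request
            status.setdefault(a.get("Acct-Session-Id", "?"), set()).add(a.get("Acct-Status-Type"))
    return rejects, sorted(s for s, v in status.items() if "Stop" in v and "Start" not in v)

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```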