Cistron 1.6.4 + Cisco AS5300
Brent Reich
brent@unixcentauri.com
Thu, 13 Sep 2001 10:15:21 -0500
This email is solely for the benefit of the archives, as the thread has
good examples of correct AS5300 configs in it. This problem has been
resolved. There were some config problems early on, but the main issue
was that the operator (me) is a colossal idiot =) When doing debugging on the
5300 itself I find the *one* ISDN user I was testing with was getting
auth failures. After double-checking the 5300 50 million times, then
rechecking the radius users file and such another 50 million times, I
discovered that I neglected to add that user to the unix passwd file :p
No wonder it wasn't auth'ing :p So, suffering major shame and
embarrassment, we can officially close this thread. Thanks to everybody
for the pointers and suggestions, as they did help me fix things early
on, and eventually led me to the assumption that 1) my NAS was correct,
2) my Radius was correct, 3) so what else is there possibly? ... the
only thing I didn't check.... the unix passwd file that radius was
auth'ing against. Lesson learned: use multiple test examples; don't
put all the eggs in one basket.
On Tue, Sep 11, 2001 at 11:24:51AM -0500, Brent Reich wrote:
>
>
> Hi again,
>
> I have tried to implement the recommendation below, but I get an error
> from the 5300. Also, I *may* have posted the wrong section as the
> d-channel config snippet, so I will include 2 more sections here that I
> think pertain to that. Please advise, and thanks for the help and
> patience so far =)
>
> the "error":
>
> d-nas00#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> d-nas00(config)#int ser0:23
> d-nas00(config-if)#ppp
> d-nas00(config-if)#ppp authen
> d-nas00(config-if)#ppp authentication pap
> Cannot change ppp values of hunt group member
> d-nas00(config-if)#
>
>
> here are the other 2 sections that may be pertinent to this problem:
>
> interface Virtual-Template1
> ip unnumbered FastEthernet0
> no ip directed-broadcast
> peer default ip address pool ippool
> ppp authentication pap
>
>
> interface Dialer0
> ip unnumbered FastEthernet0
> no ip directed-broadcast
> encapsulation ppp
> no logging event link-status
> dialer in-band
> dialer idle-timeout 32000
> dialer-group 1
> no snmp trap link-status
> peer default ip address pool ippool
> no cdp enable
> ppp authentication pap
> ppp multilink bap
> ppp bap call accept
> ppp bap timeout pending 20
> ppp bap link types isdn analog
>
>
> These 2 do indeed have the ip unnumbered <interface> and the ppp
> authentication pap lines in them.
>
> TIA.
>
>
> On Mon, Sep 10, 2001 at 05:03:12PM +0200, Mustafa N. Deeb wrote:
> > I had the same problem
> >
> > And I added these lines under the D channel
> > Ip unnumbered <INTERFACE>
> > Ppp authentication pap
> >
> >
> >
> > -----Original Message-----
> > From: cistron-radius-admin@lists.cistron.nl
> > [mailto:cistron-radius-admin@lists.cistron.nl] On Behalf Of Brent Reich
> > Sent: Monday, September 10, 2001 4:13 PM
> > To: cistron-radius@lists.cistron.nl
> > Subject: Re: Cistron 1.6.4 + Cisco AS5300
> >
> > Not sure if this is the config info you had requested. Let me know if
> > this is not it, and maybe where on this thing (AS5300) I can get it for
> > you =)
> >
> > interface Serial0:23
> > no ip address
> > no ip directed-broadcast
> > encapsulation ppp
> > dialer rotary-group 0
> > dialer-group 1
> > isdn switch-type primary-ni
> > isdn tei-negotiation first-call
> > isdn incoming-voice modem
> > no cdp enable
> >
> >
> >
> > On Sat, Sep 08, 2001 at 08:47:44AM +0200, Mustafa N. Deeb wrote:
> > > Can you forward us the configurations under the D-channel,
> > > i.e. Serial X/X:15
> > >
> > > I always had this problem with ciscos, but it was always solved inside
> > > the D-Channel Configs.
> > >
> > > Cheers
> > >
> > > -----Original Message-----
> > > From: cistron-radius-admin@lists.cistron.nl
> > > [mailto:cistron-radius-admin@lists.cistron.nl] On Behalf Of Brent Reich
> > > Sent: Friday, September 07, 2001 8:50 PM
> > > To: cistron-radius@lists.cistron.nl
> > > Subject: Re: Cistron 1.6.4 + Cisco AS5300
> > >
> > >
> > >
> > > Hi Miquel,
> > >
> > > I believe my NAS is in order; here are the pertinent aaa configs from the
> > > 5300:
> > >
> > > aaa authentication login default line
> > > aaa authentication login dialin radius
> > > aaa authentication enable default enable
> > > aaa authentication ppp default radius
> > > aaa authorization network default radius
> > > aaa accounting network default start-stop radius
> > >
> > > I have delved into the archives and found a thread called "Analog yes,
> > > ISDN no... Why? the goback" from March 2001
> > >
> > >
> > > It appears I have a very similar problem; on further inspection
> > > (following the FAQ debug) I find that my Async users get on just fine,
> > > it's only the ISDN users that cannot authenticate. Here is output from
> > > the radius server:
> > >
> > > radrecv: Request from host xxx.xxx.xxx.35 code=1, id=157, length=84
> > > NAS-IP-Address = xxx.xxx.xxx.35
> > > NAS-Port-Id = 32
> > > NAS-Port-Type = Async
> > > User-Name = "name"
> > > Called-Station-Id = "1111111"
> > > Password = "***encrypted stuff***"
> > > Service-Type = Framed-User
> > > Framed-Protocol = PPP
> > > users: Matched name at 418
> > > auth: System
> > > Sending Ack of id 157 to xxx.xxx.xxx.35 (nas d-nas00)
> > > Service-Type = Framed-User
> > > Framed-IP-Address = 0.0.0.0
> > > Framed-MTU = 1500
> > > Framed-Compression = Van-Jacobson-TCP-IP
> > > Login OK: [name/password] (from nas d-nas00/S32)
> > > radrecv: Request from host xxx.xxx.xxx.35 code=4, id=158, length=94
> > > NAS-IP-Address = xxx.xxx.xxx.35
> > > NAS-Port-Id = 32
> > > NAS-Port-Type = Async
> > > User-Name = "name"
> > > Called-Station-Id = "1111111"
> > > Acct-Status-Type = Start
> > > Acct-Authentic = RADIUS
> > > Service-Type = Framed-User
> > > Acct-Session-Id = "00000A36"
> > > Framed-Protocol = PPP
> > > Acct-Delay-Time = 0
> > > Sending Accounting Ack of id 158 to xxx.xxx.xxx.35 (nas d-nas00)
> > >
> > >
> > > This all should be good ^^^^^^^^^^^^^^^^^ BTW, the NAS assigns *most*
> > > users dynamic IPs. Do I even need the Framed-IP-Address = 0.0.0.0 in
> > > my users file for those people??? (I will include a segment of the users
> > > file at the bottom.)
> > >
> > > Here's the bad stuff:
> > >
> > > Login incorrect: [ISDNname/password] (from nas d-nas00/S20111 cli
> > > 1111111)
> > > radrecv: Request from host xxx.xxx.xxx.35 code=4, id=160, length=107
> > > NAS-IP-Address = xxx.xxx.xxx.35
> > > NAS-Port-Id = 20111
> > > NAS-Port-Type = ISDN
> > > User-Name = "ISDNname"
> > > Calling-Station-Id = "1111111"
> > > Acct-Status-Type = Stop
> > > Acct-Authentic = RADIUS
> > > Service-Type = Framed-User
> > > Acct-Session-Id = "00000A37"
> > > Acct-Input-Packets = 0
> > > Acct-Output-Packets = 0
> > > Acct-Session-Time = 0
> > > Acct-Delay-Time = 0
> > > Accounting: logout: login entry for NAS d-nas00 port 20111 not found
> > > Sending Accounting Ack of id 160 to xxx.xxx.xxx.35 (nas d-nas00)
> > > radrecv: Request from host xxx.xxx.xxx.35 code=1, id=161, length=85
> > > NAS-IP-Address = xxx.xxx.xxx.35
> > > NAS-Port-Id = 20113
> > > NAS-Port-Type = ISDN
> > > User-Name = "ISDNname"
> > > Calling-Station-Id = "1111111"
> > > Password = "***encrypted stuff***"
> > > Service-Type = Framed-User
> > > Framed-Protocol = PPP
> > > users: Matched ISDNname at 15
> > > auth: System
> > > Sending Reject of id 161 to xxx.xxx.xxx.35 (nas d-nas00)
> > > Login incorrect: [ISDNname/password] (from nas d-nas00/S20113 cli
> > > 1111111)
> > > radrecv: Request from host xxx.xxx.xxx.35 code=4, id=162, length=107
> > > NAS-IP-Address = xxx.xxx.xxx.35
> > > NAS-Port-Id = 20113
> > > NAS-Port-Type = ISDN
> > > User-Name = "ISDNname"
> > > Calling-Station-Id = "1111111"
> > > Acct-Status-Type = Stop
> > > Acct-Authentic = RADIUS
> > > Service-Type = Framed-User
> > > Acct-Session-Id = "00000A38"
> > > Acct-Input-Packets = 0
> > > Acct-Output-Packets = 0
> > > Acct-Session-Time = 0
> > > Acct-Delay-Time = 0
> > > Accounting: logout: login entry for NAS d-nas00 port 20113 not found
> > > Sending Accounting Ack of id 162 to xxx.xxx.xxx.35 (nas d-nas00)
> > >
> > >
> > > It does say Login Incorrect, but that is incorrect; the password
> > > (cleartext) _is_ correct.
> > >
> > > So, I still never get a "START" record for ISDN users. I still don't
> > > understand what all the "Accounting: logout: port not found" entries
> > > mean.
> > >
> > > From the users file:
> > >
> > > ########ISDN########
> > >
> > > ISDNname Auth-Type = System, Simultaneous-Use = 1, NAS-Port-Type = ISDN
> > >         Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = 0.0.0.0,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > > ISDNname1 Auth-Type = System, Simultaneous-Use = 2, NAS-Port-Type = ISDN
> > >         Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address = xxx.xxx.xxx.9,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > >
> > > ########DIAL-UP########
> > >
> > > name Auth-Type = System, Simultaneous-Use = 2
> > >         Service-Type = Framed-User,
> > >         Framed-IP-Address = 0.0.0.0,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > >
> > > name1 Auth-Type = System, Simultaneous-Use = 1
> > >         Service-Type = Framed-User,
> > >         Framed-IP-Address = 0.0.0.0,
> > >         Framed-MTU = 1500,
> > >         Framed-Compression = Van-Jacobson-TCP-IP
> > >
> > > Any thoughts on where to go from here? I am thoroughly confused.
> > >
> > > On Thu, Sep 06, 2001 at 10:43:45PM +0000, Miquel van Smoorenburg wrote:
> > > > In article <20010906160127.A22694@unixcentauri.com>,
> > > > Brent Reich <brent@unixcentauri.com> wrote:
> > > > >I am pretty green at Radius and SNMP, if I need to include more info
> > > > >for this please let me know and I will provide it. Needless to say in my
> > > > >details file I only get "STOP" records.
> > > >
> > > > And that is exactly your problem. Fix your NAS so that it sends
> > > > start records as well.
> > > >
> > > > Mike.
> > > > --
> > > > "Answering above the original message is called top posting. Sometimes
> > > > also called the Jeopardy style. Usenet is Q & A not A & Q." -- Bob Gootee
> > > >
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.radius.cistron.nl/list/
> > >
> > > --
> > >
> > > Brent Reich, CCNA
> > > brent@unixcentauri.com
> > > http://www.unixcentauri.com
> > > 0110111001101111011011100111001101100101011011100111001101100101
> > >
> >
>
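The diagnosis in this thread came from reading the radrecv debug output by hand: Async ports got an Ack followed by an accounting Start, while ISDN ports got a Reject followed by a Stop the server could not match ("login entry ... not found"). As an added example (not from the thread, Cistron or Cisco), this Python script parses such debug lines and flags exactly those two conditions; the sample log is constructed from the thread's masked output, and the line format is assumed to be the one shown above.

```python
import re
# Constructed sample modelled on the thread's radrecv debug output (not the original log)
SAMPLE_LOG = """\
radrecv: Request from host xxx.xxx.xxx.35 code=1, id=157, length=84
NAS-Port-Id = 32
NAS-Port-Type = Async
User-Name = "name"
Sending Ack of id 157 to xxx.xxx.xxx.35 (nas d-nas00)
radrecv: Request from host xxx.xxx.xxx.35 code=4, id=158, length=94
NAS-Port-Id = 32
NAS-Port-Type = Async
User-Name = "name"
Acct-Status-Type = Start
Sending Accounting Ack of id 158 to xxx.xxx.xxx.35 (nas d-nas00)
radrecv: Request from host xxx.xxx.xxx.35 code=1, id=161, length=85
NAS-Port-Id = 20113
NAS-Port-Type = ISDN
User-Name = "ISDNname"
Sending Reject of id 161 to xxx.xxx.xxx.35 (nas d-nas00)
radrecv: Request from host xxx.xxx.xxx.35 code=4, id=162, length=107
NAS-Port-Id = 20113
NAS-Port-Type = ISDN
User-Name = "ISDNname"
Acct-Status-Type = Stop
Sending Accounting Ack of id 162 to xxx.xxx.xxx.35 (nas d-nas00)
"""
def parse_requests(log):
    """Group radrecv lines into requests: RADIUS code, packet id, attributes, server verdict."""
    reqs = []
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"radrecv: Request from host \S+ code=(\d+), id=(\d+)", line):
            reqs.append({"code": int(m[1]), "id": int(m[2]), "attrs": {}, "result": None})
        elif reqs and (kv := re.match(r'^([\w-]+) = "?([^"]*)"?$', line)):
            reqs[-1]["attrs"][kv[1]] = kv[2]
        elif reqs and line.startswith("Sending "):  # Ack, Reject or Accounting Ack
            reqs[-1]["result"] = "Reject" if line.startswith("Sending Reject") else "Ack"
    return reqs
def audit(reqs):
    """Flag rejected Access-Requests (code 1) and Accounting (code 4) Stops that never had a Start."""
    findings, started = [], set()
    for r in reqs:
        a = r["attrs"]
        key = (a.get("NAS-Port-Type", "?"), a.get("NAS-Port-Id", "?"), a.get("User-Name", "?"))
        if r["code"] == 1 and r["result"] == "Reject":
            findings.append(("reject",) + key)
        elif r["code"] == 4 and a.get("Acct-Status-Type") == "Start":
            started.add(key)
        elif r["code"] == 4 and a.get("Acct-Status-Type") == "Stop" and key not in started:
            findings.append(("stop-without-start",) + key)
    return findings
```

Run over a full debug capture, a cluster of findings on one NAS-Port-Type with none on the other points at the per-port-type path (here the ISDN users' backend, Auth-Type = System) rather than at the RADIUS server as a whole.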