[cisco-bba] 12.2(16b) crashing with per-user RADIUS entries
Deryk Piper
deryk at mod-soft.com
Wed Jun 25 18:02:07 EDT 2003
Hi Dennis,
I'll qualify the following by saying that things have changed a bit over
the course of testing, but here's the gist of it:
user at realm Auth-Type := Local, Password == "xxx"
        Framed-IP-Address = 10.1.253.3,
        Framed-IP-Netmask = 255.255.255.255,
#       Cisco-AVPair += "ip:route=10.1.2.0 255.255.255.0 10.1.253.3",
        Cisco-AVPair += "ip:inacl#1=permit ip host 10.1.253.3 any",
        Cisco-AVPair += "ip:inacl#2=permit ip 10.1.2.0 0.0.0.255 any",
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Fall-Through = No
Anyhow, there it is. Information gets inserted on the router correctly,
as previously stated.
Thanks,
DP
> -----Original Message-----
> From: Dennis Peng [mailto:dpeng at cisco.com]
> Sent: Wednesday, June 25, 2003 4:20 PM
> To: Deryk Piper
> Cc: cisco-bba at puck.nether.net
> Subject: Re: [cisco-bba] 12.2(16b) crashing with per-user RADIUS entries
>
>
> Can you send me the RADIUS profile which causes the problem to occur?
>
> Dennis
>
> Deryk Piper [deryk at mod-soft.com] wrote:
> > Hi all,
> >
> > I've got a 3640 running 12.2(16b) (previously 12.2(16)). It's acting as
> > an LNS for DSL, ISDN and analog dial-up customers. The 3640 is using
> > AAA to authenticate users via FreeRADIUS (previously Cistron RADIUS) on
> > a Linux box. Normally this works fine. However, I recently decided to
> > have a go at per-user access-lists and routes. My first try at per-user
> > access-lists seemed to work, but the router crashed a few seconds after
> > I issued the "clear int virtual-accessXXX" command to boot the test
> > user. Note that I made no configuration changes to the router, only the
> > RADIUS entries on the Linux box. The router also reboots if the test
> > user disconnects on its own, or if the router loses contact (PPP
> > keepalives) and needs to clear the session. Once or twice it seems to
> > have rebooted for no reason (only when using per-user ACLs).
> >
> > I'm using the inacl and outacl AV pairs to download the access-list to
> > the router. Again, the access-lists appear no problem on the
> > Virtual-Access interface and are dynamically named Virtual-AccessXXX#1
> > and Virtual-AccessXXX#0. However, the router just seems to want to
> > spontaneously reboot.
> >
> > I've got a case open with TAC, but I thought I'd check here to see if
> > anybody else has seen this problem.
> >
> > My AAA config is as follows:
> >
> > aaa new-model
> > aaa authentication login default local
> > aaa authentication ppp default group radius
> > aaa authorization exec default local
> > aaa authorization network default group radius if-authenticated
> > aaa accounting update newinfo
> > aaa accounting network default start-stop group radius
> >
> > Should I try removing the accounting entries?
> >
> > Thanks in advance,
> >
> > DP
> >
> >
> >
> > Deryk Piper, B.Asc
> > Network Manager
> > Applications Development
> > Modular Software Ltd.
> >
> > Web: www.mod-soft.com
> > Email: deryk at mod-soft.com
> > Phone: 905.890.3778 x225
> > FAX: 905.890.3845
> >
> >
> > _______________________________________________
> > cisco-bba mailing list
> > cisco-bba at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-bba
>
> --
> -----------------------------------------------------------------------
> || || Dennis Peng
> || || Cisco Systems, Inc. Escalation Engineer
> |||| |||| 170 West Tasman Drive Phone: (408) 526-6143
> ..:||||||:..:||||||:.. San Jose, CA 95134 Fax: (408) 232-2343
> Cisco Systems Inc. dpeng at cisco.com
> -----------------------------------------------------------------------
>