[cisco-bba] 12.2(16b) crashing with per-user RADIUS entries

Deryk Piper deryk at mod-soft.com
Thu Jun 26 10:18:04 EDT 2003 

Just to give anybody a heads-up who might be interested...

At Dennis' suggestion I removed IP Inspection from the Virtual-Template
interface that's cloned for PPP sessions.  This stopped the crashing.
There's an outstanding bug - CSCea56700 - that corresponds to this
problem.  It's at severity 2 and is currently assigned.

Thanks Dennis,

DP

> -----Original Message-----
> From: cisco-bba-bounces at puck.nether.net
> [mailto:cisco-bba-bounces at puck.nether.net]On Behalf Of Deryk Piper
> Sent: Wednesday, June 25, 2003 5:02 PM
> To: Dennis Peng
> Cc: cisco-bba at puck.nether.net
> Subject: RE: [cisco-bba] 12.2(16b) crashing with per-user
> RADIUS entries
>
>
> Hi Dennis,
>
> I'll qualify the following by saying that things have changed
> a bit over
> the course of testing, but here's the jist of it:
>
> user at realm	Auth-Type := Local, Password == "xxx"
>         Framed-IP-Address = 10.1.253.3,
>         Framed-IP-Netmask = 255.255.255.255,
> #        Cisco-AVPair += "ip:route=10.1.2.0 255.255.255.0 10.1.253.3",
>         Cisco-AVPair += "ip:inacl#1=permit ip host 10.1.253.3 any",
>         Cisco-AVPair += "ip:inacl#2=permit ip 10.1.2.0 0.0.0.255 any",
>         Service-Type = Framed,
>         Framed-Protocol = PPP,
>         Fall-Through = No
>
> Anyhow, there it is.  Information gets inserted on the router
> correctly,
> as previously stated.
>
> Thanks,
>
> DP
>
>
> > -----Original Message-----
> > From: Dennis Peng [mailto:dpeng at cisco.com]
> > Sent: Wednesday, June 25, 2003 4:20 PM
> > To: Deryk Piper
> > Cc: cisco-bba at puck.nether.net
> > Subject: Re: [cisco-bba] 12.2(16b) crashing with per-user
> > RADIUS entries
> >
> >
> > Can you send me the RADIUS profile which causes the problem
> to occur?
> >
> > Dennis
> >
> > Deryk Piper [deryk at mod-soft.com] wrote:
> > > Hi all,
> > >
> > > I've got a 3640 running 12.2(16b) (previously 12.2(16)).
> > It's acting as
> > > an LNS for DSL, ISDN and analog dial-up customers.  The
> > 3640 is using
> > > AAA to authenticate users via FreeRADIUS (previously
> > Cistron RADIUS) on
> > > a Linux box.  Normally this works fine.  However, I
> > recently decided to
> > > have a go at per-user access-lists and routes.  My first
> > try at per-user
> > > access-lists seemed to work, but the router crashed a few
> > seconds after
> > > I issued the "clear int virtual-accessXXX" command to
> boot the test
> > > user.  Note that I made no configuration changes to the
> > router, only the
> > > RADIUS entries on the Linux box.  The router also reboots
> > if the test
> > > user disconnects on its own, or if the router needs loses
> > contact (PPP
> > > keealives) and needs to clear the session.  Once or twice
> > it seems to
> > > have rebooted for no reason (only when using per-user ACLs)
> > >
> > > I'm using the inacl and outacl AV pairs to download the
> > access-list to
> > > the router.  Again, the access-lists appear no problem on the
> > > Virtual-Access interface and are dynamically named
> > Virtual-AccessXXX#1
> > > and Virtual-AccessXXX#0.  However, the router just seems
> to want to
> > > spontaneously reboot.
> > >
> > > I've got a case open with TAC, but I thought I'd check here
> > to see if
> > > anybody else has seen this problem.
> > >
> > > My AAA config is as follows:
> > >
> > > aaa new-model
> > > aaa authentication login default local
> > > aaa authentication ppp default group radius
> > > aaa authorization exec default local
> > > aaa authorization network default group radius if-authenticated
> > > aaa accounting update newinfo
> > > aaa accounting network default start-stop group radius
> > >
> > > Should I try removing the accounting entries?
> > >
> > > Thanks in advance,
> > >
> > > DP
> > >
> > >
> > >
> > > Deryk Piper, B.Asc
> > >  Network Manager
> > >  Applications Development
> > > Modular Software Ltd.
> > >
> > > Web:    www.mod-soft.com
> > > Email:  deryk at mod-soft.com
> > > Phone:  905.890.3778 x225
> > > FAX:    905.890.3845
> > >
> > >
> > > _______________________________________________
> > > cisco-bba mailing list
> > > cisco-bba at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/cisco-bba
> >
> > --
> > --------------------------------------------------------------
> > -----------
> >       ||        ||                                 Dennis Peng
> >       ||        ||        Cisco Systems, Inc.
> Escalation Engineer
> >      ||||      ||||       170 West Tasman Drive    Phone:
> > (408) 526-6143
> >  ..:||||||:..:||||||:..   San Jose, CA 95134       Fax:
> > (408) 232-2343
> >    Cisco Systems Inc.                              dpeng at cisco.com
> > --------------------------------------------------------------
> > -----------
> >
>
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-bba
>

More information about the cisco-bba mailing list