[cisco-nas] Callback with Microsoft IAS (RADIUS)

Harald Astrand astrand at unicc.org
Thu Apr 24 18:47:04 EDT 2003






Thank you very much for the information!

I actually already had the "dialer in-band" (and dialer idle-timeout)
defined for the group-async interface.

I found on CCO that only in version 12.1(7) the RADIUS attribute 19 for
Microsoft callback is supported.
I guess this means that I can not specify the phone number in the user
properties in Active Directory.
However, I assume that callback should work if I define the AV-pair
"lcp:callback-dialstring=1234567".
Unfortunately, I will not have time to troubleshoot any more until next
week.

Thanks again for your help!

Regards,

Harald



"Michael Taylor (mitaylor)" <mitaylor at cisco.com>
04/24/2003 05:11 AM

To:      "Michael Taylor (mitaylor)" <mitaylor at cisco.com>
cc:      "Harald Astrand" <astrand at unicc.org>, cisco-nas at puck.nether.net
Subject: Re: [cisco-nas] Callback with Microsoft IAS (RADIUS)




OK, I've just set this up in my lab using a 5300 and 12.0(7)T, with Merit
RADIUS running on a SUN box.

I did have a couple of issues getting it to work, and I think you are
probably running into:

CSCdv58818: MS Callback fails without dialer in-band if async-mode ...
This DDTS is fixed in 12.2(7), 12.2(7)T etc. BUT, I wouldn't recommend the
pain of upgrading, the workaround is to add 'dialer in-band' to your
'interface Group-Async'

**** WARNING adding 'dialer in-band' will set the idle timeout for all
async users to the default of 120 seconds, so you will probably want to add
'dialer idle-timeout 2147483' or something similar.

*** ALSO, you will need to add a chat script for dialing out. (see config)

I used the same RADIUS profile as below, and here is the bare bones config
of my 5300 to get callback working.

Please let me know if you need any more help with this.

Cheers,
Mike Taylor
************************************************************

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vgdbu-5300
!
aaa new-model
aaa group server radius default
  server 2.2.2.2 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication ppp default group radius
aaa authorization network default group radius
enable password BLAH
!
!
!
resource-pool disable
!
!
!
!
!
ip subnet-zero
!
isdn switch-type primary-net5
isdn voice-call-failure 0
chat-script callback ABORT ERROR "" "ATDT\T" TIMEOUT 90 CONNECT \c
mta receive maximum-recipients 0
!
!
controller E1 0
  clock source line primary
  pri-group timeslots 1-31
!
controller E1 1
  clock source line secondary 1
!
controller E1 2
!
controller E1 3
!
!
!
!
interface Ethernet0
  no ip address
  no ip directed-broadcast
  shutdown
!
interface Serial0:15
  no ip address
  no ip directed-broadcast
  isdn switch-type primary-net5
  isdn incoming-voice modem
  fair-queue 64 256 0
  no cdp enable
!
interface FastEthernet0
  ip address 1.1.1.1 255.255.255.0
  no ip directed-broadcast
  duplex full
  speed 100
!
interface Group-Async0
  ip unnumbered FastEthernet0
  no ip directed-broadcast
  encapsulation ppp
  dialer in-band
  dialer idle-timeout 2147483
  async mode dedicated
  ppp callback accept
  ppp authentication chap pap
  group-range 1 72
!
ip classless
no ip http server
!
!
radius-server host 2.2.2.2 auth-port 1812 acct-port 1813 key cisco
!
line con 0
  transport input none
line 1 72
  script callback callback
  modem InOut
  transport preferred lat pad telnet rlogin udptn v120 lapb-ta
  transport output lat pad telnet rlogin udptn v120 lapb-ta
line aux 0
line vty 0 4
  exec-timeout 0 0
!
end






At 08:14 AM Thursday 24/04/2003 +1000, Michael Taylor (mitaylor) wrote:
>Hi,
>
>I've done some work a while back on Callback, here's the RADIUS profile I
>was using:
>
>callback Auth-Type := Local, User-Password == "testing"
>         Service-Type = Framed-User,
>         Framed-IP-Address = 192.168.1.1,
>         Cisco-AVPair = "lcp:callback-dialstring=1234567",
>         Cisco-AVPair = "lcp:nocallback-verify=1",
>         Cisco-AVPair = "ip:addr=192.168.1.1",
>         Fall-Through = Yes
>
>I was working on authentication issues with 12.2T, and haven't actually
>tried it on 12.0(7)T, but I can load it up for a test when I get into the
>office if you like...
>
>Cheers,
>Mike
>
>At 03:20 PM Wednesday 23/04/2003 +0200, Harald Astrand wrote:
>
>
>
>
>>Hi,
>>
>>I am trying to get callback working on an AS5200 (12.0.7(T)) using RADIUS.
>>The AAA server used is a Windows 2000 Server running IAS.
>>
>>On the AS5200 I have the following AAA configuration:
>>
>>aaa new-model
>>aaa group server radius RASGROUP
>>  server 10.168.10.13 auth-port 1645 acct-port 1646
>>  server 10.168.10.14 auth-port 1645 acct-port 1646
>>!
>>aaa authentication login RAS group RASGROUP
>>aaa authentication ppp RAS group RASGROUP
>>aaa authorization exec RAS group RASGROUP
>>aaa authorization network RAS group RASGROUP
>>aaa accounting exec RAS start-stop group RASGROUP
>>aaa accounting network RAS start-stop group RASGROUP
>>
>>interface Group-Async 1
>>  ppp authentication pap RAS
>>  ppp authorization RAS
>>  ppp accounting RAS
>>
>>I have set up the policy in IAS to return the following parameters:
>>
>>Framed-Protocol=PPP
>>Service-Type=Framed (there does not seem to be any service-type called
>>Framed-User)
>>Cisco-AV-Pair="lcp:callback-dialstring=12345678"
>>
>>Unfortunately, I am not able to get this to work. Are there any more
>>parameters that I have to return to the NAS?
>>Also, if possible I would like to specify the callback number in the user
>>profile (and not in an AV-pair)
>>
>>Any help would be greatly appreciated!
>>
>>Regards,
>>
>>Harald
>>
>>_______________________________________________
>>cisco-nas mailing list
>>cisco-nas at puck.nether.net
>>http://puck.nether.net/mailman/listinfo/cisco-nas
>
>Cisco Systems
>VGDBU - Voice Gateway and Dial Business Unit
>Customer Engineering
>Sydney, Australia
>Ph:     (+61 2) 8446 6044
>Mobile: (+61) 401 890 474
>

Cisco Systems
VGDBU - Voice Gateway and Dial Business Unit
Customer Engineering
Sydney, Australia
Ph:     (+61 2) 8446 6044
Mobile: (+61) 401 890 474
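
Added example, not part of the original thread: a Python sketch of how the reply attributes discussed above (Service-Type, Framed-Protocol, attribute 19 Callback-Number, and the Cisco AV-pairs) are laid out inside an Access-Accept, with a parser that extracts the callback settings. Attribute numbers follow RFC 2865 (Cisco vendor ID 9, cisco-avpair sub-type 1); the function names and the sample bytes are constructed for illustration.

```python
import struct

# RFC 2865 attribute numbers; Cisco's enterprise number is 9, cisco-avpair is sub-type 1.
SERVICE_TYPE, FRAMED_PROTOCOL, CALLBACK_NUMBER, VENDOR_SPECIFIC = 6, 7, 19, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def tlv(attr_type, value):
    """Encode one attribute: type, length (counting the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap a 'protocol:attribute=value' string as a Cisco vendor-specific attribute."""
    sub = tlv(CISCO_AVPAIR, text.encode("ascii"))
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attributes(blob):
    """Yield (type, value) pairs; reject truncated or undersized attributes."""
    i = 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError("truncated or malformed attribute")
        yield blob[i], blob[i + 2:i + length]
        i += length

def callback_settings(blob):
    """Collect the reply attributes that matter for callback on the NAS."""
    out = {"service_type": None, "attr19_number": None, "avpairs": {}}
    for attr_type, value in parse_attributes(blob):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == CALLBACK_NUMBER:
            out["attr19_number"] = value.decode("ascii", "replace")
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
                continue
            for sub_type, sub_val in parse_attributes(value[4:]):
                if sub_type == CISCO_AVPAIR:
                    key, _, val = sub_val.decode("ascii", "replace").partition("=")
                    out["avpairs"][key] = val
    return out

# Constructed sample built from the reply attributes quoted in the thread.
SAMPLE = (tlv(SERVICE_TYPE, struct.pack("!I", 2))       # 2 = Framed
          + tlv(FRAMED_PROTOCOL, struct.pack("!I", 1))  # 1 = PPP
          + cisco_avpair("lcp:callback-dialstring=1234567")
          + cisco_avpair("lcp:nocallback-verify=1"))
```

Running `callback_settings` over the attribute bytes of a captured Access-Accept shows whether the server sent the dial string as a Cisco AV-pair (vendor 9, sub-type 1) or as attribute 19.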





