Re: [cisco-nas] Newbie - Odd probs with AS5300 - double login on text
Charles Gregory
cgregory at hwcn.org
Wed Aug 18 17:52:45 EDT 2004
On Wed, 18 Aug 2004, Aaron Leonard wrote:
> I assume that the way you want this to work is for a user to log in
> to the AS5300 under some username - say "aaron" - then issue the
> 'rlogin FOO' and then have the rlogin server on host FOO
> automatically log the user in as "aaron" without reprompting for a
> username.
Correct.
> If my assumptions are correct, then what you are looking for
> is the command "rlogin trusted-localuser-source local".
Which is already specified. And 'hosts.equiv' is set up properly
on the *nix host.
> With this obscure command in effect, the IOS rlogin client will
> present the line's authenticated username to the rlogin server as the
> username.
Actually, it's not 'obscure' to me. I've used it successfully on AS5200s
for another ISP. It just doesn't seem to quite work here....
I also note that the 'banner' does not always appear on a text dial-up.
I am also having a few problems with PPP negotiating for *some* of my
dial-up clients. So there are multiple issues with this AS5300. I'm
wondering if my config has some simple 'logic flaw'?
Here is the AS5300 config, if it helps:
Current configuration : 4370 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dundas
!
boot system flash:2:c5300-i-mz.123-1a.bin
enable secret ******************
enable password *************
!
username root password 0 *********
username ****** password 0 ********
spe 1/0 1/7
firmware location flash:1:mica-modem-pw.2.9.5.0.bin
spe 2/0 2/7
firmware location flash:1:mica-modem-pw.2.9.5.0.bin
!
!
resource-pool disable
!
modem recovery action none
aaa new-model
!
!
aaa authentication username-prompt "login: "
aaa authentication login default local group radius
aaa authentication login LOCALAUTH local enable
aaa authentication ppp default if-needed local group radius
aaa authorization exec default local group radius none
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa session-id common
ip subnet-zero
ip domain list hwcn.org
ip domain name hwcn.org
ip name-server 199.212.94.65
ip name-server 199.212.94.66
!
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source radius
async-bootp dns-server 199.212.94.65 199.212.94.66
isdn switch-type primary-ni
!
partition flash 2 16 16
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
framing esf
clock source line secondary 1
linecode b8zs
pri-group timeslots 1-24
!
controller T1 2
framing esf
linecode b8zs
pri-group timeslots 1-24
!
controller T1 3
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice modem
no cdp enable
!
interface Serial1:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice modem
no cdp enable
!
interface Serial2:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice modem
no cdp enable
!
interface Serial3:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice modem
no cdp enable
!
interface FastEthernet0
ip address 199.212.94.74 255.255.255.0
no ip route-cache
duplex auto
speed auto
!
interface Group-Async0
ip address negotiated
encapsulation ppp
timeout absolute 1440 0
async mode interactive
peer default ip address pool dialin_pool
no keepalive
ppp authentication pap callin
group-range 1 96
!
ip local pool dialin_pool 199.212.94.141 199.212.94.223
ip classless
ip route 0.0.0.0 0.0.0.0 199.212.94.253
no ip http server
!
!
access-list 101 permit tcp any 199.212.94.0 0.0.0.255 established
access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq www
access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq login
access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 102 permit tcp any 199.212.94.0 0.0.0.255 established
access-list 102 permit tcp any 199.212.94.0 0.0.0.255 eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
access-list 103 permit tcp any 199.212.94.0 0.0.0.255 established
access-list 103 deny tcp any any eq smtp
access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq www
access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq login
access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq pop3
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any any eq domain
dialer-list 1 protocol ip permit
radius-server host 199.212.94.65 auth-port 1645 acct-port 1646
radius-server key tpftats
radius-server authorization deny missing Service-Type
banner motd ^CC
***** Welcome to the Hamilton CommunityNet *****
If a second login prompt appears after you have entered your password
please simply enter your HWCN USer-ID and password again. (We are
working on correcting this problem.) ^C
!
line con 0
logging synchronous
line 1 96
no flush-at-activation
modem InOut
autocommand connect 199.212.94.66
terminal-type vt100
transport preferred rlogin
transport input all
autoselect during-login
autoselect ppp
autoselect timeout 4
line aux 0
line vty 0 4
password *********
login authentication LOCALAUTH
!
scheduler interval 1000
!
end
Thanks!
- Charles
> > I'm hoping my question is 'old', and all I need is to RTFM the appropriate
> > archive or web reference:
>
> > AS5300 - Anyone ever run into a situation where the AS5300 does not
> > properly send whatever 'code' is necessary to have a login host 'trust'
> > the AS5300? The result to the end user is they have to login a second time
> > when they get to the login host. Very annoying. I tried two different
> > login hosts - one Solaris and the other Linux. Same behaviour.
>
> > The DNS/hosts entries have the AS5300 correctly identified (or so it
> > seems), and they are properly entered in host.equiv but no joy.
> > I'm using the two standard 'trusted' entries in the config, and there is
> > no problem with authentication (via radius) on the AS5300. It just doesn't
> > get 'trusted' when the Cisco connects to the loginhost....
>
> > If this doesn't leap out as an 'obvious' problem, I will post details of
> > firmware and configuration, as needed. Thanks!
>
> > - Charles Gregory
>
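A small config-review helper, added here as an example (it is not code from the thread, from Cisco, or from the list). It scans an IOS running-config for the rlogin trust setting Aaron describes and for a few other settings visible in the posted config; the excerpt it runs on is constructed from that config.

```python
"""Review an IOS config for the rlogin trust setting discussed in the thread.

Added example; the SAMPLE_CONFIG below is a constructed excerpt modelled on
the AS5300 config posted above, not the full config."""

SAMPLE_CONFIG = """\
no service password-encryption
enable secret ******************
enable password *************
aaa new-model
aaa authentication login default local group radius
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source radius
line 1 96
 transport preferred rlogin
 transport input all
line vty 0 4
 password *********
 login authentication LOCALAUTH
"""


def parse_config(text):
    """Return the stripped, non-empty, non-comment lines of an IOS config."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("!")]


def review(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    lines = parse_config(text)
    findings = []
    # Per Aaron's reply: the line's authenticated username is forwarded to the
    # rlogin server only when the source is 'local'.
    src = next((ln.split()[-1] for ln in lines
                if ln.startswith("rlogin trusted-localuser-source")), None)
    if src != "local":
        findings.append(f"rlogin trusted-localuser-source is {src!r}, expected 'local'")
    if "no service password-encryption" in lines:
        findings.append("no service password-encryption: type-0 passwords stay cleartext")
    if any(ln.startswith("enable password") for ln in lines):
        findings.append("enable password present alongside enable secret; drop it")
    if "transport input all" in lines:
        findings.append("transport input all on dial-in lines: limit to needed protocols")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print("-", f)
```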