Re: [cisco-nas] Newbie - Odd probs with AS5300 - double login on text

Aaron Leonard Aaron at Cisco.COM
Wed Aug 18 18:10:46 EDT 2004


> > I assume that the way you want this to work is for a user to login
> > into the AS5300 under some username - say "aaron" - then issue the
> > 'rlogin FOO' and then have the rlogin server on host FOO
> > automatically log the user in as "aaron" without reprompting for a
> > username.

> Correct.

> > If my assumptions are correct, then what you are looking for
> > is the command "rlogin trusted-localuser-source local".

> Which is already specified. And 'hosts.equiv' is setup properly
> on the *nix host.

> > With this obscure command in effect, the IOS rlogin client will
> > present the line's authenticated username to the rlogin server as the
> > username.

> Actually, it's not 'obscure' to me. I've used it successfully on AS5200's
> for another ISP. It just doesn't seem to quite work here....
> I also note that the 'banner' does not always appear on a text dial-up.
> I am also having a few problems with PPP negotiating for *some* of my
> dial-up clients. So there are multiple issues with this AS5300. I'm
> wondering if my config has some simple 'logic flaw'?

Have you made sure that the source IP address of the rlogin
connection has a valid PTR record in the DNS - i.e. that
your *nix rlogin server can do a gethostbyaddr() on the
rlogin client's IP address and this returns the hostname
which is present in your hosts.equiv?

For example ... once you rlogin to the *nix host and do a "who am i",
do you see the expected hostname?

Also try this ...

rlogin HOSTNAME /debug

see what it says is your local and remote hostname

Some quick comments on your config ...

... you have "ip address negotiated" on your 
group-async0.  This is not good (if you are actually
using any l3 config info from your physical async interfaces),
it means that you will learn your IP address from your PPP peer
which you can't want here.  Use "ip address unnumbered FastEther0".

... put "flush-at-activation" on your lines.  With
"no flush-at-activation", junk can mess up your character
mode login sequence.

... "autoselect timeout 4" ... if this does what I think it does
(kicks off the exec if no PPP data has arrived within 4 seconds),
then you should EXPECT unreliable PPP connections.

Regards,

Aaron

---

> Here is the AS5300 config, if it helps:

> Current configuration : 4370 bytes
> !
> version 12.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname dundas
> !
> boot system flash:2:c5300-i-mz.123-1a.bin
> enable secret ******************
> enable password *************
> !
> username root password 0 *********
> username ****** password 0 ********
> spe 1/0 1/7
>  firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> spe 2/0 2/7
>  firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> !
> !
> resource-pool disable
> !
> modem recovery action none
> aaa new-model
> !
> !
> aaa authentication username-prompt "login: "
> aaa authentication login default local group radius
> aaa authentication login LOCALAUTH local enable
> aaa authentication ppp default if-needed local group radius
> aaa authorization exec default local group radius none
> aaa authorization network default local group radius
> aaa accounting delay-start
> aaa accounting network default start-stop group radius
> aaa accounting connection default start-stop group radius
> aaa session-id common
> ip subnet-zero
> ip domain list hwcn.org
> ip domain name hwcn.org
> ip name-server 199.212.94.65
> ip name-server 199.212.94.66
> !
> rlogin trusted-remoteuser-source local
> rlogin trusted-localuser-source radius
> async-bootp dns-server 199.212.94.65 199.212.94.66
> isdn switch-type primary-ni
> !
> partition flash 2 16 16
> !
> controller T1 0
>  framing esf
>  clock source line primary
>  linecode b8zs
>  pri-group timeslots 1-24
> !
> controller T1 1
>  framing esf
>  clock source line secondary 1
>  linecode b8zs
>  pri-group timeslots 1-24
> !
> controller T1 2
>  framing esf
>  linecode b8zs
>  pri-group timeslots 1-24
> !
> controller T1 3
>  framing esf
>  linecode b8zs
>  pri-group timeslots 1-24
> !
> !
> interface Ethernet0
>  no ip address
>  shutdown
> !
> interface Serial0:23
>  no ip address
>  isdn switch-type primary-ni
>  isdn incoming-voice modem
>  no cdp enable
> !
> interface Serial1:23
>  no ip address
>  isdn switch-type primary-ni
>  isdn incoming-voice modem
>  no cdp enable
> !
> interface Serial2:23
>  no ip address
>  isdn switch-type primary-ni
>  isdn incoming-voice modem
>  no cdp enable
> !
> interface Serial3:23
>  no ip address
>  isdn switch-type primary-ni
>  isdn incoming-voice modem
>  no cdp enable
> !
> interface FastEthernet0
>  ip address 199.212.94.74 255.255.255.0
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface Group-Async0
>  ip address negotiated
>  encapsulation ppp
>  timeout absolute 1440 0
>  async mode interactive
>  peer default ip address pool dialin_pool
>  no keepalive
>  ppp authentication pap callin
>  group-range 1 96
> !
> ip local pool dialin_pool 199.212.94.141 199.212.94.223
> ip classless
> ip route 0.0.0.0 0.0.0.0 199.212.94.253
> no ip http server
> !
> !
> access-list 101 permit tcp any 199.212.94.0 0.0.0.255 established
> access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq www
> access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq login
> access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> access-list 101 permit tcp any any eq domain
> access-list 101 permit udp any any eq domain
> access-list 102 permit tcp any 199.212.94.0 0.0.0.255 established
> access-list 102 permit tcp any 199.212.94.0 0.0.0.255 eq smtp
> access-list 102 deny   tcp any any eq smtp
> access-list 102 permit ip any any
> access-list 103 permit tcp any 199.212.94.0 0.0.0.255 established
> access-list 103 deny   tcp any any eq smtp
> access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq www
> access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq login
> access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq pop3
> access-list 103 permit tcp any any eq domain
> access-list 103 permit udp any any eq domain
> dialer-list 1 protocol ip permit
> radius-server host 199.212.94.65 auth-port 1645 acct-port 1646
> radius-server key tpftats
> radius-server authorization deny missing Service-Type
> banner motd ^CC
> ***** Welcome to the Hamilton CommunityNet *****
>
> If a second login prompt appears after you have entered your password
> please simply enter your HWCN USer-ID and password again. (We are
> working on correcting this problem.) ^C
> !
> line con 0
>  logging synchronous
> line 1 96
>  no flush-at-activation
>  modem InOut
>  autocommand  connect 199.212.94.66
>  terminal-type vt100
>  transport preferred rlogin
>  transport input all
>  autoselect during-login
>  autoselect ppp
>  autoselect timeout 4
> line aux 0
> line vty 0 4
>  password *********
>  login authentication LOCALAUTH
> !
> scheduler interval 1000
> !
> end

> Thanks!

> - Charles

> > > I'm hoping my question is 'old', and all I need is to RTFM the appropriate
> > > archive or web reference:
> >
> > > AS5300 - Anyone ever run into a situation where the AS5300 does not
> > > properly send whatever 'code' is necessary to have a login host 'trust'
> > > the AS5300? The result to the end user is they have to login a second time
> > > when they get to the login host. Very annoying. I tried two different
> > > login hosts - one Solaris and the other Linux. Same behaviour.
> >
> > > The DNS/hosts entries have the AS5300 correctly identified (or so it
> > > seems), and they are properly entered in host.equiv but no joy.
> > > I'm using the two standard 'trusted' entries in the config, and there is
> > > no problem with authentication (via radius) on the AS5300. It just doesn't
> > > get 'trusted' when the Cisco connects to the loginhost....
> >
> > > If this doesn't leap out as an 'obvious' problem, I will post details of
> > > firmware and configuration, as needed. Thanks!
> >
> > > - Charles Gregory
> >
> > > _______________________________________________
> > > cisco-nas mailing list
> > > cisco-nas at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nas
> >

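Aaron's diagnostic (does a gethostbyaddr() on the rlogin client's source address return the hostname that hosts.equiv lists?) and the "code" Charles asks about (the connection-setup record the IOS rlogin client sends, whose local-user field is what rlogin trusted-localuser-source controls) can both be modelled offline. The following is an added example in Python, not code from this thread, from Cisco IOS or from any rlogin server. The PTR table and the hosts.equiv text are constructed: 199.212.94.74 is the FastEthernet0 address from the quoted config, but its mapping to dundas.hwcn.org is an assumption, and netgroup (+@/-) entries are recognised but not evaluated.

```python
"""Offline model of the rlogin trust decision an rlogind makes (added example)."""
import socket
from typing import Callable, List, Optional, Tuple

# Constructed reverse-DNS table standing in for gethostbyaddr().  The address is
# the AS5300's FastEthernet0 address from the quoted config; the name is assumed.
PTR_TABLE = {
    "199.212.94.74": "dundas.hwcn.org",
}

# Constructed hosts.equiv for the example (classic BSD semantics).
HOSTS_EQUIV = """\
# hostname        [username]
dundas.hwcn.org
+@trusted-nets              # netgroup entry: not evaluated in this model
-badhost.example.org        # negative entry: not evaluated in this model
"""


def build_rlogin_request(local_user: str, remote_user: str, term: str = "vt100/9600") -> bytes:
    """Client side (RFC 1282): an empty string, then local user, remote user and
    terminal type/speed, each NUL-terminated.  On IOS the local-user field is the
    line's authenticated username when rlogin trusted-localuser-source is in effect."""
    for field in (local_user, remote_user, term):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return b"\0" + b"\0".join(f.encode() for f in (local_user, remote_user, term)) + b"\0"


def parse_rlogin_request(data: bytes) -> Tuple[str, str, str]:
    """Server side: split the setup record back into (local_user, remote_user, term)."""
    parts = data.split(b"\0")
    if len(parts) != 5 or parts[0] != b"" or parts[4] != b"":
        raise ValueError("malformed rlogin setup record")
    local_user, remote_user, term = (p.decode() for p in parts[1:4])
    return local_user, remote_user, term


def reverse_lookup(ip: str) -> Optional[str]:
    """Real gethostbyaddr() lookup; None means no usable PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def parse_hosts_equiv(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (host_field, user_field_or_None) pairs, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def is_trusted(client_ip: str, local_user: str, remote_user: str,
               hosts_equiv_text: str,
               resolver: Callable[[str], Optional[str]] = reverse_lookup) -> Tuple[bool, str]:
    """Decide whether rlogind would skip the password prompt.  A False result is
    exactly the 'second login prompt' symptom described in the thread."""
    if remote_user == "root":
        return False, "hosts.equiv is never consulted for root; password required"
    host = resolver(client_ip)
    if host is None:
        return False, "no PTR record for %s; password required" % client_ip
    host = host.lower().rstrip(".")
    for name, user in parse_hosts_equiv(hosts_equiv_text):
        if name.startswith(("+", "-")):
            continue  # netgroup / negative forms: left to a real NIS-aware rlogind (assumption)
        if name.lower().rstrip(".") != host:
            continue
        if user is None:
            if local_user == remote_user:
                return True, "%s listed; local user equals remote user" % host
            return False, "%s listed, but local user %r != remote user %r" % (host, local_user, remote_user)
        if user == local_user:
            # 'host user' entries let that user log in as any non-root account.
            return True, "%s %s listed; trusted for any remote user" % (host, user)
    return False, "%s is not listed in hosts.equiv; password required" % host


if __name__ == "__main__":
    record = build_rlogin_request("aaron", "aaron")
    lu, ru, _ = parse_rlogin_request(record)
    for ip in ("199.212.94.74", "203.0.113.9"):
        ok, why = is_trusted(ip, lu, ru, HOSTS_EQUIV, PTR_TABLE.get)
        print(ip, "trusted" if ok else "NOT trusted", "-", why)
```

The resolver is injected so the decision can be exercised with the constructed table; calling `is_trusted()` without the last argument uses the host's real gethostbyaddr(), which is the check Aaron asks Charles to confirm. The negative cases (no PTR, hostname not listed, local user differing from the requested remote user, root) are the ones worth running against a real server, because each produces the same visible symptom: a second username/password prompt.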