[0.0] Re: [cisco-nas] Newbie - Odd probs with AS5300 - double login on text

Charles Gregory cgregory at hwcn.org
Thu Aug 19 00:46:00 EDT 2004


Hello!

I think we're making some progress here......

On Wed, 18 Aug 2004, Aaron Leonard wrote:
> > > is the command "rlogin trusted-localuser-source local".
> rlogin HOSTNAME /debug
> see what it says is your local and remote hostname

It didn't display hostnames, *however*, I got this, after I entered my
userid:
    RLOGIN: local username is: ciscoTS
    RLOGIN: remote username is: cgregory

So there is our problem. It doesn't 'hang onto' the authenticated user-id
for the dial-up line..... I'm already using:
   rlogin trusted-remoteuser-source local
   rlogin trusted-localuser-source radius

I also tried:
   rlogin trusted-localuser-source local

So what else do I need to get the userid instead of 'ciscoTS'?

> ... you have "ip address negotiated" on your 
> group-async0.  This is not good (if you are actually
> using any l3 config info from your physical async interfaces),
> it means that you will learn your IP address from your PPP peer
> which you can't want here.  Use "ip address unnumbered FastEther0".

Okay, I've made that change. 

> ... put "flush-at-activation" on your lines.  With
> "no flush-at-activation", junk can mess up your character
> mode login sequence.

This seems to have fixed the problem with the banner not appearing.

> ... "autoselect timeout 4" ... if this does what I think it does
> (kicks off the exec if no PPP data has arrived within 4 seconds),
> then you should EXPECT unreliable PPP connections.

I'll have to wait until tomorrow to test, but this *may* prove to be the
'problem' that was messing up some PPP users. If so, then this is a BIG
step forward. All we would have left to fix is the double logins......

Thanks!

- Charles

> > Here is the AS5300 config, if it helps:
> 
> > Current configuration : 4370 bytes
> > !
> > version 12.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname dundas
> > !
> > boot system flash:2:c5300-i-mz.123-1a.bin
> > enable secret ******************
> > enable password *************
> > !
> > username root password 0 *********
> > username ****** password 0 ********
> > spe 1/0 1/7
> >  firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> > spe 2/0 2/7
> >  firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> > !
> > !
> > resource-pool disable
> > !
> > modem recovery action none
> > aaa new-model
> > !
> > !
> > aaa authentication username-prompt "login: "
> > aaa authentication login default local group radius
> > aaa authentication login LOCALAUTH local enable
> > aaa authentication ppp default if-needed local group radius
> > aaa authorization exec default local group radius none
> > aaa authorization network default local group radius
> > aaa accounting delay-start
> > aaa accounting network default start-stop group radius
> > aaa accounting connection default start-stop group radius
> > aaa session-id common
> > ip subnet-zero
> > ip domain list hwcn.org
> > ip domain name hwcn.org
> > ip name-server 199.212.94.65
> > ip name-server 199.212.94.66
> > !
> > rlogin trusted-remoteuser-source local
> > rlogin trusted-localuser-source radius
> > async-bootp dns-server 199.212.94.65 199.212.94.66
> > isdn switch-type primary-ni
> > !
> > partition flash 2 16 16
> > !
> > controller T1 0
> >  framing esf
> >  clock source line primary
> >  linecode b8zs
> >  pri-group timeslots 1-24
> > !
> > controller T1 1
> >  framing esf
> >  clock source line secondary 1
> >  linecode b8zs
> >  pri-group timeslots 1-24
> > !
> > controller T1 2
> >  framing esf
> >  linecode b8zs
> >  pri-group timeslots 1-24
> > !
> > controller T1 3
> >  framing esf
> >  linecode b8zs
> >  pri-group timeslots 1-24
> > !
> > !
> > interface Ethernet0
> >  no ip address
> >  shutdown
> > !
> > interface Serial0:23
> >  no ip address
> >  isdn switch-type primary-ni
> >  isdn incoming-voice modem
> >  no cdp enable
> > !
> > interface Serial1:23
> >  no ip address
> >  isdn switch-type primary-ni
> >  isdn incoming-voice modem
> >  no cdp enable
> > !
> > interface Serial2:23
> >  no ip address
> >  isdn switch-type primary-ni
> >  isdn incoming-voice modem
> >  no cdp enable
> > !
> > interface Serial3:23
> >  no ip address
> >  isdn switch-type primary-ni
> >  isdn incoming-voice modem
> >  no cdp enable
> > !
> > interface FastEthernet0
> >  ip address 199.212.94.74 255.255.255.0
> >  no ip route-cache
> >  duplex auto
> >  speed auto
> > !
> > interface Group-Async0
> >  ip address negotiated
> >  encapsulation ppp
> >  timeout absolute 1440 0
> >  async mode interactive
> >  peer default ip address pool dialin_pool
> >  no keepalive
> >  ppp authentication pap callin
> >  group-range 1 96
> > !
> > ip local pool dialin_pool 199.212.94.141 199.212.94.223
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 199.212.94.253
> > no ip http server
> > !
> > !
> > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 established
> > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq www
> > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq login
> > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> > access-list 101 permit tcp any any eq domain
> > access-list 101 permit udp any any eq domain
> > access-list 102 permit tcp any 199.212.94.0 0.0.0.255 established
> > access-list 102 permit tcp any 199.212.94.0 0.0.0.255 eq smtp
> > access-list 102 deny   tcp any any eq smtp
> > access-list 102 permit ip any any
> > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 established
> > access-list 103 deny   tcp any any eq smtp
> > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq www
> > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq login
> > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq pop3
> > access-list 103 permit tcp any any eq domain
> > access-list 103 permit udp any any eq domain
> > dialer-list 1 protocol ip permit
> > radius-server host 199.212.94.65 auth-port 1645 acct-port 1646
> > radius-server key tpftats
> > radius-server authorization deny missing Service-Type
> > banner motd ^CC
> > ***** Welcome to the Hamilton CommunityNet *****
> 
> > If a second login prompt appears after you have entered your password
> > please simply enter your HWCN USer-ID and password again. (We are
> > working on correcting this problem.) ^C
> > !
> > line con 0
> >  logging synchronous
> > line 1 96
> >  no flush-at-activation
> >  modem InOut
> >  autocommand  connect 199.212.94.66
> >  terminal-type vt100
> >  transport preferred rlogin
> >  transport input all
> >  autoselect during-login
> >  autoselect ppp
> >  autoselect timeout 4
> > line aux 0
> > line vty 0 4
> >  password *********
> >  login authentication LOCALAUTH
> > !
> > scheduler interval 1000
> > !
> > end
> 
> > Thanks!
> 
> > - Charles
> 
> > > > I'm hoping my question is 'old', and all I need is to RTFM the appropriate
> > > > archive or web reference:
> > >
> > > > AS5300 - Anyone ever run into a situation where the AS5300 does not
> > > > properly send whatever 'code' is necessary to have a login host 'trust'
> > > > the AS5300? The result to the end user is they have to login a second time
> > > > when they get to the login host. Very annoying. I tried two different
> > > > login hosts - one Solaris and the other Linux. Same behaviour.
> > >
> > > > The DNS/hosts entries have the AS5300 correctly identified (or so it
> > > > seems), and they are properly entered in host.equiv but no joy.
> > > > I'm using the two standard 'trusted' entries in the config, and there is
> > > > no problem with authentication (via radius) on the AS5300. It just doesn't
> > > > get 'trusted' when the Cisco connects to the loginhost....
> > >
> > > > If this doesn't leap out as an 'obvious' problem, I will post details of
> > > > firmware and configuration, as needed. Thanks!
> > >
> > > > - Charles Gregory
> > >
> > > > _______________________________________________
> > > > cisco-nas mailing list
> > > > cisco-nas at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nas
> > >
> 
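The debug lines quoted above (local username ciscoTS, remote username cgregory) are the two names the AS5300 puts into the rlogin connection request, and the login host's hosts.equiv check only waives the password when the client host is listed and those two names are the same. The script below is an added example, not code from this thread or from Cisco: it parses an RFC 1282 rlogin client-initiation message and applies the classic hosts.equiv / ~/.rhosts rule, so you can see why the mismatched pair produces a second login prompt and the matched pair does not. The host name dundas.hwcn.org and the .rhosts contents are constructed for the example; the login hosts in the thread are never named.

```python
"""rlogin hello parser plus hosts.equiv / .rhosts trust decision.

Added example for the cisco-nas thread, not code from the post.  The
usernames come from the debug output quoted there; the host name and
the trust files below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample trust data (the thread never names its login hosts).
TRUSTED_HOSTS = {"dundas.hwcn.org"}                        # hosts.equiv, host-only lines
RHOSTS = {"cgregory": {("dundas.hwcn.org", "cgregory")}}   # ~cgregory/.rhosts


@dataclass(frozen=True)
class RloginHello:
    client_user: str  # Cisco debug: "local username"
    server_user: str  # Cisco debug: "remote username" (account requested on login host)
    terminal: str     # e.g. "vt100/9600"


def parse_rlogin_hello(data: bytes) -> RloginHello:
    """RFC 1282 client initiation: NUL client-user NUL server-user NUL term/speed NUL."""
    if len(data) < 2 or data[0] != 0 or data[-1] != 0:
        raise ValueError("rlogin hello must begin and end with a NUL byte")
    fields = data[1:-1].split(b"\x00")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    client_user, server_user, terminal = (f.decode("ascii") for f in fields)
    if not client_user or not server_user:
        raise ValueError("client and server usernames must be non-empty")
    return RloginHello(client_user, server_user, terminal)


def trust_decision(hello: RloginHello, client_host: str,
                   hosts_equiv=TRUSTED_HOSTS, rhosts=RHOSTS) -> tuple[bool, str]:
    """Classic hosts.equiv / .rhosts rule (host-only hosts.equiv lines; the
    '+' wildcard and 'host user' forms are left out).  False means the login
    host falls back to a password prompt, i.e. the second login in the thread."""
    if client_host in hosts_equiv and hello.client_user == hello.server_user:
        return True, "hosts.equiv: client host listed and usernames match"
    if (client_host, hello.client_user) in rhosts.get(hello.server_user, set()):
        return True, f"~{hello.server_user}/.rhosts lists {client_host} {hello.client_user}"
    return False, (f"client user {hello.client_user!r} != requested user "
                   f"{hello.server_user!r} and no .rhosts entry: password prompt")


def diagnose(raw: bytes, client_host: str) -> tuple[bool, str]:
    """Parse one hello and return the trust decision the login host would reach."""
    return trust_decision(parse_rlogin_hello(raw), client_host)


if __name__ == "__main__":
    # Wire form of the debug output in the thread (constructed bytes).
    broken = b"\x00ciscoTS\x00cgregory\x00vt100/9600\x00"
    fixed = b"\x00cgregory\x00cgregory\x00vt100/9600\x00"
    for raw in (broken, fixed):
        ok, why = diagnose(raw, "dundas.hwcn.org")
        print("trusted" if ok else "not trusted", "-", why)
```

Note that nothing in this exchange is authenticated: the login host takes both usernames as the client asserts them and identifies the client host by reverse DNS, which is why hosts.equiv and .rhosts entries are worth keeping to the bare minimum and why `rlogin trusted-localuser-source radius` matters, since it makes the asserted local name the one RADIUS actually verified rather than whatever the router would otherwise fill in.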