[0.0] Re: [cisco-nas] Newbie - Odd probs with AS5300 - double
login on text
Aaron Leonard
Aaron at Cisco.COM
Thu Aug 19 12:18:57 EDT 2004
> I think we're making some progress here......
> On Wed, 18 Aug 2004, Aaron Leonard wrote:
> > > > is the command "rlogin trusted-localuser-source local".
> > rlogin HOSTNAME /debug
> > see what it says is your local and remote hostname
> It didn't display hostnames, *however*, I got this, after I entered my
Yeah, that was a typo, I meant "username" instead of "hostname" here ...
> userid:
> RLOGIN: local username is: ciscoTS
> RLOGIN: remote username is: cgregory
> So there is our problem. It doesn't 'hang onto' the authenticated user-id
> for the dial-up line..... I'm already using:
> rlogin trusted-remoteuser-source local
> rlogin trusted-localuser-source radius
> I also tried:
> rlogin trusted-localuser-source local
> So what else do I need to get the userid instead of 'ciscoTS'?
Hm. I just now came across this:
CSCeb28546 login fails to use local username information
Release-note: Added 030603
The rlogin trusted-remoteuser-source and
rlogin trusted-localuser-source configurations, used for sending
authenticated usernames to the rlogin connection, do not work if
aaa new-model is also in use. There is no workaround.
Evidently this is a regression that appeared around 12.2(3)T; the
fix is Integrated in 12.2(16)BX01 12.3(02)T01 12.3(02.03)B
12.3(03.01)T 012.003(002.001). What IOS version did you say that
you were running? (On the 5300, I'd probably recommend recent
12.3 mainline.)
> > ... you have "ip address negotiated" on your
> > group-async0. This is not good (if you are actually
> > using any l3 config info from your physical async interfaces),
> > it means that you will learn your IP address from your PPP peer
> > which you can't want here. Use "ip address unnumbered FastEther0".
> Okay, I've made that change.
> > ... put "flush-at-activation" on your lines. With
> > "no flush-at-activation", junk can mess up your character
> > mode login sequence.
> This seems to have fixed the problem with the banner not appearing.
Good deal.
> > ... "autoselect timeout 4" ... if this does what I think it does
> > (kicks off the exec if no PPP data has arrived within 4 seconds),
> > then you should EXPECT unreliable PPP connections.
> I'll have to wait until tomorrow to test,, but this *may* prove to be the
> 'problem' that was messing up some PPP users. If so, then this is a BIG
> step forward. All we would have left to fix is the double logins......
If you are running some IOS version that is not susceptible
to CSCeb52067 yet are nonetheless suffering from the failure
of rlogin to reuse the authenticated username ... then we'll
need to investigate further.
Cheers,
Aaron
---
> Thanks!
> - Charles
> > > Here is the AS5300 config, if it helps:
> >
> > > Current configuration : 4370 bytes
> > > !
> > > version 12.3
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname dundas
> > > !
> > > boot system flash:2:c5300-i-mz.123-1a.bin
> > > enable secret ******************
> > > enable password *************
> > > !
> > > username root password 0 *********
> > > username ****** password 0 ********
> > > spe 1/0 1/7
> > > firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> > > spe 2/0 2/7
> > > firmware location flash:1:mica-modem-pw.2.9.5.0.bin
> > > !
> > > !
> > > resource-pool disable
> > > !
> > > modem recovery action none
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication username-prompt "login: "
> > > aaa authentication login default local group radius
> > > aaa authentication login LOCALAUTH local enable
> > > aaa authentication ppp default if-needed local group radius
> > > aaa authorization exec default local group radius none
> > > aaa authorization network default local group radius
> > > aaa accounting delay-start
> > > aaa accounting network default start-stop group radius
> > > aaa accounting connection default start-stop group radius
> > > aaa session-id common
> > > ip subnet-zero
> > > ip domain list hwcn.org
> > > ip domain name hwcn.org
> > > ip name-server 199.212.94.65
> > > ip name-server 199.212.94.66
> > > !
> > > rlogin trusted-remoteuser-source local
> > > rlogin trusted-localuser-source radius
> > > async-bootp dns-server 199.212.94.65 199.212.94.66
> > > isdn switch-type primary-ni
> > > !
> > > partition flash 2 16 16
> > > !
> > > controller T1 0
> > > framing esf
> > > clock source line primary
> > > linecode b8zs
> > > pri-group timeslots 1-24
> > > !
> > > controller T1 1
> > > framing esf
> > > clock source line secondary 1
> > > linecode b8zs
> > > pri-group timeslots 1-24
> > > !
> > > controller T1 2
> > > framing esf
> > > linecode b8zs
> > > pri-group timeslots 1-24
> > > !
> > > controller T1 3
> > > framing esf
> > > linecode b8zs
> > > pri-group timeslots 1-24
> > > !
> > > !
> > > interface Ethernet0
> > > no ip address
> > > shutdown
> > > !
> > > interface Serial0:23
> > > no ip address
> > > isdn switch-type primary-ni
> > > isdn incoming-voice modem
> > > no cdp enable
> > > !
> > > interface Serial1:23
> > > no ip address
> > > isdn switch-type primary-ni
> > > isdn incoming-voice modem
> > > no cdp enable
> > > !
> > > interface Serial2:23
> > > no ip address
> > > isdn switch-type primary-ni
> > > isdn incoming-voice modem
> > > no cdp enable
> > > !
> > > interface Serial3:23
> > > no ip address
> > > isdn switch-type primary-ni
> > > isdn incoming-voice modem
> > > no cdp enable
> > > !
> > > interface FastEthernet0
> > > ip address 199.212.94.74 255.255.255.0
> > > no ip route-cache
> > > duplex auto
> > > speed auto
> > > !
> > > interface Group-Async0
> > > ip address negotiated
> > > encapsulation ppp
> > > timeout absolute 1440 0
> > > async mode interactive
> > > peer default ip address pool dialin_pool
> > > no keepalive
> > > ppp authentication pap callin
> > > group-range 1 96
> > > !
> > > ip local pool dialin_pool 199.212.94.141 199.212.94.223
> > > ip classless
> > > ip route 0.0.0.0 0.0.0.0 199.212.94.253
> > > no ip http server
> > > !
> > > !
> > > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 established
> > > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq www
> > > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq login
> > > access-list 101 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> > > access-list 101 permit tcp any any eq domain
> > > access-list 101 permit udp any any eq domain
> > > access-list 102 permit tcp any 199.212.94.0 0.0.0.255 established
> > > access-list 102 permit tcp any 199.212.94.0 0.0.0.255 eq smtp
> > > access-list 102 deny tcp any any eq smtp
> > > access-list 102 permit ip any any
> > > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 established
> > > access-list 103 deny tcp any any eq smtp
> > > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq www
> > > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq telnet
> > > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq login
> > > access-list 103 permit tcp any 199.212.94.0 0.0.0.255 eq pop3
> > > access-list 103 permit tcp any any eq domain
> > > access-list 103 permit udp any any eq domain
> > > dialer-list 1 protocol ip permit
> > > radius-server host 199.212.94.65 auth-port 1645 acct-port 1646
> > > radius-server key tpftats
> > > radius-server authorization deny missing Service-Type
> > > banner motd ^CC
> > > ***** Welcome to the Hamilton CommunityNet *****
> >
> > > If a second login prompt appears after you have entered your password
> > > please simply enter your HWCN USer-ID and password again. (We are
> > > working on correcting this problem.) ^C
> > > !
> > > line con 0
> > > logging synchronous
> > > line 1 96
> > > no flush-at-activation
> > > modem InOut
> > > autocommand connect 199.212.94.66
> > > terminal-type vt100
> > > transport preferred rlogin
> > > transport input all
> > > autoselect during-login
> > > autoselect ppp
> > > autoselect timeout 4
> > > line aux 0
> > > line vty 0 4
> > > password *********
> > > login authentication LOCALAUTH
> > > !
> > > scheduler interval 1000
> > > !
> > > end
> >
> > > Thanks!
> >
> > > - Charles
> >
> > > > > I'm hoping my question is 'old', and all I need is to RTFM the appropriate
> > > > > archive or web reference:
> > > >
> > > > > AS5300 - Anyone ever run into a situation where the AS5300 does not
> > > > > properly send whatever 'code' is necessary to have a login host 'trust'
> > > > > the AS5300? The result to the end user is they have to login a second time
> > > > > when they get to the login host. Very annoying. I tried two different
> > > > > login hosts - one Solaris and the other Linux. Same behaviour.
> > > >
> > > > > The DNS/hosts entries have the AS5300 correctly identified (or so it
> > > > > seems), and they are properly entered in host.equiv but no joy.
> > > > > I'm using the two standard 'trusted' entries in the config, and there is
> > > > > no problem with authentication (via radius) on the AS5300. It just doesn't
> > > > > get 'trusted' when the Cisco connects to the loginhost....
> > > >
> > > > > If this doesn't leap out as an 'obvious' problem, I will post details of
> > > > > firmware and configuration, as needed. Thanks!
> > > >
> > > > > - Charles Gregory
> > > >
> > > > > _______________________________________________
> > > > > cisco-nas mailing list
> > > > > cisco-nas at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nas
> > > >
> >
> _______________________________________________
> cisco-nas mailing list
> cisco-nas at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas
More information about the cisco-nas
mailing list