[cisco-nas] isdn-bri dialing + CHAP + AAA

Dennis Peng dpeng at cisco.com
Tue Dec 21 13:12:53 EST 2004


You are running into CSCef82993 which is submitted to fix a
long-standing IOS behaviour which causes PPP to acknowledge PAP when
"aaa new-model" is configured, even if pap sent-username hasn't been
enabled. The workaround would be to configure "ppp pap refuse" on the
1751 BRI interface.

Dennis

Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
> I'm trying to configure the following on a 1751 (12.3(11)T2), but it 
> doesn't seem to be working.
> 
> This bri is supposed to make an outgoing call to an AS5300. The AS5300 
> already accepts calls from PC clients or other routers and it's working 
> fine.
> 
> !-----------------------------------------
> ! 1751 config
> !-----------------------------------------
> aaa new-model
> !
> aaa authentication login default enable
> aaa authentication ppp default local
> aaa authorization exec default local if-authenticated
> aaa authorization network default local
> !
> username user1 password pass1
> !
> interface BRI1/0
>  ip address x.x.x.x y.y.y.y
>  encapsulation ppp
>  dialer idle-timeout 600
>  dialer string xxxx
>  dialer-group 1
>  isdn switch-type basic-net3
>  no fair-queue
>  no cdp enable
>  ppp authentication chap callin
>  ppp chap hostname user1
>  ppp chap password pass1
> !-----------------------------------------
> 
> !-----------------------------------------
> ! AS5300 config
> !-----------------------------------------
> aaa authentication ppp RADIUS-AAA if-needed group RADIUS-SERVERS
> aaa authorization network RADIUS-AAA group RADIUS-SERVERS
> aaa accounting network RADIUS-AAA start-stop group RADIUS-SERVERS-ACCT
> !-----------------------------------------
> interface Dialer2
>  ip unnumbered Loopback0
>  encapsulation ppp
>  no ip mroute-cache
>  dialer in-band
>  dialer idle-timeout 1200 either
>  dialer-group 1
>  peer default ip address pool isdn
>  ppp authentication pap chap ms-chap callin RADIUS-AAA
>  ppp authorization RADIUS-AAA
>  ppp accounting RADIUS-AAA
> !-----------------------------------------
> 
> If I remove the whole aaa configuration from the 1751, then it's working 
> fine (!). The user gets CHAP authenticated.
> 
> If I add "ppp pap sent-username user1 password pass1" and ENABLE AAA (!) on 
> the 1751, then it's working fine (!!). The user gets PAP authenticated.
> 
> Is there a problem somewhere with chap and AAA?
> 
> 
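As an added illustration (not IOS code and not from the thread), a small Python model of the LCP authentication-protocol negotiation Dennis describes: the AS5300 proposes methods in its "ppp authentication pap chap ms-chap callin" order and the 1751 Acks or Naks each one, so a 1751 that Acks PAP without a sent-username ends up with nothing to authenticate with. The Router1751 class, its flag names and the unfixed_ios switch are assumptions standing in for the configuration keywords; the option numbers are the RFC values.

```python
from dataclasses import dataclass
from typing import Optional

# LCP Authentication-Protocol option values (RFC 1334 PAP, RFC 1994 CHAP);
# CHAP carries an algorithm byte: 0x05 = MD5, 0x80 = MS-CHAP.
PAP, CHAP = 0xC023, 0xC223
MD5, MSCHAP = 0x05, 0x80

# What the AS5300 proposes, in "ppp authentication pap chap ms-chap callin" order.
AS5300_ORDER = [(PAP, None), (CHAP, MD5), (CHAP, MSCHAP)]

@dataclass
class Router1751:
    """Constructed model of the calling BRI router; config lines mapped to flags."""
    chap_hostname: Optional[str] = None      # ppp chap hostname <name>
    pap_sent_username: Optional[str] = None  # ppp pap sent-username <name> password <pw>
    pap_refuse: bool = False                 # ppp pap refuse (the workaround)
    aaa_new_model: bool = False              # aaa new-model
    unfixed_ios: bool = True                 # behaviour before the CSCef82993 fix

    def accepts(self, proto, algo):
        """Would this side Configure-Ack the proposed authentication protocol?"""
        if proto == PAP:
            if self.pap_refuse:
                return False
            if self.pap_sent_username:
                return True
            # The defect: with aaa new-model, PAP is Acked although there is
            # no sent-username to answer the PAP request with.
            return self.aaa_new_model and self.unfixed_ios
        # Assumption: the caller only does MD5 CHAP, using its chap hostname.
        return proto == CHAP and algo == MD5 and self.chap_hostname is not None

def negotiate(peer, order=AS5300_ORDER):
    """Ack the first proposed method the peer accepts, Nak the others
    (RFC 1661 Configure-Nak). Returns (agreed_method_or_None, transcript)."""
    transcript = []
    for proto, algo in order:
        if peer.accepts(proto, algo):
            transcript.append(("Configure-Ack", proto, algo))
            return (proto, algo), transcript
        transcript.append(("Configure-Nak", proto, algo))
    return None, transcript

def authenticate(peer):
    """Outcome of the authentication phase given what LCP agreed on."""
    agreed, _ = negotiate(peer)
    if agreed is None:
        return "no-common-method"
    if agreed[0] == PAP:
        return "pap-ok" if peer.pap_sent_username else "pap-failed-no-credentials"
    return "chap-ok"
```

The three cases Tassos reports (AAA on, AAA off, AAA on plus sent-username) and Dennis's "ppp pap refuse" workaround are the four configurations worth feeding to authenticate().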