[cisco-nas] isdn-bri dialing + CHAP + AAA
Félix Izquierdo
fizquierdo at l3consulting.com
Tue Dec 21 13:29:51 EST 2004
I remember the same problem also in the 12.3T branch when I changed a
pap configuration to chap on a CPE with aaa active.
debug aaa authentication & authorization will tell you where the
problem (or the bug) is. I remember solving it by configuring
authentication and authorization none for the dial-out interface.
Can you try it?
Tassos Chatzithomaoglou wrote:
> I'm trying to configure the following on a 1751 (12.3(11)T2), but it
> doesn't seem to be working.
>
> This bri is supposed to make an outgoing call to an AS5300. The AS5300
> already accepts calls from PC clients or other routers and it's working
> fine.
>
> !-----------------------------------------
> ! 1751 config
> !-----------------------------------------
> aaa new-model
> !
> aaa authentication login default enable
> aaa authentication ppp default local
> aaa authorization exec default local if-authenticated
> aaa authorization network default local
> !
> username user1 password pass1
> !
> interface BRI1/0
>  ip address x.x.x.x y.y.y.y
>  encapsulation ppp
>  dialer idle-timeout 600
>  dialer string xxxx
>  dialer-group 1
>  isdn switch-type basic-net3
>  no fair-queue
>  no cdp enable
>  ppp authentication chap callin
>  ppp chap hostname user1
>  ppp chap password pass1
> !-----------------------------------------
>
> !-----------------------------------------
> ! AS5300 config
> !-----------------------------------------
> aaa authentication ppp RADIUS-AAA if-needed group RADIUS-SERVERS
> aaa authorization network RADIUS-AAA group RADIUS-SERVERS
> aaa accounting network RADIUS-AAA start-stop group RADIUS-SERVERS-ACCT
> !-----------------------------------------
> interface Dialer2
>  ip unnumbered Loopback0
>  encapsulation ppp
>  no ip mroute-cache
>  dialer in-band
>  dialer idle-timeout 1200 either
>  dialer-group 1
>  peer default ip address pool isdn
>  ppp authentication pap chap ms-chap callin RADIUS-AAA
>  ppp authorization RADIUS-AAA
>  ppp accounting RADIUS-AAA
> !-----------------------------------------
>
> If I remove the whole aaa configuration from the 1751, then it's working
> fine (!). The user gets CHAP authenticated.
>
> If I add "ppp pap sent-username user1 password pass1" and ENABLE AAA (!)
> on the 1751, then it's working fine (!!). The user gets PAP authenticated.
>
> Is there a problem somewhere with chap and AAA?
>
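One way to express the suggestion in the reply on the 1751, as an added example that is not part of the original thread: named AAA method lists using `none` are bound to the dial-out BRI only, so the `default` lists quoted above keep applying everywhere else. The list names NO-AUTHEN and NO-AUTHOR are hypothetical, and whether this resolves the CHAP failure on 12.3(11)T2 is an assumption to confirm with the debugs named in the reply.

```cisco
! Added example. NO-AUTHEN and NO-AUTHOR are hypothetical list names.
! Global AAA from the quoted 1751 config stays unchanged.
aaa new-model
!
aaa authentication login default enable
aaa authentication ppp default local
aaa authorization exec default local if-authenticated
aaa authorization network default local
!
! Named lists with method "none", used only where explicitly referenced.
aaa authentication ppp NO-AUTHEN none
aaa authorization network NO-AUTHOR none
!
interface BRI1/0
 encapsulation ppp
 ! The router still answers the AS5300's CHAP challenge as user1.
 ppp chap hostname user1
 ppp chap password pass1
 ! Reference the named lists instead of the default lists on this interface.
 ppp authentication chap callin NO-AUTHEN
 ppp authorization NO-AUTHOR
```

Because the `none` lists are referenced only under BRI1/0, any other PPP interface on the router continues to use `aaa authentication ppp default local` and `aaa authorization network default local`.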