[cisco-nas] isdn-bri dialing + CHAP + AAA

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Dec 23 12:06:02 EST 2004


Thx Dennis...once more ;-)

The workaround solved my problem.

Dennis Peng wrote on 21/12/2004 20:12:

> You are running into CSCef82993 which is submitted to fix a
> long-standing IOS behaviour which causes PPP to acknowledge PAP when
> "aaa new-model" is configured, even if pap sent-username hasn't been
> enabled. The workaround would be to configure "ppp pap refuse" on the
> 1751 BRI interface.
> 
> Dennis
> 
> Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
> 
>>I'm trying to configure the following on a 1751 (12.3(11)T2), but it 
>>doesn't seem to be working.
>>
>>This BRI is supposed to make an outgoing call to an AS5300. The AS5300 
>>already accepts calls from PC clients or other routers and it's working 
>>fine.
>>
>>!-----------------------------------------
>>! 1751 config
>>!-----------------------------------------
>>aaa new-model
>>!
>>aaa authentication login default enable
>>aaa authentication ppp default local
>>aaa authorization exec default local if-authenticated
>>aaa authorization network default local
>>!
>>username user1 password pass1
>>!
>>interface BRI1/0
>> ip address x.x.x.x y.y.y.y
>> encapsulation ppp
>> dialer idle-timeout 600
>> dialer string xxxx
>> dialer-group 1
>> isdn switch-type basic-net3
>> no fair-queue
>> no cdp enable
>> ppp authentication chap callin
>> ppp chap hostname user1
>> ppp chap password pass1
>>!-----------------------------------------
>>
>>!-----------------------------------------
>>! AS5300 config
>>!-----------------------------------------
>>aaa authentication ppp RADIUS-AAA if-needed group RADIUS-SERVERS
>>aaa authorization network RADIUS-AAA group RADIUS-SERVERS
>>aaa accounting network RADIUS-AAA start-stop group RADIUS-SERVERS-ACCT
>>!-----------------------------------------
>>interface Dialer2
>> ip unnumbered Loopback0
>> encapsulation ppp
>> no ip mroute-cache
>> dialer in-band
>> dialer idle-timeout 1200 either
>> dialer-group 1
>> peer default ip address pool isdn
>> ppp authentication pap chap ms-chap callin RADIUS-AAA
>> ppp authorization RADIUS-AAA
>> ppp accounting RADIUS-AAA
>>!-----------------------------------------
>>
>>If I remove the whole aaa configuration from the 1751, then it's working 
>>fine (!). The user gets CHAP authenticated.
>>
>>If I add "ppp pap sent-username user1 password pass1" and ENABLE AAA (!) on 
>>the 1751, then it's working fine (!!). The user gets PAP authenticated.
>>
>>Is there a problem somewhere with CHAP and AAA?
>>
>>
>>_______________________________________________
>>cisco-nas mailing list
>>cisco-nas at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nas
> 
> 
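
A configuration check for the workaround described in this thread, as an added example that is not part of the original messages: it flags PPP interfaces in an IOS configuration that has "aaa new-model" but neither "ppp pap refuse" nor "ppp pap sent-username", the condition under which CSCef82993 applies. The function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample, reduced from the 1751 configuration quoted in the thread.
SAMPLE_1751 = """\
aaa new-model
!
interface BRI1/0
 encapsulation ppp
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password pass1
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return (aaa_new_model_present, {interface name: [sub-commands]})."""
    aaa, interfaces, current = False, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if re.match(r"^aaa new-model\s*$", line):
            aaa = True
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # indented line: interface sub-command
        else:
            current = None  # any other non-indented line ends the block
    return aaa, interfaces

def pap_ack_findings(config):
    """Names of PPP interfaces that may acknowledge PAP under "aaa new-model"."""
    aaa, interfaces = parse_interfaces(config)
    findings = []
    for name, cmds in interfaces.items():
        if not aaa or "encapsulation ppp" not in cmds:
            continue
        if any(c.startswith("ppp pap refuse") for c in cmds):
            continue  # workaround from the thread is already applied
        if any(c.startswith("ppp pap sent-username") for c in cmds):
            continue  # PAP is configured deliberately, a different case
        findings.append(name)
    return findings
```
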


