[c-nsp] ISDN Dialin RADIUS
Nick Shah
Nick.Shah at aapt.com.au
Tue Feb 1 18:14:44 EST 2005
Florian,

It looks like the IP addressing requirements are different for DIALUP &
ISDN. From your debug it looks like the RADIUS is sending IP ADDRESSES,
and you also have loopback0 unnumbered configured on the D channel config.
The loopback0 IP address seems to be from a different "network" than
what you are sending by RADIUS. There are 2 ways to achieve what you are
trying to do.

Static configuration: where you authenticate ISDN users locally. Then
you can have a config like this:
Username S232791-35 password blah
interface Serial0/1:15
ip address 192.168.11.62 255.255.255.192
no ip redirects
encapsulation ppp
dialer idle-timeout 604800
dialer enable-timeout 5
dialer wait-for-carrier-time 15
dialer map ip 192.168.11.1 name S232791-35 broadcast
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no cdp enable
ppp authentication chap pap isdn-access
ppp chap hostname whatever
ppp multilink
end
interface Group-Async1
ip unnumbered Loopback0
ip helper-address x.y.z.a
ip helper-address a.b.c.d
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async dynamic address
async mode interactive
ppp authentication pap chap
group-range 97 120
Or you can have something like this, where you are sending the IP address
from RADIUS. I would encourage using a /30 for each user:
interface Serial0/1:15
No ip address
no ip redirects
encapsulation ppp
dialer idle-timeout 604800
dialer enable-timeout 5
dialer wait-for-carrier-time 15
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no cdp enable
ppp authentication chap pap isdn-access
ppp chap hostname whatever
ppp multilink
end
interface Group-Async1
ip unnumbered Loopback0
ip helper-address x.y.z.a
ip helper-address a.b.c.d
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async dynamic address
async mode interactive
ppp authentication pap chap
group-range 97 120
rgds
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Florian Prester
Sent: Wednesday, 2 February 2005 3:00 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ISDN Dialin RADIUS
Hi,
I have no dialer config, I only have this:
interface Serial1/0:15
ip unnumbered Loopback0
ip pim sparse-mode
encapsulation ppp
dialer idle-timeout 6000
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn skip-async-callerid-check
no keepalive
no cdp enable
ppp authentication pap
ppp multilink
!
interface Group-Async0
ip unnumbered Loopback0
encapsulation ppp
ip tcp header-compression
dialer in-band
dialer idle-timeout 6000
async mode interactive
peer default ip address pool setup_pool
ppp authentication pap
group-range 65 94
.....
line 65 94
script modem-off-hook offhook
script callback callback
modem InOut
modem autoconfigure type mica
transport preferred none
transport input all
autoselect during-login
autoselect ppp
Josh Duffek wrote:
>I think radius is ok with IPCP happening:
>Feb 1 10:43:21.809: As84 AAA/AUTHOR/FSM: We can start IPCP
>
>What does your isdn/dialer interface config look like?
>
>Thanks,
>
>josh duffek network engineer
>consultantjd16 at ridemetro.org
>
>
>
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>bounces at puck.nether.net] On Behalf Of Florian Prester
>>Sent: Tuesday, February 01, 2005 6:59 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: [c-nsp] ISDN Dialin RADIUS
>>
>>Hi,
>>
>>I am using a CISCO (IOS (tm) 3700 Software (C3725-IPBASE-M), Version
>>12.3(10), RELEASE SOFTWARE (fc3)) as a dialin router. The modem-calls
>>succeed, but isdn-calls fail. First my Radius server is serving the
>>IP-Address of the calling client, the authentication succeeds as well.
>>But my NAS is or is not arguing with the caller, about the IP.
>>
>>############################################################
>>My AAA-Config:
>>
>>aaa new-model
>>!
>>!
>>aaa authentication login default group radius local none
>>aaa authentication enable default enable line none
>>aaa authentication ppp default if-needed group radius
>>aaa authorization exec default group radius local
>>aaa authorization network default group radius none
>>aaa accounting delay-start
>>aaa accounting exec default start-stop group radius
>>aaa accounting network default start-stop group radius
>>aaa accounting system default start-stop group radius
>>aaa session-id common
>>
>>###########################################################
>>My log:
>>
>>Feb 1 10:43:21.805: RADIUS: Received from id 1645/26 131.188.2.96:1812, Access-Accept, len 44
>>Feb 1 10:43:21.805: RADIUS: authenticator 54 3A 8C 7F C2 2C F9 1D - 57 2B 4C A4 EE 6F AE 62
>>Feb 1 10:43:21.805: RADIUS: Service-Type [6] 6 Framed [2]
>>Feb 1 10:43:21.805: RADIUS: Framed-Protocol [7] 6 PPP [1]
>>Feb 1 10:43:21.805: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
>>Feb 1 10:43:21.805: RADIUS: Framed-IP-Address [8] 6 10.10.47.167
>>Feb 1 10:43:21.805: RADIUS(00000040): Received from id 1645/26
>>Feb 1 10:43:21.805: As84 PPP: Received LOGIN Response PASS
>>Feb 1 10:43:21.805: As84 PPP/AAA: Check Attr: service-type
>>Feb 1 10:43:21.805: As84 PPP/AAA: Check Attr: Framed-Protocol
>>Feb 1 10:43:21.805: As84 PPP/AAA: Check Attr: netmask
>>Feb 1 10:43:21.805: As84 PPP/AAA: Check Attr: route: Peruser
>>Feb 1 10:43:21.805: As84 PPP/AAA: Check Attr: addr
>>Feb 1 10:43:21.805: As84 PPP: Phase is FORWARDING, Attempting Forward
>>Feb 1 10:43:21.805: As84 PPP: Phase is AUTHENTICATING, Authenticated User
>>Feb 1 10:43:21.805: As84 PAP: O AUTH-ACK id 1 len 5
>>Feb 1 10:43:21.809: As84 PPP: Phase is UP
>>Feb 1 10:43:21.809: As84 AAA/AUTHOR/FSM: We can start IPCP
>>Feb 1 10:43:21.809: As84 IPCP: O CONFREQ [Closed] id 1 len 16
>>Feb 1 10:43:21.809: As84 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
>>Feb 1 10:43:21.809: As84 IPCP: Address 192.44.86.6 (0x0306C02C5606)
>>Feb 1 10:43:21.809: As84 PPP: Process pending ncp packets
>>Feb 1 10:43:21.929: As84 CCP: I CONFREQ [Not negotiated] id 1 len 10
>>Feb 1 10:43:21.929: As84 CCP: Deflate 0x7800 (0x1A047800)
>>Feb 1 10:43:21.929: As84 CCP: Predictor1 (0x0102)
>>Feb 1 10:43:21.929: As84 LCP: O PROTREJ [Open] id 2 len 16 protocol CCP (0x80FD0101000A1A0478000102)
>>Feb 1 10:43:21.929: As84 IPCP: I CONFREQ [REQsent] id 1 len 28
>>Feb 1 10:43:21.933: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:21.933: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:21.933: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:21.933: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:21.933: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:21.933: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:21.933: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:21.933: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:21.933: As84 IPCP: O CONFREJ [REQsent] id 1 len 10
>>Feb 1 10:43:21.933: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:21.945: As84 IPV6CP: I CONFREQ [Not negotiated] id 1 len 14
>>Feb 1 10:43:21.945: As84 IPV6CP: Interface-Id 020F:1FFF:FEBC:983A (0x010A020F1FFFFEBC983A)
>>Feb 1 10:43:21.945: As84 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x80570101000E010A020F1FFFFEBC983A)
>>Feb 1 10:43:21.945: As84 IPCP: I CONFACK [REQsent] id 1 len 16
>>Feb 1 10:43:21.945: As84 IPCP: CompressType VJ 15 slots (0x0206002D0F00)
>>Feb 1 10:43:21.945: As84 IPCP: Address 192.44.86.6 (0x0306C02C5606)
>>Feb 1 10:43:22.053: As84 IPCP: I CONFREQ [ACKrcvd] id 2 len 28
>>Feb 1 10:43:22.053: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.053: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.053: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.053: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.053: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.053: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.053: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.053: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.053: As84 IPCP: O CONFREJ [ACKrcvd] id 2 len 10
>>Feb 1 10:43:22.053: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.053: As84 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
>>Feb 1 10:43:22.053: As84 LCP: O PROTREJ [Open] id 4 len 10 protocol IPV6CP (0x805705010004)
>>Feb 1 10:43:22.157: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.157: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.157: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.157: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.157: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.157: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.157: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.157: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.157: As84 IPCP: O CONFREJ [ACKrcvd] id 3 len 10
>>Feb 1 10:43:22.157: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.265: As84 IPCP: I CONFREQ [ACKrcvd] id 4 len 28
>>Feb 1 10:43:22.265: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.265: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.265: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.265: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.265: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.265: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.265: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.265: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.265: As84 IPCP: O CONFREJ [ACKrcvd] id 4 len 10
>>Feb 1 10:43:22.265: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.381: As84 IPCP: I CONFREQ [ACKrcvd] id 5 len 28
>>Feb 1 10:43:22.381: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.381: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.381: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.381: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.381: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.381: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.381: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.381: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.381: As84 IPCP: O CONFREJ [ACKrcvd] id 5 len 10
>>Feb 1 10:43:22.381: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.501: As84 IPCP: I CONFREQ [ACKrcvd] id 6 len 28
>>Feb 1 10:43:22.501: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.501: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.501: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.501: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.501: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.501: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.501: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.501: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.501: As84 IPCP: O CONFREJ [ACKrcvd] id 6 len 10
>>Feb 1 10:43:22.501: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.625: As84 IPCP: I CONFREQ [ACKrcvd] id 7 len 28
>>Feb 1 10:43:22.625: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.625: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.625: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.625: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.625: As84 IPCP: Cannot satisfy pool request
>>Feb 1 10:43:22.625: As84 IPCP: Neither side knows remote address
>>Feb 1 10:43:22.625: As84 AAA/AUTHOR/IPCP: no author-info for primary dns
>>Feb 1 10:43:22.625: As84 AAA/AUTHOR/IPCP: no author-info for seconday dns
>>Feb 1 10:43:22.625: As84 IPCP: O CONFREJ [ACKrcvd] id 7 len 10
>>Feb 1 10:43:22.625: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.745: As84 IPCP: I CONFREQ [ACKrcvd] id 8 len 28
>>Feb 1 10:43:22.745: As84 IPCP: Address 0.0.0.0 (0x030600000000)
>>Feb 1 10:43:22.745: As84 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
>>Feb 1 10:43:22.745: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
>>Feb 1 10:43:22.745: As84 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
>>Feb 1 10:43:22.745: As84 IPCP: Cannot satisfy pool request
>>############################################################
>>
>>If someone can help me, thanks.
>>
>> Florian Prester
>>
>>P.S.: The client is tested.
>>
>>--
>>--------------------------------------------------------------
>>Dipl. Inf. Florian Prester
>>Network Administration
>>Regionales RechenZentrum Erlangen
>>Universitaet Erlangen-Nuernberg
>>Germany
>>
>>Tel.: +499131 8527813
>>
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
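
Added example, not part of the original thread or anyone's posted code: a Python check that decodes the IPCP option hex from the debug output and compares the RADIUS-assigned address with the address the NAS itself offers, which is the mismatch pointed out in the reply at the top. The function names are hypothetical, the sample lines are excerpted from the quoted debug, and treating Framed-IP-Netmask as the boundary of the RADIUS-assigned network is an assumption.

```python
import ipaddress
import re

# Excerpt of the debug output quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Feb 1 10:43:21.805: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
Feb 1 10:43:21.805: RADIUS: Framed-IP-Address [8] 6 10.10.47.167
Feb 1 10:43:21.809: As84 IPCP: O CONFREQ [Closed] id 1 len 16
Feb 1 10:43:21.809: As84 IPCP: Address 192.44.86.6 (0x0306C02C5606)
Feb 1 10:43:21.929: As84 IPCP: I CONFREQ [REQsent] id 1 len 28
Feb 1 10:43:21.933: As84 IPCP: Address 0.0.0.0 (0x030600000000)
Feb 1 10:43:21.933: As84 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
Feb 1 10:43:21.933: As84 IPCP: Cannot satisfy pool request
Feb 1 10:43:21.933: As84 IPCP: O CONFREJ [REQsent] id 1 len 10
Feb 1 10:43:21.933: As84 IPCP: Address 0.0.0.0 (0x030600000000)
"""

# IPCP option types (RFC 1332, RFC 1877) that carry an IPv4 address.
ADDR_OPTS = {3: "IP-Address", 129: "Primary-DNS", 131: "Secondary-DNS"}

def decode_ipcp_option(hex_tlv):
    """Decode one option as IOS prints it, e.g. '0x0306C02C5606'."""
    raw = bytes.fromhex(hex_tlv[2:])
    opt_type, length, value = raw[0], raw[1], raw[2:]
    if length != len(raw):
        raise ValueError("length field does not match option size")
    if opt_type in ADDR_OPTS:
        return ADDR_OPTS[opt_type], str(ipaddress.IPv4Address(value))
    return f"type-{opt_type}", value.hex()

def diagnose(log):
    """Compare what RADIUS assigned with what each side put into IPCP."""
    radius, offered, direction, pool_failure = {}, {"O": None, "I": None}, None, False
    for line in log.splitlines():
        if m := re.search(r"RADIUS:\s+(Framed-IP-\w+)\s+\[\d+\]\s+\d+\s+(\S+)", line):
            radius[m.group(1)] = m.group(2)
        if m := re.search(r"IPCP: ([IO]) CONF(REQ|ACK|NAK|REJ)", line):
            # Only options listed under a CONFREQ are that side's own request.
            direction = m.group(1) if m.group(2) == "REQ" else None
        if (m := re.search(r"IPCP:\s+Address\s+\S+\s+\((0x[0-9A-Fa-f]+)\)", line)) and direction:
            offered[direction] = decode_ipcp_option(m.group(1))[1]
        pool_failure |= "Cannot satisfy pool request" in line
    # Assumption: Framed-IP-Netmask defines the network RADIUS hands out.
    net = ipaddress.IPv4Network(
        f"{radius['Framed-IP-Address']}/{radius['Framed-IP-Netmask']}", strict=False)
    return {"radius_address": radius["Framed-IP-Address"],
            "nas_address": offered["O"], "peer_requested": offered["I"],
            "nas_in_radius_network": ipaddress.IPv4Address(offered["O"]) in net,
            "pool_failure": pool_failure}
```

Calling `diagnose(SAMPLE_LOG)` returns a dict whose `nas_in_radius_network` and `pool_failure` fields summarise the two symptoms visible in the debug.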