[c-nsp] ISDN Dialin RADIUS

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Feb 2 03:23:22 EST 2005


Florian,

can you please add virtual-profile configuration and try again?

virtual-profile virtual-template 1
interface Virtual-template 1
 ip unnumbered Loopback0
 encapsulation ppp
 peer default ip address pool setup_pool
 ppp authentication pap

The call fails as the router tries to terminate it on a virtual-access
interface, but due to the missing virtual-template config, the
virtual-access interface has no network protocol config (in particular
no IP config), and all NCP attempts fail.   

	oli

P.S: This is a different debug than the one you sent originally..

Florian Prester <> wrote on Wednesday, February 02, 2005 9:00 AM:

> Hi,
> YES, the RADIUS is assigning IP addresses for all users.
> 
> #######################################################
> following-Config:
> 
> current configuration : 8815 bytes
> !
> ! Last configuration change at 08:35:57 MET Wed Feb 2 2005 by @admin
> ! NVRAM config last updated at 12:15:36 MET Tue Feb 1 2005 by @admin
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service linenumber
> !
> hostname modem-i1
> !
> boot-start-marker
> boot system flash flash:c3725-ipbase-mz.123-10.bin
> boot-end-marker
> !
> card type e1 1
> logging buffered 512000 debugging
> !
> clock timezone MET 1
> clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
> modem country mica germany
> aaa new-model
> !
> !
> aaa authentication login default group radius local none
> aaa authentication enable default enable line none
> aaa authentication ppp default if-needed group radius
> aaa authorization exec default group radius local
> aaa authorization network default group radius none
> aaa accounting delay-start
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> aaa accounting system default start-stop group radius
> aaa session-id common
> ip subnet-zero
> no ip source-route
> ip cef
> isdn switch-type primary-net5
> isdn logging
> !
> chat-script offhook "" "ATH1" OK
> chat-script callback ABORT ERROR ABORT BUSY "" "ATDT\T" TIMEOUT 60 "CONNECT" \C
> !
> !
> controller E1 1/0
> pri-group timeslots 1-31
> !
> !
> interface Loopback0
> ip address 192.44.86.6 255.255.255.255
> !
> interface FastEthernet0/1
> ip address 192.44.86.36 255.255.255.224
> ip access-group 101 out
> ip mask-reply
> ip directed-broadcast 3
> no ip proxy-arp
> ip pim sparse-dense-mode
> ip multicast ttl-threshold 16
> no ip route-cache cef
> no ip route-cache
> ip cgmp
> no ip mroute-cache
> ip ospf cost 1
> duplex auto
> speed auto
> !
> interface Serial1/0:15
> ip unnumbered Loopback0
> ip pim sparse-mode
> encapsulation ppp
> dialer idle-timeout 6000
> dialer-group 1
> isdn switch-type primary-net5
> isdn incoming-voice modem
> isdn skip-async-callerid-check
> no peer default ip address
> no keepalive
> no cdp enable
> ppp authentication pap
> ppp multilink
> !
> interface Group-Async0
> ip unnumbered Loopback0
> encapsulation ppp
> ip tcp header-compression
> dialer in-band
> dialer idle-timeout 6000
> async mode interactive
> peer default ip address pool setup_pool
> ppp authentication pap
> group-range 65 94
> !
> router ospf 1
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> network 10.8.0.0 0.0.255.255 area 0.0.0.0
> network 192.44.86.32 0.0.0.31 area 0.0.0.0
> !
> ip local pool setup-pool 172.16.21.1 172.16.21.30
> ip default-gateway 192.44.86.34
> ip classless
> ip default-network 0.0.0.0
> ip route 0.0.0.0 0.0.0.0 192.44.86.35
> ip route 0.0.0.0 0.0.0.0 192.44.86.34 150
> ip route 0.0.0.0 0.0.0.0 Null0 200
> ip route 192.44.83.24 255.255.255.248 192.44.82.78
> ip route 192.44.83.40 255.255.255.248 192.44.82.140
> ip route 192.44.83.48 255.255.255.248 192.44.82.48
> ip route 192.44.83.56 255.255.255.248 192.44.82.35
> ip route 192.44.90.0 255.255.255.0 192.44.82.11
> no ip http server
> ip pim accept-rp auto-rp
> ip ospf name-lookup
> line con 0
> line 65 94
> script modem-off-hook offhook
> script callback callback
> modem InOut
> modem autoconfigure type mica
> transport preferred none
> transport input all
> autoselect during-login
> autoselect ppp
> line aux 0
> no exec
> line vty 0 4
> session-timeout 60 output
> exec-timeout 60 0
> history size 100
> transport preferred none
> escape-character 3
> !
> 
> ################################################################
> following DEBUG:
> 
> General OS:
> AAA Authentication debugging is on
> AAA Authorization debugging is on
> Generic IP:
> IP peer address activity debugging is on
> PPP:
> PPP authentication debugging is on
> PPP protocol errors debugging is on
> PPP protocol negotiation debugging is on
> 
> Radius protocol debugging is on
> Radius packet protocol debugging is on
> 
> ###############################################################
> following DEBUG-OUTPUT:
> Feb 2 07:36:03.478: AAA/BIND(00000162): Bind i/f Serial1/0:0
> Feb 2 07:36:03.478: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=1,
> ds0=16777216
> Feb 2 08:36:03.490 MET: %LINK-3-UPDOWN: Interface Serial1/0:0, changed
> state to up
> Feb 2 07:36:03.490: Se1/0:0 PPP: Using dialer call direction
> Feb 2 07:36:03.490: Se1/0:0 PPP: Treating connection as a callin
> Feb 2 07:36:03.490: Se1/0:0 PPP: Phase is ESTABLISHING, Passive Open
> Feb 2 07:36:03.490: Se1/0:0 LCP: State is Listen
> Feb 2 07:36:05.482: Se1/0:0 LCP: TIMEout: State Listen
> Feb 2 07:36:05.482: Se1/0:0 PPP: Authorization required
> Feb 2 07:36:05.482: Se1/0:0 AAA/AUTHOR/LCP: Authorization succeeds trivially
> Feb 2 07:36:05.482: Se1/0:0 LCP: O CONFREQ [Listen] id 7 len 29
> Feb 2 07:36:05.482: Se1/0:0 LCP: AuthProto PAP (0x0304C023)
> Feb 2 07:36:05.482: Se1/0:0 LCP: MagicNumber 0x14AD3E2C (0x050614AD3E2C)
> Feb 2 07:36:05.482: Se1/0:0 LCP: MRRU 1524 (0x110405F4)
> Feb 2 07:36:05.482: Se1/0:0 LCP: EndpointDisc 1 modem-i1 (0x130B016D6F64656D2D6931)
> Feb 2 07:36:05.498: Se1/0:0 LCP: I CONFREQ [REQsent] id 1 len 14
> Feb 2 07:36:05.498: Se1/0:0 LCP: MRU 1500 (0x010405DC)
> Feb 2 07:36:05.498: Se1/0:0 LCP: MagicNumber 0x5E52C3ED (0x05065E52C3ED)
> Feb 2 07:36:05.498: Se1/0:0 LCP: O CONFACK [REQsent] id 1 len 14
> Feb 2 07:36:05.498: Se1/0:0 LCP: MRU 1500 (0x010405DC)
> Feb 2 07:36:05.498: Se1/0:0 LCP: MagicNumber 0x5E52C3ED (0x05065E52C3ED)
> Feb 2 07:36:05.502: Se1/0:0 LCP: I CONFREJ [ACKsent] id 7 len 8
> Feb 2 07:36:05.502: Se1/0:0 LCP: MRRU 1524 (0x110405F4)
> Feb 2 07:36:05.502: Se1/0:0 LCP: O CONFREQ [ACKsent] id 8 len 25
> Feb 2 07:36:05.502: Se1/0:0 LCP: AuthProto PAP (0x0304C023)
> Feb 2 07:36:05.502: Se1/0:0 LCP: MagicNumber 0x14AD3E2C (0x050614AD3E2C)
> Feb 2 07:36:05.502: Se1/0:0 LCP: EndpointDisc 1 modem-i1 (0x130B016D6F64656D2D6931)
> Feb 2 07:36:05.522: Se1/0:0 LCP: I CONFACK [ACKsent] id 8 len 25
> Feb 2 07:36:05.522: Se1/0:0 LCP: AuthProto PAP (0x0304C023)
> Feb 2 07:36:05.522: Se1/0:0 LCP: MagicNumber 0x14AD3E2C (0x050614AD3E2C)
> Feb 2 07:36:05.522: Se1/0:0 LCP: EndpointDisc 1 modem-i1 (0x130B016D6F64656D2D6931)
> Feb 2 07:36:05.522: Se1/0:0 LCP: State is Open
> Feb 2 07:36:05.522: Se1/0:0 PPP: Phase is AUTHENTICATING, by this end
> Feb 2 07:36:05.526: Se1/0:0 PAP: I AUTH-REQ id 1 len 20 from "goofy"
> Feb 2 07:36:05.526: Se1/0:0 PAP: Authenticating peer goofy
> Feb 2 07:36:05.526: Se1/0:0 PPP: Phase is FORWARDING, Attempting Forward
> Feb 2 07:36:05.526: Se1/0:0 PPP: Phase is AUTHENTICATING, Unauthenticated User
> Feb 2 07:36:05.526: AAA/AUTHEN/PPP (00000162): Pick method list 'default'
> Feb 2 07:36:05.526: Se1/0:0 PPP: Sent PAP LOGIN Request
> Feb 2 07:36:05.526: RADIUS/ENCODE(00000162):Orig. component type = ISDN
> Feb 2 07:36:05.526: RADIUS: AAA Unsupported Attr: interface [153] 11
> Feb 2 07:36:05.526: RADIUS: 53 65 72 69 61 6C 31 2F 30 [Serial1/0]
> Feb 2 07:36:05.526: RADIUS(00000162): Storing nasport 20000 in rad_db
> Feb 2 07:36:05.526: RADIUS(00000162): Config NAS IP: 0.0.0.0
> Feb 2 07:36:05.526: RADIUS/ENCODE(00000162): acct_session_id: 355
> Feb 2 07:36:05.526: RADIUS(00000162): sending
> Feb 2 07:36:05.526: RADIUS/ENCODE: Best Local IP-Address NAS-IP for
> Radius-Server RADIUS
> Feb 2 07:36:05.526: RADIUS(00000162): Send Access-Request to
> RADIUS:1812 
> id 1645/69, len 107
> Feb 2 07:36:05.526: RADIUS: authenticator 23 E7 EC F2 1C 4C 00 AD - 73
> E7 20 AE 33 43 31 CA
> Feb 2 07:36:05.526: RADIUS: Framed-Protocol [7] 6 PPP [1]
> Feb 2 07:36:05.526: RADIUS: User-Name [1] 8 "goofy"
> Feb 2 07:36:05.526: RADIUS: User-Password [2] 18 *
> Feb 2 07:36:05.526: RADIUS: NAS-Port [5] 6 20000
> Feb 2 07:36:05.526: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
> Feb 2 07:36:05.526: RADIUS: Calling-Station-Id [31] 12 "phone-nr"
> Feb 2 07:36:05.526: RADIUS: Called-Station-Id [30] 7 "71840"
> Feb 2 07:36:05.526: RADIUS: Connect-Info [77] 12 "64000 HDLC"
> Feb 2 07:36:05.526: RADIUS: Service-Type [6] 6 Framed [2]
> Feb 2 07:36:05.526: RADIUS: NAS-IP-Address [4] 6 NAS-IP
> Feb 2 07:36:05.534: RADIUS: Received from id 1645/69 RADIUS:1812,
> Access-Accept, len 44
> Feb 2 07:36:05.534: RADIUS: authenticator 2D 7A 6E CD C0 80 0A 58 - 8C
> D7 35 13 02 6A D8 D9
> Feb 2 07:36:05.534: RADIUS: Service-Type [6] 6 Framed [2]
> Feb 2 07:36:05.534: RADIUS: Framed-Protocol [7] 6 PPP [1]
> Feb 2 07:36:05.534: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.0
> Feb 2 07:36:05.534: RADIUS: Framed-IP-Address [8] 6 10.10.47.167
> Feb 2 07:36:05.534: RADIUS(00000162): Received from id 1645/69
> Feb 2 07:36:05.534: Se1/0:0 PPP: Received LOGIN Response PASS
> Feb 2 07:36:05.534: Se1/0:0 PPP/AAA: Check Attr: service-type
> Feb 2 07:36:05.534: Se1/0:0 PPP/AAA: Check Attr: Framed-Protocol
> Feb 2 07:36:05.534: Se1/0:0 PPP/AAA: Check Attr: netmask
> Feb 2 07:36:05.534: Se1/0:0 PPP/AAA: Check Attr: route: Peruser
> Feb 2 07:36:05.534: Se1/0:0 PPP/AAA: Check Attr: addr
> Feb 2 07:36:05.534: Se1/0:0 PPP: Phase is FORWARDING, Attempting Forward
> Feb 2 07:36:05.534: Se1/0:0 PPP: Phase is AUTHENTICATING, Authenticated User
> Feb 2 07:36:05.534: Se1/0:0 AAA/AUTHOR/LCP: Process Author
> Feb 2 07:36:05.534: Se1/0:0 AAA/AUTHOR/LCP: Process Attr: service-type
> Feb 2 07:36:05.534: Se1/0:0 PAP: O AUTH-ACK id 1 len 5
> Feb 2 07:36:05.534: Se1/0:0 PPP: Phase is FORWARDING
> Feb 2 07:36:05.534: Vi1 PPP: Phase is DOWN, Setup
> Feb 2 07:36:05.534: AAA/BIND(00000162): Bind i/f Virtual-Access1
> Feb 2 07:36:05.534: Vi1 PPP: Authorization required
> Feb 2 07:36:05.534: Vi1 PPP: No remote authentication for call-in
> Feb 2 07:36:05.534: Vi1 PPP: Phase is ESTABLISHING
> Feb 2 07:36:05.534: Se1/0:0 PPP: Phase is FORWARDED
> Feb 2 07:36:05.534: Vi1 LCP: I FORCED rcvd CONFACK len 21
> Feb 2 07:36:05.534: Vi1 LCP: AuthProto PAP (0x0304C023)
> Feb 2 07:36:05.534: Vi1 LCP: MagicNumber 0x14AD3E2C (0x050614AD3E2C)
> Feb 2 07:36:05.538: Vi1 LCP: EndpointDisc 1 modem-i1
> (0x130B016D6F64656D2D6931)
> Feb 2 07:36:05.538: Vi1 LCP: I FORCED sent CONFACK len 10
> Feb 2 07:36:05.538: Vi1 LCP: MRU 1500 (0x010405DC)
> Feb 2 07:36:05.538: Vi1 LCP: MagicNumber 0x5E52C3ED (0x05065E52C3ED)
> Feb 2 07:36:05.538: Vi1 PPP: Phase is AUTHENTICATING, by this end
> Feb 2 07:36:05.538: Vi1 AAA/AUTHOR/LCP: Process Author
> Feb 2 07:36:05.538: Vi1 AAA/AUTHOR/LCP: Process Attr: service-type
> Feb 2 07:36:05.538: Vi1 PPP: Phase is UP
> Feb 2 07:36:05.538: Vi1 PPP: Process pending ncp packets
> Feb 2 07:36:05.538: Se1/0:0 PPP: Process pending ncp packets
> Feb 2 08:36:05.538 MET: %LINK-3-UPDOWN: Interface Virtual-Access1,
> changed state to up
> Feb 2 07:36:05.550: Vi1 CCP: I CONFREQ [Not negotiated] id 1 len 10
> Feb 2 07:36:05.550: Vi1 CCP: Deflate 0x7800 (0x1A047800)
> Feb 2 07:36:05.550: Vi1 CCP: Predictor1 (0x0102)
> Feb 2 07:36:05.550: Vi1 LCP: O PROTREJ [Open] id 1 len 16 protocol CCP
> (0x80FD0101000A1A0478000102)
> Feb 2 07:36:05.554: Vi1 IPCP: I CONFREQ [Not negotiated] id 1 len 28
> Feb 2 07:36:05.554: Vi1 IPCP: Address 0.0.0.0 (0x030600000000)
> Feb 2 07:36:05.554: Vi1 IPCP: CompressType VJ 15 slots CompressSlotID
> (0x0206002D0F01)
> Feb 2 07:36:05.554: Vi1 IPCP: PrimaryDNS 131.188.3.73 (0x810683BC0349)
> Feb 2 07:36:05.554: Vi1 IPCP: SecondaryDNS 255.255.255.255 (0x8306FFFFFFFF)
> Feb 2 07:36:05.554: Vi1 LCP: O PROTREJ [Open] id 2 len 34 protocol IPCP
> Feb 2 07:36:05.554: Vi1 LCP: (0x80210101001C0306000000000206002D)
> Feb 2 07:36:05.554: Vi1 LCP: (0x0F01810683BC03498306FFFFFFFF)
> Feb 2 07:36:05.558: Vi1 IPV6CP: I CONFREQ [Not negotiated] id 1 len 14
> Feb 2 07:36:05.558: Vi1 IPV6CP: Interface-Id 0207:E9FF:FE5D:BB9E
> (0x010A0207E9FFFE5DBB9E)
> Feb 2 07:36:05.558: Vi1 LCP: O PROTREJ [Open] id 3 len 20 protocol
> IPV6CP (0x80570101000E010A0207E9FFFE5DBB9E)
> Feb 2 07:36:05.570: Vi1 IPCP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:05.570: Vi1 IPCP: Lower layer not up, discarding packet
> Feb 2 07:36:05.574: Vi1 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:05.574: Vi1 LCP: O PROTREJ [Open] id 4 len 10 protocol
> IPV6CP (0x805705010004)
> Feb 2 08:36:06.534 MET: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Serial1/0:0, changed state to up
> Feb 2 08:36:06.538 MET: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Virtual-Access1, changed state to up
> Feb 2 07:36:08.674: Vi1 IPCP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:08.674: Vi1 IPCP: Lower layer not up, discarding packet
> Feb 2 07:36:08.678: Vi1 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:08.678: Vi1 LCP: O PROTREJ [Open] id 5 len 10 protocol
> IPV6CP (0x805705010004)
> Feb 2 08:36:09.490 MET: %ISDN-6-CONNECT: Interface Serial1/0:0 is now
> connected to phone-nr goofy
> Feb 2 07:36:11.746: Vi1 IPCP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:11.746: Vi1 IPCP: Lower layer not up, discarding packet
> Feb 2 07:36:11.746: Vi1 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:11.746: Vi1 LCP: O PROTREJ [Open] id 6 len 10 protocol
> IPV6CP (0x805705010004)
> Feb 2 07:36:14.814: Vi1 IPCP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:14.814: Vi1 IPCP: Lower layer not up, discarding packet
> Feb 2 07:36:14.818: Vi1 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:14.818: Vi1 LCP: O PROTREJ [Open] id 7 len 10 protocol
> IPV6CP (0x805705010004)
> Feb 2 07:36:17.886: Vi1 IPCP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:17.886: Vi1 IPCP: Lower layer not up, discarding packet
> Feb 2 07:36:17.886: Vi1 IPV6CP: I TERMREQ [Not negotiated] id 1 len 4
> Feb 2 07:36:17.886: Vi1 LCP: O PROTREJ [Open] id 8 len 10 protocol
> IPV6CP (0x805705010004)
> Feb 2 07:36:20.954: Vi1 LCP: I TERMREQ [Open] id 2 len 4
> Feb 2 07:36:20.954: Vi1 LCP: O TERMACK [Open] id 2 len 4
> Feb 2 07:36:20.954: Vi1 PPP: Sending Acct Event[Down] id[162]
> Feb 2 07:36:20.958: Vi1 IPCP: State is Closed
> Feb 2 07:36:20.958: Vi1 PPP: Phase is TERMINATING
> Feb 2 07:36:20.958: Se1/0:0 PPP: Sending Acct Event[Down] id[162]
> Feb 2 07:36:20.958: Se1/0:0 PPP: Phase is TERMINATING
> Feb 2 07:36:20.958: Se1/0:0 LCP: State is Closed
> Feb 2 07:36:20.958: Se1/0:0 PPP: Phase is DOWN
> Feb 2 08:36:20.958 MET: %ISDN-6-DISCONNECT: Interface Serial1/0:0
> disconnected from phone-nr goofy, call lasted 17 seconds
> Feb 2 08:36:20.962 MET: %LINK-3-UPDOWN: Interface Virtual-Access1,
> changed state to down
> Feb 2 07:36:20.962: Vi1 LCP: State is Closed
> Feb 2 07:36:20.962: Vi1 PPP: Phase is DOWN
> Feb 2 08:36:21.034 MET: %LINK-3-UPDOWN: Interface Serial1/0:0, changed
> state to down
> Feb 2 08:36:21.958 MET: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Virtual-Access1, changed state to down
> Feb 2 08:36:21.958 MET: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Serial1/0:0, changed state to down
>
> ################################################################################
> 
> Thanks
> Florian
> 
> 
> 
> Dennis Peng wrote:
> 
>> 
>> On Feb 1, 2005, at 4:59 AM, Florian Prester wrote:
>> 
>>> Hi,
>>> 
>>> I am using an CISCO (IOS (tm) 3700 Software (C3725-IPBASE-M),
>>> Version 
>>> 12.3(10), RELEASE SOFTWARE (fc3)) as a dialin router. The
>>> modem-calls succeed, but isdn-calls fail.
>> 
>> 
>> I'm a little confused by this statement because in the debug trace
>> you show below, you show a modem call which fails.
>> 
>> 
>>> First my Radius server is serving the IP-Address of the calling
>>> client, the authentication succeed as well.
>> 
>> 
>> Is your RADIUS server assigning IP addresses for all of your users?
>> 
>>> But the my NAS is or is not arguing with the caller, about the IP.
>> 
>> 
>> Can you send me your full configuration and also a new set of
>> debugs for a failing call with the following debugs turned on:
>> 
>> debug aaa authen
>> debug aaa author
>> debug ppp negot
>> debug ppp authen
>> debug ppp error
>> debug radius authen
>> debug ip peer
>> 
>> Thanks.
>> 
>> Dennis
> 
> 
> --
> --------------------------------------------------------------
> Dipl. Inf. Florian Prester
> Network Administration
> Regionales RechenZentrum Erlangen
> Universitaet Erlangen-Nuernberg
> Germany
> 
> Tel.: +499131 8527813
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
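
The symptom described at the top of this message (NCP requests arriving on a virtual-access interface that has no network protocol configured, so the router answers with LCP Protocol-Reject) can be picked out of a debug capture mechanically. The following Python script is an added example, not part of the original thread: the function names are hypothetical, the sample lines are constructed in the shape of the quoted debug output, and treating a rejected IPCP as "no IP config on that interface" is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted debug output, keeping the
# mail quoting, wrapped lines and fused entries that the archive shows.
SAMPLE = """\
> Feb 2 07:36:05.534: Se1/0:0 PAP: O AUTH-ACK id 1 len 5
> Feb 2 07:36:05.538: Vi1 PPP: Phase is UP
> Feb 2 07:36:05.554: Vi1 IPCP: I CONFREQ [Not negotiated] id 1 len 28
> Feb 2 07:36:05.554: Vi1 IPCP: SecondaryDNS 255.255.255.255
> (0x8306FFFFFFFF) Feb 2 07:36:05.554: Vi1 LCP: O PROTREJ [Open] id 2
> len 34 protocol IPCP
> Feb 2 07:36:05.558: Vi1 IPV6CP: I CONFREQ [Not negotiated] id 1 len 14
> Feb 2 07:36:05.558: Vi1 LCP: O PROTREJ [Open] id 3 len 20 protocol
> IPV6CP (0x80570101000E010A0207E9FFFE5DBB9E)
> Feb 2 07:36:20.954: Vi1 LCP: I TERMREQ [Open] id 2 len 4
"""

# IOS debug timestamp, with the optional timezone that log messages carry.
TS = re.compile(r"\b[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+(?: [A-Z]+)?: ")
# "<interface> <protocol>: <message>", e.g. "Vi1 IPCP: I CONFREQ ..."
ENTRY = re.compile(r"(?P<intf>\S+) (?P<proto>[A-Z0-9]+): (?P<msg>.*)")
PROTREJ = re.compile(r"O PROTREJ .*\bprotocol (\w+)")


def entries(text):
    """Undo quoting and wrapping, then yield (interface, protocol, message)."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    for chunk in TS.split(flat):  # one chunk per timestamped entry
        m = ENTRY.match(chunk.strip())
        if m:
            yield m["intf"], m["proto"], m["msg"]


def rejected_ncps(text):
    """Map interface -> NCPs the peer requested and the router Protocol-Rejected."""
    asked, rejected = defaultdict(set), defaultdict(set)
    for intf, proto, msg in entries(text):
        if proto != "LCP" and msg.startswith("I CONFREQ [Not negotiated]"):
            asked[intf].add(proto)
        m = PROTREJ.match(msg)
        if proto == "LCP" and m:
            rejected[intf].add(m[1])
    return {i: sorted(asked[i] & rejected[i]) for i in asked if asked[i] & rejected[i]}


def lacks_ip_config(text):
    """Interfaces that rejected IPCP, i.e. have no IP configuration to negotiate."""
    return sorted(i for i, ncps in rejected_ncps(text).items() if "IPCP" in ncps)


if __name__ == "__main__":
    for intf in lacks_ip_config(SAMPLE):
        print(f"{intf}: IPCP rejected; check the virtual-template for IP config")
```

An IPV6CP or CCP reject on its own is expected when those protocols are simply not enabled; only the IPCP reject matches the failure discussed here.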


