Logging Ras access

npservice
Level 1

Hi, I have a Router 3640 with 4 BRI interfaces.

Router 3640 is working as RAS and it authenticates users with a Radius Server.

Radius authentication is working well.

I configured Syslog logging, but during the authentication process my Syslog Server doesn't receive Radius logging data.

If I enable radius debug in the console, my Syslog can receive Radius logging data.

Please show me how I have to correctly configure Syslog.

Many thanks

version 12.2
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname RasCisco
!
boot system flash flash:c3640-i-mz.122-15.T14.bin
logging queue-limit 100
logging buffered 4096 debugging
no logging console
enable password xxxx
!
username decras password xxxx
username ibm password xxx
modem country mica italy
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization exec default group radius local
aaa session-id common
ip subnet-zero
!
!
!
async-bootp dns-server 192.168.2.1
async-bootp nbns-server 192.168.2.1
isdn switch-type basic-net3
!
modemcap entry TAC:MSC=&F&D2S34=18000S40=10S54=456debugthismodemS71=4
!
!
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.3.100 255.255.255.0
 half-duplex
 no cdp enable
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
 no cdp enable
!
interface BRI1/0
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 isdn incoming-voice modem
 isdn static-tei 0
 no cdp enable
!
interface BRI1/1
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 isdn incoming-voice modem
 isdn static-tei 0
 no cdp enable
!
interface BRI1/2
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 isdn incoming-voice modem
 isdn static-tei 0
 no cdp enable
!
interface BRI1/3
 no ip address
 encapsulation ppp
 isdn switch-type basic-net3
 isdn incoming-voice modem
 isdn static-tei 0
 no cdp enable
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 async mode dedicated
 peer default ip address pool bologna
 no keepalive
 ppp authentication pap chap ms-chap
 group-range 65 70
!
ip local pool bologna 192.168.3.10 192.168.3.20
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.254
!
!
!
logging trap debugging
logging 192.168.2.10
no cdp run
radius-server host 192.168.2.10 auth-port 1645 acct-port 1646
radius-server key xxxx
radius-server authorization permit missing Service-Type
!
line con 0
line 65 70
 flush-at-activation
 script reset default
 logging synchronous level all
 modem Dialin
 modem autoconfigure type TAC
 autoselect during-login
 autoselect ppp
line aux 0
line vty 0 4
!
!
end

paddyxdoyle
Level 6

Hi,

Your config looks fine to me. Are you saying that when you use debug radius and someone logs in via radius, nothing is passed to your syslog server?

Or nothing is logged to your syslog server, however when you enable debug radius then syslog messages are being logged by your syslog server?

Also have you considered using AAA Accounting to your radius server?

Paddy

I believe from the original post that they want a record of who has dialed in to their RAS server and that they are attempting to create that record via syslog.

There are not so many good options for creating this record to syslog: some versions of IOS have a call tracking feature which sends records to syslog. I tested it at a customer site where I was helping them do some dial up work. I found the reporting to be very verbose and we ultimately decided not to use this feature. The code for call tracking may or may not be supported in your router.

The other option to send records to syslog is the option to use debug which the original post indicated that they have done.

I believe that Paddy is on the right track with his last suggestion. Instead of looking to syslog for the solution, they should look to their radius authentication server for the solution. It is easy to turn on accounting in aaa and send records to the server, which will include when the session started, when the session ended, the ID of the dial-in user, and some other information which they may find useful.

The accounting record was the solution which my customer decided to use. I think it would fit well as the solution for the question asked here.

HTH

Rick
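The accounting records recommended in the replies arrive at the RADIUS server as Accounting-Request packets on the acct-port (1646 in the posted config). As an added example, not code from this thread or from Cisco, this Python sketch validates one such packet against the shared secret per RFC 2866 and decodes the session fields; the secret, the helper names and the sample packet are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865 / RFC 2866
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
         44: "Acct-Session-Id", 46: "Acct-Session-Time"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def acct_authenticator(ident, attrs, secret):
    """RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def parse_accounting(packet, secret):
    """Decode one Accounting-Request; raise ValueError if it fails validation."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    # Reject records not signed with the shared secret (spoofed or altered).
    if not hmac.compare_digest(acct_authenticator(ident, attrs, secret), packet[4:20]):
        raise ValueError("bad authenticator")
    record, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype in (40, 46):                       # 32-bit integers
            record[NAMES[atype]] = int.from_bytes(value, "big")
        elif atype == 4:                            # IPv4 address
            record[NAMES[atype]] = ".".join(map(str, value))
        elif atype in NAMES:                        # text attributes
            record[NAMES[atype]] = value.decode("ascii", "replace")
    record["Acct-Status-Type"] = STATUS.get(record.get("Acct-Status-Type"), "Unknown")
    return record

def build_request(ident, pairs, secret):
    """Build a constructed sample packet (test data, not captured traffic)."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", 4, ident, 20 + len(attrs)) + acct_authenticator(ident, attrs, secret) + attrs

SECRET = b"example-secret"  # constructed stand-in for the router's radius-server key
SAMPLE_STOP = build_request(7, [(1, b"decras"), (4, bytes([192, 168, 3, 100])),
                                (40, (2).to_bytes(4, "big")), (44, b"0000002A"),
                                (46, (315).to_bytes(4, "big"))], SECRET)
```

Calling `parse_accounting(SAMPLE_STOP, SECRET)` returns a dictionary with the user name, NAS address, session id, status and session time, which is the per-call record the original question was trying to get out of syslog.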