12-13-2002 07:07 AM - edited 03-10-2019 07:04 AM
Hi,
I've a Cisco3640 router configured for ISDN backup and dialin purposes. The dialin clients are authenticated with their NT Domain username/password through the ACS. The async dialin facility works well but the ISDN clients cannot connect; they get an authentication failure message.
The corresponding config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius
aaa authentication ppp Dradius if-needed group radius local
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
Dialer interface:
interface Dialer13
ip unnumbered Ethernet0/0
no ip redirects
ip directed-broadcast
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer idle-timeout 1800
dialer-group 1
peer default ip address pool dialin_pool
no fair-queue
compress mppc ignore-pfc
no cdp enable
ppp authentication ms-chap callin Dradius
ppp ipcp dns 10.10.10.1
ppp ipcp wins 10.10.10.2
The Async group config:
interface Group-Async1
bandwidth 115
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
no ip mroute-cache
load-interval 30
dialer in-band
dialer idle-timeout 3600
dialer-group 1
async mode interactive
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap
group-range 65 82
And finally the PRI config:
interface Serial3/1:15
no ip address
encapsulation ppp
no ip route-cache
dialer pool-member 1
isdn switch-type primary-net5
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
We have ACS2.6 installed and on its "failed attempts" report log I see that after the ISDN dial attempt there is an entry: "CS CHAP password invalid"
Why does the NAS expect CHAP when MS-CHAP is configured on the Dialer interface? And the analogue dialin works well. The router is used for other backup purposes, I think it doesn't disturb the dialin facility. I altered the PRI ppp config into ppp authentication MS-CHAP but it didn't help, only the async worked.
The used IOS image is: c3640-i-mz.121-15.bin
Any help appreciated,
regards,
Balázs
12-13-2002 07:42 AM
Try removing "ppp authent chap" from the PRI.
If this doesn't work, send the output of debug ppp negotiation, debug ppp error and debug ppp authentication, debug aaa authentication and debug radius.
12-16-2002 05:14 AM
I removed the ppp authentication CHAP for the PRI but it still doesn't work.
Here are the ISDN outputs:
szertr5#u all
All possible debugging has been turned off
szertr5#deb ppp neg
PPP protocol negotiation debugging is on
szertr5#
.Dec 16 12:29:29: %LINK-3-UPDOWN: Interface Serial3/1:16, changed state to up
.Dec 16 12:29:29.528: Se3/1:16 PPP: Treating connection as a callin
.Dec 16 12:29:29.528: Se3/1:16 PPP: Phase is ESTABLISHING, Passive Open
.Dec 16 12:29:29.528: Se3/1:16 LCP: State is Listen
.Dec 16 12:29:30.076: Se3/1:16 LCP: I CONFREQ [Listen] id 85 len 6
.Dec 16 12:29:30.076: Se3/1:16 LCP: VendorSpecific OUI (0x0002)
.Dec 16 12:29:30.076: Se3/1:16 LCP: O CONFREQ [Listen] id 7 len 29
.Dec 16 12:29:30.076: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:29:30.076: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)
.Dec 16 12:29:30.076: Se3/1:16 LCP: MRRU 1524 (0x110405F4)
.Dec 16 12:29:30.076: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)
.Dec 16 12:29:30.076: Se3/1:16 LCP: O CONFREJ [Listen] id 85 len 6
.Dec 16 12:29:30.076: Se3/1:16 LCP: VendorSpecific OUI (0x0002)
.Dec 16 12:29:32.076: Se3/1:16 LCP: TIMEout: State REQsent
.Dec 16 12:29:32.076: Se3/1:16 LCP: O CONFREQ [REQsent] id 8 len 29
.Dec 16 12:29:32.076: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:29:32.076: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)
.Dec 16 12:29:32.076: Se3/1:16 LCP: MRRU 1524 (0x110405F4)
.Dec 16 12:29:32.076: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)
.Dec 16 12:29:32.088: Se3/1:16 LCP: I CONFREJ [REQsent] id 8 len 18
.Dec 16 12:29:32.088: Se3/1:16 LCP: MRRU 1524 (0x110405F4)
.Dec 16 12:29:32.088: Se3/1:16 LCP: EndpointDisc 1 Local (0x130A01737A6572747235)
.Dec 16 12:29:32.088: Se3/1:16 LCP: O CONFREQ [REQsent] id 9 len 15
.Dec 16 12:29:32.088: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:29:32.088: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)
.Dec 16 12:29:32.112: Se3/1:16 LCP: I CONFACK [REQsent] id 9 len 15
.Dec 16 12:29:32.112: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:29:32.112: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)
.Dec 16 12:29:32.116: Se3/1:16 LCP: I CONFREQ [ACKrcvd] id 2 len 13
.Dec 16 12:29:32.116: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)
.Dec 16 12:29:32.116: Se3/1:16 LCP: Callback 6 (0x0D0306)
.Dec 16 12:29:32.116: Se3/1:16 LCP: O CONFREJ [ACKrcvd] id 2 len 7
.Dec 16 12:29:32.116: Se3/1:16 LCP: Callback 6 (0x0D0306)
.Dec 16 12:29:32.132: Se3/1:16 LCP: I CONFREQ [ACKrcvd] id 3 len 10
.Dec 16 12:29:32.132: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)
.Dec 16 12:29:32.132: Se3/1:16 LCP: O CONFACK [ACKrcvd] id 3 len 10
.Dec 16 12:29:32.136: Se3/1:16 LCP: MagicNumber 0x7D795992 (0x05067D795992)
.Dec 16 12:29:32.136: Se3/1:16 LCP: State is Open
.Dec 16 12:29:32.140: Se3/1:16 PPP: Phase is AUTHENTICATING, by this end
.Dec 16 12:29:32.140: Se3/1:16 CHAP: O CHALLENGE id 3 len 28 from "szertr5"
.Dec 16 12:29:32.152: Se3/1:16 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x7D795992 MSRASV5.00
.Dec 16 12:29:32.156: Se3/1:16 LCP: I IDENTIFY [Open] id 5 len 24 magic 0x7D795992 MSRAS-1-SZE7090L
.Dec 16 12:29:32.164: Se3/1:16 CHAP: I RESPONSE id 3 len 35 from "europe\test1"
.Dec 16 12:29:32.240: Se3/1:16 CHAP: Unable to validate Response. Username europe\test1: Authentication failure
.Dec 16 12:29:32.244: Se3/1:16 CHAP: O FAILURE id 3 len 14 msg is "RejectedJM"
.Dec 16 12:29:32.244: Se3/1:16 PPP: Phase is TERMINATING
.Dec 16 12:29:32.244: Se3/1:16 LCP: O TERMREQ [Open] id 10 len 4
.Dec 16 12:29:32: %ISDN-6-CONNECT: Interface Serial3/1:16 is now connected to unknown
.Dec 16 12:29:32: %ISDN-6-DISCONNECT: Interface Serial3/1:16 disconnected from unknown , call lasted 3 seconds
.Dec 16 12:29:32: %LINK-3-UPDOWN: Interface Serial3/1:16, changed state to down
.Dec 16 12:29:32.844: Se3/1:16 LCP: State is Closed
.Dec 16 12:29:32.844: Se3/1:16 PPP: Phase is DOWN
szertr5#
szertr5#
szertr5#u all
All possible debugging has been turned off
szertr5#
szertr5#deb ppp error
PPP protocol errors debugging is on
szertr5#
.Dec 16 12:30:02: %LINK-3-UPDOWN: Interface Serial3/1:26, changed state to up
.Dec 16 12:30:05: %ISDN-6-CONNECT: Interface Serial3/1:26 is now connected to unknown
.Dec 16 12:30:05: %ISDN-6-DISCONNECT: Interface Serial3/1:26 disconnected from unknown , call lasted 3 seconds
.Dec 16 12:30:05: %LINK-3-UPDOWN: Interface Serial3/1:26, changed state to down
szertr5#
szertr5#
szertr5#u all
All possible debugging has been turned off
szertr5#
szertr5#deb ppp authen
PPP authentication debugging is on
szertr5#
.Dec 16 12:30:36: %LINK-3-UPDOWN: Interface Serial3/1:27, changed state to up
.Dec 16 12:30:36.836: Se3/1:27 PPP: Treating connection as a callin
.Dec 16 12:30:39.468: Se3/1:27 CHAP: O CHALLENGE id 2 len 28 from "szertr5"
.Dec 16 12:30:39.496: Se3/1:27 CHAP: I RESPONSE id 2 len 35 from "europe\test1"
.Dec 16 12:30:39.596: Se3/1:27 CHAP: Unable to validate Response. Username europe\test1: Authentication failure
.Dec 16 12:30:39.596: Se3/1:27 CHAP: O FAILURE id 2 len 14 msg is "RejectedJM"
.Dec 16 12:30:40: %ISDN-6-CONNECT: Interface Serial3/1:27 is now connected to unknown
.Dec 16 12:30:40: %ISDN-6-DISCONNECT: Interface Serial3/1:27 disconnected from unknown , call lasted 3 seconds
.Dec 16 12:30:40: %LINK-3-UPDOWN: Interface Serial3/1:27, changed state to down
szertr5#
szertr5#u all
All possible debugging has been turned off
szertr5#
szertr5#deb aaa authen
AAA Authentication debugging is on
szertr5#
.Dec 16 12:31:10: %LINK-3-UPDOWN: Interface Serial3/1:13, changed state to up
.Dec 16 12:31:13.072: AAA: parse name=Serial3/1:13 idb type=13 tty=-1
.Dec 16 12:31:13.072: AAA: name=Serial3/1:13 flags=0x55 type=1 shelf=0 slot=3 adapter=0 port=1 channel=13
.Dec 16 12:31:13.072: AAA: parse name=
.Dec 16 12:31:13.072: AAA/MEMORY: create_user (0x6134F4E8) user='europe\test1' ruser='' port='Serial3/1:13' rem_addr='/000' authen_type=CHAP service=PPP priv=1
.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): port='Serial3/1:13' list='' action=LOGIN service=PPP
.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): using "default" list
.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): Method=LOCAL
.Dec 16 12:31:13.076: AAA/AUTHEN (4068851079): status = ERROR
.Dec 16 12:31:13.076: AAA/AUTHEN/START (4068851079): Method=radius (radius)
.Dec 16 12:31:13.144: AAA/AUTHEN (4068851079): status = FAIL
.Dec 16 12:31:13.148: AAA/MEMORY: free_user (0x6134F4E8) user='europe\test1' ruser='' port='Serial3/1:13' rem_addr='/000' authen_type=CHAP service=PPP priv=1
.Dec 16 12:31:13: %ISDN-6-CONNECT: Interface Serial3/1:13 is now connected to unknown
.Dec 16 12:31:13: %ISDN-6-DISCONNECT: Interface Serial3/1:13 disconnected from unknown , call lasted 2 seconds
.Dec 16 12:31:13: %LINK-3-UPDOWN: Interface Serial3/1:13, changed state to down
szertr5#
szertr5#u all
All possible debugging has been turned off
szertr5#deb radiu
Radius protocol debugging is on
szertr5#
.Dec 16 12:31:57: %LINK-3-UPDOWN: Interface Serial3/1:29, changed state to up
.Dec 16 12:32:00.312: RADIUS: ustruct sharecount=1
.Dec 16 12:32:00.316: RADIUS: added cisco VSA 2 len 12 "Serial3/1:29"
.Dec 16 12:32:00.316: RADIUS: Initial Transmit Serial3/1:29 id 49 A.B.87.236:1645, Access-Request, len 110
.Dec 16 12:32:00.316: Attribute 4 6 9BF87CF6
.Dec 16 12:32:00.316: Attribute 5 6 00004EA1
.Dec 16 12:32:00.316: Attribute 26 20 00000009020E5365
.Dec 16 12:32:00.316: Attribute 61 6 00000002
.Dec 16 12:32:00.316: Attribute 1 16 6575726F
.Dec 16 12:32:00.316: Attribute 30 5 30303003
.Dec 16 12:32:00.316: Attribute 3 19 0378CDCC
.Dec 16 12:32:00.316: Attribute 6 6 00000002
.Dec 16 12:32:00.316: Attribute 7 6 00000001
.Dec 16 12:32:00.364: RADIUS: Received from id 49 A.B.87.236:1645, Access-Reject, len 32
.Dec 16 12:32:00.364: Attribute 18 12 52656A65
.Dec 16 12:32:00: %ISDN-6-CONNECT: Interface Serial3/1:29 is now connected to unknown
.Dec 16 12:32:00: %ISDN-6-DISCONNECT: Interface Serial3/1:29 disconnected from unknown , call lasted 3 seconds
.Dec 16 12:32:00: %LINK-3-UPDOWN: Interface Serial3/1:29, changed state to down
szertr5#
szertr5#
I realized from deb outputs that the router expects CHAP authentication although it is configured for MS-CHAP.
This is a router config. I altered only the usernames and the class B address:
wr t
Building configuration...
Current configuration : 8840 bytes
!
! Last configuration change at 12:11:47 UTC Mon Dec 16 2002 by test1
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname szertr5
!
logging buffered 8196 debugging
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local group radius
aaa authentication ppp Dradius if-needed group radius local
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
username aaaaa password 7 011E55574F5A080870
username szertr5 password 7 14161E060D022B
username bbbbb password 7 075E3248400F0B0D
username ccccc password 7 091D5D0D1703051A
username ddddd password 7 15130701052C2A
username eeeee password 7 06571C2542481B11
username fffff password 7 141A41581855242C75
username ggggg password 7 0702721F5A58170246
username hhhhh password 7 00051F0B055D0A
username iiiii password 7 020708560A000E
!
!
!
!
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip ftp username dump
ip ftp password 7 141307061C557878
ip domain-name net.eur.alcoa.com
ip name-server A.B.98.11
!
async-bootp dns-server A.B.98.11 A.B.124.30 A.B.184.4
async-bootp nbns-server A.B.184.10 A.B.84.246
isdn switch-type primary-net5
chat-script offhook "" "ATH1" OK
chat-script reset "" "atz" OK
chat-script default-dialscript ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c
chat-script dial ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c
!
controller E1 3/0
shutdown
!
controller E1 3/1
pri-group timeslots 1-31
!
!
!
interface Loopback0
description MODEM loopback
ip address A.B.170.1 255.255.255.0
!
interface Loopback1
description ISDN Loopback
ip address A.B.232.34 255.255.255.224
!
interface Loopback2
ip address A.B.199.165 255.255.255.255
!
interface Loopback3
no ip address
!
interface Ethernet0/0
ip address A.B.124.246 255.255.255.0
!
interface Serial0/0
description *** Direct cable connection to szertr ***
bandwidth 2000
ip address A.B.253.254 255.255.255.252
no ip mroute-cache
shutdown
bridge-group 1
!
interface Serial3/1:15
no ip address
encapsulation ppp
no ip route-cache
dialer pool-member 1
isdn switch-type primary-net5
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
!
interface Group-Async1
bandwidth 115
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
no ip mroute-cache
load-interval 30
dialer in-band
dialer idle-timeout 3600
dialer-group 1
async mode interactive
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap
group-range 65 82
!
interface Dialer0
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
load-interval 30
dialer-group 1
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap callin
ppp multilink
hold-queue 200 in
!
interface Dialer3
description *** ISDN backup interface for MRH (Mor, Hungary) ***
bandwidth 128
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name aaaaa
dialer idle-timeout 3600
dialer-group 1
priority-group 1
no cdp enable
ppp authentication chap
ppp multilink
bridge-group 1
bridge-group 1 path-cost 5700
!
interface Dialer4
description *** ISDN backup interface for SZR (Szekesfehervar, Hungary) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name ddddd
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer5
description *** ISDN backup interface for TSM (Torokszentmiklos, Hungary) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name eeeee
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
bridge-group 1
bridge-group 1 path-cost 5700
!
interface Dialer6
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
dialer pool 1
dialer remote-name ggggg
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer7
description *** ISDN backup interface for NAD (Nadab, Romania) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name iiiii
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
ppp multilink
!
interface Dialer8
description *** ISDN backup interface for Synergon ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name hhhhh
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer13
ip unnumbered Ethernet0/0
no ip redirects
ip directed-broadcast
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer idle-timeout 1800
dialer-group 1
peer default ip address pool dialin_pool
no fair-queue
compress mppc ignore-pfc
no cdp enable
ppp authentication ms-chap callin Dradius
ppp ipcp dns A.B.98.11 A.B.124.30
ppp ipcp wins A.B.184.10 A.B.84.246
!
interface Dialer98
description ***** Aluminium Warehouse, Budapest ***
ip unnumbered Loopback0
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer remote-name szewh
dialer-group 9
peer default ip address pool dialin_pool
pulse-time 0
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Dialer99
description connected to Dial-inPCs(ISDN)
ip unnumbered Loopback0
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer remote-name vpntest
dialer-group 9
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
router eigrp 200
redistribute rip
passive-interface Dialer0
passive-interface Dialer98
network A.B.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip local pool dialin_pool A.B.170.2 A.B.170.31
ip default-gateway A.B.124.254
ip classless
ip route 0.0.0.0 0.0.0.0 A.B.232.33 255
ip tacacs source-interface Loopback2
no ip http server
!
logging source-interface Loopback2
logging A.B.124.21
logging A.B.124.19
access-list 1 permit A.B.87.236
access-list 1 permit A.B.124.0 0.0.0.31
access-list 3 permit A.B.0.0 0.0.255.255
access-list 112 permit ip any host A.B.246.10
access-list 112 permit tcp any any eq telnet
access-list 112 permit tcp any eq telnet any
access-list 188 deny ip 0.0.0.0 255.255.255.128 host A.B.191.188
access-list 188 permit ip any any
access-list 199 deny eigrp any any
access-list 199 permit ip any any
priority-list 1 protocol ip high list 112
dialer-list 1 protocol ip permit
dialer-list 1 protocol bridge permit
dialer-list 9 protocol ip permit
tacacs-server host A.B.87.236
tacacs-server host A.B.124.27
tacacs-server timeout 10
tacacs-server key test
snmp-server community spice RO 1
snmp-server community mars RW 1
snmp-server queue-length 20
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server host A.B.124.19 snmp
snmp-server host A.B.124.21 snmp
radius-server host A.B.87.236 auth-port 1645 acct-port 1646
radius-server host A.B.124.27 auth-port 1645 acct-port 1646
radius-server retransmit 4
radius-server timeout 6
radius-server key test
radius-server vsa send authentication
bridge 1 protocol dec
banner motd ^C
For Maintenance call: +36 22 53 1666
^C
!
line con 0
access-class 3 in
password 7 14141B180F0B
line 65 82
session-timeout 60 output
access-class 3 in
access-class 37 out
script dialer dial
script callback dial
modem InOut
rotary 1
transport input all
autoselect during-login
autoselect ppp
callback forced-wait 5
line aux 0
modem DTR-active
terminal-type vt100
transport input all
line vty 0 4
exec-timeout 30 0
length 25
history size 200
!
exception protocol ftp
exception dump A.B.124.21
ntp clock-period 17179843
ntp server A.B.87.254
end
szertr5#
szertr5#
szertr5#
During dial with ISDN TA the ACS reports the "CS CHAP password invalid" message.
Is it possible to accommodate all dialin facilities (even backup) in one router?
Regards,
Balázs
12-16-2002 07:17 AM
Have the ISDN TA users dialed in successfully with async calls from the same Windows machine? If both fail, you may have an issue with v2 like in Win2k.
From your debugs, note the method for authentication used is local first then RADIUS. This tells me the call terminates on a dialer interface other than the one you wish to use, which is in Dialer 13 I believe.
If you add:
europe\test1 password xxxxxxxx
does it work?
If so, remove the local username and add the ppp authentication ms-chap Dradius statement to int dialer 0 and see if it works.
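The two observations in this reply (which authentication protocol the NAS actually requested, and which AAA method list handled the call) can be read mechanically from the debug output. The following is an added example, not code from the thread participants or from Cisco; its function names are hypothetical, and the sample lines are copied from the debug output posted above.

```python
import re

# LCP Authentication-Protocol option (type 3): values of the 2-byte protocol field.
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
# Algorithm byte that follows protocol 0xC223 (RFC 1994, RFC 2433, RFC 2759).
CHAP_ALGORITHMS = {0x05: "CHAP with MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}

LCP_HEADER = re.compile(r"(\S+) LCP: ([IO]) (CONF\w+) ")
AUTH_OPTION = re.compile(r"(\S+) LCP:\s+AuthProto \S+ \((0x[0-9A-Fa-f]+)\)")
AAA_LIST = re.compile(r'AAA/AUTHEN/START \((\d+)\): using "([^"]+)" list')
AAA_METHOD = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\S+)")
AAA_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")

# Lines copied from the "debug ppp negotiation" and "debug aaa authentication"
# output in this thread.
SAMPLE_DEBUG = """
.Dec 16 12:29:30.076: Se3/1:16 LCP: O CONFREQ [Listen] id 7 len 29
.Dec 16 12:29:30.076: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:29:30.076: Se3/1:16 LCP: MagicNumber 0x3EF7FCD9 (0x05063EF7FCD9)
.Dec 16 12:29:32.112: Se3/1:16 LCP: I CONFACK [REQsent] id 9 len 15
.Dec 16 12:29:32.112: Se3/1:16 LCP: AuthProto CHAP (0x0305C22305)
.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): using "default" list
.Dec 16 12:31:13.072: AAA/AUTHEN/START (4068851079): Method=LOCAL
.Dec 16 12:31:13.076: AAA/AUTHEN (4068851079): status = ERROR
.Dec 16 12:31:13.076: AAA/AUTHEN/START (4068851079): Method=radius (radius)
.Dec 16 12:31:13.144: AAA/AUTHEN (4068851079): status = FAIL
"""


def decode_auth_option(hex_value):
    """Decode the raw option bytes IOS prints after AuthProto, e.g. 0x0305C22305."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        raise ValueError("not a well-formed Authentication-Protocol option")
    proto = int.from_bytes(raw[2:4], "big")
    if proto == 0xC223:
        if len(raw) != 5:
            raise ValueError("CHAP option must carry exactly one algorithm byte")
        return CHAP_ALGORITHMS.get(raw[4], "CHAP algorithm 0x%02X" % raw[4])
    return AUTH_PROTOCOLS.get(proto, "unknown protocol 0x%04X" % proto)


def offered_auth(log):
    """Map interface -> auth methods the NAS requested in its outgoing CONFREQs."""
    last_header, offered = {}, {}
    for line in log.splitlines():
        header = LCP_HEADER.search(line)
        if header:
            last_header[header.group(1)] = (header.group(2), header.group(3))
            continue
        option = AUTH_OPTION.search(line)
        if option and last_header.get(option.group(1)) == ("O", "CONFREQ"):
            method = decode_auth_option(option.group(2))
            offered.setdefault(option.group(1), set()).add(method)
    return offered


def aaa_sessions(log):
    """Map AAA session id -> method list name and each method tried with its status."""
    sessions = {}
    for line in log.splitlines():
        for pattern, kind in ((AAA_LIST, "list"), (AAA_METHOD, "method"),
                              (AAA_STATUS, "status")):
            match = pattern.search(line)
            if not match:
                continue
            entry = sessions.setdefault(match.group(1), {"list": None, "methods": []})
            if kind == "list":
                entry["list"] = match.group(2)
            elif kind == "method":
                entry["methods"].append([match.group(2), None])
            elif entry["methods"]:
                entry["methods"][-1][1] = match.group(2)
    return sessions


def diagnose(log, want_algorithm="MS-CHAP", want_list="Dradius"):
    """Report where the negotiated behaviour differs from the intended config.

    The defaults mirror 'ppp authentication ms-chap callin Dradius' from the
    poster's Dialer13 interface.
    """
    findings = []
    for ifname, methods in sorted(offered_auth(log).items()):
        if want_algorithm not in methods:
            findings.append("%s: NAS requested %s, not %s"
                            % (ifname, ", ".join(sorted(methods)), want_algorithm))
    for session_id, entry in aaa_sessions(log).items():
        if entry["list"] != want_list:
            tried = ", ".join("%s=%s" % tuple(m) for m in entry["methods"])
            findings.append("AAA %s: used list %r (%s), not %r"
                            % (session_id, entry["list"], tried, want_list))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```

An option of 0x0305C22380 would decode as MS-CHAP; the 0x05 algorithm byte in the posted output is what identifies the request as standard CHAP with MD5.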
12-16-2002 07:58 AM
I forgot to mention, send the output of debug dialer event to see which dialer profile the TA calls bind to if you still have issues.
12-17-2002 02:43 AM
I tried both methods (async and ISDN) from the same W2k machine.
To avoid the conflict I configured the Dialer0 interface the same as Dialer 13 and shut down the other unused Dialer interfaces.
The deb dialer event command doesn't provide any result regarding which dialer interface the call binds to. See the debug below. But once again, the only possible interface is Dialer 0.
I've added the corresponding username europe\test1 password xxxx to the config and got the following result:
szertr5#
szertr5#undeb all
All possible debugging has been turned off
szertr5#
szertr5#ter mon
szertr5#deb dialer event
Dial on demand events debugging is on
szertr5#
Dec 17 07:30:00: %LINK-3-UPDOWN: Interface Serial3/1:11, changed state to up
Dec 17 07:30:03: %ISDN-6-CONNECT: Interface Serial3/1:11 is now connected to unknown
Dec 17 07:30:03: %ISDN-6-DISCONNECT: Interface Serial3/1:11 disconnected from unknown , call lasted 3 seconds
Dec 17 07:30:03: %LINK-3-UPDOWN: Interface Serial3/1:11, changed state to down
szertr5#
szertr5#
szertr5#
szertr5#
szertr5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
szertr5(config)#
szertr5(config)#username europe\test1 password xxxxx
szertr5(config)#
Dec 17 07:30:42: %LINK-3-UPDOWN: Interface Serial3/1:25, changed state to up
Dec 17 07:30:45: %ISDN-6-CONNECT: Interface Serial3/1:25 is now connected to europe\test1
Dec 17 07:30:45: %ISDN-6-DISCONNECT: Interface Serial3/1:25 disconnected from europe\test1, call lasted 2 seconds
Dec 17 07:30:45: %LINK-3-UPDOWN: Interface Serial3/1:25, changed state to down
szertr5(config)#
szertr5#
szertr5#
szertr5#deb ppp neg
PPP protocol negotiation debugging is on
szertr5#
Dec 17 07:31:15: %LINK-3-UPDOWN: Interface Serial3/1:22, changed state to up
Dec 17 07:31:18: %ISDN-6-CONNECT: Interface Serial3/1:22 is now connected to europe\test1
Dec 17 07:31:18: %ISDN-6-DISCONNECT: Interface Serial3/1:22 disconnected from europe\test1, call lasted 2 seconds
Dec 17 07:31:18: %LINK-3-UPDOWN: Interface Serial3/1:22, changed state to down
szertr5#
szertr5#sh deb
Dial on demand:
Dial on demand events debugging is on
PPP:
PPP protocol negotiation debugging is on
szertr5#
Dec 17 07:31:45: %LINK-3-UPDOWN: Interface Serial3/1:12, changed state to up
Dec 17 07:31:48: %ISDN-6-CONNECT: Interface Serial3/1:12 is now connected to europe\test1
Dec 17 07:31:48: %ISDN-6-DISCONNECT: Interface Serial3/1:12 disconnected from europe\test1, call lasted 2 seconds
Dec 17 07:31:48: %LINK-3-UPDOWN: Interface Serial3/1:12, changed state to downu ll all
All possible debugging has been turned off
szertr5#
szertr5#
szertr5#
szertr5#deb aaa authen
AAA Authentication debugging is on
szertr5#
Dec 17 07:32:18: %LINK-3-UPDOWN: Interface Serial3/1:5, changed state to up
Dec 17 07:32:24.538: AAA: parse name=
Dec 17 07:32:24.538: AAA/MEMORY: create_user (0x6134DC78) user='europe\test1' ruser='' port='Serial3/1:5' rem_addr='/000' authen_type=CHAP service=PPP priv=1
Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): port='Serial3/1:5' list='' action=LOGIN service=PPP
Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): using "default" list
Dec 17 07:32:24.538: AAA/AUTHEN/START (4183270362): Method=LOCAL
Dec 17 07:32:24.538: AAA/AUTHEN (4183270362): status = PASS
Dec 17 07:32:24: %ISDN-6-CONNECT: Interface Serial3/1:5 is now connected to unknown
Dec 17 07:32:25.174: TAC+: (1988103800): received author response status = PASS_ADD
Dec 17 07:32:25: %ISDN-6-DISCONNECT: Interface Serial3/1:5 disconnected from europe\test1, call lasted 6 seconds
Dec 17 07:32:25: %LINK-3-UPDOWN: Interface Serial3/1:5, changed state to down
Dec 17 07:32:25.642: AAA/MEMORY: free_user (0x6134DC78) user='europe\test1' ruser='' port='Serial3/1:5' rem_addr='/000' authen_type=CHAP service=PPP priv=1
Well, the local authentication seems to be successful but I got the following error message: "error 619, the specific port is not connected" on my laptop. In that case the authentication is OK (see debug output above) but the client will be disconnected in seconds. And the authentication method is still CHAP although MS-CHAP is configured for Dialer 0 interface.
The config after the modification:
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname szertr5
!
logging buffered 8196 debugging
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local group radius
aaa authentication ppp Dradius if-needed group radius local
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 $1$2ZF1$BLo42nqJn7jvAwls/H/GM/
!
username aaaaa password 7 011E55574F5A080870
username szertr5 password 7 14161E060D022B
username bbbbb password 7 075E3248400F0B0D
username ccccc password 7 091D5D0D1703051A
username ddddd password 7 15130701052C2A
username eeeee password 7 06571C2542481B11
username fffff password 7 141A41581855242C75
username ggggg password 7 0702721F5A58170246
username hhhhh password 7 00051F0B055D0A
username iiiii password 7 020708560A000E
username europe\test1 password 7 11191B160D13090351
!
!
!
!
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip ftp username dump
ip ftp password 7 141307061C557878
ip domain-name net.eur.alcoa.com
ip name-server A.B.98.11
!
async-bootp dns-server A.B.98.11 A.B.124.30 A.B.184.4
async-bootp nbns-server A.B.184.10 A.B.84.246
isdn switch-type primary-net5
chat-script offhook "" "ATH1" OK
chat-script reset "" "atz" OK
chat-script default-dialscript ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c
chat-script dial ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATZ" OK "ATDT\T" TIMEOUT 90 CONNECT \c
!
controller E1 3/0
shutdown
!
controller E1 3/1
pri-group timeslots 1-31
!
!
!
interface Loopback0
description MODEM loopback
ip address A.B.170.1 255.255.255.0
!
interface Loopback1
description ISDN Loopback
ip address A.B.232.34 255.255.255.224
!
interface Loopback2
ip address A.B.199.165 255.255.255.255
!
interface Loopback3
no ip address
!
interface Ethernet0/0
ip address A.B.124.246 255.255.255.0
!
interface Serial0/0
description *** Direct cable connection to szertr ***
bandwidth 2000
ip address A.B.253.254 255.255.255.252
no ip mroute-cache
shutdown
bridge-group 1
!
interface Serial3/1:15
no ip address
encapsulation ppp
no ip route-cache
dialer pool-member 1
isdn switch-type primary-net5
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
!
interface Group-Async1
bandwidth 115
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
no ip mroute-cache
load-interval 30
dialer in-band
dialer idle-timeout 3600
dialer-group 1
async mode interactive
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap
group-range 65 82
!
interface Dialer0
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
load-interval 30
dialer pool 1
dialer-group 1
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap callin Dradius
ppp ipcp dns A.B.98.11 A.B.124.30
ppp ipcp wins A.B.184.10 A.B.84.246
hold-queue 200 in
!
interface Dialer3
description *** ISDN backup interface for MRH (Mor, Hungary) ***
bandwidth 128
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name aaaaa
dialer idle-timeout 3600
dialer-group 1
priority-group 1
no cdp enable
ppp authentication chap
ppp multilink
bridge-group 1
bridge-group 1 path-cost 5700
!
interface Dialer4
description *** ISDN backup interface for SZR (Szekesfehervar, Hungary) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name ddddd
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer5
description *** ISDN backup interface for TSM (Torokszentmiklos, Hungary) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name eeeee
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
bridge-group 1
bridge-group 1 path-cost 5700
!
interface Dialer6
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
dialer pool 1
dialer remote-name ggggg
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer7
description *** ISDN backup interface for NAD (Nadab, Romania) ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name iiiii
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
ppp multilink
!
interface Dialer8
description *** ISDN backup interface for Synergon ***
bandwidth 16
ip unnumbered Loopback1
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name hhhhh
dialer idle-timeout 3600
dialer-group 1
no cdp enable
ppp authentication chap
!
interface Dialer13
ip unnumbered Ethernet0/0
no ip redirects
ip directed-broadcast
encapsulation ppp
no ip mroute-cache
shutdown
dialer pool 1
dialer idle-timeout 1800
dialer-group 1
peer default ip address pool dialin_pool
no fair-queue
compress mppc ignore-pfc
no cdp enable
ppp authentication ms-chap callin Dradius
ppp ipcp dns A.B.98.11 A.B.124.30
ppp ipcp wins A.B.184.10 A.B.84.246
!
interface Dialer98
description ***** Aluminium Warehouse, Budapest ***
ip unnumbered Loopback0
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer remote-name szewh
dialer-group 9
peer default ip address pool dialin_pool
pulse-time 0
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Dialer99
description connected to Dial-inPCs(ISDN)
ip unnumbered Loopback0
encapsulation ppp
no ip split-horizon
shutdown
dialer pool 1
dialer remote-name vpntest
dialer-group 9
peer default ip address pool dialin_pool
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
router eigrp 200
redistribute rip
passive-interface Dialer0
passive-interface Dialer98
network A.B.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip local pool dialin_pool A.B.170.2 A.B.170.31
ip default-gateway A.B.124.254
ip classless
ip route 0.0.0.0 0.0.0.0 A.B.232.33 255
ip tacacs source-interface Loopback2
no ip http server
!
logging source-interface Loopback2
logging A.B.124.21
logging A.B.124.19
access-list 1 permit A.B.87.236
access-list 1 permit A.B.124.0 0.0.0.31
access-list 3 permit A.B.0.0 0.0.255.255
access-list 112 permit ip any host A.B.246.10
access-list 112 permit tcp any any eq telnet
access-list 112 permit tcp any eq telnet any
access-list 188 deny ip 0.0.0.0 255.255.255.128 host A.B.191.188
access-list 188 permit ip any any
access-list 199 deny eigrp any any
access-list 199 permit ip any any
priority-list 1 protocol ip high list 112
dialer-list 1 protocol ip permit
dialer-list 1 protocol bridge permit
dialer-list 9 protocol ip permit
tacacs-server host A.B.87.236
tacacs-server host A.B.124.27
tacacs-server timeout 10
tacacs-server key test
snmp-server community spice RO 1
snmp-server community mars RW 1
snmp-server queue-length 20
snmp-server enable traps snmp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps hsrp
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps frame-relay
snmp-server enable traps syslog
snmp-server host A.B.124.19 snmp
snmp-server host A.B.124.21 snmp
radius-server host A.B.87.236 auth-port 1645 acct-port 1646
radius-server host A.B.124.27 auth-port 1645 acct-port 1646
radius-server retransmit 4
radius-server timeout 6
radius-server key test
radius-server vsa send authentication
bridge 1 protocol dec
banner motd ^C
For Maintenance call: +36 22 53 1666
^C
!
line con 0
access-class 3 in
password 7 14141B180F0B
line 65 82
session-timeout 60 output
access-class 3 in
access-class 37 out
script dialer dial
script callback dial
modem InOut
rotary 1
transport input all
autoselect during-login
autoselect ppp
callback forced-wait 5
line aux 0
modem DTR-active
terminal-type vt100
transport input all
line vty 0 4
exec-timeout 30 0
length 25
history size 200
!
exception protocol ftp
exception dump A.B.124.21
ntp clock-period 17179850
ntp server A.B.87.254
end
szertr5#
szertr5#
szertr5#
And finally I removed the europe\test1 and dialed via ISDN again.
I got the same result as earlier: CS invalid password log in the ACS failed attempt section.
Any idea would be appreciated....
Regards,
Balázs
12-17-2002 08:35 AM
Does async work from this machine?
You are probably getting that error because you used TAC+ for network authorization, yet you are using local. If you removed the aaa authorization network default tacacs+ statement my guess is it would pass locally. You could see the failure with debug aaa authorization.
This is not your issue at present, but do you have any reason for using TAC+ for network authorization when you are using RADIUS for authentication?
Try debug dialer packet to see if that gives you anything.
When you post your debugs, please turn them all on at the same time and send the captured output: debug aaa authentication, debug aaa authorization, debug radius, debug ppp error, debug ppp negotiation, debug dialer packets.
01-16-2003 01:52 AM
The working config:
Virtual template interface must be defined!!!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local group radius
aaa authentication ppp radiusz if-needed group radius local
aaa authorization exec default group tacacs+
aaa authorization network default none
virtual-profile virtual-template 1
virtual-profile aaa
interface Serial3/1:15
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type primary-net5
isdn incoming-voice modem
no fair-queue
compress mppc
no cdp enable
ppp authentication ms-chap chap callin radiusz
interface Virtual-Template1
description *** Virtual interface foa dialin users ***
ip unnumbered Loopback1
no ip redirects
ip directed-broadcast
no ip route-cache
ip tcp header-compression
load-interval 30
peer default ip address pool dialin_pool
compress mppc
ppp authentication ms-chap callin radiusz
ppp authorization radiusz
ppp ipcp dns x.x.x.x
ppp ipcp wins y.y.y.y
hold-queue 200 in
!
interface Group-Async1
description *** Dialer interface for analogue dialin users ***
bandwidth 115
ip unnumbered Loopback0
encapsulation ppp
no ip route-cache
no ip mroute-cache
load-interval 30
dialer in-band
dialer idle-timeout 3600
dialer-group 1
async mode interactive
peer default ip address pool dialin_pool
fair-queue 1024 32 64
no cdp enable
ppp authentication ms-chap callin radiusz
ppp authorization radiusz
group-range 65 82
!
interface Dialer0
description *** Dialer interface for ISDN dialin users ***
ip unnumbered Loopback1
no ip redirects
ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
load-interval 30
dialer pool 1
peer default ip address pool dialin_pool
no fair-queue
pulse-time 0
compress mppc
no cdp enable
ppp authentication ms-chap callin radiusz
ppp authorization radiusz
ppp ipcp dns x.x.x.x
ppp ipcp wins y.y.y.y
ppp multilink
hold-queue 200 in
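A consistency check for the mismatch this thread resolves, as an added example that is not part of any post above: in the first post the PRI pool member negotiates CHAP against the default method list while the dialer profile names ms-chap and Dradius, and the working config aligns both. The function names and the condensed BROKEN sample are constructed for illustration, and the parser assumes unindented `show running-config` text as pasted here.

```python
PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
OPTIONS = {"callin", "if-needed", "one-time", "optional"}

# Constructed sample, condensed from the first post in this thread.
BROKEN = """\
aaa authentication ppp default group radius
aaa authentication ppp Dradius if-needed group radius local
interface Dialer13
dialer pool 1
ppp authentication ms-chap callin Dradius
interface Serial3/1:15
dialer pool-member 1
ppp authentication chap
"""

def parse(config):
    """Return (defined PPP method lists, {interface: settings})."""
    lists, ifaces, cur = set(), {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["aaa", "authentication", "ppp"] and len(w) > 3:
            lists.add(w[3])
        elif w[:1] == ["interface"] and len(w) > 1:
            cur = ifaces.setdefault(w[1], {"pool": None, "member": False,
                                           "protos": set(), "list": "default"})
        elif cur is None:
            continue
        elif w[:1] == ["dialer"] and len(w) == 3 and w[1] in ("pool", "pool-member"):
            cur["pool"], cur["member"] = w[2], w[1] == "pool-member"
        elif w[:2] == ["ppp", "authentication"]:
            # Anything that is neither a protocol nor an option is the list name.
            cur["protos"] = {a for a in w[2:] if a in PROTOCOLS}
            named = [a for a in w[2:] if a not in PROTOCOLS | OPTIONS]
            cur["list"] = named[0] if named else "default"
    return lists, ifaces

def audit(config):
    """List mismatches between pool members and the dialer profiles they feed."""
    lists, ifaces = parse(config)
    out = [f"{n}: method list {i['list']!r} is not defined"
           for n, i in ifaces.items()
           if i["protos"] and i["list"] != "default" and i["list"] not in lists]
    pairs = [(mn, m, pn, p) for mn, m in ifaces.items() for pn, p in ifaces.items()
             if m["member"] and not p["member"] and m["pool"] == p["pool"]
             and m["protos"] and p["protos"]]
    for mn, m, pn, p in pairs:
        if not m["protos"] & p["protos"]:
            out.append(f"{mn} -> {pn}: no PPP auth protocol in common")
        if m["list"] != p["list"]:
            out.append(f"{mn} -> {pn}: method lists differ ({m['list']} vs {p['list']})")
    return out
```

Running `audit(BROKEN)` reports both the protocol and the method-list mismatch between Serial3/1:15 and Dialer13; the same lines taken from the working config produce no findings.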