2511 Dialup help - Client connectivity

utawakevou
Level 4

I have two Cisco 2511 routers (will change soon to 3660 routers) for our dialup services. We are using Radius. All our users who dial in using Windows NT or 2000 or XP have to have SHOW TERMINAL WINDOW enabled so that dialup users can establish an exec connection where they will have to input their usernames and passwords. Our users who use Win 95 or 98 will have to run a script to get connected.

I don't want this, as most of our users using our dialup services are using Win NT or 2000 or XP. Enabling that SHOW TERMINAL WINDOW is quite complicated for them. What I want is for the users to get through when they first enter their usernames and password on that dialup window.

Below is my current config:

SuvaDialUpRouter02#sho conf

Using 2271 out of 32762 bytes

!

version 11.3

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname SuvaDialUpRouter02

!

aaa new-model

aaa authentication login use-radius radius local

aaa authentication ppp use-radius if-needed radius local

aaa authorization exec radius local if-authenticated

aaa authorization network radius local if-authenticated

enable secret 5 $1$bqWV$wMaKBOd6n4jimQWbzn.g0.

enable password 7 045802150C2E

!

username test password 7 120D000406

async-bootp dns-server 10.1.85.156

async-bootp nbns-server 10.1.85.156

chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNc

!

!

interface Ethernet0

ip address 10.1.85.3 255.255.255.0

no mop enabled

!

interface Serial0

no ip address

no ip mroute-cache

shutdown

!

interface Serial1

no ip address

shutdown

!

interface Group-Async1

ip unnumbered Ethernet0

encapsulation ppp

no ip route-cache

no ip mroute-cache

keepalive 10

async dynamic address

async mode interactive

peer default ip address pool dialin

ppp reliable-link

ppp authentication chap use-radius

group-range 1 16

!

ip local pool dialin 10.1.86.65 10.1.86.80

ip default-gateway 10.1.85.22

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.85.22

!

radius-server host 10.1.85.156 auth-port 1645 acct-port 1646

radius-server key RoLalabalavu29

!

line con 0

line 1 16

autobaud

autoselect during-login

script dialer cisco-default

login authentication use-radius

modem InOut

transport input all

flowcontrol hardware

line aux 0

line vty 0 4

password 7 15181E1F102E242D3C

!

end

Please Help

regards

8 Replies

tepatel
Cisco Employee

Just configure the "autoselect ppp" command under the line 1 16 config. That will serve both purposes.

mljohnson
Level 4

Do you purposely want the users to get an exec session? Or are they all PPP users? If they are all PPP users, you should be able to add either "autoselect ppp" under the line, or "async mode dedicated" under the interface, and all users will be logged into a PPP session using their dialup window info.

No, I don't want users to get an exec session. I have added that command.

I got this error message when I tried to dial in from a Win 2K PC.

"Error 691:Access was denied because the username and/or password was invalid on the Domain "

Did debug Radius and got this result:

16w6d: RADIUS: Received from id 227 10.1.85.156:1645, Access-Reject, len 20

16w6d: %LINK-5-CHANGED: Interface Async15, changed state to reset

16w6d: %LINK-3-UPDOWN: Interface Async15, changed state to down

16w6d: RADIUS: Initial Transmit id 228 10.1.85.156:1645, Access-Request, len 83

16w6d: Attribute 4 6 0A015503

16w6d: Attribute 5 6 0000000F

16w6d: Attribute 61 6 00000000

16w6d: Attribute 1 12 75746177

16w6d: Attribute 30 2 03130379

16w6d: Attribute 3 19 03799D11

16w6d: Attribute 6 6 00000002

16w6d: Attribute 7 6 00000001

I'm absolutely sure that I'm inputting the right username and password.

Try removing the "if-needed" option under AAA, then capture the entire output of "debug ppp auth", "debug aaa authen", and "debug radius".

OK, this is what I did. I removed the if-needed part, entered async mode dedicated on the Int Group-Async 1 and entered autoselect ppp on line 1 16.

Debug aaa authen, ppp authen, radius.

When I dial in, I manage to connect, but when it comes to verifying the username and password, that is where it gets disconnected and redials. Error message "remote computer is not responding".

There was no debug output on my screen, even though I turned terminal monitor on.

Could it be my Radius Server allowing only exec connections?

Or could it be some settings in the dialup properties of the clients?

Anyway, here is the configuration I changed:

SuvaDialUpRouter02#sho conf

Using 2275 out of 32762 bytes

!

version 11.3

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname SuvaDialUpRouter02

!

aaa new-model

aaa authentication login use-radius radius local

aaa authentication ppp use-radius radius local

aaa authorization exec radius local if-authenticated

aaa authorization network radius local if-authenticated

enable secret 5 $1$bqWV$wMaKBOd6n4jimQWbzn.g0.

enable password 7 045802150C2E

!

username usaia password 7 104D011C061C1B1F03113E

username test password 7 120D000406

username alfred password 7 00171614125208031C70

username imm password 7 141E1F060503382A30213C3B

username localgovt password 7 0507090C204049060F11

username maff password 7 110418031143595F

ip domain-list govnet.gov.fj

ip domain-list itc.gov.fj

ip name-server 10.1.85.156

ip name-server 10.1.85.158

async-bootp dns-server 10.1.85.156

async-bootp nbns-server 10.1.85.156

chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNc

!

!

interface Ethernet0

ip address 10.1.85.3 255.255.255.0

no mop enabled

!

interface Serial0

no ip address

no ip mroute-cache

shutdown

!

interface Serial1

no ip address

shutdown

!

interface Group-Async1

ip unnumbered Ethernet0

encapsulation ppp

no ip route-cache

no ip mroute-cache

keepalive 10

async dynamic address

async mode dedicated

peer default ip address pool dialin

ppp reliable-link

ppp authentication chap use-radius

group-range 1 16

!

ip local pool dialin 10.1.86.65 10.1.86.80

ip default-gateway 10.1.85.22

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.85.22

!

radius-server host 10.1.85.156 auth-port 1645 acct-port 1646

radius-server key RoLalabalavu29

banner motd ^Cc

Welcome to ITC Services

=========================

Access to this Service is RESTRICTED to Authorised Government Users

Only.

Please direct any queries to the HELPDESK on Phone 306005

Use by Unauthorised persons is prohibited

^C

!

line con 0

line 1 16

autobaud

autoselect during-login

autoselect ppp

script dialer cisco-default

login authentication use-radius

modem InOut

transport input all

flowcontrol hardware

line aux 0

line vty 0 4

password 7 15181E1F102E242D3C

!

end

It's hard to say what is happening without the debug. If you can't see it on your screen, try "clear log", enable the debug, run a test, disable the debug, and then "show log". You may also want to increase your logging buffer with the config command "logging buffer". Check the RADIUS profile, too, to see that it allows who/what you want.

OK, this is the debug result I got when I DON'T put autoselect ppp on line 1 16 or async mode dedicated on int group-async 1. In other words, making an exec connection.

17w1d: AAA/AUTHEN: create_user (0x1A2648) user='' ruser='' port='tty15' rem_add1

17w1d: AAA/AUTHEN/START (1302562061): port='tty15' list='use-radius' action=LOGN

17w1d: AAA/AUTHEN/START (1302562061): found list use-radius

17w1d: AAA/AUTHEN/START (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='(undef)')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='')

17w1d: AAA/AUTHEN (1302562061): status = GETUSER

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: AAA/AUTHEN (1302562061): status = GETPASS

17w1d: AAA/AUTHEN/CONT (1302562061): continue_login (user='utawakevou')

17w1d: AAA/AUTHEN (1302562061): status = GETPASS

17w1d: AAA/AUTHEN (1302562061): Method=RADIUS

17w1d: RADIUS: Using stdio port information: port 15

17w1d: RADIUS: Initial Transmit id 17 10.1.85.156:1645, Access-Request, len 70

17w1d: Attribute 4 6 0A015503

17w1d: Attribute 5 6 0000000F

17w1d: Attribute 61 6 00000000

17w1d: Attribute 1 12 75746177

17w1d: Attribute 30 2 0212FFCB

17w1d: Attribute 2 18 FFCB5B93

17w1d: RADIUS: Received from id 17 10.1.85.156:1645, Access-Accept, len 38

17w1d: Attribute 7 6 00000001

17w1d: Attribute 10 6 00000001

17w1d: Attribute 6 6 00000002

17w1d: RADIUS: saved authorization data for user 1A2648 at 1A26E0

17w1d: AAA/AUTHEN (1302562061): status = PASS

17w1d: RADIUS: Constructed "ppp negotiate"

17w1d: %LINK-3-UPDOWN: Interface Async15, changed state to up

17w1d: As15 PPP: Treating connection as a dedicated line

17w1d: AAA/AUTHEN: dup_user (0x1BD6B8) user='utawakevou' ruser='' port='tty15' '

17w1d: AAA/AUTHEN: free_user (0x1A2648) user='utawakevou' ruser='' port='tty15'1

17w1d: AAA/AUTHEN: Method=IF-NEEDED: no authentication needed. user='utawakevou'

17w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async15, changed state tp

When I put in autoselect ppp or async mode dedicated, turn debug ON and dial in without enabling "show terminal window" at the PC end, I don't get any debug output in my window.

Ignore the last sentence of my last post. I did enable async mode dedicated on the int group-async 1 and tried to connect without "start terminal window".

Below is the debug result:

SuvaDialUpRouter02#

17w1d: As15 PPP: Treating connection as a dedicated line

17w1d: As15 PPP: Phase is AUTHENTICATING, by this end

17w1d: As15 CHAP: O CHALLENGE id 5 len 39 from "SuvaDialUpRouter02"

17w1d: %LINK-3-UPDOWN: Interface Async15, changed state to up

17w1d: As15 CHAP: I RESPONSE id 5 len 31 from "utawakevou"

17w1d: AAA/AUTHEN: create_user (0x1BD6E4) user='utawakevou' ruser='' port='Asyn1

17w1d: AAA/AUTHEN/START (3021666351): port='Async15' list='use-radius' action=LP

17w1d: AAA/AUTHEN/START (3021666351): found list use-radius

17w1d: AAA/AUTHEN (3021666351): status = UNKNOWN

17w1d: AAA/AUTHEN/START (3021666351): Method=RADIUS

17w1d: RADIUS: Initial Transmit id 18 10.1.85.156:1645, Access-Request, len 83

17w1d: Attribute 4 6 0A015503

17w1d: Attribute 5 6 0000000F

17w1d: Attribute 61 6 00000000

17w1d: Attribute 1 12 75746177

17w1d: Attribute 30 2 03130529

17w1d: Attribute 3 19 05299A8E

17w1d: Attribute 6 6 00000002

17w1d: Attribute 7 6 00000001

17w1d: RADIUS: Received from id 18 10.1.85.156:1645, Access-Reject, len 20

17w1d: AAA/AUTHEN (3021666351): status = FAIL

17w1d: As15 CHAP: Unable to validate Response. Username utawakevou: Authenticae

17w1d: As15 CHAP: O FAILURE id 5 len 26 msg is "Authentication failure"

17w1d: AAA/AUTHEN: free_user (0x1BD6E4) user='utawakevou' ruser='' port='Async11

17w1d: %LINK-5-CHANGED: Interface Async15, changed state to reset

17w1d: %LINK-3-UPDOWN: Interface Async15, changed state to down