08-06-2003 09:24 AM - edited 03-02-2019 09:24 AM
Hello, I am trying to configure my AS5300 access server to authenticate to a certain radius server if our customers dial into a specific dial-in number, by an aaa dnis map.
So far I can dial into this number and the 5300 will send a request to the proper radius server. Our radius server is receiving the request and displaying a login OK but I do not get logged in. When looking at some debugs on the 5300 the user doesn't get authorized.
The default configuration of the 5300 still works fine and authenticates people on our other radius server.
-------This is what our radius server says when I try to dial in
Thu Jul 31 14:50:46 2003: Auth: Login OK: [mememe] (from nas xxx-test/S50) socket 0 (0 sec)
-------This is the debug of the 5300 from the same dial-in
3w3d: As49 LCP: O CONFACK [ACKrcvd] id 5 len 20
3w3d: As49 LCP: ACCM 0x000A0000 (0x0206000A0000)
3w3d: As49 LCP: MagicNumber 0x004A4BFB (0x0506004A4BFB)
3w3d: As49 LCP: PFC (0x0702)
3w3d: As49 LCP: ACFC (0x0802)
3w3d: As49 LCP: State is Open
3w3d: As49 PPP: Phase is AUTHENTICATING, by this end
3w3d: As49 PAP: I AUTH-REQ id 1 len 20 from "mememe"
3w3d: As49 PAP: Authenticating peer mememe
3w3d: As49 PAP: O AUTH-NAK id 1 len 25 msg is "Authorization failed"
3w3d: As49 PPP: Phase is TERMINATING
3w3d: As49 LCP: O TERMREQ [Open] id 204 len 4
3w3d: As49 LCP: I TERMACK [TERMsent] id 204 len 4
3w3d: As49 LCP: State is Closed
3w3d: As49 PPP: Phase is DOWN
--------This is a copy of the config of the 5300
Building configuration...
Current configuration : 3851 bytes
!
! Last configuration change at 14:47:44 CDT Thu Jul 31 2003 by operator
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xsxsxs
!
boot system flash c5300-i-mz.121-10.bin
no logging console
aaa new-model
aaa group server radius test1
 server 222.222.222.222 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius local
aaa authentication login consoleport local
aaa authentication login virtualterminal local
aaa authentication login auxiliaryport local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting network default wait-start group radius
aaa dnis map enable
aaa dnis map 1111111 authentication ppp group test1
aaa dnis map 1111111 accounting network wait-start group test1
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx/
!
username sssssss password 7 xxxxxxxxxxxxxx
spe 1/0 1/3
 firmware location mica-modem-pw.2.7.3.0.bin
spe 2/0 2/3
 firmware location mica-modem-pw.2.7.3.0.bin
!
ip address-pool local
modemcap entry mica2.7.3.0:MSC=&F&D2S34=18000S40=10S54=456debugthismodemS71=4
!
controller T1 0
 clock source line primary
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
!
controller T1 1
 shutdown
 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
 cas-custom 0
!
controller T1 2
 shutdown
 clock source line secondary 2
!
controller T1 3
 shutdown
 clock source line secondary 3
!
!
interface FastEthernet0
 ip address xxx.xxx.xxx.113 255.255.255.128
 duplex auto
 speed auto
 no cdp enable
!
interface Group-Async1
 ip unnumbered FastEthernet0
 encapsulation ppp
 ip tcp header-compression passive
 async mode interactive
 peer default ip address pool async
 ppp authentication pap chap
 group-range 1 96
!
ip local pool async 112.112.112.65 112.112.112.94
ip classless
ip route 0.0.0.0 0.0.0.0 112.112.112.1
ip route 0.0.0.0 0.0.0.0 Null0 255
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol netbios deny
radius-server host 111.111.111.111 auth-port 1812 acct-port 1813
radius-server host 222.222.222.222 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 3
radius-server key XXXXXXXX
!
line con 0
 logging synchronous
 login authentication consoleport
line 1 96
 modem Dialin
 modem autoconfigure type mica2.7.3.0
 transport input all
 autoselect during-login
 autoselect ppp
line aux 0
 login authentication auxiliaryport
line vty 0 4
 exec-timeout 30 0
 login authentication virtualterminal
08-06-2003 06:18 PM
We see an authorization failure, can you please add:
aaa dnis map 1111111 authorization network group test1.
If this fails only with one particular radius server, then we need to check that it's correctly configured.
deb aaa authen / deb aaa author / deb radius will be useful.
Thanks, Mak.
08-07-2003 06:11 AM
I added the following line to my configuration and it seems to work now.
aaa dnis map 1111111 authentication login group test1
I thought I tried it with this line in before but maybe I did something wrong.
I tried to add the line that you gave me but it wasn't accepted.
xsxsxs(config)#aaa dnis map 1111111 ?
accounting Accounting configurations parameters.
authentication Authentication configurations parameters.
xsxsxs(config)#aaa dnis map 1111111 authentication ?
login Set authentication lists for login.
ppp Set authentication lists for ppp.
Thanks
AL
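Added example, not part of the original thread and not Cisco code: a small Python audit that reads the AAA lines of a configuration like the one posted above and reports, for each DNIS number, which AAA functions are mapped to a server group and which still fall back to the default method list. It assumes an unmapped function uses its `default` list; the sample config is constructed from the AAA lines in the first post.

```python
import re

# Constructed sample: the AAA lines from the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius test1
 server 222.222.222.222 auth-port 1812 acct-port 1813
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting network default wait-start group radius
aaa dnis map enable
aaa dnis map 1111111 authentication ppp group test1
aaa dnis map 1111111 accounting network wait-start group test1
"""

FUNCS = r"(authentication|authorization|accounting)"
DEFAULT_RE = re.compile(rf"^aaa {FUNCS} (\S+) default (.+)$")
DNIS_RE = re.compile(rf"^aaa dnis map (\d+) {FUNCS} (\S+) (.+)$")


def audit_dnis_maps(config):
    """Return {dnis: {"mapped": {...}, "fallback": {...}}}.

    Keys of the inner dicts are (function, service) pairs such as
    ("authorization", "network"); values are the method list text.
    """
    defaults, maps = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = DNIS_RE.match(line)
        if m:
            maps.setdefault(m.group(1), {})[(m.group(2), m.group(3))] = m.group(4)
            continue
        m = DEFAULT_RE.match(line)
        if m:
            defaults[(m.group(1), m.group(2))] = m.group(3)
    # Assumption: anything with a default list but no DNIS map uses the default.
    return {
        dnis: {"mapped": mapped,
               "fallback": {k: v for k, v in defaults.items() if k not in mapped}}
        for dnis, mapped in maps.items()
    }


if __name__ == "__main__":
    for dnis, result in audit_dnis_maps(SAMPLE_CONFIG).items():
        for (func, svc), methods in sorted(result["mapped"].items()):
            print(f"DNIS {dnis}: {func} {svc} -> mapped: {methods}")
        for (func, svc), methods in sorted(result["fallback"].items()):
            print(f"DNIS {dnis}: {func} {svc} -> default list: {methods}")
```

For the posted configuration this lists `authorization network` and `authentication login` as the two functions still handled by the default `group radius` list for DNIS 1111111.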