Mailing List Archive

12.2(16b) crashing with per-user RADIUS entries
Hi all,

I've got a 3640 running 12.2(16b) (previously 12.2(16)). It's acting as
an LNS for DSL, ISDN and analog dial-up customers. The 3640 is using
AAA to authenticate users via FreeRADIUS (previously Cistron RADIUS) on
a Linux box. Normally this works fine. However, I recently decided to
have a go at per-user access-lists and routes. My first try at per-user
access-lists seemed to work, but the router crashed a few seconds after
I issued the "clear int virtual-accessXXX" command to boot the test
user. Note that I made no configuration changes to the router, only the
RADIUS entries on the Linux box. The router also reboots if the test
user disconnects on its own, or if the router loses contact (PPP
keepalives) and needs to clear the session. Once or twice it seems to
have rebooted for no reason (only when using per-user ACLs).

I'm using the inacl and outacl AV pairs to download the access-list to
the router. Again, the access-lists appear no problem on the
Virtual-Access interface and are dynamically named Virtual-AccessXXX#1
and Virtual-AccessXXX#0. However, the router just seems to want to
spontaneously reboot.

I've got a case open with TAC, but I thought I'd check here to see if
anybody else has seen this problem.

My AAA config is as follows:

aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
aaa accounting update newinfo
aaa accounting network default start-stop group radius

Should I try removing the accounting entries?

Thanks in advance,

DP



Deryk Piper, B.Asc
Network Manager
Applications Development
Modular Software Ltd.

Web: www.mod-soft.com
Email: deryk@mod-soft.com
Phone: 905.890.3778 x225
FAX: 905.890.3845
Re: 12.2(16b) crashing with per-user RADIUS entries
Can you send me the RADIUS profile which causes the problem to occur?

Dennis

Deryk Piper [deryk@mod-soft.com] wrote:
> Hi all,
>
> I've got a 3640 running 12.2(16b) (previously 12.2(16)). It's acting as
> an LNS for DSL, ISDN and analog dial-up customers. The 3640 is using
> AAA to authenticate users via FreeRADIUS (previously Cistron RADIUS) on
> a Linux box. Normally this works fine. However, I recently decided to
> have a go at per-user access-lists and routes. My first try at per-user
> access-lists seemed to work, but the router crashed a few seconds after
> I issued the "clear int virtual-accessXXX" command to boot the test
> user. Note that I made no configuration changes to the router, only the
> RADIUS entries on the Linux box. The router also reboots if the test
> user disconnects on its own, or if the router loses contact (PPP
> keepalives) and needs to clear the session. Once or twice it seems to
> have rebooted for no reason (only when using per-user ACLs).
>
> I'm using the inacl and outacl AV pairs to download the access-list to
> the router. Again, the access-lists appear no problem on the
> Virtual-Access interface and are dynamically named Virtual-AccessXXX#1
> and Virtual-AccessXXX#0. However, the router just seems to want to
> spontaneously reboot.
>
> I've got a case open with TAC, but I thought I'd check here to see if
> anybody else has seen this problem.
>
> My AAA config is as follows:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication ppp default group radius
> aaa authorization exec default local
> aaa authorization network default group radius if-authenticated
> aaa accounting update newinfo
> aaa accounting network default start-stop group radius
>
> Should I try removing the accounting entries?
>
> Thanks in advance,
>
> DP
>
>
>
> Deryk Piper, B.Asc
> Network Manager
> Applications Development
> Modular Software Ltd.
>
> Web: www.mod-soft.com
> Email: deryk@mod-soft.com
> Phone: 905.890.3778 x225
> FAX: 905.890.3845
>
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-bba

--
-------------------------------------------------------------------------
|| || Dennis Peng
|| || Cisco Systems, Inc. Escalation Engineer
|||| |||| 170 West Tasman Drive Phone: (408) 526-6143
..:||||||:..:||||||:.. San Jose, CA 95134 Fax: (408) 232-2343
Cisco Systems Inc. dpeng@cisco.com
-------------------------------------------------------------------------
RE: 12.2(16b) crashing with per-user RADIUS entries
Hi Dennis,

I'll qualify the following by saying that things have changed a bit over
the course of testing, but here's the gist of it:

user@realm Auth-Type := Local, Password == "xxx"
        Framed-IP-Address = 10.1.253.3,
        Framed-IP-Netmask = 255.255.255.255,
#       Cisco-AVPair += "ip:route=10.1.2.0 255.255.255.0 10.1.253.3",
        Cisco-AVPair += "ip:inacl#1=permit ip host 10.1.253.3 any",
        Cisco-AVPair += "ip:inacl#2=permit ip 10.1.2.0 0.0.0.255 any",
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Fall-Through = No

Anyhow, there it is. Information gets inserted on the router correctly,
as previously stated.

Thanks,

DP


> -----Original Message-----
> From: Dennis Peng [mailto:dpeng@cisco.com]
> Sent: Wednesday, June 25, 2003 4:20 PM
> To: Deryk Piper
> Cc: cisco-bba@puck.nether.net
> Subject: Re: [cisco-bba] 12.2(16b) crashing with per-user
> RADIUS entries
>
>
> Can you send me the RADIUS profile which causes the problem to occur?
>
> Dennis
>
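The per-user ACL AV pairs described in the first message (ip:inacl / ip:outacl carried in Cisco-AVPair) and the FreeRADIUS users-file profile posted above are worth linting before they are handed to a production LNS, since a malformed or mis-ordered entry only shows up once a session is authorized. The following is an added example written for this page, not code from the thread, from Cisco or from the FreeRADIUS project. It parses a single users-file entry (the posted profile, with the reply items indented as the users file requires and the password redacted as in the original), pulls out the ip:inacl#N / ip:outacl#N values, checks their sequence numbers and a subset of the IOS extended-ACE grammar (no port qualifiers), and evaluates the inbound list with IOS first-match semantics, including the implicit deny, against the session's Framed-IP-Address. The documentation address 203.0.113.1 standing in for an arbitrary destination and all function names are the example's own assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: the thread's profile, password redacted, reply items indented as required.
SAMPLE_USERS_ENTRY = """\
user@realm Auth-Type := Local, Password == "xxx"
        Framed-IP-Address = 10.1.253.3,
        Framed-IP-Netmask = 255.255.255.255,
#       Cisco-AVPair += "ip:route=10.1.2.0 255.255.255.0 10.1.253.3",
        Cisco-AVPair += "ip:inacl#1=permit ip host 10.1.253.3 any",
        Cisco-AVPair += "ip:inacl#2=permit ip 10.1.2.0 0.0.0.255 any",
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Fall-Through = No
"""
# One 'Attribute op value' item, optionally followed by the separating comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')
AVPAIR_RE = re.compile(r'^ip:(inacl|outacl)#(\d+)=(.+)$')
UsersEntry = namedtuple('UsersEntry', 'name check reply')  # check/reply: [(attr, op, value)]
Ace = namedtuple('Ace', 'action proto src dst')            # src/dst: IPv4Network

def _parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value)]; rejects leftover junk."""
    leftover = ITEM_RE.sub('', text).strip()
    if leftover:
        raise ValueError(f"cannot parse item near {leftover!r}")
    return [(a, op, v[1:-1] if v.startswith('"') else v) for a, op, v in ITEM_RE.findall(text)]

def parse_users_entry(text):
    """First line: name + check items; indented lines: reply items; '#' lines: comments."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    name, check_text = (lines[0].split(None, 1) + [''])[:2]
    if any(l[0] not in ' \t' for l in lines[1:]):
        raise ValueError("reply items must be indented (an unindented line starts a new entry)")
    reply = [item for l in lines[1:] for item in _parse_items(l)]
    return UsersEntry(name, _parse_items(check_text), reply)

def per_user_acls(entry):
    """Collect ip:inacl#N / ip:outacl#N AV pairs as {direction: [(N, ace_text), ...]}."""
    acls = {'inacl': [], 'outacl': []}
    for attr, _op, value in entry.reply:
        m = AVPAIR_RE.match(value) if attr == 'Cisco-AVPair' else None
        if m:
            acls[m.group(1)].append((int(m.group(2)), m.group(3).strip()))
    return acls

def _take_addr(tokens):
    """'any', 'host A.B.C.D' or 'A.B.C.D wildcard' -> IPv4Network (IndexError if truncated)."""
    t = tokens.pop(0)
    if t == 'any':
        return ipaddress.ip_network('0.0.0.0/0')
    if t == 'host':
        return ipaddress.ip_network(tokens.pop(0) + '/32')
    # IOS wildcards are inverted masks; a non-contiguous one makes ip_network() raise.
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_ace(text):
    """Extended-ACE subset: permit|deny proto src dst [log]; no port qualifiers."""
    action, proto, *rest = text.split()
    if action not in ('permit', 'deny') or not (proto.isalpha() or proto.isdigit()):
        raise ValueError("bad action or protocol")
    src, dst = _take_addr(rest), _take_addr(rest)
    if rest not in ([], ['log']):
        raise ValueError(f"unexpected tokens {rest}")
    return Ace(action, proto, src, dst)

def validate_acl(items):
    """Parse (seq, ace_text) pairs; flag duplicate or out-of-order sequence numbers."""
    aces, problems, seen = [], [], set()
    for seq, text in items:
        if seq in seen:
            problems.append(f"duplicate sequence #{seq}")
        elif seen and seq < max(seen):
            problems.append(f"#{seq} out of order after #{max(seen)}")
        seen.add(seq)
        try:
            aces.append(parse_ace(text))
        except (ValueError, IndexError) as err:
            problems.append(f"#{seq} {text!r}: {err}")
    return aces, problems

def verdict(aces, src_ip, dst_ip):
    """IOS first-match evaluation, ending in the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return 'deny'

def check_profile(text):
    """Validate both per-user ACLs and confirm the inacl admits the Framed-IP-Address."""
    entry = parse_users_entry(text)
    framed_ip = {a: v for a, _o, v in entry.reply}.get('Framed-IP-Address')
    report = {d: validate_acl(items) for d, items in per_user_acls(entry).items()}
    in_aces = report['inacl'][0]
    # The inacl filters what the customer sends in, so its own address must be permitted or the
    # implicit deny blackholes the session; 203.0.113.1 is a documentation address (assumption).
    admitted = bool(in_aces and framed_ip) and verdict(in_aces, framed_ip, '203.0.113.1') == 'permit'
    return entry, report, admitted
```

Running check_profile(SAMPLE_USERS_ENTRY) reports two inbound entries, an empty outbound list, no sequence problems, and that 10.1.253.3 is admitted. A source inside 10.1.2.0/24 (the subnet the commented-out ip:route would have pointed at the session) is also permitted by the second ACE, while any other source falls through to the implicit deny; duplicate or descending inacl#N numbers and truncated ACEs are reported rather than silently accepted.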
RE: 12.2(16b) crashing with per-user RADIUS entries
Just to give anybody a heads-up who might be interested...

At Dennis' suggestion I removed IP Inspection from the Virtual-Template
interface that's cloned for PPP sessions. This stopped the crashing.
There's an outstanding bug - CSCea56700 - that corresponds to this
problem. It's at severity 2 and is currently assigned.

Thanks Dennis,

DP

> -----Original Message-----
> From: cisco-bba-bounces@puck.nether.net
> [mailto:cisco-bba-bounces@puck.nether.net]On Behalf Of Deryk Piper
> Sent: Wednesday, June 25, 2003 5:02 PM
> To: Dennis Peng
> Cc: cisco-bba@puck.nether.net
> Subject: RE: [cisco-bba] 12.2(16b) crashing with per-user
> RADIUS entries
>
>
> Hi Dennis,
>
> I'll qualify the following by saying that things have changed a bit over
> the course of testing, but here's the gist of it:
>
> user@realm Auth-Type := Local, Password == "xxx"
>         Framed-IP-Address = 10.1.253.3,
>         Framed-IP-Netmask = 255.255.255.255,
> #       Cisco-AVPair += "ip:route=10.1.2.0 255.255.255.0 10.1.253.3",
>         Cisco-AVPair += "ip:inacl#1=permit ip host 10.1.253.3 any",
>         Cisco-AVPair += "ip:inacl#2=permit ip 10.1.2.0 0.0.0.255 any",
>         Service-Type = Framed,
>         Framed-Protocol = PPP,
>         Fall-Through = No
>
> Anyhow, there it is. Information gets inserted on the router correctly,
> as previously stated.
>
> Thanks,
>
> DP
>
>