Mailing List Archive

5400 authentication problem
In our institution we have 2 dialup routers: a Cisco 3640 and a new 5400.
The 3640 has one ISDN PRI line (E1 module) accepting only ISDN calls, and
the 5400 has two ISDN PRI lines (up to 8 E1 controllers) and 240 modems.
Authentication is done by a RADIUS server (FreeRADIUS on Linux) serving
both routers. Everything works fine except the double login detection
for the 5400 calls. Both routers have the same IOS version (12.2) and
are running the same aaa configuration. The double login detection is
done with SNMP (snmpget into the router MIB: if it returns 0 --> no
double login, if 1 --> double login) and it works fine with the 3640
but not with the 5400.

Here is the aaa configuration for both routers (3640:
195.130.102.130, 5400: 195.130.98.1)
--------------------------------------------------------------------------------------------------------

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default group radius local
aaa authentication ppp dialin if-needed local
aaa authorization exec default if-authenticated local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting network default start-stop group radius
aaa processes 6 (only in 3640, cannot find the same in 5400)
.......................................................................
ip radius source-interface Loopback0 (3640)
radius-server host 195.130.100.47 auth-port 1645 acct-port 1646 (3640)
radius-server key xxxxxxxxxx (3640)
radius-server retransmit 3 (3640)
......................................................................
ip radius source-interface Loopback0 (5400)
radius-server host 195.130.100.47 auth-port 1645 acct-port 1646 (5400)
radius-server timeout 10 (5400)
radius-server key xxxxxxxxxx (5400)
radius-server authorization permit missing Service-Type (5400)
------------------------------------------------------------------------------------------------------


Please find attached the "debug radius" for both routers and the radius
server (195.130.100.47) log.

Any idea or help is welcome...

Thanks

Yannis Xydas
NOC manager
Technological Institution of Athens
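
An added example, not part of the original post: since the post says both routers run the same aaa configuration, this Python sketch splits the posted lines by their "(3640)" / "(5400)" tags and lists what actually differs between the two. It assumes untagged lines apply to both routers; the function names are hypothetical.

```python
import re

# Configuration lines copied from the post, including the poster's router tags.
POSTED = """\
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default group radius local
aaa authentication ppp dialin if-needed local
aaa authorization exec default if-authenticated local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting network default start-stop group radius
aaa processes 6 (only in 3640, cannot find the same in 5400)
.......................................................................
ip radius source-interface Loopback0 (3640)
radius-server host 195.130.100.47 auth-port 1645 acct-port 1646 (3640)
radius-server key xxxxxxxxxx (3640)
radius-server retransmit 3 (3640)
......................................................................
ip radius source-interface Loopback0 (5400)
radius-server host 195.130.100.47 auth-port 1645 acct-port 1646 (5400)
radius-server timeout 10 (5400)
radius-server key xxxxxxxxxx (5400)
radius-server authorization permit missing Service-Type (5400)
"""

# Trailing "(3640)", "(5400)" or "(only in 3640, ...)" annotation.
TAG = re.compile(r"\s*\((?:only in )?(3640|5400)\b[^)]*\)\s*$")

def split_by_router(text):
    """Return {router: set(config lines)}; untagged lines go to both (assumption)."""
    routers = {"3640": set(), "5400": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set(".-"):
            continue  # blank line or separator row
        m = TAG.search(line)
        if m:
            routers[m.group(1)].add(line[:m.start()].rstrip())
        else:
            for lines in routers.values():
                lines.add(line)
    return routers

def differences(routers):
    """Lines present on one router only, as (only_3640, only_5400)."""
    a, b = routers["3640"], routers["5400"]
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    for name, lines in zip(("3640", "5400"), differences(split_by_router(POSTED))):
        print(f"only on {name}:", *lines, sep="\n  ")
```

The output lists the lines unique to each router, which are the places to look first when one NAS behaves differently against the same RADIUS server.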