Mailing List Archive

ISDN and Async Dialup over same PRI
Hi,

I am having trouble with the configuration of a dialup scenario where I
want to have three types of connections:

- Remote Routers dialing in via ISDN
- Remote ISDN Clients
- Remote Modem Users

To make things a bit more complicated I have to use RADIUS for
authentication and for a part of the configuration of the remote sites.
The router-router connections are fine as well as the modem connections
(dialer profiles for each site, group-async interface for the modems).

The thing I do not get to work are the remote ISDN clients. I have tried
to use a Virtual-template interface and want to add IP address and subnet
mask via RADIUS. I see the user dialing in, he gets authenticated and
RADIUS sends ip addr, subnet mask, framed protocol ppp and service type
framed to the NAS (3745, 12.3(19)).
The NAS continues with the PPP negotiation but does not use the ip addr
that is provided by RADIUS but first uses the address from the unnumbered
interface and then reverts to 0.0.0.0 as proposed address and finally
drops the call.

I get messages like that:
Jun 9 13:23:52.845: Vi2 IPCP: No peer address configured
Jun 9 13:23:52.845: Vi2 IPCP: Neither side knows remote address

What do I need to add to the config that RADIUS info is propagated to
the client, so the PPP negotiation could succeed?

I add the part of the config that I consider being relevant for the
dialup so you can have a look at my status at the time.

Any hints are very welcome.
Thanks.
Mat


---------------------------------
aaa new-model
!
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authentication ppp DialInAndOut if-needed group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network DialInAndOut group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
virtual-profile virtual-template 1
!
controller E1 1/0
pri-group timeslots 1-31
!
interface FastEthernet0/0
ip address 172.16.128.124 255.255.255.128
no ip redirects
speed 100
full-duplex
!
interface Serial1/0:15
no ip address
encapsulation ppp
dialer pool-member 1
no snmp trap link-status
isdn switch-type primary-net5
isdn incoming-voice modem
no peer default ip address
ppp authentication chap DialInAndOut
ppp chap hostname charlie
ppp multilink
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no snmp trap link-status
no peer default ip address
ppp authentication chap DialInAndOut
ppp authorization DialInAndOut
!
interface Group-Async0
ip unnumbered FastEthernet0/0
encapsulation ppp
ip tcp header-compression
dialer in-band
dialer idle-timeout 120 either
dialer-group 1
no snmp trap link-status
async mode interactive
no peer default ip address
ppp authentication chap DialInAndOut
ppp authorization DialInAndOut
group-range 65 94
!
interface Dialer0
ip unnumbered FastEthernet0/0
encapsulation ppp
ip tcp header-compression passive
dialer pool 1
dialer idle-timeout 120 either
dialer-group 1
no peer default ip address
no cdp enable
ppp authentication chap DialInAndOut
ppp authorization DialInAndOut
ppp chap hostname charlie
ppp multilink
!
interface Dialer1
ip address 192.168.7.1 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name chaplin
dialer-group 1
no cdp enable
ppp authentication chap DialInAndOut
ppp chap hostname charlie
------------------------------------------
Re: ISDN and Async Dialup over same PRI
Matthias,

Looks like Serial1/0:15 is missing the command "ppp authorization
DialInAndOut".

Regards,

Aaron
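
The condition pointed out in the reply above can be checked across a whole saved configuration. The following is an added example, not part of the original thread and not a Cisco tool: it lists every interface that has a `ppp authentication` line but no `ppp authorization` line, for review. The function name and the trimmed sample text are assumptions, and interface sections are assumed to end at `!` as in `show running-config` output.

```python
# Constructed sample, trimmed from the configuration posted in this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp DialInAndOut if-needed group radius
aaa authorization network DialInAndOut group radius
!
interface Serial1/0:15
no ip address
encapsulation ppp
ppp authentication chap DialInAndOut
ppp multilink
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ppp authentication chap DialInAndOut
ppp authorization DialInAndOut
!
interface Dialer1
encapsulation ppp
ppp authentication chap DialInAndOut
"""


def interfaces_missing_ppp_authorization(config_text):
    """Return [(interface, authentication line)] for every interface that
    authenticates PPP peers but has no 'ppp authorization' line."""
    findings = []
    name, authen, authorized = None, None, False

    def flush():
        # Record the section just finished if it authenticates only.
        if name and authen and not authorized:
            findings.append((name, authen))

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            flush()
            name = line.split(None, 1)[1] if line != "!" else None
            authen, authorized = None, False
        elif name and line.startswith("ppp authentication "):
            authen = line
        elif name and line.startswith("ppp authorization"):
            # 'no ppp authorization' does not match: it starts with 'no'.
            authorized = True
    flush()  # the last section may not end with '!'
    return findings
```

On the sample it reports Serial1/0:15 and Dialer1; whether an interface that is reported needs the command is a decision for whoever reviews the design.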

_______________________________________________
cisco-nas mailing list
cisco-nas@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
Re: ISDN and Async Dialup over same PRI
On Fri, 9 Jun 2006, Aaron Leonard wrote:

> Matthias,
>
> Looks like Serial1/0:15 is missing the command "ppp authorization
> DialInAndOut".

Might he also need virtual-profile aaa ?

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: ISDN and Async Dialup over same PRI
Jon,

thanks for your reply. I came across this command as well and it seems to
be one of the great mysteries of Cisco. What I found out so far is that
the command existed for a limited time but is not visible in newer IOS
versions. I use a 12.3(19) mainline and the command isn't there anymore.
What I have been reading in another forum is that the function that the
command controls is carried out by default by the IOS software now. So I
think there's no need to issue the command.

However, to make things more complicated, Cisco did remove the command in
IOS but keeps copying the command into all documentation and examples. I
found it in 12.2 and 12.4 documentation and I am probably not the only one
having problems reading documentation and not finding the commands. Cisco
definitely should clarify this.

Regards,
Mat




Jon Lewis <jlewis@lewis.org>
10.06.2006 17:12


To: Aaron Leonard <Aaron@cisco.com>
cc: Matthias Schaerer <matthias.schaerer@anyweb.ch>, cisco-nas@puck.nether.net
Subject: Re: [cisco-nas] ISDN and Async Dialup over same PRI


Re: ISDN and Async Dialup over same PRI
Mat,

You're right - as of 12.2(5.7)T (CSCdv19928), "virtual-profile aaa"
isn't needed any more, because a virtual profile will always be used if
the attributes from AAA require one.

I've submitted a doc bug to get this cleaned up.

Aaron
