Mailing List Archive

Callback with Microsoft IAS (RADIUS)
Hi,

I am trying to get callback working on an AS5200 (12.0.7(T)) using RADIUS.
The AAA server used is a Windows 2000 Server running IAS.

On the AS5200 I have the following AAA configuration:

aaa new-model
aaa group server radius RASGROUP
 server 10.168.10.13 auth-port 1645 acct-port 1646
 server 10.168.10.14 auth-port 1645 acct-port 1646
!
aaa authentication login RAS group RASGROUP
aaa authentication ppp RAS group RASGROUP
aaa authorization exec RAS group RASGROUP
aaa authorization network RAS group RASGROUP
aaa accounting exec RAS start-stop group RASGROUP
aaa accounting network RAS start-stop group RASGROUP

interface Group-Async 1
 ppp authentication pap RAS
 ppp authorization RAS
 ppp accounting RAS

I have set up the policy in IAS to return the following parameters:

Framed-Protocol=PPP
Service-Type=Framed (there does not seem to be any service-type called
Framed-User)
Cisco-AV-Pair="lcp:callback-dialstring=12345678"

Unfortunately, I am not able to get this to work. Are there any more
parameters that I have to return to the NAS?
Also, if possible I would like to specify the callback number in the user
profile (and not in an AV-pair)

Any help would be greatly appreciated!

Regards,

Harald
Re: Callback with Microsoft IAS (RADIUS)
Hi,

I've done some work a while back on Callback, here's the RADIUS profile I
was using:

callback Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-IP-Address = 192.168.1.1,
        Cisco-AVPair = "lcp:callback-dialstring=1234567",
        Cisco-AVPair = "lcp:nocallback-verify=1",
        Cisco-AVPair = "ip:addr=192.168.1.1",
        Fall-Through = Yes

I was working on authentication issues with 12.2T, and haven't actually
tried it on 12.0(7)T, but I can load it up for a test when I get into the
office if you like...

Cheers,
Mike

At 03:20 PM Wednesday 23/04/2003 +0200, Harald Astrand wrote:




>Hi,
>
>I am trying to get callback working on an AS5200 (12.0.7(T)) using RADIUS.
>The AAA server used is a Windows 2000 Server running IAS.
>
>On the AS5200 I have the following AAA configuration:
>
>aaa new-model
>aaa group server radius RASGROUP
> server 10.168.10.13 auth-port 1645 acct-port 1646
> server 10.168.10.14 auth-port 1645 acct-port 1646
>!
>aaa authentication login RAS group RASGROUP
>aaa authentication ppp RAS group RASGROUP
>aaa authorization exec RAS group RASGROUP
>aaa authorization network RAS group RASGROUP
>aaa accounting exec RAS start-stop group RASGROUP
>aaa accounting network RAS start-stop group RASGROUP
>
>interface Group-Async 1
> ppp authentication pap RAS
> ppp authorization RAS
> ppp accounting RAS
>
>I have set up the policy in IAS to return the following parameters:
>
>Framed-Protocol=PPP
>Service-Type=Framed (there does not seem to be any service-type called
>Framed-User)
>Cisco-AV-Pair="lcp:callback-dialstring=12345678"
>
>Unfortunately, I am not able to get this to work. Are there any more
>parameters that I have to return to the NAS?
>Also, if possible I would like to specify the callback number in the user
>profile (and not in an AV-pair)
>
>Any help would be greatly appreciated!
>
>Regards,
>
>Harald

Cisco Systems
VGDBU - Voice Gateway and Dial Business Unit
Customer Engineering
Sydney, Australia
Ph: (+61 2) 8446 6044
Mobile: (+61) 401 890 474
Re: Callback with Microsoft IAS (RADIUS)
OK, I've just set this up in my lab using a 5300 and 12.0(7)T, with Merit
RADIUS running on a SUN box.

I did have a couple of issues getting it to work, and I think you are
probably running into:

CSCdv58818: MS Callback fails without dialer in-band if async-mode ...
This DDTS is fixed in 12.2(7), 12.2(7)T etc. BUT, I wouldn't recommend the
pain of upgrading, the workaround is to add 'dialer in-band' to your
'interface Group-Async'

**** WARNING adding 'dialer in-band' will set the idle timeout for all
async users to the default of 120 seconds, so you will probably want to add
'dialer idle-timeout 2147483' or something similar.

*** ALSO, you will need to add a chat script for dialing out. (see config)

I used the same RADIUS profile as below, and here is the bare bones config
of my 5300 to get callback working;

Please let me know if you need any more help with this

Cheers,
Mike Taylor
************************************************************

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vgdbu-5300
!
aaa new-model
aaa group server radius default
 server 2.2.2.2 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication ppp default group radius
aaa authorization network default group radius
enable password BLAH
!
!
!
resource-pool disable
!
!
!
!
!
ip subnet-zero
!
isdn switch-type primary-net5
isdn voice-call-failure 0
chat-script callback ABORT ERROR "" "ATDT\T" TIMEOUT 90 CONNECT \c
mta receive maximum-recipients 0
!
!
controller E1 0
 clock source line primary
 pri-group timeslots 1-31
!
controller E1 1
 clock source line secondary 1
!
controller E1 2
!
controller E1 3
!
!
!
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0:15
 no ip address
 no ip directed-broadcast
 isdn switch-type primary-net5
 isdn incoming-voice modem
 fair-queue 64 256 0
 no cdp enable
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 duplex full
 speed 100
!
interface Group-Async0
 ip unnumbered FastEthernet0
 no ip directed-broadcast
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2147483
 async mode dedicated
 ppp callback accept
 ppp authentication chap pap
 group-range 1 72
!
ip classless
no ip http server
!
!
radius-server host 2.2.2.2 auth-port 1812 acct-port 1813 key cisco
!
line con 0
 transport input none
line 1 72
 script callback callback
 modem InOut
 transport preferred lat pad telnet rlogin udptn v120 lapb-ta
 transport output lat pad telnet rlogin udptn v120 lapb-ta
line aux 0
line vty 0 4
 exec-timeout 0 0
!
end






At 08:14 AM Thursday 24/04/2003 +1000, Michael Taylor (mitaylor) wrote:
>Hi,
>
>I've done some work a while back on Callback, here's the RADIUS profile I
>was using:
>
>callback Auth-Type := Local, User-Password == "testing"
> Service-Type = Framed-User,
> Framed-IP-Address = 192.168.1.1,
> Cisco-AVPair = "lcp:callback-dialstring=1234567",
> Cisco-AVPair = "lcp:nocallback-verify=1",
> Cisco-AVPair = "ip:addr=192.168.1.1",
> Fall-Through = Yes
>
>I was working on authentication issues with 12.2T, and haven't actually
>tried it on 12.0(7)T, but I can load it up for a test when I get into the
>office if you like...
>
>Cheers,
>Mike

Cisco Systems
VGDBU - Voice Gateway and Dial Business Unit
Customer Engineering
Sydney, Australia
Ph: (+61 2) 8446 6044
Mobile: (+61) 401 890 474
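
As an added example (not part of the original posts), a small Python check for the callback items the message above calls out: 'dialer in-band' on the Group-Async interface, an explicit 'dialer idle-timeout', and a chat script that is both defined and applied to the lines. The names `sections` and `check_callback` are hypothetical, and treating 'ppp callback accept' as required is an assumption based on its presence in the posted working config.

```python
import re
# Constructed sample: the callback-related lines of the 5300 config in this thread.
SAMPLE = r'''
chat-script callback ABORT ERROR "" "ATDT\T" TIMEOUT 90 CONNECT \c
!
interface Group-Async0
 dialer in-band
 dialer idle-timeout 2147483
 ppp callback accept
!
line 1 72
 script callback callback
'''

SECTION = re.compile(r"^(interface|line|controller)\s+\S")

def sections(config):
    """Group sub-commands under their section header; '!' returns to global scope."""
    out, current = {"global": []}, "global"
    for line in filter(None, map(str.strip, config.splitlines())):
        if line == "!":
            current = "global"
        elif SECTION.match(line):
            current = line
            out.setdefault(current, [])
        else:
            out[current].append(line)
    return out

def check_callback(config):
    """Return findings; an empty list means every checked item is present."""
    sec = sections(config)
    defined = {c.split()[1] for c in sec["global"] if c.startswith("chat-script ")}
    applied = {c.split()[2] for name, cmds in sec.items() if name.startswith("line ")
               for c in cmds if c.startswith("script callback ")}
    findings = []
    for name, cmds in sec.items():
        if not name.lower().startswith("interface group-async"):
            continue
        if "dialer in-band" not in cmds:
            findings.append(f"{name}: no 'dialer in-band' (workaround for CSCdv58818)")
        elif not any(c.startswith("dialer idle-timeout ") for c in cmds):
            findings.append(f"{name}: 'dialer in-band' leaves the 120 second default idle timeout")
        if "ppp callback accept" not in cmds:
            findings.append(f"{name}: no 'ppp callback accept'")
    if not applied:
        findings.append("no line applies 'script callback <name>'")
    findings += [f"chat-script '{s}' is applied but not defined" for s in sorted(applied - defined)]
    return findings
```

Because sections are split on header keywords and '!' rather than on indentation, the check also works on a config whose indentation was lost in an archive or paste.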
Re: Callback with Microsoft IAS (RADIUS)
Thank you very much for the information!

I actually already had the "dialer in-band" (and dialer idle-timeout)
defined for the group-async interface.

I found on CCO that only in version 12.1(7) the RADIUS attribute 19 for
Microsoft callback is supported.
I guess this means that I can not specify the phone number in the user
properties in Active Directory.
However, I assume that callback should work if I define the AV-pair
"lcp:callback-dialstring=1234567".
Unfortunately, I will not have time to troubleshoot any more until next
week.

Thanks again for your help!

Regards,

Harald




From: "Michael Taylor (mitaylor)" <mitaylor@cisco.com>
Date: 04/24/2003 05:11 AM
To: "Michael Taylor (mitaylor)" <mitaylor@cisco.com>
cc: "Harald Astrand" <astrand@unicc.org>, cisco-nas@puck.nether.net
Subject: Re: [cisco-nas] Callback with Microsoft IAS (RADIUS)






Re: Callback with Microsoft IAS (RADIUS)
Hi Ricky,

I'm not 100% sure what you're saying here, so a few questions;

You're an ISP, or an end user? (Because the ISP will have to set up your
account for 'MS Callback')

If callback is applied to your user profile (via RADIUS) at the ISP end,
then one of two things will happen;
1: ISP hard codes your phone number in their database, and when you dial
and authenticate, Windows will disconnect automatically, and then a box
will sit in the middle of the screen saying something like 'Waiting for
Callback'.

2: ISP allows 'MS Callback' but doesn't allocate a phone number. Again,
your PC will dial, authenticate etc and then a pop-up box will appear on
your screen asking for your callback phone number.

If you are hitting cancel at any time during the dialup you will make
Windows abort the dialling completely, and you will end up with no
connection...

Let me know if this helps, and if you have any more questions

Cheers,
Mike

At 09:35 AM Thursday 10/07/2003 +0200, Ricky Magalhaes wrote:

>Hi Mike,
>
>
>
>I was searching on the internet and saw that you have a level of good
>understanding when it comes to IAS RADIUS and Cisco compatibility. When I
>dial in to the Cisco box it tries to call me back when I press cancel,
>hoping that I will just connect onto the network and it will not
>disconnect me it disconnects me.
>
>
>
>I hope you can help me with this
>
>
>
>RM

Cisco Systems,
Customer Support Engineer,
Asia Pacific Technical Assistance Centre,
Sydney, Australia
Ph: (+61 2) 8446 6044