Cisco, DNIS and ISDN Problems

Wilhelm Lehmann wilhelm at namibnet.com
Thu Aug 4 14:06:12 CEST 2005


Thank you for the reply, but this is done.

Still does not explain why the user works on Async but not on ISDN
connecting to the same Cisco box.

The same user works 100% on Async and ISDN on the Lucent NAS.

Just a note: switching the IP on the Cisco for authentication and accounting
back to the Livingston radius (port 1812 and 1813), all works fine again
(ISDN and Async).

It is just on FreeRADIUS that my ISDN calls are rejected, and only on the Cisco
NAS. The Lucent (Livingston) passes NAS-Port = 0 for all ISDN users. But the
high ports the Cisco passes for ISDN work fine on my old radius box.

Thanks

Wilhelm

-----Original Message-----
From: h_maosa at blueyonder.co.uk [mailto:h_maosa at blueyonder.co.uk] 
Sent: 04 August 2005 01:00 PM
To: wilhelm at namibnet.com; FreeRadius users mailing list
Subject: Re: Cisco, DNIS and ISDN Problems

You probably have done this already, but if you have not, make sure you
statically specify the authentication port and accounting port numbers in
your Cisco AAA configuration, if you are using the newer port numbers.

If you just enable radius authentication on Cisco routers (at least the
ones I have worked on), they default to the old port numbers. So if your
radius is using the new port numbers, for whatever reason, the Cisco
routers (the ones I have used) don't complain about the port mismatch,
but rather reject valid users.

So if your radius authentication is 1812 and accounting port is 1813, make
sure on your Cisco box you state this specifically with

radius-server host a.b.c.d authentication-port 1812 accounting-port 1813

Good Luck,
Herbert.

> Hi Everyone,
>
> I have been using Livingston Radius for a very long time, and decided it was
> time to upgrade to FreeRadius.
>
> We have various POPs authenticating to our radius server, and to make sure
> everything worked OK I first set only the Lucent-based POPs to authenticate
> on FreeRadius. This worked 100% and we decided to let the Cisco boxes also
> authenticate on the new radius server.
>
> Suddenly we found the ISDN users can't authenticate.
>
> "tail -f radius.log
> Thu Aug  4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
> Thu Aug  4 11:24:30 2005 : Auth: Login incorrect: [sonjapretorius/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
> Thu Aug  4 11:24:31 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20330 cli 061xxx)
> Thu Aug  4 11:24:33 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as2 port 20330 cli 061xxx)
> Thu Aug  4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
> Thu Aug  4 11:24:58 2005 : Auth: Login OK: [lords/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
> Thu Aug  4 11:25:05 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 20424 cli 061xxx)
> Thu Aug  4 11:25:10 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
> Thu Aug  4 11:25:51 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 72 cli 061xxx)
> Thu Aug  4 11:25:56 2005 : Auth: Login OK: [kaysererongo/<CHAP-Password>] (from client Windhoek-as1 port 72 cli 061xxx)
> "
>
> The two Login OK's are Async users. I noticed the port numbers are very high
> on the ISDN users, 20000+, while the Async ports are < 200.
>
> Just something else: for example the same user "japhet" can connect fine as
> he should on the Lucent NAS on ISDN or Async. The moment he connects to the
> Cisco I get the Login incorrect. No changes done at all. (Async works fine
> on the Cisco.)
>
> On the DNIS:1040: even on my Livingston radius I used to get the dnis:1040
> user every time a user connects to the Cisco NASes, but this is just a minor
> irritation; it didn't affect the users' operation. How can I get rid of this?
> The National Teleco (running the Ciscos) say there is nothing they can do,
> as they share the E1s and modems with all ISPs in our country, but
> determine whose customer it is by the number dialed, and this is where the
> dnis:1040 comes from, and told me just to ignore it.
>
> Running radiusd -xx gives no info as to why it was rejected.
>
> Hope someone can assist.
>
> Thank you
>
> Wilhelm Lehmann
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
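
A triage sketch for the radius.log excerpt quoted above, as an added example that is not part of the original thread: it tallies Auth results per NAS client and port class, keeps the dnis: pre-authentication attempts separate, and reports which NAS/port-class pairs never succeed. The 20000 threshold is an assumption taken from the poster's observation, and the sample lines and user names are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the radius.log excerpt in the thread
# (one entry per line; user names are placeholders).
SAMPLE_LOG = """\
Thu Aug  4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:30 2005 : Auth: Login incorrect: [user-a/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:33 2005 : Auth: Login incorrect: [user-b/xxx] (from client Windhoek-as2 port 20330 cli 061xxx)
Thu Aug  4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:24:58 2005 : Auth: Login OK: [user-c/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:25:10 2005 : Auth: Login incorrect: [user-b/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
Thu Aug  4 11:25:51 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 72 cli 061xxx)
Thu Aug  4 11:25:56 2005 : Auth: Login OK: [user-d/<CHAP-Password>] (from client Windhoek-as1 port 72 cli 061xxx)
"""

# Assumption from the thread: ISDN calls show NAS-Port 20000+, async ports < 200.
ISDN_PORT_FLOOR = 20000
AUTH_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "  # tolerates an optional reason
    r"\[(?P<user>[^/\]]*)/[^\]]*\] "                          # [user/password-field]
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)"
)

def parse(log_text):
    """Yield (result, user, nas, port) per Auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m["result"], m["user"], m["nas"], int(m["port"])

def summarize(log_text):
    """Count (nas, port_class, result) for real users; count dnis: attempts per NAS."""
    users, dnis = Counter(), Counter()
    for result, user, nas, port in parse(log_text):
        if user.startswith("dnis:"):
            dnis[nas] += 1
            continue
        port_class = "isdn" if port >= ISDN_PORT_FLOOR else "async"
        users[(nas, port_class, result)] += 1
    return users, dnis

def always_rejected(users):
    """Return (nas, port_class) pairs with rejects and no successful login."""
    ok = {(n, c) for (n, c, r) in users if r == "OK"}
    return {(n, c) for (n, c, r) in users if r == "incorrect"} - ok

if __name__ == "__main__":
    print(sorted(always_rejected(summarize(SAMPLE_LOG)[0])))
```
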




