Cisco, DNIS and ISDN Problems

Wilhelm Lehmann wilhelm at namibnet.com
Thu Aug 4 13:30:15 CEST 2005


Hi Everyone, 

I have been using Livingston Radius for a very long time, and decided it was
time to upgrade to FreeRADIUS.

We have various POPs authenticating to our RADIUS server, and to make sure
everything worked OK I first set only the Lucent-based POPs to authenticate
on FreeRADIUS. This worked 100% and we decided to let the Cisco boxes also
authenticate on the new RADIUS server.

Suddenly we found the ISDN users can't authenticate. 

"tail -f radius.log 
Thu Aug  4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:30 2005 : Auth: Login incorrect: [sonjapretorius/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:31 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20330 cli 061xxx)
Thu Aug  4 11:24:33 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as2 port 20330 cli 061xxx)
Thu Aug  4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:24:58 2005 : Auth: Login OK: [lords/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:25:05 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 20424 cli 061xxx)
Thu Aug  4 11:25:10 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
Thu Aug  4 11:25:51 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 72 cli 061xxx)
Thu Aug  4 11:25:56 2005 : Auth: Login OK: [kaysererongo/<CHAP-Password>] (from client Windhoek-as1 port 72 cli 061xxx)
"

The two Login OKs are Async users. I noticed the port numbers are very high
on the ISDN users, 20000+, while the Async ports are < 200.

Just something else, for example the same user "japhet" can connect fine as
he should on the Lucent NAS on ISDN or Async. The moment he connects to the
Cisco I get the Login incorrect. No changes done at all. (Async works fine
on the Cisco)

On the DNIS:1040, even on my Livingston Radius I used to get the dnis:1040
user every time a user connects to the Cisco NASes, but this is just a minor
irritation; it didn't affect the users' operation. How can I get rid of this?
The National Teleco (running the Ciscos) say there is nothing they can do,
as they share the E1s and modems with all ISPs in our country, but
determining whose customer it is by the number dialed, and this is where the
dnis:1040 comes from, and told me just to ignore it.

Running radiusd -xx gives no info as to why it was rejected.

Hope someone can assist.

Thank you 

Wilhelm Lehmann
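
A triage sketch for the log excerpt in the post above, added here as an example and not part of the original message or of FreeRADIUS: it separates the `dnis:` requests from real user attempts and splits the rest by NAS port range, listing which users are rejected on high ports and from which clients. The 20000 threshold is an assumption taken from the poster's observation, and `summarize`, `LINE_RE` and `HIGH_PORT_MIN` are hypothetical names.

```python
import re
from collections import Counter

# Assumption: threshold taken from the post (ISDN ports 20000+, async < 200).
HIGH_PORT_MIN = 20000

LINE_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "
    r"\[(?P<user>[^/\]]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)")

# The ten entries quoted in the post, one per line as radius.log writes them.
SAMPLE_LOG = """\
Thu Aug  4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:30 2005 : Auth: Login incorrect: [sonjapretorius/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug  4 11:24:31 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20330 cli 061xxx)
Thu Aug  4 11:24:33 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as2 port 20330 cli 061xxx)
Thu Aug  4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:24:58 2005 : Auth: Login OK: [lords/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug  4 11:25:05 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 20424 cli 061xxx)
Thu Aug  4 11:25:10 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
Thu Aug  4 11:25:51 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 72 cli 061xxx)
Thu Aug  4 11:25:56 2005 : Auth: Login OK: [kaysererongo/<CHAP-Password>] (from client Windhoek-as1 port 72 cli 061xxx)
"""

def summarize(lines):
    """Return (tally, users): tally counts (kind, outcome) pairs; users maps
    each user rejected on a high port to the NAS clients that sent the request."""
    tally, users = Counter(), {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an Auth line, or a layout this sketch does not know
        ok = m["result"] == "OK"
        if m["user"].startswith("dnis:"):
            kind = "dnis-preauth"  # the dnis:<number> request the post describes
        elif int(m["port"]) >= HIGH_PORT_MIN:
            kind = "high-port"
        else:
            kind = "low-port"
        tally[(kind, "ok" if ok else "reject")] += 1
        if kind == "high-port" and not ok:
            users.setdefault(m["user"], set()).add(m["client"])
    return tally, users

if __name__ == "__main__":
    tally, users = summarize(SAMPLE_LOG.splitlines())
    for key, n in sorted(tally.items()):
        print(key, n)
    for user, clients in sorted(users.items()):
        print(user, sorted(clients))
```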



