Cisco, DNIS and ISDN Problems
h_maosa at blueyonder.co.uk
Thu Aug 4 13:59:39 CEST 2005
You probably have done this already, but if you have not, make sure you
statically specify the authentication port and accounting port numbers in
your Cisco AAA configuration, if you are using the newer port numbers.
If you just enable RADIUS authentication on Cisco routers (at least the
ones I have worked on), they default to the old port numbers. So if your
RADIUS is using the new port numbers, for whatever reason, the Cisco
routers (the ones I have used) don't complain about the port mismatch,
but rather reject valid users.
So if your RADIUS authentication is 1812 and accounting port is 1813, make
sure on your Cisco box you state this specifically with
    radius-server host a.b.c.d auth-port 1812 acct-port 1813
Good Luck,
Herbert.
> Hi Everyone,
>
> I have been using Livingston Radius for a very long time, and decided it was
> time to upgrade to FreeRadius.
>
> We have various pop's authenticating to our radius server, and to make sure
> everything worked ok I first set only the lucent based pop's to authenticate
> on FreeRadius. This worked 100% and we decided to let the cisco boxes also
> authenticate on the new radius server.
>
> Suddenly we found the ISDN users can't authenticate.
>
> "tail -f radius.log
> Thu Aug 4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
> Thu Aug 4 11:24:30 2005 : Auth: Login incorrect: [sonjapretorius/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
> Thu Aug 4 11:24:31 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20330 cli 061xxx)
> Thu Aug 4 11:24:33 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as2 port 20330 cli 061xxx)
> Thu Aug 4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
> Thu Aug 4 11:24:58 2005 : Auth: Login OK: [lords/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
> Thu Aug 4 11:25:05 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 20424 cli 061xxx)
> Thu Aug 4 11:25:10 2005 : Auth: Login incorrect: [japhet/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
> Thu Aug 4 11:25:51 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as1 port 72 cli 061xxx)
> Thu Aug 4 11:25:56 2005 : Auth: Login OK: [kaysererongo/<CHAP-Password>] (from client Windhoek-as1 port 72 cli 061xxx)
> "
>
> The two Login OK's are Async users. I noticed the port numbers are very high
> on the ISDN users, 20000+ while the Async ports are < 200
>
> Just something else, for example the same user "japhet" can connect fine as
> he should on the Lucent NAS on ISDN or Async. The moment he connects to the
> Cisco I get the Login incorrect. No changes done at all. (Async works fine
> on the Cisco)
>
> On the DNIS:1040 even on my Livingston radius I used to get the dnis:1040
> user every time a user connects to the cisco nas's but this is just a minor
> irritation it didn't affect the users operation. How can I get rid of this?
> The National Teleco (running the Cisco's) say there is nothing they can do,
> as they share the E1's and modems with all ISP's in our country, but
> determining whose customer it is by the number dialed, and this is where the
> dnis:1040 comes from and told me just to ignore it.
>
> Running radiusd -xx gives no info as to why it was rejected.
>
> Hope someone can assist.
>
> Thank you
>
> Wilhelm Lehmann
>
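An added example, not part of the original thread: a small triage script for the radius.log format quoted above, grouping Auth lines by DNIS pre-auth versus real user, by line type, and by whether the request was logged as CHAP. The sample log is constructed (placeholder user names user1/user2), and the 20000 port threshold for ISDN is an assumption taken from the poster's own observation.

```python
import re
from collections import Counter

# Constructed sample in the radius.log format quoted in the thread
# (wrapped lines rejoined; user names replaced with placeholders).
SAMPLE_LOG = """\
Thu Aug 4 11:24:28 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug 4 11:24:30 2005 : Auth: Login incorrect: [user1/xxx] (from client Windhoek-as2 port 20012 cli 061xxx)
Thu Aug 4 11:24:52 2005 : Auth: Login incorrect: [dnis:1040/cisco] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug 4 11:24:58 2005 : Auth: Login OK: [user2/<CHAP-Password>] (from client Industria-as1 port 77 cli 061xxx)
Thu Aug 4 11:25:10 2005 : Auth: Login incorrect: [user1/xxx] (from client Windhoek-as1 port 20424 cli 061xxx)
"""

AUTH_RE = re.compile(
    r": Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]+)(?:/(?P<secret>[^\]]*))?\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)
ISDN_PORT_MIN = 20000  # assumption: the poster saw ISDN on ports 20000+, async below 200


def parse(text):
    """Yield one dict per Auth line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        # The NAS sends a "dnis:<number>" pre-authentication request per call.
        rec["kind"] = "dnis" if rec["user"].startswith("dnis:") else "user"
        rec["line_type"] = "isdn" if rec["port"] >= ISDN_PORT_MIN else "async"
        # The server logs the literal "<CHAP-Password>" for CHAP requests.
        rec["method"] = "chap" if rec["secret"] == "<CHAP-Password>" else "other"
        yield rec


def summarize(text):
    """Count (kind, line_type, method, result) tuples so patterns stand out."""
    return Counter(
        (r["kind"], r["line_type"], r["method"], r["result"]) for r in parse(text)
    )


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

Running it against the full log shows at a glance which combinations of NAS line type and authentication method are being rejected.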