Hello Steve -

On Fri, 04 Feb 2000, Steve Suehring wrote:
> Hello-
> 
> I'm having the following problem with people dialing in single channel
> ISDN into Cisco AS5300.  The reason I'm posting this to the Radiator list
> is that the problem only started after we switched from Merit to Radiator.
> 
> For the past week I've been pursuing it from the Cisco end with no
> luck.
> 
> Here are details.
> 
> When a user dials in with PPP for single-channel isdn, it will not
> authenticate.  The Cisco debug shows that it fails during the
> Authorization stage.  Specifically here is the debug from the cisco:
> 
> 3w2d: %LINK-3-UPDOWN: Interface Async93, changed state to down
> 3w2d: %LINK-3-UPDOWN: Interface Serial0:13, changed state to up
> 3w2d: Se0:13 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
> 3w2d: Se0:13 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
> 3w2d: AAA: parse name=Serial0:13 idb type=12 tty=-1
> 3w2d: AAA: name=Serial0:13 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=13
> 3w2d: Se0:13 AAA/AUTHOR/LCP: Authorize LCP
> 3w2d: AAA/AUTHOR/LCP Se0:13 (843752075): Port='Serial0:13' list='' service=NET
> 3w2d: AAA/AUTHOR/LCP: Se0:13 (843752075) user='vanhalen'
> 3w2d: AAA/AUTHOR/LCP: Se0:13 (843752075) send AV service=ppp
> 3w2d: AAA/AUTHOR/LCP: Se0:13 (843752075) send AV protocol=lcp
> 3w2d: AAA/AUTHOR/LCP (843752075) found list "default"
> 3w2d: AAA/AUTHOR/LCP: Se0:13 (843752075) Method=RADIUS
> 3w2d: AAA/AUTHOR (843752075): Post authorization status = PASS_REPL
> 3w2d: Se0:13 AAA/AUTHOR/LCP: Processing AV service=ppp
> 3w2d: Se0:13 AAA/AUTHOR/LCP: Processing AV idletime=900
> 3w2d: Se0:13 AAA/AUTHOR/LCP: idletime failed
> 3w2d: Se0:13 AAA/AUTHOR/LCP: Denied
> 3w2d: Se0:13 AAA/AUTHOR: Duplicate per-user event LCP_DOWN ignored
> 3w2d: %ISDN-6-DISCONNECT: Interface Serial0:13  disconnected from 7153415211 , call lasted 2 seconds
> 3w2d: %LINK-3-UPDOWN: Interface Serial0:13, changed state to down
> 
> 
> Okay, quite obviously it didn't like the idletime value.  The problem is
> that this idle time value is the same for users dialing in with Multilink
> as well as users dialing in with regular modems.  That's where I'm greatly
> confused.  Why does it work for those others but not single channel ISDN?
> 
> One angle I've thought of is to strip the idletime value from the reply
> for ISDN service types, but that doesn't seem to be a _solution_ rather it
> seems like a band-aid.
> 
> Is anyone else having any problems like this?  If _not_, then could you
> let me know so we can compare notes on AS5300 & radiator config?
> 

What dictionary are you using? The standard Radiator dictionary specifies this:

ATTRIBUTE       Idle-Timeout            28      integer  

And what about Service-Type? Ciscos are very picky about requiring a
Service-Type that matches the request in the Access-Accept.

If you could send us a trace 4 debug it would help greatly.

thanks

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/