RE: cisco authorization through freeradius

Wed, 19 Nov 2003 08:42:59 -0800 

>
>
> On Tue, 18 Nov 2003, John A. Hengstler wrote:
>
> > Greetings.
> > I have an Cisco as5300 that I am using for Dial customers.
> > The customer connects, the authentication comes through, but then at the
> > "authorization" level the connection gets dropped by the nas..
> > Are there any suggested attributes to put into radgroupreply for ISDN dial
> > in customers to the Cisco 5300  or do I have an incorrect setting on the
> > Nas..
> > Here is a snapshot of what I have for the cisco config:
> > aaa new-model
> > aaa authentication login default local
> > aaa authentication ppp default group radius
> > aaa authorization network default group radius if-authenticated
> > aaa accounting delay-start
> > interface Serial0:23
> >  ip unnumbered Ethernet0
> >  encapsulation ppp
> >  dialer-group 1
> >  isdn switch-type primary-ni
> >  isdn tei-negotiation first-call
> >  isdn incoming-voice modem
> >  peer default ip address pool DIAL6_POOL
> >  ppp authentication pap chap
> > interface Group-Async1
> >  ip unnumbered Ethernet0
> >  encapsulation ppp
> >  ip tcp header-compression passive
> >  no ip mroute-cache
> >  async mode interactive
> >  peer default ip address pool DIAL6_POOL
> >  ppp authentication chap pap
> >  group-range 1 96
> > RADIUS:    radgroupreply contains:
> > |  1 | dialerrouter  | Session-Timeout    | 28800               | ==   |
> > NULL
> > |  5 | dialerrouter  | Idle-Timeout       | 1200                | ==   |
> > NULL |
> > |  8 | dialerrouter  | Service-Type       | Framed-User         | ==   |
> > NULL |
> > |  9 | dialerrouter  | Framed-Protocol    | PPP                 | ==   |
> > NULL |
> > | 10 | dialerrouter  | Auth-Type          | Local               | ==   |
> > NULL |
> > RADIUS:    radcheck    contains diallerouter for the user
> > All modem dial up customers work just fine, but ISDN dial in fails as
> > indicated above.
> > Can anyone shed some pointers on this.   I still haven't figured it out..
> >
> > Regards,
> > John Hengstler
> >
> >
>
>
> I don't actually work with the NAS, but we also send back Framed-Routing =
> None in our radius replies.  Might want to give it a shot.
>
> -

Oh and we also send Framed-IP-Netmask = whateveryournetmask is.  I really
know nothing about the NAS, just letting you know what freeradius does for
our dial isdn guys in case one of those helps.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to