URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 10848

Original message
"Question about RADIUS!"

Posted by kevich, 27-Jun-06 14:25 
Good day, everyone!
Please help with some advice. Here is the config:
aaa new-model
!
!
aaa group server radius rad1
server 192.168.2.37 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login h323 group rad1
aaa authentication login use-radius group rad1 local
aaa authentication ppp default local
aaa authentication ppp ppp-radius group rad1
aaa authentication ppp no-authentication none
aaa authorization exec default local
aaa authorization exec h323 group rad1
aaa authorization network default local
aaa accounting network default start-stop group rad1
aaa accounting connection h323 start-stop broadcast group rad1
aaa nas port extended
aaa session-id common
!
interface Serial0:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
isdn send-alerting
isdn sending-complete
!
interface Group-Async0
ip unnumbered Ethernet0
ip accounting output-packets
encapsulation ppp
ip tcp header-compression
autodetect encapsulation ppp
async mode dedicated
peer default ip address pool DialIn-Internet
ppp authentication pap ppp-radius
group-range 1 120
!
ip local pool DialIn-Internet 192.168.0.1 192.168.0.120
!
radius-server host 192.168.2.37 auth-port 1812 acct-port 1813 timeout 60 retransmit 0 key 7 13060516001A0E39
radius-server vsa send accounting
radius-server vsa send authentication
!
line 1 120
login authentication use-radius
modem Dialin
modem autoconfigure discovery
autoselect ppp

With this setup, when a modem dials in, debug radius gives me the following:

00:18:32: %ISDN-6-CONNECT: Interface Serial0:0 is now connected to 2222005 N/A
00:18:48: %LINK-3-UPDOWN: Interface Async64, changed state to up
00:18:48: RADIUS/ENCODE(0000007D):Orig. component type = ISDN
00:18:48: RADIUS/ENCODE: Skip encoding 0 length AAA attribute dnis
00:18:48: RADIUS(0000007D): Storing nasport 64 in rad_db
00:18:48: RADIUS(0000007D): Config NAS IP: 0.0.0.0
00:18:48: RADIUS/ENCODE(0000007D): acct_session_id: 125
00:18:48: RADIUS(0000007D): sending
00:18:48: RADIUS/ENCODE: Best Local IP-Address 192.168.2.39 for Radius-Server 192.168.2.37
00:18:48: RADIUS(0000007D): Send Access-Request to 192.168.2.37:1812 id 1645/3, len 109
00:18:48: RADIUS:  authenticator 9A 15 DD 3D 21 14 E5 F1 - D2 08 6D 03 4F 18 40 DA
00:18:48: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
00:18:48: RADIUS:  User-Name           [1]   7   "aldon"
00:18:48: RADIUS:  User-Password       [2]   18  *
00:18:48: RADIUS:  Calling-Station-Id  [31]  9   "2222005"
00:18:48: RADIUS:  Vendor, Cisco       [26]  25  
00:18:48: RADIUS:   cisco-nas-port     [2]   19  "Async64*Serial0:0"
00:18:48: RADIUS:  NAS-Port            [5]   6   64                        
00:18:48: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
00:18:48: RADIUS:  Service-Type        [6]   6   Framed                    [2]
00:18:48: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.39              
00:18:49: RADIUS: Received from id 1645/3 192.168.2.37:1812, Access-Accept, len 26
00:18:49: RADIUS:  authenticator 38 D4 AB FF CD 71 3A F1 - EE 16 47 F7 9A 6C EB 20
00:18:49: RADIUS:  Session-Timeout     [27]  6   43020                    
00:18:49: RADIUS(0000007D): Received from id 1645/3
00:18:49: %ISDN-6-DISCONNECT: Interface Serial0:0  disconnected from 2222005 , call lasted 17 seconds
00:18:51: %LINK-5-CHANGED: Interface Async64, changed state to reset
00:18:56: %LINK-3-UPDOWN: Interface Async64, changed state to down

On the client the error is: PPP link protocol was terminated 734

If I remove the line ppp authentication pap ppp-radius from interface Group-Async0 and log in as a user defined in the config, the connection goes through normally.

Where should I dig?

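Added example (editor's, not the poster's): the config above stores the RADIUS shared secret as key 7 ..., and the configs posted later in the thread store enable password 7 and username ... password 7 the same way. That is what service password-encryption produces, and it is a byte-wise XOR against a fixed, public key string, not a hash; anyone who reads the pasted config recovers the plaintext. The routine below encodes and decodes type 7 strings and scans a config for them. The fixed key is the well-known IOS constant; the sample config and its secrets are constructed for this example, and the thread's own strings are deliberately not decoded here.

```python
"""Cisco IOS type 7 ("password 7" / "key 7") encoding. Added example, not
from the thread. Type 7 is what service password-encryption produces: a
byte-wise XOR of the plaintext against a fixed, public key string, with a
two-digit start offset in front. It is reversible by anyone who sees it.
The fixed key below is the well-known IOS constant; the sample config and
its secrets are constructed for this example (the thread's own strings are
not decoded here)."""
import re

# The fixed XOR key IOS uses for type 7; every type 7 string is XORed against it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext: 2 decimal digits of offset, then one hex byte per char."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even length of at least 4 characters")
    offset = int(encoded[:2], 10)
    if not 0 <= offset < len(_TYPE7_KEY):
        raise ValueError("offset outside the fixed key")
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Produce a type 7 string. IOS picks the offset itself; here it is a parameter."""
    if not 0 <= offset < len(_TYPE7_KEY):
        raise ValueError("offset outside the fixed key")
    data = plaintext.encode("ascii")
    cipher = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{cipher.hex().upper()}"


def find_type7_secrets(config_text: str) -> list:
    """Return [(keyword, plaintext)] for every 'password 7' / 'key 7' string in a config."""
    pattern = re.compile(r"\b(password|key)\s+7\s+([0-9A-Fa-f]{4,})")
    return [(m[1], type7_decode(m[2])) for m in pattern.finditer(config_text)]


# Constructed sample; "0822455D0A16" is the well-known type 7 form of "cisco".
SAMPLE_CONFIG = "username test password 7 0822455D0A16\n" + (
    "radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 7 "
    + type7_encode("R4d1us-sh4red", offset=7) + "\n")

if __name__ == "__main__":
    for keyword, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{keyword} -> {secret}")
```

A type 7 string that has appeared in a forum post, a ticket or a backup should be treated as disclosed and rotated on both the NAS and the RADIUS server. For the enable password the replacement is enable secret, which is a real hash. The RADIUS key has to stay recoverable for the protocol to work, so the only protections for it are type 6 AES storage on IOS versions that support it and keeping the config out of public view.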

Messages in this discussion
"Question about RADIUS!"
Posted by sh_, 27-Jun-06 18:34 
What do deb aaa authen and deb ppp neg show?

"Question about RADIUS!"
Posted by spa, 30-Jun-06 12:17 
aaa authorization exec ppp-radius group rad1
aaa authorization network ppp-radius group rad1

"Question about RADIUS!"
Posted by kevich, 30-Jun-06 15:14 
Thanks!
Got it working :)

"Question about RADIUS!"
Posted by kevich, 30-Jun-06 15:33 
The situation has changed a little. Now the modem connects to the Cisco and then drops on a timeout. Here are the debugs:

00:04:11: %ISDN-6-CONNECT: Interface Serial0:0 is now connected to 2222005 N/A
00:04:32: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0 (not full duplex), with Komtel.almaty_komtel_1 FastEthernet0/0 (full duplex).
00:04:33: %LINK-3-UPDOWN: Interface Async61, changed state to up
00:04:33: As61 PPP: Using modem call direction
00:04:33: As61 PPP: Treating connection as a callin
00:04:33: As61 PPP: Phase is ESTABLISHING, Passive Open
00:04:33: As61 LCP: State is Listen
00:04:34: As61 LCP: I CONFREQ [Listen] id 2 len 23
00:04:34: As61 LCP:    ACCM 0x00000000 (0x020600000000)
00:04:34: As61 LCP:    MagicNumber 0x66086AEB (0x050666086AEB)
00:04:34: As61 LCP:    PFC (0x0702)
00:04:34: As61 LCP:    ACFC (0x0802)
00:04:34: As61 LCP:    Callback 6  (0x0D0306)
00:04:34: As61 LCP: O CONFREQ [Listen] id 11 len 24
00:04:34: As61 LCP:    ACCM 0x000A0000 (0x0206000A0000)
00:04:34: As61 LCP:    AuthProto PAP (0x0304C023)
00:04:34: As61 LCP:    MagicNumber 0xE0230DEE (0x0506E0230DEE)
00:04:34: As61 LCP:    PFC (0x0702)
00:04:34: As61 LCP:    ACFC (0x0802)
00:04:34: As61 LCP: O CONFREJ [Listen] id 2 len 7
00:04:34: As61 LCP:    Callback 6  (0x0D0306)
00:04:34: As61 LCP: I CONFACK [REQsent] id 11 len 24
00:04:34: As61 LCP:    ACCM 0x000A0000 (0x0206000A0000)
00:04:34: As61 LCP:    AuthProto PAP (0x0304C023)
00:04:34: As61 LCP:    MagicNumber 0xE0230DEE (0x0506E0230DEE)
00:04:34: As61 LCP:    PFC (0x0702)
00:04:34: As61 LCP:    ACFC (0x0802)
00:04:34: As61 LCP: I CONFREQ [ACKrcvd] id 3 len 20
00:04:34: As61 LCP:    ACCM 0x00000000 (0x020600000000)
00:04:34: As61 LCP:    MagicNumber 0x66086AEB (0x050666086AEB)
00:04:34: As61 LCP:    PFC (0x0702)
00:04:34: As61 LCP:    ACFC (0x0802)
00:04:34: As61 LCP: O CONFACK [ACKrcvd] id 3 len 20
00:04:34: As61 LCP:    ACCM 0x00000000 (0x020600000000)
00:04:34: As61 LCP:    MagicNumber 0x66086AEB (0x050666086AEB)
00:04:34: As61 LCP:    PFC (0x0702)
00:04:34: As61 LCP:    ACFC (0x0802)
00:04:34: As61 LCP: State is Open
00:04:34: As61 PPP: Phase is AUTHENTICATING, by this end
00:04:34: As61 LCP: I IDENTIFY [Open] id 4 len 18 magic 0x66086AEB MSRASV5.00
00:04:34: As61 LCP: I IDENTIFY [Open] id 5 len 21 magic 0x66086AEB MSRAS-1-ALDON
00:04:34: As61 PAP: I AUTH-REQ id 30 len 21 from "aldon"
00:04:34: As61 PAP: Authenticating peer aldon
00:04:34: As61 PPP: Phase is FORWARDING, Attempting Forward
00:04:34: As61 PPP: Phase is AUTHENTICATING, Unauthenticated User
00:04:34: AAA/AUTHEN/PPP (0000007B): Pick method list 'ppp-radius'
00:04:34: RADIUS/ENCODE(0000007B):Orig. component type = ISDN
00:04:34: RADIUS/ENCODE: Skip encoding 0 length AAA attribute dnis
00:04:34: RADIUS(0000007B): Storing nasport 61 in rad_db
00:04:34: RADIUS(0000007B): Config NAS IP: 0.0.0.0
00:04:34: RADIUS/ENCODE(0000007B): acct_session_id: 123
00:04:34: RADIUS(0000007B): sending
00:04:34: RADIUS/ENCODE: Best Local IP-Address 87.247.15.112 for Radius-Server 87.247.15.102
00:04:34: RADIUS(0000007B): Send Access-Request to 87.247.15.102:1812 id 1645/1, len 99
00:04:34: RADIUS:  authenticator F5 0D C9 06 1D 3A 6E BC - 02 32 49 DC 22 D2 D6 5B
00:04:34: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
00:04:34: RADIUS:  User-Name           [1]   7   "aldon"
00:04:34: RADIUS:  User-Password       [2]   18  *
00:04:34: RADIUS:  Calling-Station-Id  [31]  9   "2222005"
00:04:34: RADIUS:  Vendor, Cisco       [26]  15  
00:04:34: RADIUS:   cisco-nas-port     [2]   9   "Async61"
00:04:34: RADIUS:  NAS-Port            [5]   6   61                        
00:04:34: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
00:04:34: RADIUS:  Service-Type        [6]   6   Framed                    [2]
00:04:34: RADIUS:  NAS-IP-Address      [4]   6   87.247.15.112            
00:04:38: As61 PAP: I AUTH-REQ id 31 len 21 from "aldon"
00:04:38: As61 PAP: Ignoring Additional Request
00:04:42: As61 PAP: I AUTH-REQ id 32 len 21 from "aldon"
00:04:42: As61 PAP: Ignoring Additional Request
00:04:44: As61 AUTH: Timeout 1
00:04:46: As61 PAP: I AUTH-REQ id 33 len 21 from "aldon"
00:04:46: As61 PAP: Ignoring Additional Request
00:04:50: As61 PAP: I AUTH-REQ id 34 len 21 from "aldon"
00:04:50: As61 PAP: Ignoring Additional Request
00:04:54: As61 PAP: I AUTH-REQ id 35 len 21 from "aldon"
00:04:54: As61 PAP: Ignoring Additional Request
00:04:54: As61 AUTH: Timeout 2
00:04:58: As61 PAP: I AUTH-REQ id 36 len 21 from "aldon"
00:04:58: As61 PAP: Ignoring Additional Request
00:05:02: As61 PAP: I AUTH-REQ id 37 len 21 from "aldon"
00:05:02: As61 PAP: Ignoring Additional Request
00:05:04: As61 AUTH: Timeout 3
00:05:06: As61 PAP: I AUTH-REQ id 38 len 21 from "aldon"
00:05:06: As61 PAP: Ignoring Additional Request
00:05:10: As61 PAP: I AUTH-REQ id 39 len 21 from "aldon"
00:05:10: As61 PAP: Ignoring Additional Request
00:05:10: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0 (not full duplex), with gtk-gw1-alma FastEthernet0 (full duplex).
00:05:14: As61 LCP: I TERMREQ [Open] id 6 len 16 (0x66086AEB003CCD74000002CE)
00:05:14: As61 LCP: O TERMACK [Open] id 6 len 4
00:05:14: As61 PPP: Sending Acct Event[Down] id[7B]
00:05:14: As61 PPP: Phase is TERMINATING
00:05:15: %ISDN-6-DISCONNECT: Interface Serial0:0  disconnected from 2222005 , call lasted 64 seconds
00:05:16: As61 LCP: TIMEout: State TERMsent
00:05:16: As61 LCP: State is Closed
00:05:16: As61 PPP: Phase is DOWN
00:05:17: %LINK-5-CHANGED: Interface Async61, changed state to reset
00:05:22: %LINK-3-UPDOWN: Interface Async61, changed state to down

What do you advise?

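Added example (editor's, not from the thread) that sorts the two debug excerpts above by what they actually show. In the first post's log the server at 192.168.2.37 answered Access-Accept within a second and the async line was reset two seconds later: RADIUS authentication succeeded and a step after it failed. With no named authorization list applied to the interface, the PPP session falls under aaa authorization network default local from that config; the working config posted later sets aaa authorization network default group radius local instead. In the second log an Access-Request went to 87.247.15.102 and nothing came back: the PPP authenticator gave up after three timeouts (00:04:44, 00:04:54, 00:05:04) and the client sent TERMREQ. With radius-server ... timeout 60 retransmit 0 the NAS sends that one request and waits 60 seconds for it, longer than PPP waits, so a slow or silent server always loses. A RADIUS server that does not know the NAS address as a client drops the request silently (FreeRADIUS does), which looks exactly like this, and the NAS source address moved from 192.168.2.39 to 87.247.15.112 between the two logs; a firewall in front of UDP/1812 produces the same picture. The script parses the line formats visible above; the sample logs are trimmed copies of the two posts.

```python
"""Triage of Cisco 'debug radius' / 'debug ppp authentication' output.
Added example, not from the thread. It reads the line formats visible in
the two debug excerpts above and sorts a dial-in attempt into:
  accepted / accepted-then-dropped / rejected / no-radius-reply / no-radius-exchange.
The sample logs are trimmed copies of the two posts."""
import re
from dataclasses import dataclass, field
from typing import Optional

_TS = re.compile(r"^(\d+):(\d+):(\d+):")                    # IOS uptime stamp hh:mm:ss
_SEND = re.compile(r"Send Access-Request to (?P<srv>[\d.]+):\d+ id (?P<id>\d+/\d+)")
_RECV = re.compile(r"Received from id (?P<id>\d+/\d+) [\d.]+:\d+, (?P<code>Access-\w+)")
_AUTH_TO = re.compile(r"AUTH: Timeout (?P<n>\d+)")          # PPP authenticator gave up waiting
_LINK_DOWN = re.compile(r"%LINK-\d-\w+: Interface Async\d+, changed state to (reset|down)")
_TERMREQ = re.compile(r"LCP: I TERMREQ")                    # peer tore the link down


@dataclass
class Triage:
    requests: list = field(default_factory=list)    # (server, request id)
    responses: list = field(default_factory=list)   # (request id, code)
    auth_timeouts: int = 0
    peer_sent_termreq: bool = False
    accept_at: Optional[int] = None                 # seconds, from the uptime stamp
    link_down_at: Optional[int] = None
    verdict: str = ""


def _seconds(line: str) -> Optional[int]:
    m = _TS.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage(lines, drop_window: int = 30) -> Triage:
    """Classify one dial-in attempt from its debug lines."""
    t = Triage()
    for line in lines:
        ts = _seconds(line)
        if m := _SEND.search(line):
            t.requests.append((m["srv"], m["id"]))
        elif m := _RECV.search(line):
            t.responses.append((m["id"], m["code"]))
            if m["code"] == "Access-Accept" and t.accept_at is None:
                t.accept_at = ts
        elif m := _AUTH_TO.search(line):
            t.auth_timeouts = max(t.auth_timeouts, int(m["n"]))
        elif _TERMREQ.search(line):
            t.peer_sent_termreq = True
        elif _LINK_DOWN.search(line) and t.accept_at is not None and t.link_down_at is None:
            t.link_down_at = ts
    answered = {rid for rid, _ in t.responses}
    codes = {code for _, code in t.responses}
    if "Access-Reject" in codes:
        t.verdict = "rejected"
    elif "Access-Accept" in codes:
        # Accept followed by the async line going down within drop_window seconds:
        # authentication passed, a later step (authorization, IPCP, ...) did not.
        dropped = (t.accept_at is not None and t.link_down_at is not None
                   and t.link_down_at - t.accept_at <= drop_window)
        t.verdict = "accepted-then-dropped" if dropped else "accepted"
    elif t.requests and not any(rid in answered for _, rid in t.requests):
        t.verdict = "no-radius-reply"           # sent, nothing ever came back
    else:
        t.verdict = "no-radius-exchange"
    return t


# Trimmed copies of the two debug excerpts in the posts above.
FIRST_POST_LOG = """\
00:18:48: %LINK-3-UPDOWN: Interface Async64, changed state to up
00:18:48: RADIUS(0000007D): Send Access-Request to 192.168.2.37:1812 id 1645/3, len 109
00:18:49: RADIUS: Received from id 1645/3 192.168.2.37:1812, Access-Accept, len 26
00:18:49: %ISDN-6-DISCONNECT: Interface Serial0:0  disconnected from 2222005 , call lasted 17 seconds
00:18:51: %LINK-5-CHANGED: Interface Async64, changed state to reset
""".splitlines()

SECOND_POST_LOG = """\
00:04:34: AAA/AUTHEN/PPP (0000007B): Pick method list 'ppp-radius'
00:04:34: RADIUS(0000007B): Send Access-Request to 87.247.15.102:1812 id 1645/1, len 99
00:04:44: As61 AUTH: Timeout 1
00:04:54: As61 AUTH: Timeout 2
00:05:04: As61 AUTH: Timeout 3
00:05:14: As61 LCP: I TERMREQ [Open] id 6 len 16 (0x66086AEB003CCD74000002CE)
00:05:17: %LINK-5-CHANGED: Interface Async61, changed state to reset
""".splitlines()

if __name__ == "__main__":
    for name, log in (("first post", FIRST_POST_LOG), ("second post", SECOND_POST_LOG)):
        r = triage(log)
        print(f"{name}: {r.verdict} (auth timeouts={r.auth_timeouts}, termreq={r.peer_sent_termreq})")
```

Feed it the output of terminal monitor or a syslog capture, one attempt at a time. The verdict is meant to pick the next debug: accepted-then-dropped points at authorization and IPCP (deb aaa author, deb ppp neg, as sh_ suggested), no-radius-reply points at reachability, the client entry on the server and the shared secret before anything in the AAA method lists.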

"Question about RADIUS!"
Posted by kevich, 30-Jun-06 22:15 
The RADIUS problem is solved! Thanks everyone for the replies.
But a new one has come up. I can't get NAT working. The modem connects to the Cisco and gets an IP address. But it can only ping itself. Here's the config; tell me what I haven't finished:

Building configuration...

Current configuration : 3431 bytes
!

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!

!
boot-start-marker
boot system tftp c5300-is-mz.123-12a.bin x.x.x.x
boot-end-marker
!

spe 1/0 2/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone gmt 6
!
modem country mica russia
aaa new-model
!
!
aaa authentication login NONE none
aaa authentication login LOCAL local
aaa authentication login use-radius group radius local
aaa authentication ppp ppp-radius group radius
aaa authentication ppp no-authentication none
aaa authorization network default group radius local
aaa authorization network no-authorization none
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
ip rcmd rsh-enable
ip domain name komtel_dialup1
ip name-server x.x.x.x
!
async-bootp dns-server x.x.x.x
vty-async
vty-async virtual-template 1
!
isdn switch-type primary-net5
isdn voice-call-failure 0
!
!
!
!
!
!
!
!
!
!
fax interface-type modem
!
!        
controller E1 0
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
shutdown
clock source line secondary 1
pri-group timeslots 1-31
!
controller E1 2
shutdown
!
controller E1 3
shutdown
!
!
interface Ethernet0
ip address x.x.x.x y.y.y.y
ip nat outside
!
interface Serial0:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
!
interface Serial1:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
isdn send-alerting
isdn sending-complete
no keepalive
no fair-queue
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Group-Async0
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
ip tcp header-compression
ip policy route-map forced-proxy
async mode dedicated
peer default ip address pool DialIn-Internet
group-range 1 120
!
ip local pool DialIn-Internet 192.168.0.1 192.168.0.120
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 timeout 60 retransmit 0 key 7 13060516001A0E39
radius-server vsa send accounting
radius-server vsa send authentication
!
!
!
gateway
!
banner motd ^CCUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. PROPERTY "Komtel" LLC Kazakhstan Almaty +7(3272)714500^C
alias exec ct configure terminal
alias exec sr sh run
!
line con 0
exec-timeout 0 0
line 1 120
login authentication use-radius
modem Dialin
modem autoconfigure discovery
autoselect ppp
line aux 0
line vty 0 4
exec-timeout 0 0
!
ntp clock-period 17179792
ntp server 192.168.2.3
ntp server 195.128.128.3
ntp server 129.132.98.11
ntp server 128.173.14.71
ntp server 18.26.4.105
ntp server 209.81.9.7
ntp server 149.156.4.11
ntp server 137.189.6.18
end
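
Added example (editor's, not from the thread): a static check over the config pasted above. Comparing it with the working config posted on 03-Jul, two things differ on Group-Async0: here it borrows its address with ip unnumbered FastEthernet0 while FastEthernet0 has no ip address and is shut down (the later config uses ip unnumbered Ethernet0, the interface marked ip nat outside), and it applies ip policy route-map forced-proxy, which is defined nowhere in the config (the later config drops it). The poster only says carelessness was to blame, so the script reports those conditions rather than asserting either was the fix. It also flags what a reviewer would raise on the same text: snmp-server community public RO, ip rcmd rsh-enable, vty lines with no access-class and exec-timeout 0 0, and reversible type 7 secrets. The parser expects the unindented form the posts are in, where a section ends at a line that is only "!"; SAMPLE_CONFIG is a constructed cut-down of the pasted config with its x.x.x.x placeholders kept and the key 7 value replaced by the well-known test string for "cisco".

```python
"""Static checks over a Cisco IOS running-config. Added example, not code
from the thread. parse_sections() reads the unindented form the posts are
pasted in (a section ends at a line that is only "!"); audit() reports the
conditions that decide whether the dial-in NAT setup can carry traffic and
the exposure points a reviewer would raise on the same text."""
import re

SECTION_KEYWORDS = ("interface ", "line ", "controller ", "route-map ", "router ")

def parse_sections(text):
    """Return (top-level lines, {section header: [child lines]})."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # "!" closes the open section
            continue
        if line.startswith(SECTION_KEYWORDS):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            top.append(line)
    return top, sections

def audit(text):
    """Return a list of (code, message) findings."""
    top, sections = parse_sections(text)
    f = []
    ifaces = {h.split(" ", 1)[1]: b for h, b in sections.items() if h.startswith("interface ")}
    route_maps = {h.split()[1] for h in sections if h.startswith("route-map ")}
    acls = {l.split()[1] for l in top if l.startswith("access-list ")}
    nat_outside = [n for n, b in ifaces.items() if "ip nat outside" in b]

    for name, body in ifaces.items():
        for l in body:
            if m := re.match(r"ip unnumbered (\S+)$", l):   # address borrowed from another interface
                tgt = ifaces.get(m[1], [])
                if not any(x.startswith("ip address ") for x in tgt):
                    f.append(("unnumbered-no-address", f"{name}: borrows from {m[1]}, which has no ip address"))
                elif "shutdown" in tgt:
                    f.append(("unnumbered-shutdown", f"{name}: borrows from {m[1]}, which is shut down"))
            if (m := re.match(r"ip policy route-map (\S+)", l)) and m[1] not in route_maps:
                f.append(("undefined-route-map", f"{name}: route-map {m[1]} is not defined"))

    for l in top:
        if m := re.match(r"ip nat inside source list (\S+) interface (\S+)", l):
            if m[1] not in acls:
                f.append(("nat-acl-missing", f"access-list {m[1]} is not defined"))
            if m[2] not in nat_outside:
                f.append(("nat-outside-mismatch", f"{m[2]} is not marked ip nat outside"))
        if re.match(r"snmp-server community (public|private)\b", l):
            f.append(("snmp-default-community", l))
        if l == "ip rcmd rsh-enable":
            f.append(("rsh-enabled", l))
        if re.search(r"\b(password|key) 7 [0-9A-Fa-f]+", l):   # reversible, not hashed
            f.append(("type7-secret", l.split(" 7 ")[0] + " 7 ..."))

    for h, body in sections.items():
        if h.startswith("line vty"):
            if not any(x.startswith("access-class ") for x in body):
                f.append(("vty-no-access-class", h))
            if "exec-timeout 0 0" in body:
                f.append(("vty-no-timeout", h))
    return f

# Constructed sample: cut-down of the config pasted above, placeholders kept.
SAMPLE_CONFIG = """\
ip rcmd rsh-enable
!
interface Ethernet0
ip address x.x.x.x y.y.y.y
ip nat outside
interface FastEthernet0
no ip address
shutdown
interface Group-Async0
ip unnumbered FastEthernet0
ip nat inside
ip policy route-map forced-proxy
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 timeout 60 retransmit 0 key 7 0822455D0A16
!
line vty 0 4
exec-timeout 0 0
!
end
"""

if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it over a saved show running-config; the codes are stable strings so the output can be diffed between revisions, which is how the two Group-Async0 differences between this config and the 03-Jul one show up as findings that disappear.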


"Question about RADIUS!"
Posted by kevich, 01-Jul-06 00:05 
That's it, all problems solved. Carelessness was to blame for everything. Thanks everyone!

"Question about RADIUS!"
Posted by Dimon_F, 02-Jul-06 23:18 
>That's it, all problems solved. Carelessness was to blame for everything. Thanks everyone!
Could you tell us how you solved the problem of the modem connecting to the Cisco and then dropping on a timeout? I have a similar problem; if it's not too much trouble, leave a comment in the neighbouring thread or, if possible, could we look at your current working config?


"Question about RADIUS!"
Posted by kevich, 03-Jul-06 11:29 
Here's the config:

Building configuration...

Current configuration : 3494 bytes
!
! Last configuration change at 16:47:28 gmt Sun Jul 2 2006 by KeViCh
! NVRAM config last updated at 17:30:31 gmt Sun Jul 2 2006 by KeViCh
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Komtel_dial_up
!
boot-start-marker
boot system tftp c5300-is-mz.123-12a.bin x.x.x.x
boot-end-marker
!
enable password 7 020C0B550205
!
username KeViCh password 7 132205370C231613
username test6 password 7 0355095852
username max password 7 011E071C
spe 1/0 2/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone gmt 6
!
modem country mica russia
aaa new-model
!
!
aaa authentication login NONE none
aaa authentication login LOCAL local
aaa authentication login use-radius group radius local
aaa authentication ppp ppp-radius group radius
aaa authentication ppp no-authentication none
aaa authorization network default group radius local
aaa authorization network no-authorization none
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
ip rcmd rsh-enable
ip domain name komtel_dialup1
ip name-server x.x.x.x
!
vty-async
vty-async virtual-template 1
!
isdn switch-type primary-net5
isdn voice-call-failure 0
!
!
!
!
!
!
!
!
!
!
fax interface-type modem
!
!
controller E1 0
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
shutdown
clock source line secondary 1
pri-group timeslots 1-31
!
controller E1 2
shutdown
!
controller E1 3
shutdown
!
!
interface Ethernet0
ip address x.x.x.x y.y.y.y
ip nat outside
!
interface Serial0:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
!
interface Serial1:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
isdn send-alerting
isdn sending-complete
no keepalive
no fair-queue
!
interface FastEthernet0
ip address 192.168.2.39 255.255.255.0
shutdown
duplex auto
speed auto
!
interface Group-Async0
ip unnumbered Ethernet0
ip nat inside
encapsulation ppp
ip tcp header-compression
async dynamic address
async dynamic routing
async mode dedicated
peer default ip address pool DialIn-Internet
group-range 1 120
!
ip local pool DialIn-Internet 192.168.0.1 192.168.0.120
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813 timeout 60 retransmit 0 key 7 13060516001A0E39
radius-server vsa send accounting
radius-server vsa send authentication
!        
!
!
gateway
!
banner motd ^CCUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. PROPERTY "Komtel" LLC Kazakhstan Almaty +7(3272)714500^C
alias exec ct configure terminal
alias exec sr sh run
!
line con 0
exec-timeout 0 0
line 1 120
login authentication use-radius
modem Dialin
modem autoconfigure discovery
autoselect ppp
line aux 0
line vty 0 4
exec-timeout 0 0
!
ntp clock-period 17179679
ntp server 192.168.2.3
ntp server 195.128.128.3
ntp server 129.132.98.11
ntp server 128.173.14.71
ntp server 18.26.4.105
ntp server 209.81.9.7
ntp server 149.156.4.11
ntp server 137.189.6.18
end