AS5300 - Switching from local to RADIUS

Discussion in 'Cisco' started by Dan Mills, Aug 10, 2004.

  1. Dan Mills

    Dan Mills Guest

    I have an AS5300 that I have been using for modem access to the
    network. I am trying to switch all users over to RADIUS, but still
    have local authentication work while I am moving them. In the
    configuration below, I have added the information for the RADIUS
    server and tried to add the AAA commands for Authentication and
    Authorization, but I'm still having trouble. I can still connect
    through dial-up and get authenticated on the network when I use
    USER1-5. When I try USER6, who has been moved to the RADIUS server, I
    get the challenge from the RADIUS server and password accepted, but I
    just get logged onto the router with the 5300A> prompt. If I close
    the terminal window, I just get disconnected. I'm sure it's obvious,
    but I'm not that experienced yet. Also, if you see any other
    problems, please feel free to point them out.

    Thank you


    Current configuration:
    !
    !
    !
    version 12.0
    no service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname 5300A
    !
    no logging buffered
    no logging console
    no logging monitor
    aaa new-model
    aaa authentication login default local radius
    aaa authentication login authlist local
    aaa authentication ppp default local radius
    aaa authorization network default if-authenticated
    aaa accounting exec default start-stop tacacs+
    aaa accounting network default start-stop tacacs+
    enable password ###############
    !
    username user1 password 7 ################
    username user2 password 7 ################
    username user3 password 7 ################
    username user4 password 7 ################
    username user5 password 7 ################
    modem recovery action none
    ip subnet-zero
    no ip source-route
    ip domain-name mydomain.com
    ip name-server 192.168.1.20
    ip name-server 192.168.1.22
    ip name-server 192.168.1.24
    ip multicast-routing
    ip dvmrp route-limit 20000
    async-bootp dns-server 192.168.1.20 192.168.1.22 192.168.1.24
    isdn switch-type primary-5ess
    clock timezone MST -5
    !
    !
    controller T1 0
    framing esf
    clock source line primary
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 1
    framing esf
    clock source internal
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 2
    shutdown
    framing esf
    clock source internal
    linecode b8zs
    pri-group timeslots 1-24
    !
    controller T1 3
    shutdown
    framing esf
    clock source internal
    linecode b8zs
    pri-group timeslots 1-24
    !
    !
    interface Ethernet0
    no ip address
    no ip directed-broadcast
    shutdown
    !
    interface Serial0:23
    no ip address
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type primary-5ess
    isdn incoming-voice modem
    !
    interface Serial1:23
    no ip address
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type primary-5ess
    isdn incoming-voice modem
    !
    interface Serial2:23
    no ip address
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    shutdown
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type primary-5ess
    isdn incoming-voice modem
    !
    interface Serial3:23
    no ip address
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    shutdown
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type primary-5ess
    isdn incoming-voice modem
    !
    interface FastEthernet0
    ip address 192.168.1.4 255.255.255.0
    no ip directed-broadcast
    ip pim dense-mode
    ip cgmp
    duplex full
    !
    interface Group-Async1
    ip unnumbered FastEthernet0
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    async mode interactive
    peer default ip address pool 34-80net
    ppp authentication pap chap
    group-range 1 48
    hold-queue 10 in
    !
    interface Dialer1
    ip unnumbered FastEthernet0
    no ip directed-broadcast
    encapsulation ppp
    ip tcp header-compression passive
    dialer in-band
    dialer idle-timeout 3600
    dialer-group 1
    peer default ip address pool 34-80net
    ppp authentication pap chap callin
    ppp multilink
    !
    router eigrp 123
    passive-interface Dialer1
    network 192.168.1.0
    no auto-summary
    !
    ip local pool 34-80net 192.168.1.200 192.168.1.250
    ip classless
    !
    logging 192.168.1.35
    access-list 5 permit 192.168.1.10
    access-list 5 permit 192.168.1.35
    access-list 5 deny any log
    access-list 101 deny eigrp any any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 permit ip any any
    dialer-list 1 protocol ip list 101
    tacacs-server host 192.168.1.35
    tacacs-server key ############
    snmp-server community read RO 5
    snmp-server host 192.168.1.10 traps read
    radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
    radius-server timeout 120
    radius-server key ############
    !
    line con 0
    transport input none
    line 1 48
    autoselect during-login
    autoselect ppp
    modem InOut
    transport input all
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password 7 ###############
    login authentication authlist
    !
    ntp clock-period 17180140
    ntp update-calendar
    ntp server 192.168.1.35
    ntp server 192.168.1.50
    ntp server 192.168.1.51
    end

    5300A#
    Dan Mills, Aug 10, 2004
    #1

  2. Scooby

    Scooby Guest


    Dan,

    First, your Radius server must be setting the priv level to 15. If you are
    sure that is happening, then you also need to set the exec level in your aaa
    statements. Here is mine, you'll probably want the same syntax for yours:

    aaa authorization exec default local group radius if-authenticated

    Hope that helps,

    Jim
    Scooby, Aug 11, 2004
    #2
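Jim's line shown in context, as an added example that is not from either poster's router: the IOS fragment is constructed and uses the `group radius` keyword from Jim's line (Dan's 12.0 configuration spells it as the bare `radius` keyword; both select the RADIUS server list), and the users-file entries assume a FreeRADIUS server, which the thread never names. The `cisco-avpair` line is how a RADIUS server sets the "priv level 15" Jim refers to; the second entry shows the attributes for an ordinary modem user who should never see an exec prompt.

```text
! --- AS5300 side (IOS), constructed example ---
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
! Jim's line. Without exec authorization the NAS never asks the server
! what to do with the exec session, so the privilege level (or autocommand)
! the server returns is ignored and the user lands at the plain 5300A> prompt.
aaa authorization exec default local group radius if-authenticated
aaa authorization network default group radius if-authenticated
! Caveat: if-authenticated is a fallback that grants exec/network
! authorization to anyone the server accepted, even when the server
! returned no authorization attributes. Once the server profiles are in
! place, remove it so that an authorization failure fails closed.

# --- RADIUS side: FreeRADIUS "users" file, constructed example ---
# (assumed server software; the thread does not name it; replace passwords)
# An operator who should get a privileged exec shell. This is enable-level
# access to the router, so use it only for administrators, never for
# ordinary dial-up accounts.
admin6   Cleartext-Password := "REPLACE-ME"
         Service-Type = NAS-Prompt-User,
         cisco-avpair = "shell:priv-lvl=15"

# A modem user: Framed-User plus Framed-Protocol = PPP marks the account
# as a PPP dial-in user rather than a shell user.
user6    Cleartext-Password := "REPLACE-ME"
         Service-Type = Framed-User,
         Framed-Protocol = PPP
```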
