GroupStudy.com - A virtual community of network engineers
RE: ISDN Call back with Dialstring problem posted 12/07/2002


Here is the working config.

Here is the working config for TACACS callback without using a dialer map on r5.
r4 calls r5, and r5 calls r4 back using the ACS config. r5 has a secondary e0 IP to
connect to the TACACS server for this config.

r4#wr t
Building configuration...

Current configuration : 1966 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
enable secret 5 $1$P3FI$GslZd0LmjeenzjT0i8HfG0
!
username R5 password 0 hello
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-ni
!
key chain keyr1
key 1 
key-string 12345
!
!
!
!
!
interface Loopback0
ip address 44.44.44.44 255.255.255.0
!
interface Ethernet0
ip address 172.16.44.4 255.255.255.0
!
interface Serial0
ip address 150.50.24.4 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 hello
ip ospf network point-to-point
frame-relay map ip 150.50.24.2 142 broadcast
frame-relay lmi-type ansi
!
interface Serial1
ip address 150.50.46.4 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 keyr1
encapsulation frame-relay
frame-relay map ip 150.50.46.6 246 broadcast
!
interface BRI0
ip address 145.45.45.4 255.255.255.240
encapsulation ppp
ip ospf demand-circuit
dialer idle-timeout 30
dialer map ip 145.45.45.5 8358662
dialer-group 5
isdn switch-type basic-ni
isdn spid1 0835866101
isdn spid2 0835866301
no cdp enable
ppp authentication chap callin
ppp chap hostname router4
!
router eigrp 100
redistribute ospf 100 metric 10000 10 255 1 1500
network 150.50.46.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
!
router ospf 100
router-id 44.44.44.44
log-adjacency-changes
redistribute eigrp 100 subnets
network 44.44.44.0 0.0.0.255 area 1
network 145.45.45.0 0.0.0.15 area 1
network 150.50.24.0 0.0.0.255 area 1
network 172.16.44.0 0.0.0.255 area 1
distribute-list 10 in Serial0
!
ip classless
ip http server
!
access-list 10 deny 10.0.0.0 0.0.0.255
access-list 10 deny 172.16.0.0 0.15.255.255
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any
dialer-list 5 protocol ip permit
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end

r4# 
ts23#2
[Resuming connection 2 to r5 ... ]

0
r5#wr t
Building configuration...

Current configuration : 2145 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r5
!
aaa new-model
aaa authentication login mylogin group tacacs+
aaa authentication ppp tacacscallback group tacacs+
aaa authorization network tacacscallback group tacacs+ 
enable secret 5 $1$dY3g$rFHRvOF5xCkHXWw.Tyr0A1
!
username R4 password 0 hello
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
isdn switch-type basic-ni
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 55.55.55.55 255.255.255.0
!
interface Ethernet0/0
ip address 150.50.111.11 255.255.255.0 secondary
ip address 150.50.15.5 255.255.255.0
half-duplex
!
interface Serial0/0
ip address 150.50.57.5 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 hello
ip ospf network point-to-point
frame-relay map ip 150.50.57.7 157 broadcast
!
interface BRI0/0
ip address 145.45.45.5 255.255.255.240
encapsulation ppp
ip ospf demand-circuit
dialer idle-timeout 30
dialer-group 5
isdn switch-type basic-ni
isdn spid1 0835866201
isdn spid2 0835866401
no cdp enable
ppp authentication chap tacacscallback
ppp authorization tacacscallback
ppp multilink
!
router ospf 100
router-id 55.55.55.55
log-adjacency-changes
redistribute rip subnets
network 55.55.55.0 0.0.0.255 area 0
network 145.45.45.0 0.0.0.15 area 1
network 150.50.15.0 0.0.0.255 area 0
distribute-list 10 in Serial0/0
!
router rip
version 2
redistribute ospf 100 metric 2
passive-interface Ethernet0/0
network 150.50.0.0
!
ip classless
ip http server
ip pim bidir-enable
!
access-list 10 deny 10.0.0.0 0.0.0.255
access-list 10 deny 172.16.0.0 0.15.255.255
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any
dialer-list 5 protocol ip permit
!
tacacs-server host 150.50.111.100 key hello
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0
login authentication mylogin
line vty 1 4
!
no scheduler allocate
end

r5# 
ts23#1
[Resuming connection 1 to r4 ... ]

09
r4#sh dialer

BRI0 - dialer type = ISDN

Dial String Successes Failures Last DNIS Last status
8358662 7 0 00:01:13 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

BRI0:2 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
r4#sh isdn active
----------------------------------------------------------------------------
----
ISDN ACTIVE CALLS
----------------------------------------------------------------------------
----
Call Calling Called Remote Seconds Seconds Seconds Charges
Type Number Number Name Used Left Idle Units/Currency
----------------------------------------------------------------------------
----
----------------------------------------------------------------------------
----

r4# 
ts23#2
[Resuming connection 2 to r5 ... ]

r5#sh debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
PPP:
PPP authentication debugging is on
r5#
ts23#1
[Resuming connection 1 to r4 ... ]

r4#ping 145.45.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 145.45.45.5, timeout is 2 seconds:

ts23#2
[Resuming connection 2 to r5 ... ]

0
09:54:118111600613: BR0/0:1 PPP: Treating connection as a callin
09:54:27: BR0/0:1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
09:54:27: BR0/0:1 CHAP: O CHALLENGE id 50 len 23 from "r5"
09:54:27: BR0/0:1 CHAP: I RESPONSE id 50 len 28 from "router4"
09:54:27: AAA: parse name=BRI0/0:1 idb type=14 tty=-1
09:54:27: AAA: name=BRI0/0:1 flags=0x55 type=2 shelf=0 slot=0 adapter=0
port=0 channel=1
09:54:27: AAA: parse name= idb type=-1 tty=-1
09:54:27: AAA/MEMORY: create_user (0x8296B0A0) user='router4' ruser='NULL'
ds0=0 port='BRI0/0:1' rem_addr='8358661/8358662' authen_type=CHAP
service=PPP priv=1 initial_task_id='0'
09:54:27: AAA/AUTHEN/START (595399565): port='BRI0/0:1'
list='tacacscallback' action=LOGIN service=PPP
09:54:27: AAA/AUTHEN/START (595399565): found list tacacscallback
09:54:27: AAA/AUTHEN/START (595399565): Method=tacacs+ (tacacs+)
09:54:27: TAC+: send AUTHEN/START packet ver=193 id=595399565
09:54:28: TAC+: ver=193 id=595399565 received AUTHEN status = PASS
09:54:28: AAA/AUTHEN (595399565): status = PASS
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Authorize LCP
09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): Port='BRI0/0:1'
list='tacacscallback' service=NET
09:54:28: AAA/AUTHOR/LCP: BR0/0:1 (3325970013) user='router4'
09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): send AV service=ppp
09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): send AV protocol=lcp
09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): found list "tacacscallback"
09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): Method=tacacs+ (tacacs+)
09:54:28: AAA/AUTHOR/TAC+: (3325970013): user=router4
09:54:28: AAA/AUTHOR/TAC+: (3325970013): send AV service=ppp
09:54:28: AAA/AUTHOR/TAC+: (3325970013): send AV protocol=lcp
09:54:28: TAC+: (3325970013): received author response status = PASS_ADD
09:54:28: BR0/0:1 AAA/AUTHOR (3325970013): Post authorization status =
PASS_ADD
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV service=ppp
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV protocol=lcp
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV callback-dialstring=8358662
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
09:54:28: BR0/0:1 CHAP: O SUCCESS id 50 len 4
09:54:28: BR0/0:1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): Port='BRI0/0:1'
list='tacacscallback' service=NET
09:54:28: AAA/AUTHOR/FSM: BR0/0:1 (2934079407) user='router4'
09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): send AV service=ppp
09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): send AV protocol=ip
09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): found list "tacacscallback"
09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): Method=tacacs+ (tacacs+)
09:54:28: AAA/AUTHOR/TAC+: (2934079407): user=router4
09:54:28: AAA/AUTHOR/TAC+: (2934079407): send AV service=ppp
09:54:28: AAA/AUTHOR/TAC+: (2934079407): send AV protocol=ip
09:54:28: TAC+: (2934079407): received author response status = PASS_ADD
09:54:28: BR0/0:1 AAA/AUTHOR (2934079407): Post authorization status =
PASS_ADD
09:54:28: BR0/0:1 AAA/AUTHOR/FSM: We can start IPCP
09:54:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to up
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Start. Her address 145.45.45.4, we want
0.0.0.0
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): Port='BRI0/0:1'
list='tacacscallback' service=NET
09:54:30: AAA/AUTHOR/IPCP: BR0/0:1 (2003900139) user='router4'
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV service=ppp
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV protocol=ip
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV addr*145.45.45.4
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): found list "tacacscallback"
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): Method=tacacs+ (tacacs+)
09:54:30: AAA/AUTHOR/TAC+: (2003900139): user=router4
09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV service=ppp
09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV protocol=ip
09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV addr*145.45.45.4
09:54:30: TAC+: (2003900139): received author response status = PASS_ADD
09:54:30: BR0/0:1 AAA/AUTHOR (2003900139): Post authorization status =
PASS_ADD
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV service=ppp
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV addr*145.45.45.4
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Authorization succeeded
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Done. Her address 145.45.45.4, we want
145.45.45.4
r5#
r5#
09:54:33: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 8358661
router4
r5#
r5#
ts23#1
[Resuming connection 1 to r4 ... ]
.
0
r4#ping 145.45.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 145.45.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms
r4#sh dialer

BRI0 - dialer type = ISDN

Dial String Successes Failures Last DNIS Last status
8358662 8 0 00:00:14 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=145.45.45.4, d=145.45.45.5)
Time until disconnect 27 secs
Connected to 8358662 (r5)

BRI0:2 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
r4#sh isdn active
----------------------------------------------------------------------------
----
ISDN ACTIVE CALLS
----------------------------------------------------------------------------
----
Call Calling Called Remote Seconds Seconds Seconds Charges
Type Number Number Name Used Left Idle Units/Currency
----------------------------------------------------------------------------
----
Out 8358662 r5 17 23 6 0 
----------------------------------------------------------------------------
----

r4#
ts23#2
[Resuming connection 2 to r5 ... ]

r5#sh dialer

BRI0/0 - dialer type = ISDN

Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0/0:1 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Time until disconnect 17 secs
Connected to 8358661 (router4)

BRI0/0:2 - dialer type = ISDN
Idle timer (30 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
r5#sh isdn active
----------------------------------------------------------------------------
----
ISDN ACTIVE CALLS
----------------------------------------------------------------------------
----
Call Calling Called Remote Seconds Seconds Seconds Charges
Type Number Number Name Used Left Idle Units/Currency
----------------------------------------------------------------------------
----
In 8358661 8358662 router4 27 14 15 
----------------------------------------------------------------------------
----

r5#
09:55:35252680244: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from
8358661 router4, call lasted 41 seconds
09:55:09: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
r5#
09:55:09: AAA/MEMORY: free_user (0x8296B0A0) user='router4' ruser='NULL'
port='BRI0/0:1' rem_addr='8358661/8358662' authen_type=CHAP service=PPP
priv=1
r5#
09:55:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed
state to down
r5#


-----Original Message-----
From: li jun [mailto:liuyang1976@xxxxxxxxxxx] 
Sent: Friday, December 06, 2002 8:36 PM
To: security@xxxxxxxxxxxxxx
Subject: ISDN Call back with Dialstring problem


Cisco guys and security experts,
here I have met a problem. I have configured 2 routers to use ISDN callback
successfully, and authenticated the callback server to the TACACS server. Doing it
step by step with the Cisco doc, everything works.
Then as the next step I tried to let the callback server get the callback-dialstring
from the TACACS server. I can see the callback dial string has been sent to the
callback server from the TACACS server, but the callback server does not call back
to the client.

Could you please help me check what the problem is, or give me the Cisco web
site to find the correct answer? Thanks.

Here is my config for your reference.

This is the callback client configuration:

interface BRI0/0
 ip address 200.50.35.5 255.255.255.252
 encapsulation ppp
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 7 cisco
 ip ospf demand-circuit
 no ip mroute-cache
 dialer idle-timeout 40
 dialer map ip 200.50.35.6 name r1 broadcast 384960
 dialer load-threshold 100 either
 dialer-group 1
 isdn switch-type basic-net3
 no peer neighbor-route
 no cdp enable
 ppp callback request
 ppp authentication chap callin
 ppp chap hostname r1
 ppp multilink

dialer-list 1 protocol ip permit

Here is the config of the callback server:

aaa new-model
aaa authentication login loginau group tacacs+ local
aaa authentication ppp default group tacacs+

interface BRI0/0
 ip address 200.50.35.6 255.255.255.252
 encapsulation ppp
 no ip route-cache
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 7 cisco
 no ip mroute-cache
 dialer callback-secure
 dialer aaa     ===> want to get the dialer string from TACACS server
 dialer map ip 200.50.35.5 name r4 class callback broadcast 
 dialer load-threshold 1 either
 dialer-group 1
 isdn switch-type basic-net3
 no cdp enable
 ppp callback accept
 ppp authentication chap
 ppp multilink

map-class dialer callback
 dialer callback-server username
dialer-list 1 protocol ip permit


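Added example, not part of the original posts and not Cisco tooling: a Python parser for AAA authorization debugs like the r5 capture earlier in this message. It rejoins the mail-wrapped records, collects the attribute-value pairs the router processed for each user, and checks any callback-dialstring against an operator allowlist. The function names and the `expected` allowlist are assumptions made for the illustration.

```python
import re

TS = re.compile(r"^\d\d:\d\d:\d+: ")      # every debug record starts with a timestamp
PROMPT = re.compile(r"^\S+#")             # exec prompts interleaved with the debugs
USER = re.compile(r"AAA/AUTHOR/(\w+): (\S+) \(\d+\) user='([^']*)'")
AV = re.compile(r"(\S+) AAA/AUTHOR/(\w+): Processing AV ([\w-]+)[=*](.*)$")
# Excerpt of the r5 debug output on this page, mail line-wrapping kept.
SAMPLE = """\
09:54:28: AAA/AUTHOR/LCP: BR0/0:1 (3325970013) user='router4'
09:54:28: BR0/0:1 AAA/AUTHOR (3325970013): Post authorization status =
PASS_ADD
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV callback-dialstring=8358662
09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
09:54:30: AAA/AUTHOR/IPCP: BR0/0:1 (2003900139) user='router4'
09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV addr*145.45.45.4
r5#
"""

def unwrap(text):  # rejoin records split by mail wrapping, drop prompt lines
    records = []
    for line in map(str.strip, text.splitlines()):
        if not line or PROMPT.match(line):
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line      # continuation of the previous record
    return records

def applied_avs(text):  # -> {user: {attribute: value}} for each processed AV
    owner, result = {}, {}
    for rec in unwrap(text):
        if m := USER.search(rec):
            owner[(m[2], m[1])] = m[3]     # (interface, phase) -> user
        elif m := AV.search(rec):
            user = owner.get((m[1], m[2]), "<unknown>")
            result.setdefault(user, {})[m[3]] = m[4].strip()
    return result

def audit_callback(text, expected):  # expected: hypothetical {user: number} allowlist
    findings = []
    for user, avs in applied_avs(text).items():
        number = avs.get("callback-dialstring")
        if number is not None and expected.get(user) != number:
            findings.append((user, "unexpected callback-dialstring", number))
        if avs.get("nocallback-verify") == "1":
            findings.append((user, "nocallback-verify set", number))
    return findings
```

Run over a full capture, `applied_avs` shows exactly which number the AAA server handed the router for each CHAP identity, which is the value to compare against the number the router actually dials.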