GroupStudy.com - A virtual community of network engineers
RE: ISDN Call back with Dialstring problem posted 12/08/2002


Hi Joe

I saw your post awhile back and I had no problems with multilink and AAA
authorization.  I was using 12.2(8)T however (sorry don't have the configs).

Regards,
Justin

-----Original Message-----
From: Joe Wong [mailto:vr2zjw@xxxxxxxxxxx] 
Sent: Monday, December 09, 2002 7:08 AM
To: Keyur Shah; 'li jun'; security@xxxxxxxxxxxxxx
Subject: Re: ISDN Call back with Dialstring problem


More questions:

How to bring up the second BRI channel using ppp multilink and dialer
load-threshold? I have tried it but it doesn't work, any other method
recommended?
----- Original Message -----
From: "Keyur Shah" <kshah@xxxxxxxxxxxxxxxxxx>
To: "'li jun'" <liuyang1976@xxxxxxxxxxx>; <security@xxxxxxxxxxxxxx>
Sent: Sunday, December 08, 2002 1:37 AM
Subject: RE: ISDN Call back with Dialstring problem


> Here is the working config.
>
> here is working config for tacacs callback without using dialer map on
> r5. r4 calls r5 and r5 calls r4 back using ACS config. r5 has
> secondary e0 ip to connect to tacacs server for this config.
>
> r4#wr t
> Building configuration...
>
> Current configuration : 1966 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r4
> !
> enable secret 5 $1$P3FI$GslZd0LmjeenzjT0i8HfG0
> !
> username R5 password 0 hello
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> isdn switch-type basic-ni
> !
> key chain keyr1
> key 1
> key-string 12345
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 44.44.44.44 255.255.255.0
> !
> interface Ethernet0
> ip address 172.16.44.4 255.255.255.0
> !
> interface Serial0
> ip address 150.50.24.4 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 hello
> ip ospf network point-to-point
> frame-relay map ip 150.50.24.2 142 broadcast
> frame-relay lmi-type ansi
> !
> interface Serial1
> ip address 150.50.46.4 255.255.255.0
> ip authentication mode eigrp 100 md5
> ip authentication key-chain eigrp 100 keyr1
> encapsulation frame-relay
> frame-relay map ip 150.50.46.6 246 broadcast
> !
> interface BRI0
> ip address 145.45.45.4 255.255.255.240
> encapsulation ppp
> ip ospf demand-circuit
> dialer idle-timeout 30
> dialer map ip 145.45.45.5 8358662
> dialer-group 5
> isdn switch-type basic-ni
> isdn spid1 0835866101
> isdn spid2 0835866301
> no cdp enable
> ppp authentication chap callin
> ppp chap hostname router4
> !
> router eigrp 100
> redistribute ospf 100 metric 10000 10 255 1 1500
> network 150.50.46.0 0.0.0.255
> no auto-summary
> no eigrp log-neighbor-changes
> !
> router ospf 100
> router-id 44.44.44.44
> log-adjacency-changes
> redistribute eigrp 100 subnets
> network 44.44.44.0 0.0.0.255 area 1
> network 145.45.45.0 0.0.0.15 area 1
> network 150.50.24.0 0.0.0.255 area 1
> network 172.16.44.0 0.0.0.255 area 1
> distribute-list 10 in Serial0
> !
> ip classless
> ip http server
> !
> access-list 10 deny 10.0.0.0 0.0.0.255
> access-list 10 deny 172.16.0.0 0.15.255.255
> access-list 10 deny 192.168.0.0 0.0.255.255
> access-list 10 permit any
> dialer-list 5 protocol ip permit
> !
> !
> line con 0
> logging synchronous
> line aux 0
> line vty 0 4
> !
> end
>
> r4#
> ts23#2
> [Resuming connection 2 to r5 ... ]
>
> 0
> r5#wr t
> Building configuration...
>
> Current configuration : 2145 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r5
> !
> aaa new-model
> aaa authentication login mylogin group tacacs+
> aaa authentication ppp tacacscallback group tacacs+
> aaa authorization network tacacscallback group tacacs+
> enable secret 5 $1$dY3g$rFHRvOF5xCkHXWw.Tyr0A1
> !
> username R4 password 0 hello
> ip subnet-zero
> !
> !
> no ip domain-lookup
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 120
> ip ssh authentication-retries 3
> !
> isdn switch-type basic-ni
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 55.55.55.55 255.255.255.0
> !
> interface Ethernet0/0
> ip address 150.50.111.11 255.255.255.0 secondary
> ip address 150.50.15.5 255.255.255.0
> half-duplex
> !
> interface Serial0/0
> ip address 150.50.57.5 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 hello
> ip ospf network point-to-point
> frame-relay map ip 150.50.57.7 157 broadcast
> !
> interface BRI0/0
> ip address 145.45.45.5 255.255.255.240
> encapsulation ppp
> ip ospf demand-circuit
> dialer idle-timeout 30
> dialer-group 5
> isdn switch-type basic-ni
> isdn spid1 0835866201
> isdn spid2 0835866401
> no cdp enable
> ppp authentication chap tacacscallback
> ppp authorization tacacscallback
> ppp multilink
> !
> router ospf 100
> router-id 55.55.55.55
> log-adjacency-changes
> redistribute rip subnets
> network 55.55.55.0 0.0.0.255 area 0
> network 145.45.45.0 0.0.0.15 area 1
> network 150.50.15.0 0.0.0.255 area 0
> distribute-list 10 in Serial0/0
> !
> router rip
> version 2
> redistribute ospf 100 metric 2
> passive-interface Ethernet0/0
> network 150.50.0.0
> !
> ip classless
> ip http server
> ip pim bidir-enable
> !
> access-list 10 deny 10.0.0.0 0.0.0.255
> access-list 10 deny 172.16.0.0 0.15.255.255
> access-list 10 deny 192.168.0.0 0.0.255.255
> access-list 10 permit any
> dialer-list 5 protocol ip permit
> !
> tacacs-server host 150.50.111.100 key hello
> !
> voice-port 1/0/0
> !
> voice-port 1/0/1
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> logging synchronous
> line aux 0
> line vty 0
> login authentication mylogin
> line vty 1 4
> !
> no scheduler allocate
> end
>
> r5#
> ts23#1
> [Resuming connection 1 to r4 ... ]
>
> 09
> r4#sh dialer
>
> BRI0 - dialer type = ISDN
>
> Dial String Successes Failures Last DNIS Last status
> 8358662 7 0 00:01:13 successful
> 0 incoming call(s) have been screened.
> 0 incoming call(s) rejected for callback.
>
> BRI0:1 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is idle
>
> BRI0:2 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is idle
> r4#sh isdn active
> --------------------------------------------------------------------------------
> ISDN ACTIVE CALLS
> --------------------------------------------------------------------------------
> Call Calling Called Remote Seconds Seconds Seconds Charges
> Type Number Number Name Used Left Idle Units/Currency
> --------------------------------------------------------------------------------
> --------------------------------------------------------------------------------
>
> r4#
> ts23#2
> [Resuming connection 2 to r5 ... ]
>
> r5#sh debug
> General OS:
> AAA Authentication debugging is on
> AAA Authorization debugging is on
> PPP:
> PPP authentication debugging is on
> r5#
> ts23#1
> [Resuming connection 1 to r4 ... ]
>
> r4#ping 145.45.45.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 145.45.45.5, timeout is 2 seconds:
>
> ts23#2
> [Resuming connection 2 to r5 ... ]
>
> 0
> 09:54:118111600613: BR0/0:1 PPP: Treating connection as a callin
> 09:54:27: BR0/0:1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
> 09:54:27: BR0/0:1 CHAP: O CHALLENGE id 50 len 23 from "r5"
> 09:54:27: BR0/0:1 CHAP: I RESPONSE id 50 len 28 from "router4"
> 09:54:27: AAA: parse name=BRI0/0:1 idb type=14 tty=-1
> 09:54:27: AAA: name=BRI0/0:1 flags=0x55 type=2 shelf=0 slot=0 
> adapter=0 port=0 channel=1
> 09:54:27: AAA: parse name= idb type=-1 tty=-1
> 09:54:27: AAA/MEMORY: create_user (0x8296B0A0) user='router4' 
> ruser='NULL' ds0=0 port='BRI0/0:1' rem_addr='8358661/8358662' 
> authen_type=CHAP service=PPP priv=1 initial_task_id='0'
> 09:54:27: AAA/AUTHEN/START (595399565): port='BRI0/0:1' 
> list='tacacscallback' action=LOGIN service=PPP
> 09:54:27: AAA/AUTHEN/START (595399565): found list tacacscallback
> 09:54:27: AAA/AUTHEN/START (595399565): Method=tacacs+ (tacacs+)
> 09:54:27: TAC+: send AUTHEN/START packet ver=193 id=595399565
> 09:54:28: TAC+: ver=193 id=595399565 received AUTHEN status = PASS
> 09:54:28: AAA/AUTHEN (595399565): status = PASS
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Authorize LCP
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): Port='BRI0/0:1' 
> list='tacacscallback' service=NET
> 09:54:28: AAA/AUTHOR/LCP: BR0/0:1 (3325970013) user='router4'
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): send AV service=ppp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): send AV protocol=lcp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): found list 
> "tacacscallback"
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP (3325970013): Method=tacacs+ (tacacs+)
> 09:54:28: AAA/AUTHOR/TAC+: (3325970013): user=router4
> 09:54:28: AAA/AUTHOR/TAC+: (3325970013): send AV service=ppp
> 09:54:28: AAA/AUTHOR/TAC+: (3325970013): send AV protocol=lcp
> 09:54:28: TAC+: (3325970013): received author response status = PASS_ADD
> 09:54:28: BR0/0:1 AAA/AUTHOR (3325970013): Post authorization status =
> PASS_ADD
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV service=ppp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV protocol=lcp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV callback-dialstring=8358662
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
> 09:54:28: BR0/0:1 CHAP: O SUCCESS id 50 len 4
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): Port='BRI0/0:1' 
> list='tacacscallback' service=NET
> 09:54:28: AAA/AUTHOR/FSM: BR0/0:1 (2934079407) user='router4'
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): send AV service=ppp
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): send AV protocol=ip
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): found list 
> "tacacscallback"
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM (2934079407): Method=tacacs+ (tacacs+)
> 09:54:28: AAA/AUTHOR/TAC+: (2934079407): user=router4
> 09:54:28: AAA/AUTHOR/TAC+: (2934079407): send AV service=ppp
> 09:54:28: AAA/AUTHOR/TAC+: (2934079407): send AV protocol=ip
> 09:54:28: TAC+: (2934079407): received author response status = PASS_ADD
> 09:54:28: BR0/0:1 AAA/AUTHOR (2934079407): Post authorization status =
> PASS_ADD
> 09:54:28: BR0/0:1 AAA/AUTHOR/FSM: We can start IPCP
> 09:54:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Start. Her address 145.45.45.4, we 
> want 0.0.0.0
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): Port='BRI0/0:1' 
> list='tacacscallback' service=NET
> 09:54:30: AAA/AUTHOR/IPCP: BR0/0:1 (2003900139) user='router4'
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV service=ppp
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV protocol=ip
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): send AV 
> addr*145.45.45.4
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): found list "tacacscallback"
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP (2003900139): Method=tacacs+ 
> (tacacs+)
> 09:54:30: AAA/AUTHOR/TAC+: (2003900139): user=router4
> 09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV service=ppp
> 09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV protocol=ip
> 09:54:30: AAA/AUTHOR/TAC+: (2003900139): send AV addr*145.45.45.4
> 09:54:30: TAC+: (2003900139): received author response status = PASS_ADD
> 09:54:30: BR0/0:1 AAA/AUTHOR (2003900139): Post authorization status =
> PASS_ADD
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV service=ppp
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV addr*145.45.45.4
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Authorization succeeded
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Done. Her address 145.45.45.4, we want
> 145.45.45.4
> r5#
> r5#
> 09:54:33: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 8358661
> router4
> r5#
> r5#
> ts23#1
> [Resuming connection 1 to r4 ... ]
> .
> 0
> r4#ping 145.45.45.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 145.45.45.5, timeout is 2 seconds: 
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/34/36 ms
> r4#sh dialer
>
> BRI0 - dialer type = ISDN
>
> Dial String Successes Failures Last DNIS Last status
> 8358662 8 0 00:00:14 successful
> 0 incoming call(s) have been screened.
> 0 incoming call(s) rejected for callback.
>
> BRI0:1 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is data link layer up
> Dial reason: ip (s=145.45.45.4, d=145.45.45.5)
> Time until disconnect 27 secs
> Connected to 8358662 (r5)
>
> BRI0:2 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is idle
> r4#sh isdn active
> --------------------------------------------------------------------------------
> ISDN ACTIVE CALLS
> --------------------------------------------------------------------------------
> Call Calling Called Remote Seconds Seconds Seconds Charges
> Type Number Number Name Used Left Idle Units/Currency
> --------------------------------------------------------------------------------
> Out 8358662 r5 17 23 6 0
> --------------------------------------------------------------------------------
>
> r4#
> ts23#2
> [Resuming connection 2 to r5 ... ]
>
> r5#sh dialer
>
> BRI0/0 - dialer type = ISDN
>
> Dial String Successes Failures Last DNIS Last status
> 0 incoming call(s) have been screened.
> 0 incoming call(s) rejected for callback.
>
> BRI0/0:1 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is data link layer up
> Time until disconnect 17 secs
> Connected to 8358661 (router4)
>
> BRI0/0:2 - dialer type = ISDN
> Idle timer (30 secs), Fast idle timer (20 secs)
> Wait for carrier (30 secs), Re-enable (15 secs)
> Dialer state is idle
> r5#sh isdn active
> --------------------------------------------------------------------------------
> ISDN ACTIVE CALLS
> --------------------------------------------------------------------------------
> Call Calling Called Remote Seconds Seconds Seconds Charges
> Type Number Number Name Used Left Idle Units/Currency
> --------------------------------------------------------------------------------
> In 8358661 8358662 router4 27 14 15
> --------------------------------------------------------------------------------
>
> r5#
> 09:55:35252680244: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from 8358661 router4, call lasted 41 seconds
> 09:55:09: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> r5#
> 09:55:09: AAA/MEMORY: free_user (0x8296B0A0) user='router4'
> ruser='NULL' port='BRI0/0:1' rem_addr='8358661/8358662'
> authen_type=CHAP service=PPP priv=1
> r5#
> 09:55:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to down
> r5#
>
>
> -----Original Message-----
> From: li jun [mailto:liuyang1976@xxxxxxxxxxx]
> Sent: Friday, December 06, 2002 8:36 PM
> To: security@xxxxxxxxxxxxxx
> Subject: ISDN Call back with Dialstring problem
>
>
> Cisco guys and security experts,
> I have met a problem here. I have configured 2 routers to use ISDN call back
> successfully, and authenticated the call back server to the TACACS server. I did it
> step by step with the Cisco doc, and everything works.
> Then, as the next step, I tried to let the call back server get the callback-dialstring
> from the TACACS server. I can see the callback-dialer string has been sent
> to the call back server from the TACACS server, but the call back server does not
> call back to the client.
>
> Could you please help me check what the problem is, or give me the Cisco
> web site to find the correct answer? Thanks.
>
> Here is my config for your reference.
>
> This is the call back client configuration:
>
> interface BRI0/0
>  ip address 200.50.35.5 255.255.255.252
>  encapsulation ppp
>  ip ospf authentication message-digest
>  ip ospf message-digest-key 2 md5 7 cisco
>  ip ospf demand-circuit
>  no ip mroute-cache
>  dialer idle-timeout 40
>  dialer map ip 200.50.35.6 name r1 broadcast 384960
>  dialer load-threshold 100 either
>  dialer-group 1
>  isdn switch-type basic-net3
>  no peer neighbor-route
>  no cdp enable
>  ppp callback request
>  ppp authentication chap callin
>  ppp chap hostname r1
>  ppp multilink
>
> dialer-list 1 protocol ip permit
>
> here is the config of call back server
>
> aaa new-model
> aaa authentication login loginau group tacacs+ local
> aaa authentication ppp default group tacacs+
>
> interface BRI0/0
>  ip address 200.50.35.6 255.255.255.252
>  encapsulation ppp
>  no ip route-cache
>  ip ospf authentication message-digest
>  ip ospf message-digest-key 2 md5 7 cisco
>  no ip mroute-cache
>  dialer callback-secure
>  dialer aaa     ===> want to get the dialer string from TACACS server
>  dialer map ip 200.50.35.5 name r4 class callback broadcast
>  dialer load-threshold 1 either
>  dialer-group 1
>  isdn switch-type basic-net3
>  no cdp enable
>  ppp callback accept
>  ppp authentication chap
>  ppp multilink
>
> map-class dialer callback
>  dialer callback-server username
> dialer-list 1 protocol ip permit
>
>
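
A troubleshooting aid for the question in this thread, added here as an example and not part of any poster's message: it reads AAA/PPP debug output in the format of the r5 trace quoted above and reports whether TACACS+ delivered `callback-dialstring` during LCP authorization. The function names are this example's own, and `SAMPLE` is a short excerpt copied from that quoted trace.

```python
import re

# Excerpt of the r5 debug trace quoted in the thread, with the mail client's
# "> " quoting and line wrapping left in place to exercise the unwrapping.
SAMPLE = """\
> 09:54:27: BR0/0:1 CHAP: I RESPONSE id 50 len 28 from "router4"
> 09:54:28: AAA/AUTHEN (595399565): status = PASS
> 09:54:28: TAC+: (3325970013): received author response status = PASS_ADD
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV service=ppp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV protocol=lcp
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV
callback-dialstring=8358662
> 09:54:28: BR0/0:1 AAA/AUTHOR/LCP: Processing AV nocallback-verify=1
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Processing AV addr*145.45.45.4
> 09:54:30: BR0/0:1 AAA/AUTHOR/IPCP: Authorization succeeded
"""

TS = re.compile(r"^\d\d:\d\d:\d+: ")  # uptime timestamp that starts each entry
AV = re.compile(r"AAA/AUTHOR/(\w+): Processing AV (\S+?)([=*])(\S*)$")

def unwrap(text):
    """Strip '> ' quoting and rejoin lines the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if not line:
            continue
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line  # continuation of the previous log entry
    return out

def summarize(text):
    """Return CHAP user, authentication status and AV pairs per PPP phase."""
    s = {"user": None, "authen": None, "avs": {}}
    for line in unwrap(text):
        if m := re.search(r'CHAP: I RESPONSE .* from "([^"]+)"', line):
            s["user"] = m.group(1)
        elif m := re.search(r"AAA/AUTHEN \(\d+\): status = (\w+)", line):
            s["authen"] = m.group(1)
        elif m := AV.search(line):
            phase, name, sep, value = m.groups()
            # '=' marks a mandatory attribute, '*' an optional one
            s["avs"].setdefault(phase, {})[name] = (value, sep == "=")
    return s

def callback_number(text):
    """Dial string delivered during LCP authorization, or None if absent."""
    s = summarize(text)
    if s["authen"] != "PASS":
        return None
    return s["avs"].get("LCP", {}).get("callback-dialstring", (None,))[0]
```

A `None` result on a trace where authentication passed means the attribute never reached LCP authorization, which points at the authorization method list or the server-side profile rather than at the dialer.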