Hi everyone, I'm having trouble with MS IAS and a 3640 for dial-in. The user is authenticated fine - but authorizatin fails with: "RADIUS: no appropriate authorization type for user"
>From what I've found these would be the case when the attributes Service-Type=Framed and Framed-Protocol=PPP are missing from the RADIUS-server. These setting are however there in the default dial-in profile in MS IAS. Any thoughts?? Config and debug below. Thanks ! Johan 3w6d: %ISDN-6-CONNECT: Interface Serial1/0:2 is now connected to 858714800 3w6d: %LINK-3-UPDOWN: Interface Async30, changed state to up 3w6d: As30 PPP: Treating connection as a dedicated line 3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially 3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218 3w6d: As30 MS-CHAP: O CHALLENGE id 6 len 22 from "Cisco-RAS" 3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially 3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218 3w6d: As30 MS-CHAP: O CHALLENGE id 7 len 22 from "Cisco-RAS" 3w6d: As30 MS-CHAP: I RESPONSE id 7 len 70 from "INSIDE\rasdialin" 3w6d: AAA: parse name=Async30 idb type=10 tty=30 3w6d: AAA: name=Async30 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=30 chann el=0 3w6d: AAA: parse name=Serial1/0:2 idb type=13 tty=-1 3w6d: AAA: name=Serial1/0:2 flags=0x55 type=1 shelf=0 slot=1 adapter=0 port=0 ch annel=2 3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218 3w6d: AAA/MEMORY: create_user (0x615B78A0) user='INSIDE\rasdialin' ruser='NULL' port='Async30' rem_addr='858714800/0858765920' authen_type=MSCHAP service=PPP pr iv=1 initial_task_id='0' 3w6d: RADIUS: ustruct sharecount=0 3w6d: Radius: radius_port_info() success=1 radius_nas_port=1 3w6d: RADIUS: Initial Transmit Async30 id 43 172.16.16.252:1645, Access-Request, len 165 3w6d: Attribute 4 6 AC1010FB 3w6d: Attribute 5 6 0000001E 3w6d: Attribute 61 6 00000000 3w6d: Attribute 1 18 494E5349 3w6d: Attribute 30 12 30383538 3w6d: Attribute 31 11 38353837 3w6d: Attribute 26 16 000001370B0A64BA 3w6d: Attribute 26 58 0000013701340701 3w6d: Attribute 6 6 00000002 3w6d: Attribute 7 6 00000001 3w6d: RADIUS: Received from id 43 172.16.16.252:1645, Access-Accept, len 119 3w6d: Attribute 7 6 00000001 3w6d: Attribute 6 6 00000004 3w6d: Attribute 25 32 5F1B06C0 3w6d: Attribute 26 40 000001370C224097 3w6d: Attribute 26 15 000001370A090749 3w6d: As30 AAA/AUTHOR/LCP: Authorize LCP 3w6d: As30 AAA/AUTHOR/LCP (548968306): Port='Async30' list='' service=NET 3w6d: AAA/AUTHOR/LCP: As30 (548968306) user='INSIDE\rasdialin' 3w6d: As30 AAA/AUTHOR/LCP (548968306): send AV service=ppp 3w6d: As30 AAA/AUTHOR/LCP (548968306): send AV protocol=lcp 3w6d: As30 AAA/AUTHOR/LCP (548968306): found list "default" 3w6d: As30 AAA/AUTHOR/LCP (548968306): Method=radius (radius) 3w6d: RADIUS: unrecognized Microsoft VSA type 10 3w6d: RADIUS: no appropriate authorization type for user. 3w6d: As30 AAA/AUTHOR (548968306): Post authorization status = FAIL 3w6d: As30 AAA/AUTHOR/LCP: Denied 3w6d: As30 MS-CHAP: O FAILURE id 7 len 24 msg is "Authorization failed" 3w6d: AAA/MEMORY: free_user (0x615B78A0) user='INSIDE\rasdialin' ruser='NULL' po rt='Async30' rem_addr='858714800/0858765920' authen_type=MSCHAP service=PPP priv =1 3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially 3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218 3w6d: %ISDN-6-DISCONNECT: Interface Serial1/0:2 disconnected from 858714800 , c all lasted 25 seconds version 12.2 no parser cache no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Cisco-RAS ! no logging rate-limit aaa new-model aaa authentication login default group radius local aaa authentication login NO_AUTHEN none aaa authentication ppp default if-needed group radius local aaa authorization network default group radius enable secret xxxxxxxxxxxxxxxxxxxxx enable password xxxxxxxxxxxxxxxxx ! modem country mica sweden ip subnet-zero ! ! no ip domain-lookup ! no ip dhcp-client network-discovery isdn switch-type primary-net5 ! controller E1 1/0 framing NO-CRC4 pri-group timeslots 1-31 ! controller E1 1/1 ! ! interface FastEthernet1/0 ip address 172.16.16.251 255.255.240.0 duplex auto speed auto ! interface Serial1/0:15 ip unnumbered FastEthernet1/0 encapsulation ppp dialer pool-member 1 isdn switch-type primary-net5 isdn incoming-voice modem no fair-queue ppp callback accept ppp authentication pap ppp multilink ! interface Group-Async1 ip unnumbered FastEthernet1/0 encapsulation ppp async mode interactive peer default ip address dhcp ppp callback accept ppp authentication ms-chap chap group-range 1 30 ! interface Dialer1 ip unnumbered FastEthernet1/0 encapsulation ppp dialer pool 1 dialer-group 1 peer default ip address dhcp ppp callback accept ppp authentication ms-chap chap ! ip classless ip route 0.0.0.0 0.0.0.0 172.16.16.254 no ip http server ! dialer-list 1 protocol ip permit radius-server host 172.16.16.252 auth-port 1645 acct-port 1646 key 7 121A0C04110 402013E3C2B3A383C2C14 radius-server retransmit 3 ! line con 0 exec-timeout 0 0 password xxxxxxxxxx logging synchronous login authentication NO_AUTHEN line 1 30 no exec modem InOut modem autoconfigure type mica rotary 1 transport preferred telnet transport input all autoselect ppp line aux 0 password xxxxxx line vty 0 4 exec-timeout 0 0 password xxxxxxxx ! ! end isco Internetwork Operating System Software IOS (tm) 3600 Software (C3620-I-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support Copyright (c) 1986-2001 by cisco Systems, Inc. Compiled Sat 02-Jun-01 14:56 by ccai Image text-base: 0x600089A8, data-base: 0x60AA0000 ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (f c1) ROM: 3600 Software (C3620-I-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1) Cisco-RAS uptime is 3 weeks, 6 days, 17 minutes System returned to ROM by reload System image file is "flash:c3620-i-mz.122-2.t.bin" cisco 3620 (R4700) processor (revision 0x81) with 26624K/6144K bytes of memory. Processor board ID 26387501 R4700 CPU at 80Mhz, Implementation 33, Rev 1.0 MICA-6DM Firmware: CP ver 2720 - 5/30/2000, SP ver 2720 - 5/30/2000. Channelized E1, Version 1.0. Bridging software. X.25 software, Version 3.0.0. Primary Rate ISDN software, Version 1.1. 1 FastEthernet/IEEE 802.3 interface(s) 31 Serial network interface(s) 30 terminal line(s) 2 Channelized E1/PRI port(s) DRAM configuration is 32 bits wide with parity disabled. 29K bytes of non-volatile configuration memory. 8192K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41814&t=41814 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
