List, I will appear entirely uneducated in this cry for assistance, but must, at the expense of revealing ignorance, show my true colors if I expect to find any help.
We are an ISP. I've installed FreeRadius on a server that heretofore has been used solely for the aaa needs of a PortMaster 3 (dialup users). This company recently began reselling Qwest's DSL service, which was delivered to us over an ATM T1 into a Cisco 2621. Initially, it seemed there was no need to go through the learning curve of getting the Cisco to aaa against the FreeRadius server, but now, with an increase of orders that require static IP addresses, and the Virtual-Template limitations on the router, I must get the Cisco to aaa against FreeRadius.

Earlier this month (September) I found another gentleman with an almost identical dilemma - one pool of addresses doled out to dhcp customers (from an ip address pool on the Cisco), and another Virtual-Template that allowed customers requiring static IPs to get their addresses from the FreeRadius server. He obviously found a solution, though it wasn't spelled out in his victory-message to the list...and my searches through the past 3 years of list-activity, while enlightening, have not yielded a working configuration.

The server has FreeRadius 0.9.0 running. The server is a RedHat Linux box (kernel 2.4.9-e.27smp). I am simply authenticating against the system (etc/password, etc/shadow, etc/group) until I get a better grasp of working with MySQL.

Yesterday, I attempted the implementation of what configuration I'd derived through many hours of research...and the result was - the only activity on the FreeRadius server, was that of authenticating me on the console session through the loopback0 interface. I had a test customer reset their modem (Actiontec - actually a router), and there was no indication in the FreeRadius debug (radiusd -sfxxyz -l stdout) that the router even sent a request for authentication.

Below is my 2621's aaa configuration (as well as a sample pvc and Virtual-Template). {Actually, I had to remove the aaa new-model commands in order for the customers to get back online...
Nevertheless, this is what I'm still prepared to re-enter this evening, unless someone on this list can show me better.}

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    radius-server host 10.99.101.3 auth-port 1812 acct-port 1813
    radius-server attribute 8 include-in-access-req
    ip radius source-interface loopback0
    interface loopback0
     ip address 10.99.13.254 255.255.255.255
    radius-server unique-ident 99
    radius-server configure-nas
    radius-server key ctte/dbtr
    interface Virtual-Template2
     description StaticGroup
     ip unnumbered FastEthernet0/0
     no peer default ip address
     ppp authentication pap callin
    access-list 1 permit 10.99.13.0 0.0.0.255

When no requests seemed to be hitting the FreeRadius server, I tried "debug radius"...and totally lost control of the router. It continued to cycle through attempts at authenticating Virtual-Access5...but with no such evidence on the radius server.

As to my FreeRadius configuration...I don't want to overload you (though I probably already have)...but, I've set up my Huntgroups file as follows...

    DSLHost   NAS-IP-Address == 10.99.13.254
              (note: this is loopback0 for the router)
    PM3       NAS-IP-Address == 10.99.105.1
    Dynamic   NAS-IP-Address == 10.99.13.254
              User-Name = RodCom,
              User-Name = FarBur,
              (and the list goes on)
    Static1   NAS-IP-Address == 10.99.13.254
              User-Name = NecOlo

And, my Users file looks like so (just an example)

    Mark      Auth-Type := System, Huntgroup-Name == "PM3"
              Fall-Through = Yes

    RodCom    Auth-Type := System, Huntgroup-Name == "DSLHost"
              Fall-Through = Yes

    NecOlo    Auth-Type := System, Huntgroup-Name == "DSLHost"
              Fall-Through = Yes

    DEFAULT   Service-Type == Framed-User, Huntgroup-Name == "PM3"
              Framed-IP-Address = 255.255.255.254,
              Framed-MTU = 576,
              Framed-Protocol = PPP,
              Service-Type = Framed-User,
              Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT   Service-Type == Framed-User, Huntgroup-name == "dynamic"
              Framed-IP-Address = 255.255.255.254,
              Framed-MTU = 1500
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT   Service-Type == Framed-User, Huntgroup-Name == "static1"
              Framed-IP-Address = 10.99.12.15,
              Framed-IP-Netmask = 255.255.255.255,
              Framed-MTU = 1500,
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-Compression = Van-Jacobson-TCP-IP

Now, I may have a problem in part of my radiusd.conf file...in that, in the authorization section there is no entry for PAP, while there is such an entry in the authenticate section.

Could anyone tell me if I should be using the loopback0 address, as the NAS-IP-Address, or the FastEthernet0/0 address?

I recognize this may be too lengthy or long-winded for your taste, but am hoping to give enough detail to avail you an honest opportunity to zero-in on what's wrong.

Sincerest Regards,
D. Paul Sparks
Operations
rodinetechnology.com
[EMAIL PROTECTED]
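
A consistency check for the two files quoted in the post above, as an added example that is not part of the original message: it cross-references every Huntgroup-Name check in the users entries against the names defined in huntgroups. The sample text is constructed from the entries quoted in the post (first line of each entry only), and treating the name comparison as an exact, case-sensitive string match is an assumption.

```python
import re

# Constructed sample: entry names and check items as quoted in the post.
HUNTGROUPS = """\
DSLHost  NAS-IP-Address == 10.99.13.254
PM3      NAS-IP-Address == 10.99.105.1
Dynamic  NAS-IP-Address == 10.99.13.254
Static1  NAS-IP-Address == 10.99.13.254
"""

USERS = """\
Mark     Auth-Type := System, Huntgroup-Name == "PM3"
RodCom   Auth-Type := System, Huntgroup-Name == "DSLHost"
NecOlo   Auth-Type := System, Huntgroup-Name == "DSLHost"
DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "PM3"
DEFAULT  Service-Type == Framed-User, Huntgroup-name == "dynamic"
DEFAULT  Service-Type == Framed-User, Huntgroup-Name == "static1"
"""

# Attribute names are matched case-insensitively; the value is captured as written.
REF = re.compile(r'Huntgroup-Name\s*[=!]=\s*"?([^",\s]+)"?', re.IGNORECASE)

def is_entry_line(line):
    """True for the first line of an entry (not blank, indented, or a comment)."""
    return bool(line) and not line[0].isspace() and not line.startswith("#")

def defined_groups(text):
    """Huntgroup names: column one of each entry line in the huntgroups file."""
    return {l.split()[0] for l in text.splitlines() if is_entry_line(l)}

def check_references(users_text, groups):
    """Return (user, referenced_name, verdict) for every Huntgroup-Name check."""
    by_lower = {g.lower(): g for g in groups}
    findings = []
    for line in filter(is_entry_line, users_text.splitlines()):
        user = line.split()[0]
        for name in REF.findall(line):
            if name in groups:              # assumption: exact string match
                verdict = "ok"
            elif name.lower() in by_lower:
                verdict = "case mismatch with " + by_lower[name.lower()]
            else:
                verdict = "undefined"
            findings.append((user, name, verdict))
    return findings

if __name__ == "__main__":
    for user, name, verdict in check_references(USERS, defined_groups(HUNTGROUPS)):
        print(f"{user:8} {name:8} {verdict}")
```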