This section describes how to configure the Cisco AS5300 and AS5800 for PPP and local authentication.
In this case study, Maui Onions and THEnet perform the same tasks to configure their network access servers (NAS). Maui Onions uses a Cisco AS5300; THEnet uses a Cisco AS5800. After local authentication is verified, Maui Onions expects to use TACACS+ and a remote authentication server. THEnet expects to use RADIUS.
Configure AAA to perform login authentication by using the local username database. The login keyword authenticates EXEC terminal shell users. Additionally, configure PPP authentication to use the local database if the session was not already authenticated by login.
```
!
username admin password adminpasshere
username dude password dudepasshere
!
```
Warning: This step also prevents you from getting locked out of the NAS. If you get locked out, you must reboot the device and perform password recovery.
Step 2 Configure local AAA security in global configuration mode. You must enter the aaa new-model command before the other two authentication commands.
```
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
!
```
Step 3 Log in with your username and password:
```
5800-NAS#login
This is a secured device.
Unauthorized use is prohibited by law.
User Access Verification
Username: dude
Password:
5800-NAS#
```
Create a pool of IP addresses to assign to the PC clients dialing in. As the clients connect, they request IP addresses from the NAS.
Tip: Remote ISDN LANs and remote nodes are primarily differentiated by their IP addressing scheme. Remote LANs can appear as remote nodes by using port address translation (PAT).
```
!
ip local pool addr-pool 172.22.90.2 172.22.90.254
!
async-bootp dns-server 172.30.10.1 172.30.10.2
!
```
For clients that use server-assigned addressing (if there are any), you must specify primary and secondary DNS servers. Clients that are configured to receive NAS-assigned WINS and DNS servers request them from the NAS in their Configure-Requests.
Note: RFC 1877 describes DNS and NBNS servers. The domain name must also be configured on the client.
Step 2 Verify that the IP address pool was created:
```
5800-NAS#show ip local pool
Pool         Begin          End             Free   In use
addr-pool    172.22.90.2    172.22.90.254   253    0
5800-NAS#
```
The group-async interface is a template that controls the configuration of all the asynchronous interfaces in the NAS.
Asynchronous interfaces:
The client PPP framing must match the Cisco IOS interface. Figure 5-1 shows this concept.
Figure 5-1 Framing
The following group-async configuration applies to asynchronous interfaces 1/2/00 through 1/10/143:
```
!
interface Group-Async0
 ip unnumbered FastEthernet0/1/0
 encapsulation ppp
 async mode interactive
 ppp authentication chap pap
 peer default ip address pool addr-pool
 no cdp enable
 no ip directed-broadcast
 group-range 1/2/00 1/10/143
!
```
Table 5-1 describes the previous configuration snippet in more detail:
| Command | Purpose |
|---|---|
| ip unnumbered FastEthernet0/1/0 | Conserves IP address space by configuring the asynchronous interfaces as unnumbered. |
| encapsulation ppp | Enables PPP. |
| async mode interactive | Configures interactive mode on the asynchronous interfaces. Interactive means that users can dial in and get to a shell or PPP session on that line. |
| ppp authentication chap pap | Enables CHAP and PAP authentication on the interface during LCP negotiation. The NAS first requests to authenticate with CHAP. If CHAP is rejected by the remote client (modem), then PAP authentication is requested. |
| peer default ip address pool addr-pool | Assigns dial-in client IP addresses from the pool named addr-pool. |
| no cdp enable | Disables the Cisco discovery protocol. |
| no ip directed-broadcast | Prevents IP directed broadcasts. |
| group-range 1/2/00 1/10/143 | Specifies the range of asynchronous interfaces to include in the group, which is usually equal to the number of modems you have in the NAS. (The session may pause for several seconds when you issue this command.) |
Enable remote PPP users to dial in, bypass the EXEC facility, and automatically start PPP on the line.
```
!
line 1/2/00 1/10/143
 autoselect during-login
 autoselect ppp
!
```
These two autoselect commands:
Note: The autoselect during-login command displays the username:password prompt after modems connect.
Before you troubleshoot PPP negotiation or AAA authentication, you need to understand what a successful PPP and AAA debug sequence looks like. That way you save time and effort when comparing a successful debug session against a faulty one.
The following steps describe how to initiate a PPP test call and interpret a successful debug sequence.
```
5800-NAS#debug ppp authentication
PPP authentication debugging is on
5800-NAS#debug aaa authentication
AAA Authentication debugging is on
5800-NAS#show debug
General OS:
  AAA Authentication debugging is on
PPP:
  PPP authentication debugging is on
```
Step 2 Make sure that your EXEC session receives logging and debug output:
```
5800-NAS#terminal monitor
```
Step 3 From the client, send a test call into the NAS by using Dial-Up Networking. Figure 5-2 shows an example Windows Dial-Up Networking display.
Step 4 Go to the NAS terminal screen to observe and interpret the debug output messages. As the call enters the NAS, debug output is created.
When examining PPP between two remote peers:
a. First check to see if DSR came up.
b. Verify that both sides get through LCP negotiation. If they do, move on to check authentication.
c. After authentication succeeds, check IPCP negotiation.
d. If no debug output appears, troubleshoot ISDN Q.931. Use the debug isdn q931 command.
Given the debug commands entered in Step 1, the following debug output should be generated by the call:
```
*Sep 24 13:05:49.052: AAA: parse name=tty1/2/09 idb type=10 tty=441
*Sep 24 13:05:49.052: AAA: name=tty1/2/09 flags=0x1D type=4 shelf=0 slot=1 adapter=2 port=9 channel=0
*Sep 24 13:05:49.052: AAA: parse name=Serial1/0/0:4:21 idb type=12 tty=-1
*Sep 24 13:05:49.052: AAA: name=Serial1/0/0:4:21 flags=0x5D type=1 shelf=0 slot=1 adapter=0 port=4 channel=21
```
In this example, the call enters the NAS on channel 1/0/0:4:21. This channel maps to the 21st DS0 channel of the 4th PRI line of a CT3 card. Eventually the call terminates on modem 441.
```
*Sep 24 13:05:49.052: AAA/MEMORY: create_user (0x63E8FB70) user='' ruser='' port='tty1/2/09' rem_addr='4089548211/51121' authen_type=ASCII service=LOGIN priv=1
*Sep 24 13:05:49.052: AAA/AUTHEN/START (1586904428): port='tty1/2/09' list='' action=LOGIN service=LOGIN
*Sep 24 13:05:49.052: AAA/AUTHEN/START (1586904428): using "default" list
*Sep 24 13:05:49.052: AAA/AUTHEN/START (1586904428): Method=LOCAL
*Sep 24 13:05:49.052: AAA/AUTHEN (1586904428): status = GETUSER
*Sep 24 13:05:49.072: AAA/AUTHEN/ABORT: (1586904428) because Autoselected.
*Sep 24 13:05:49.072: AAA/MEMORY: free_user (0x63E8FB70) user='' ruser='' port='tty1/2/09' rem_addr='4089548211/51121' authen_type=ASCII service=LOGIN priv=1
```
An authentication start packet is sent by AAA, and it searches the local username database as the default authentication method.
```
*Sep 24 13:05:51.076: As1/2/09 PPP: Treating connection as a dedicated line
*Sep 24 13:05:55.272: As1/2/09 PPP: Phase is AUTHENTICATING, by this end
*Sep 24 13:05:55.404: As1/2/09 PAP: I AUTH-REQ id 1 len 20 from "dude"
*Sep 24 13:05:55.404: As1/2/09 PAP: Authenticating peer dude
```
PPP is allowed to start on the interface. The client sends an authentication request for the username dude, using PAP authentication.
```
*Sep 24 13:05:55.404: AAA: parse name=Async1/2/09 idb type=10 tty=441
*Sep 24 13:05:55.404: AAA: name=Async1/2/09 flags=0x1D type=4 shelf=0 slot=1 adapter=2 port=9 channel=0
*Sep 24 13:05:55.404: AAA: parse name=Serial1/0/0:4:21 idb type=12 tty=-1
*Sep 24 13:05:55.404: AAA: name=Serial1/0/0:4:21 flags=0x5D type=1 shelf=0 slot=1 adapter=0 port=4 channel=21
*Sep 24 13:05:55.404: AAA/MEMORY: create_user (0x63E8FB70) user='dude' ruser='' port='Async1/2/09' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:05:55.404: AAA/AUTHEN/START (693233173): port='Async1/2/09' list='' action=LOGIN service=PPP
*Sep 24 13:05:55.404: AAA/AUTHEN/START (693233173): using "default" list
*Sep 24 13:05:55.404: AAA/AUTHEN (693233173): status = UNKNOWN
*Sep 24 13:05:55.404: AAA/AUTHEN/START (693233173): Method=LOCAL
*Sep 24 13:05:55.404: AAA/AUTHEN (693233173): status = PASS
*Sep 24 13:05:55.404: As1/2/09 PAP: O AUTH-ACK id 1 len 5
```
The example above shows that local authentication was successful.
Failed authentication is a common occurrence. Misconfigured or mismatched usernames and passwords create error messages in debug output.
The following example shows that the username maddog does not have permission to dial into the NAS. The NAS does not have a local username configured for this user. To fix the problem, use the username name password password command to add the username to the local AAA database in the NAS:
```
*Sep 24 13:11:28.964: AAA/MEMORY: create_user (0x63E43558) user='maddog' ruser='' port='Async1/2/10' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:11:28.964: AAA/AUTHEN/START (3281080218): port='Async1/2/10' list='' action=LOGIN service=PPP
*Sep 24 13:11:28.964: AAA/AUTHEN/START (3281080218): using "default" list
*Sep 24 13:11:28.964: AAA/AUTHEN (3281080218): status = UNKNOWN
*Sep 24 13:11:28.964: AAA/AUTHEN/START (3281080218): Method=LOCAL
*Sep 24 13:11:28.964: AAA/AUTHEN (3281080218): User not found, end of method list
*Sep 24 13:11:28.964: AAA/AUTHEN (3281080218): status = FAIL
*Sep 24 13:11:28.964: As1/2/10 PAP: O AUTH-NAK id 1 len 32 msg is "Password validation failure"
*Sep 24 13:11:28.964: AAA/MEMORY: free_user (0x63E43558) user='maddog' ruser='' port='Async1/2/10' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
```
The following example shows an invalid password. Notice that the same error message, "Password validation failure", is used as for the username failure.
```
*Sep 24 13:13:59.032: AAA/MEMORY: create_user (0x63E9846C) user='dude' ruser='' port='Async1/2/11' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:13:59.032: AAA/AUTHEN/START (3032205297): port='Async1/2/11' list='' action=LOGIN service=PPP
*Sep 24 13:13:59.032: AAA/AUTHEN/START (3032205297): using "default" list
*Sep 24 13:13:59.032: AAA/AUTHEN (3032205297): status = UNKNOWN
*Sep 24 13:13:59.032: AAA/AUTHEN/START (3032205297): Method=LOCAL
*Sep 24 13:13:59.032: AAA/AUTHEN (3032205297): status = FAIL
*Sep 24 13:13:59.032: As1/2/11 PAP: O AUTH-NAK id 1 len 32 msg is "Password validation failure"
*Sep 24 13:13:59.036: AAA/MEMORY: free_user (0x63E9846C) user='dude' ruser='' port='Async1/2/11' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
```
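As an added example (not part of the Cisco document), the following Python script parses AAA/AUTHEN debug lines of the format shown in the successful and failed sequences above and reports, per asynchronous port, whether local authentication passed and, for failures, whether the cause was a missing username entry or a password mismatch, which the PAP AUTH-NAK message alone does not reveal. The sample debug text is constructed from the three exchanges in this section; Cisco IOS itself offers no scripting for this, so the analysis is done off-box.

```python
import re
from dataclasses import dataclass

@dataclass
class AuthAttempt:
    port: str
    user: str = ""
    authen_type: str = ""
    method: str = ""
    status: str = "UNKNOWN"
    reason: str = ""            # set only when status == FAIL

# Patterns for the AAA debug lines this chapter shows (tolerant of the odd
# spacing around port= and Method= that appears in the printed output).
CREATE_RE = re.compile(r"AAA/MEMORY: create_user \(0x[0-9A-Fa-f]+\) user='([^']*)' ruser='[^']*'"
                       r"\s*port\s*='([^']*)' rem_addr='[^']*' authen_type=(\w+)")
START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
METHOD_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): ?Method=(\w+)")
NOTFOUND_RE = re.compile(r"AAA/AUTHEN \((\d+)\): User not found")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): ?status = (\w+)")

def parse_aaa_debug(text):
    """Return one AuthAttempt per port, in order of first appearance."""
    attempts = {}        # port -> AuthAttempt (create_user lines carry the username)
    session_port = {}    # AAA session id -> port (from AUTHEN/START lines)
    def by_session(sid):
        return attempts.get(session_port.get(sid, ""))
    for line in text.splitlines():
        if m := CREATE_RE.search(line):
            user, port, atype = m.groups()
            attempts[port] = AuthAttempt(port, user, atype)
        elif m := START_RE.search(line):
            session_port[m.group(1)] = m.group(2)
        elif (m := METHOD_RE.search(line)) and (a := by_session(m.group(1))):
            a.method = m.group(2)
        elif (m := NOTFOUND_RE.search(line)) and (a := by_session(m.group(1))):
            a.reason = "no local username entry"     # distinguishes from bad password
        elif (m := STATUS_RE.search(line)) and (a := by_session(m.group(1))):
            a.status = m.group(2)
            if a.status == "FAIL" and not a.reason:
                a.reason = "password mismatch"       # user exists, LOCAL method failed
    return list(attempts.values())

# Constructed sample: the successful dude login, the unknown user maddog and the
# wrong-password attempt from this section, trimmed to the lines the parser uses.
SAMPLE_DEBUG = """\
*Sep 24 13:05:55.404: AAA/MEMORY: create_user (0x63E8FB70) user='dude' ruser=''port='Async1/2/09' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:05:55.404: AAA/AUTHEN/START (693233173): port='Async1/2/09' list='' action=LOGIN service=PPP
*Sep 24 13:05:55.404: AAA/AUTHEN/START (693233173): Method=LOCAL
*Sep 24 13:05:55.404: AAA/AUTHEN (693233173): status = PASS
*Sep 24 13:05:55.404: As1/2/09 PAP: O AUTH-ACK id 1 len 5
*Sep 24 13:11:28.964: AAA/MEMORY: create_user (0x63E43558) user='maddog' ruser='' port='Async1/2/10' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:11:28.964: AAA/AUTHEN/START (3281080218): port='Async1/2/10' list='' action=LOGIN service=PPP
*Sep 24 13:11:28.964: AAA/AUTHEN/START (3281080218): Method=LOCAL
*Sep 24 13:11:28.964: AAA/AUTHEN (3281080218): User not found, end of method list
*Sep 24 13:11:28.964: AAA/AUTHEN (3281080218): status = FAIL
*Sep 24 13:11:28.964: As1/2/10 PAP: O AUTH-NAK id 1 len 32 msg is "Password validation failure"
*Sep 24 13:13:59.032: AAA/MEMORY: create_user (0x63E9846C) user='dude' ruser='' port='Async1/2/11' rem_addr='4089548211/51121' authen_type=PAP service=PPP priv=1
*Sep 24 13:13:59.032: AAA/AUTHEN/START (3032205297): port='Async1/2/11' list='' action=LOGIN service=PPP
*Sep 24 13:13:59.032: AAA/AUTHEN/START (3032205297): Method=LOCAL
*Sep 24 13:13:59.032: AAA/AUTHEN (3032205297): status = FAIL
*Sep 24 13:13:59.032: As1/2/11 PAP: O AUTH-NAK id 1 len 32 msg is "Password validation failure"
"""
```

Feed it the output of `terminal monitor` with the two debug commands enabled; the "User not found" line is the only signal that separates a missing local username from a wrong password.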
Figure 5-3 provides a flowchart for troubleshooting the following three PPP layers:
LCP negotiation is a series of LCP packets exchanged between PPP peers to negotiate a set of options and option values for sending data. The LCP negotiation is actually two separate dialogs between the two PPP peers (Peer 1 and Peer 2):
Peer 1 and Peer 2 do not have to use the same set of LCP options. When a PPP peer sends its initial Configure-Request, the response is any of the following:
When a PPP peer receives a Configure-Nack or Configure-Reject in response to its Configure-Request, it sends a new Configure-Request with modified options or option values. When a Configure-Ack is received, the PPP peer is ready to send data.
Figure 5-4 shows an example LCP negotiation process for Peer 1 using the fictional options W, X, Y, and Z. Additionally, Figure 5-4 shows Peer 1 sending data to Peer 2 only. A separate LCP negotiation must take place so that Peer 2 can send data back to Peer 1. Very often, the LCP packets for Peer 1 and Peer 2 are intermixed during the connection process (that is, Peer 1 is configuring the way it sends data at the same time as Peer 2).
Figure 5-4 shows that:
1. Peer 1 sends a Configure-Request requesting option W, option X set to 100, option Y set to 0, and option Z. (Options W and Z are flag options.)
2. Peer 2 does not understand option Z so it sends a Configure-Reject containing option Z.
3. Peer 1 sends a new Configure-Request packet requesting option W, option X set to 100, and option Y set to 0.
4. Peer 2 prefers that option X be set to 200 so it sends a Configure-Nack containing option X and its preferred value.
5. Peer 1 sends a new Configure-Request packet requesting option W, option X set to 200, and option Y set to 0.
6. Peer 2 sends a Configure-Ack.
Each time Peer 1 sends a new Configure-Request, it changes the Identifier value in the LCP header so that Configure-Requests can be matched with their responses.
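The following Python model of the Figure 5-4 exchange is an added example, not code from the Cisco document. Peer 2 is given the options it implements (W, X, Y) and the value it insists on for X (200); Peer 1 re-sends Configure-Requests with a fresh Identifier, dropping rejected options and adopting nacked values, until it receives a Configure-Ack. The option names and the Peer2/negotiate helpers are the example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    code: str          # Configure-Request / Configure-Ack / Configure-Nack / Configure-Reject
    identifier: int    # LCP Identifier field; responses must echo the request's value
    options: dict      # option name -> value (None for flag options such as W and Z)

class Peer2:
    """The responding peer: implements a fixed option set and prefers some values."""
    def __init__(self, known, preferred):
        self.known = known          # option names this peer understands
        self.preferred = preferred  # option -> value it requires

    def respond(self, req):
        # Unrecognised options are Rejected first (they can never be negotiated).
        unknown = {o: v for o, v in req.options.items() if o not in self.known}
        if unknown:
            return Packet("Configure-Reject", req.identifier, unknown)
        # Recognised options with an unacceptable value are Nacked with the wanted value.
        wrong = {o: self.preferred[o] for o, v in req.options.items()
                 if o in self.preferred and v != self.preferred[o]}
        if wrong:
            return Packet("Configure-Nack", req.identifier, wrong)
        return Packet("Configure-Ack", req.identifier, dict(req.options))

def negotiate(wanted, peer2, max_rounds=10):
    """Peer 1's side of the one-way dialog. Returns (trace, agreed_options)."""
    options = dict(wanted)
    trace = []
    for ident in range(1, max_rounds + 1):        # new Identifier per Configure-Request
        req = Packet("Configure-Request", ident, dict(options))
        resp = peer2.respond(req)
        if resp.identifier != req.identifier:     # stale reply: cannot be matched to req
            raise RuntimeError("response Identifier does not match request")
        trace.append((req, resp))
        if resp.code == "Configure-Ack":
            return trace, options                 # Peer 1 may now send data
        if resp.code == "Configure-Reject":
            for o in resp.options:
                options.pop(o)                    # drop what the peer cannot handle
        else:                                     # Configure-Nack: take suggested values
            options.update(resp.options)
    raise RuntimeError("LCP negotiation did not converge")

def figure_5_4():
    """The six-packet exchange of Figure 5-4 with the chapter's fictional options."""
    peer2 = Peer2(known={"W", "X", "Y"}, preferred={"X": 200})
    return negotiate({"W": None, "X": 100, "Y": 0, "Z": None}, peer2)
```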
After a basic PPP modem call comes into the NAS, you should use some show commands to inspect several active call statistics. If you try to use the client's web browser after the modems connect, you will test DNS, IP, and other functions. If your test fails, try pinging the DNS server from the device that dialed in.
The show caller command is used to:
The show caller command has many options:
```
5800-NAS#show caller ?
  full        Provide expanded caller information
  interface   Provide information on one interface
  ip          Display IP information
  line        Provide information on one line
  timeouts    Display session and idle limits and disconnect time
  user        Display information for a particular user
  |           Output modifiers
  <cr>

5800-NAS#show caller
                                          Active   Idle
  Line       User      Service   Time     Time
  vty 0      admin     VTY       00:54:39 00:00:00
  tty 441    dude      Async     00:00:15 00:00:00
  As1/2/09   dude      PPP       00:00:08 00:00:00

5800-NAS#show caller user dude
  User: dude, line tty 441, service Async
        Active time 00:01:24, Idle time 00:01:05
  Timeouts:            Absolute  Idle      Idle
                                 Session   Exec
      Limits:          -         -         00:10:00
      Disconnect in:   -         -         -
  TTY: Line 1/2/09, running PPP on As1/2/09
  Location: PPP: 192.168.10.4
  DS0: (slot/unit/channel)=0/4/21
  Status: Ready, Active, No Exit Banner, Async Interface Active
          HW PPP Support Active, Modem Detected
  Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
                Modem Callout, Modem RI is CD,
                Line usable as async interface, Modem Autoconfigure
  Modem State: Ready, Modem Configured

  User: dude, line As1/2/09, service PPP
        Active time 00:01:17, Idle time 00:01:05
  Timeouts:            Absolute  Idle
      Limits:          -         -
      Disconnect in:   -         -
  PPP: LCP Open, PAP (<- AAA), IPCP
  IP: Local 172.22.66.23, remote 172.22.90.2
  Counts: 30 packets input, 1640 bytes, 0 no buffer
          1 input errors, 1 CRC, 0 frame, 0 overrun
          14 packets output, 290 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
```
In the previous example, notice that one call uses the following system resources:
Note: Different data is presented at each layer of the connection. Understanding the roles of the layers is very useful for troubleshooting purposes. The show caller user dude detailed command displays detailed LCP negotiated parameters.
Table 5-2 describes some of the significant display output fields of the show caller user command:
| Field | Description |
|---|---|
| User: dude, line tty 441, service Async | Active user on line TTY 441. The output fields are very similar to the show line command. |
| DS0: (slot/unit/channel)=0/4/21 | The DS0 channel used by the call. |
| User: admin, line As1/2/09, service PPP | Active user on asynchronous interface 1/2/09. The timeouts working on the PPP layer are displayed, which are different from the TTY line timeouts. |
| PPP: LCP Open, CHAP (<- AAA), IPCP | Superficial information about what is open in PPP. The field "(<- AAA)" is somewhat misleading. Local authentication is also from AAA. For more detailed IPCP information, enter the show caller user dude detail command. |
| IP: Local 172.22.66.23, remote 172.22.90.2 | The IP addresses on each end of the link. These values are only displayed on the output for the asynchronous interface. |
| Counts: | Counters from the show interface async 1/2/09 command output. |
Inspect fast-switching and route-caching performance statistics for the call. Incoming asynchronous calls can be fast switched. However, some features disable fast switching.
```
5800-NAS#show interface async 1/2/02
Async1/2/02 is up, line protocol is up
  modem=1/2/02, vdev_state(0x00000000)=CSM_OC_STATE, bchan_num=(T1 1/0/0:4:6)
  vdev_status(0x00000001): VDEV_STATUS_ACTIVE_CALL.
  Hardware is Async Serial
  Interface is unnumbered. Using address of FastEthernet0/1/0 (172.22.66.23)
  MTU 1500 bytes, BW 9 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set, keepalive not set
  DTR is pulsed for 5 seconds on reset
  LCP Open
  Open: IPCP
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/10, 0 drops; input queue 1/10, 0 drops
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 1 packets/sec
     1683 packets input, 112764 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1626 packets output, 108235 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
```
```
5800-NAS#show ip int async 1/2/02
Async1/2/02 is up, line protocol is up
  Interface is unnumbered. Using address of FastEthernet0/1/0 (172.22.66.23)
  Broadcast address is 255.255.255.255
  Peer address is 172.22.90.2
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is enabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is enabled and compressing
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
5800-NAS#
```
```
5800-NAS#show ip cache
IP routing cache 3 entries, 560 bytes
  109 adds, 106 invalidates, 3 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
  quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 22:17:01 ago

Prefix/Length       Age        Interface         Next Hop
172.61.0.0/16       15:13:22   FastEthernet0/1   172.22.66.1
172.22.67.67/32     00:06:10   FastEthernet0/1   172.22.67.2
172.22.68.67/32     00:06:09   FastEthernet0/1   172.22.68.3
```
```
5800-NAS#show interface async 1/2/02 stat
Async1/2/02
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        909      57050       1022      67918
             Route cache        155      14260          0          0
                   Total       1064      71310       1022       6791
```
Note: For more information, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/switch_r/xrswcmd.htm#xtocid872762
After completing the tasks in this section, the Cisco AS5800's final running configuration looks like the following example:
```
5800-NAS#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 5800-NAS
!
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
enable secret 5 $1$LKgL$tgi19XvWn7fld7JGt55p01
!
username dude password 7 045802150C2E
username admin password 7 044E1F050024
!
shelf-id 0 router-shelf
shelf-id 1 dial-shelf
!
resource-pool disable
!
modem-pool Default
 pool-range 1/2/0-1/10/143
!
spe 1/2/0 1/10/11
 firmware ios-bundled default
modem recovery action none
ip subnet-zero
no ip source-route
ip host guessme 172.22.100.9
ip domain-name the.net
ip name-server 172.22.11.10
ip name-server 172.22.12.11
!
async-bootp dns-server 172.30.10.1 172.30.10.2
isdn switch-type primary-ni
isdn voice-call-failure 0
!
controller T3 1/0/0
 framing m23
 cablelength 0
 t1 4 controller
!
controller T1 1/0/0:4
 framing esf
 pri-group timeslots 1-24
!
voice-port 1/0/0:4:D
!
process-max-time 200
!
interface Loopback0
 ip address 172.22.99.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback1
 ip address 172.22.90.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1/0
 ip address 172.22.66.23 255.255.255.0
 no ip directed-broadcast
!
interface Serial1/0/0:4:23
 no ip address
 no ip directed-broadcast
 isdn switch-type primary-ni
 isdn incoming-voice modem
 no cdp enable
!
interface Group-Async0
 ip unnumbered FastEthernet0/1/0
 no ip directed-broadcast
 encapsulation ppp
 async mode interactive
 peer default ip address pool addr-pool
 no cdp enable
 ppp authentication chap pap
 group-range 1/2/00 1/10/143
!
ip local pool addr-pool 172.22.90.2 172.22.90.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.66.1
no ip http server
!
banner login ^C
AS5800 Austin THEnet Dial Access Server
^C
!
line con 0
 transport input none
line aux 0
 transport input telnet
line vty 0 4
line 1/2/00 1/10/143
 autoselect during-login
 autoselect ppp
 modem InOut
 no modem log rs232
!
end
```
Perform the tasks in the section "Modem Management Operations."
Posted: Mon May 22 13:03:58 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.