Cisco Secure Access Control Server for Unix

Configuring Cisco Secure UNIX for Large Scale Dialout Using RADIUS

Document ID: 4185



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Cisco Secure UNIX RADIUS Configuration
      Route Download Profile
      Dialout Profile
      Callee Authentication Profile
Configure
      Network Diagram
      Configurations
Verify
Troubleshoot
      Troubleshooting Commands

Introduction

This document provides step-by-step instructions for configuring Cisco Secure UNIX for Large Scale Dialout (LSDO) using the RADIUS protocol. The configuration described here assumes that the ISDN connection works prior to attempting LSDO.

In this example, Bacteria is a router that acts as the caller, and Ohio is a router that acts as the receiver (or "callee"). Bacteria downloads information from Cisco Secure UNIX on the routes to remote sites (this includes Ohio) so that traffic hitting Bacteria with an Ohio network destination is properly routed. In addition, Bacteria dynamically composes the dialer-map to Ohio and authenticates Ohio through Cisco Secure UNIX.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Secure UNIX Version 2.3.5.2

  • Cisco IOS® Software Release 12.1(6)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Cisco Secure UNIX RADIUS Configuration

Route Download Profile

This profile downloads routes from Cisco Secure UNIX to Bacteria (the caller) and specifies the routes to Ohio (the callee).

Note: The password must be cisco.

root@kilimanjaro(/opt/csecure/CLI)./ViewProfile -p 9900 -u bacteria-1
User Profile Information
user = bacteria-1{
profile_id = 232
set server current-failed-logins = 0
profile_cycle = 45
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="ip:route=2.2.2.2 255.255.255.255 Dialer1 200 name ohio"
9,1="ip:route=10.8.8.5 255.255.255.255 2.2.2.2"
}
}

}

Dialout Profile

When there is traffic for Ohio, Bacteria fetches the "Ohio-out" profile from Cisco Secure UNIX in order to compose the dialer map dynamically. The password for this profile is hardcoded as cisco in releases before Cisco IOS Software Release 12.1.5T; from that release on, the password is configurable with the dialer aaa command.

These are the required parameters:

  • User service type is outbound user.

  • Dial number is required.

  • "send-secret" is sent to Ohio when it sends a Challenge Handshake Authentication Protocol (CHAP) request.

  • "send-auth=2" represents CHAP.

root@kilimanjaro(/opt/csecure/CLI)./ViewProfile -p 9900 -u ohio-out
User Profile Information
user = ohio-out{
profile_id = 36
profile_cycle = 5
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
6=5
9,1="outbound:send-auth=2"
9,1="outbound:dial-number=244"
9,1="outbound:send-secret=cisco1"
}
}

}

Callee Authentication Profile

This profile should also contain the authentication, authorization, and accounting (AAA) parameters in case AAA authorization is configured. The only parameters required are:

  • Framed-Protocol=PPP

  • User-Service-Type (Framed user)

root@kilimanjaro(/opt/csecure/CLI)./ViewProfile -p 9900 -u ohio
User Profile Information
user = ohio{
profile_id = 47
profile_cycle = 3
password = chap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}

}
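
The required reply attributes listed for the dialout and callee profiles can be checked mechanically. The following Python code is an added example, not part of the original document or of Cisco Secure UNIX: it parses ViewProfile output (abridged here to the fields the checks use) and reports missing or inconsistent LSDO parameters. The function names are hypothetical, and the comparison of send-secret with the callee's local username line is an assumption drawn from the Ohio configuration on this page.

```python
import re

# Profiles as printed by ViewProfile on this page (profile_id etc. omitted).
OHIO_OUT = """user = ohio-out{
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
6=5
9,1="outbound:send-auth=2"
9,1="outbound:dial-number=244"
9,1="outbound:send-secret=cisco1"
}
}
}"""
OHIO = """user = ohio{
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}
}"""
# Constructed negative case: Service-Type changed and dial-number removed.
BROKEN_OUT = OHIO_OUT.replace("6=5", "6=2").replace('9,1="outbound:dial-number=244"\n', "")
# Line from the Ohio router configuration on this page.
OHIO_CONFIG = "username bacteria password 0 cisco1\n"

ATTR = re.compile(r'^(\d+(?:,\d+)?)\s*=\s*"?(.*?)"?$')

def parse_profile(text):
    """Parse ViewProfile output into the user name and attribute lists."""
    prof, section = {"user": None, "check_items": [], "reply_attributes": []}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"user\s*=\s*([^\s{]+)\s*\{", line)
        if m:
            prof["user"] = m.group(1)
        elif line.startswith(("check_items", "reply_attributes")):
            section = line.split("=")[0].strip()
        elif line == "}":
            section = None
        elif section and ATTR.match(line):
            prof[section].append(ATTR.match(line).groups())
    return prof

def avpairs(prof):
    """Cisco VSA (9,1) strings 'protocol:name=value' -> {(protocol, name): value}."""
    out = {}
    for key, val in prof["reply_attributes"]:
        proto, _, rest = val.partition(":")
        name, eq, value = rest.partition("=")
        if key == "9,1" and eq:
            out[(proto, name)] = value
    return out

def check_dialout(prof, callee_config="", caller=""):
    """Return a list of problems in a '<callee>-out' profile; empty means OK."""
    std = {k: v for k, v in prof["reply_attributes"] if "," not in k}
    av, problems = avpairs(prof), []
    if not (prof["user"] or "").endswith("-out"):
        problems.append("profile name lacks the -out suffix")
    if std.get("6") != "5":
        problems.append("Service-Type (6) is not 5 (Outbound)")
    for name in ("dial-number", "send-secret"):
        if not av.get(("outbound", name)):
            problems.append(f"missing outbound:{name}")
    if av.get(("outbound", "send-auth")) != "2":
        problems.append("outbound:send-auth is not 2 (CHAP)")
    # Assumption: the callee checks the caller against a local cleartext entry.
    m = re.search(rf"^username {re.escape(caller)} password 0 (\S+)", callee_config, re.M)
    if caller and m and m.group(1) != av.get(("outbound", "send-secret")):
        problems.append("send-secret differs from callee's password for caller")
    return problems

def check_callee(prof):
    """Callee profile needs Service-Type=Framed (6=2) and Framed-Protocol=PPP (7=1)."""
    std = dict(prof["reply_attributes"])
    want = {"6": ("2", "Service-Type=Framed"), "7": ("1", "Framed-Protocol=PPP")}
    return [f"{label} ({k}={v}) not set" for k, (v, label) in want.items() if std.get(k) != v]

if __name__ == "__main__":
    print([check_dialout(parse_profile(t), OHIO_CONFIG, "bacteria") for t in (OHIO_OUT, BROKEN_OUT)])
```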

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in this diagram.

[Network diagram: csunix-lsdo.gif]

Configurations

This document uses the configurations shown here.

Bacteria Router

bacteria#show run
Building configuration...

Current configuration : 1358 bytes
!
version 12.1 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname bacteria 
! 
aaa new-model
aaa authentication login default none 
aaa authentication ppp default group radius 
aaa authentication ppp pppauthen group radius 
aaa authorization network pppauthor group radius 
aaa authorization configuration default group radius 
aaa route download 15
enable password ww 
! 
ip subnet-zero 
ip wccp web-cache 
no ip finger 
! 
isdn switch-type basic-net3 
! 
interface Loopback1 
no ip address 
! 
interface Ethernet0 
ip address 172.17.241.2 255.255.255.0 
! 
interface Ethernet1 
no ip address 
shutdown 
! 
interface BRI0 
no ip address 
encapsulation ppp 
dialer rotary-group 1 
isdn switch-type basic-net3 
no cdp enable 
! 
interface Dialer1 
ip unnumbered Ethernet0 
encapsulation ppp 
load-interval 30 
dialer in-band 
dialer aaa 
dialer-group 1 
no cdp enable 
ppp authentication chap pppauthen 
ppp authorization pppauthor
! 
ip classless 
no ip http server 
! 
dialer-list 1 protocol ip permit 
radius-server host 172.17.241.20 auth-port 1645 acct-port 1646 
radius-server retransmit 3 
radius-server key cisco
! 
line con 0 
exec-timeout 0 0 
transport input none 
line vty 0 4 
exec-timeout 0 0 
! 
end 

Ohio Router

ohio#show run
Building configuration...

Current configuration : 1172 bytes 
! 
! Last configuration change at 11:15:05 UTC Tue Mar 20 2001 
! 
version 12.1 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname ohio 
! 
aaa new-model
aaa authentication login default none 
aaa authentication ppp default local
enable password ww 
! 
username bacteria password 0 cisco1
! 
ip subnet-zero 
no ip finger 
! 
isdn switch-type basic-net3 
! 
interface Loopback0 
ip address 10.8.8.5 255.255.255.255 
! 
interface Ethernet0 
! 
interface Ethernet1 
no ip address 
shutdown 
! 
interface BRI0 
no ip address 
encapsulation ppp 
dialer pool-member 1 
isdn switch-type basic-net3 
! 
interface Dialer1 
ip address 2.2.2.2 255.255.255.0 
encapsulation ppp 
dialer pool 1 
dialer remote-name bacteria 
dialer string 245 
dialer-group 1 
no peer default ip address 
pulse-time 0 
no cdp enable 
ppp authentication chap callin 
ppp chap hostname ohio
! 
ip classless 
no ip http server 
! 
dialer-list 1 protocol ip permit 
! 
line con 0 
exec-timeout 0 0 
transport input none 
line vty 0 4 
! 
end

ohio#

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

  • debug aaa authentication—Displays information on AAA authentication.

  • debug aaa authorization—Displays information on AAA authorization.

  • debug radius—Displays information associated with the RADIUS protocol.

  • debug ppp authentication—Displays authentication protocol messages, including CHAP packet exchanges and Password Authentication Protocol (PAP) exchanges.

  • debug ppp negotiation—Displays PPP packets transmitted during PPP startup, where PPP options are negotiated.

Note: Some of this "good" debug output has been wrapped to multiple lines because of spacing considerations.

Bacteria Debug

bacteria#show debug
General OS:
 AAA Authentication debugging is on
 AAA Authorization debugging is on
PPP:
 PPP authentication debugging is on
 PPP protocol negotiation debugging is on
Radius protocol debugging is on
bacteria#debug dial
Dial on demand events debugging is on

!--- Clear and download routes manually.

bacteria#clear ip route download reload
Mar 20 12:14:06.030: AAA: parse name=<no string> idb type=-1 tty=-1
Mar 20 12:14:06.030: AAA/MEMORY: create_user (0x2F71D94) user='' ruser=''
   port='' rem_addr='' authen_type=NONE service=LOGIN priv=0
Mar 20 12:14:06.038: unknown AAA/AUTHOR/CONFIG (4084759268): Port=''
   list='default' service=unknown
Mar 20 12:14:06.042: AAA/AUTHOR/CONFIG: unknown (4084759268) user='bacteria-1'
Mar 20 12:14:06.042: unknown AAA/AUTHOR/CONFIG (4084759268): send AV service=ppp
Mar 20 12:14:06.046: unknown AAA/AUTHOR/CONFIG (4084759268): send AV protocol=ip
Mar 20 12:14:06.046: unknown AAA/AUTHOR/CONFIG (4084759268): found list "default"
Mar 20 12:14:06.050: unknown AAA/AUTHOR/CONFIG (4084759268): Method=radius (radius)
Mar 20 12:14:06.050: RADIUS: authenticating to get author data
Mar 20 12:14:06.054: RADIUS: ustruct sharecount=2
Mar 20 12:14:06.058: RADIUS: Initial Transmit id 154 172.17.241.20:1645,
   Access-Request, len 68
Mar 20 12:14:06.062: Attribute 4 6 AC11F102
Mar 20 12:14:06.062: Attribute 61 6 00000000
Mar 20 12:14:06.062: Attribute 1 12 62616374
Mar 20 12:14:06.066: Attribute 2 18 D1F7B4AC
Mar 20 12:14:06.066: Attribute 6 6 00000005
Mar 20 12:14:06.189: RADIUS: Received from id 154 172.17.241.20:1645,
   Access-Accept, len 131
Mar 20 12:14:06.189: Attribute 26 62 0000000901386970
Mar 20 12:14:06.193: Attribute 26 49 00000009012B6970
Mar 20 12:14:06.197: RADIUS: saved authorization data for
   user 2F71D94 at 2F77564
Mar 20 12:14:06.201: RADIUS: cisco AVPair 
   "ip:route=2.2.2.2 255.255.255.255 Dialer1 200 name ohio"
Mar 20 12:14:06.205: RADIUS: cisco AVPair 
   "ip:route=10.8.8.5 255.255.255.255 2.2.2.2"
Mar 20 12:14:06.209: AAA/AUTHOR (4084759268): Post authorization
   status = PASS_REPL
Mar 20 12:14:06.209: AAA/AUTHOR/CONFIG: Processing AV route=2.2.2.2 255.255.255.255
   Dialer1 200 name ohio
Mar 20 12:14:06.213: AAA/AUTHOR/CONFIG: Parse 'ip route 2.2.2.2 255.255.255.255
   Dialer1 200 name ohio'
Mar 20 12:14:06.364: AAA/AUTHOR/CONFIG: Parse returned ok (0)
Mar 20 12:14:06.364: AAA/AUTHOR/CONFIG: Processing
   AV route=10.8.8.5 255.255.255.255 2.2.2.2
Mar 20 12:14:06.368: AAA/AUTHOR/CONFIG: Parse
   'ip route 10.8.8.5 255.255.255.255 2.2.2.2'
Mar 20 12:14:06.395: AAA/AUTHOR/CONFIG: Parse returned ok (0)
Mar 20 12:14:06.395: unknown AAA/AUTHOR/CONFIG (1200529675): 
   Port='' list='default' service=unknown
Mar 20 12:14:06.399: AAA/AUTHOR/CONFIG: unknown (1200529675) user='bacteria-2'
Mar 20 12:14:06.399: unknown AAA/AUTHOR/CONFIG (1200529675): send AV service=ppp
Mar 20 12:14:06.403: unknown AAA/AUTHOR/CONFIG (1200529675): send AV protocol=ip
Mar 20 12:14:06.403: AAA/AUTHOR/CONFIG: unknown (1200529675) 
   Processing AV route=2.2.2.2 255.255.255.255 Dialer1 200 name ohio
Mar 20 12:14:06.407: AAA/AUTHOR/CONFIG: unknown (1200529675)
   Processing AV route=10.8.8.5 255.255.255.255 2.2.2.2
Mar 20 12:14:06.411: unknown AAA/AUTHOR/CONFIG (1200529675): found list "default"
Mar 20 12:14:06.411: unknown AAA/AUTHOR/CONFIG (1200529675): Method=radius (radius)
Mar 20 12:14:06.415: RADIUS: authenticating to get author data
Mar 20 12:14:06.415: RADIUS: ustruct sharecount=2
Mar 20 12:14:06.419: RADIUS: Initial Transmit id 155 172.17.241.20:1645,
   Access-Request, len 68
Mar 20 12:14:06.423: Attribute 4 6 AC11F102
Mar 20 12:14:06.423: Attribute 61 6 00000000
Mar 20 12:14:06.427: Attribute 1 12 62616374
Mar 20 12:14:06.427: Attribute 2 18 B7819303
Mar 20 12:14:06.427: Attribute 6 6 00000005
Mar 20 12:14:07.490: RADIUS: Received from id 155 172.17.241.20:1645,
   Access-Reject, len 20
Mar 20 12:14:07.506: RADIUS: saved authorization data for user 2F71D94 at 0 
Mar 20 12:14:07.506: RADIUS: failed to get authorization data: authen status = 2
Mar 20 12:14:07.506: AAA/AUTHOR (1200529675): Post authorization status = ERROR
Mar 20 12:14:07.510: unknown AAA/AUTHOR/CONFIG (1200529675): Method=NOT_SET
Mar 20 12:14:07.510: unknown AAA/AUTHOR/CONFIG (1200529675): no methods left to try
Mar 20 12:14:07.514: AAA/AUTHOR (1200529675): Post authorization status = ERROR
Mar 20 12:14:07.514: AAA/AUTHOR/CONFIG: route downloading completed
Mar 20 12:14:07.518: AAA/MEMORY: free_user (0x2F71D94) user='bacteria-2' ruser=''
   port='' rem_addr='' authen_type=NONE service=LOGIN priv=0

!--- Show the downloaded route to the remote network.
!--- If everything goes well up to this step, you see the following.

bacteria#show ip route static download
Connectivity: A - Active, I - Inactive
2.2.2.2 255.255.255.255 Dialer1 200 name ohio
10.8.8.5 255.255.255.255 2.2.2.2

!--- Initiate traffic from the caller router to the
!--- callee router's loopback to bring up the link.

bacteria#ping 10.8.8.5

!--- Bacteria initiates call to Ohio.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.5, timeout is 2 seconds:
Mar 20 12:00:24.015: 6018: Same state, 0
Mar 20 12:00:24.015: DSES 6018: Session create
Mar 20 12:00:24.019: DSES 0x6018: Building dialer map
Mar 20 12:00:24.023: DSES 0x6018: Next hop name is ohio
Mar 20 12:00:24.023: AAA: parse name=Dialer1 idb type=-1 tty=-1
Mar 20 12:00:24.027: AAA: name=Dialer1 flags=0x11 type=6 shelf=0 slot=0
   adapter=0 port=1 channel=0
Mar 20 12:00:24.027: AAA: parse name=<no string> idb type=-1 tty=-1
Mar 20 12:00:24.031: AAA/MEMORY: create_user (0x2F6ED60) user='ohio-out' ruser=''
   port='Dialer1' rem_addr='Dial out' authen_type=NONE service=LOGIN priv=0
Mar 20 12:00:24.035: Di1 AAA/AUTHOR/DIALOUT (324326219): Port='Dialer1'
   list='default' service=unknown
Mar 20 12:00:24.039: AAA/AUTHOR/DIALOUT: Di1 (324326219) user='ohio-out'
Mar 20 12:00:24.039: Di1 AAA/AUTHOR/DIALOUT (324326219): send AV service=outbound
Mar 20 12:00:24.039: Di1 AAA/AUTHOR/DIALOUT (324326219): send AV protocol=ip 
Mar 20 12:00:24.043: Di1 AAA/AUTHOR/DIALOUT (324326219): found list "default"
Mar 20 12:00:24.043: Di1 AAA/AUTHOR/DIALOUT (324326219): Method=radius (radius)
Mar 20 12:00:24.047: RADIUS: authenticating to get author data
Mar 20 12:00:24.047: RADIUS: ustruct sharecount=2
Mar 20 12:00:24.055: RADIUS: Initial Transmit Dialer1 id 150 172.17.241.20:1645,
   Access-Request, len 76
Mar 20 12:00:24.055: Attribute 4 6 AC11F102
Mar 20 12:00:24.059: Attribute 61 6 00000000
Mar 20 12:00:24.059: Attribute 1 10 6F68696F
Mar 20 12:00:24.059: Attribute 31 10 4469616C
Mar 20 12:00:24.063: Attribute 2 18 B8255AF6
Mar 20 12:00:24.063: Attribute 6 6 00000005
Mar 20 12:00:24.123: RADIUS: Received from id 150 172.17.241.20:1645,
   Access-Accept, len 121
Mar 20 12:00:24.127: Attribute 6 6 00000005
Mar 20 12:00:24.127: Attribute 26 28 0000000901166F75
Mar 20 12:00:24.130: Attribute 26 32 00000009011A6F75
Mar 20 12:00:24.130: Attribute 26 35 00000009011D6F75
Mar 20 12:00:24.134: RADIUS: saved authorization data for user 
   2F6ED60 at 2F79CBC
Mar 20 12:00:24.138: RADIUS: cisco AVPair "outbound:send-auth=2"
Mar 20 12:00:24.142: RADIUS: cisco AVPair "outbound:dial-number=244"
Mar 20 12:00:24.142: RADIUS: cisco AVPair "outbound:send-secret=cisco1"
Mar 20 12:00:24.146: Di1 AAA/AUTHOR (324326219): Post authorization 
   status = PASS_REPL
Mar 20 12:00:24.146: Di1 AAA/AUTHOR/DIALOUT: Processing AV send-auth=2
Mar 20 12:00:24.150: Di1 AAA/AUTHOR/DIALOUT: Processing AV dial-number=244
Mar 20 12:00:24.150: Di1 AAA/AUTHOR/DIALOUT: Processing AV send-secret=cisco1
Mar 20 12:00:24.154: Di1 AAA/AUTHOR/DIALOUT: Authorization succeeded
Mar 20 12:00:24.158: Di1 AAA/AUTHOR/DIALOUT: truncating '-out' suffix,
   user now is 'ohio'
Mar 20 12:00:24.158: %LSDialout: temporary debug to verify the data integrity
Mar 20 12:00:24.158: dial number = 244
Mar 20 12:00:24.162: dialnum_count = 1
Mar 20 12:00:24.162: force_56 = 0
Mar 20 12:00:24.162: routing = 0
Mar 20 12:00:24.166: data_svc = -1
Mar 20 12:00:24.166: port_type = -1
Mar 20 12:00:24.166: map_class =
Mar 20 12:00:24.166: ip_address = 0.0.0.0
Mar 20 12:00:24.170: send_secret = cisco1
Mar 20 12:00:24.170: send_auth = 2
Mar 20 12:00:24.174: BR0 DDR: rotor dialout [priority]
Mar 20 12:00:24.174: BR0 DDR: Dialing cause dialer session 0x6018
Mar 20 12:00:24.178: BR0 DDR: Attempting to dial 244
Mar 20 12:00:24.210: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0,
   TEI 66 changed to up
Mar 20 12:00:25.785: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 
Mar 20 12:00:25.805: BR0:1 PPP: Treating connection as a callout 
Mar 20 12:00:25.809: BR0:1 PPP: Phase is ESTABLISHING, Active Open 
Mar 20 12:00:25.813: BR0:1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially 
Mar 20 12:00:25.813: BR0:1 LCP: O CONFREQ [Closed] id 101 len 15 
Mar 20 12:00:25.817: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:25.817: BR0:1 LCP: MagicNumber 0x258B27C2 (0x0506258B27C2) 
Mar 20 12:00:25.861: BR0:1 LCP: I CONFREQ [REQsent] id 102 len 15 
Mar 20 12:00:25.861: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:25.865: BR0:1 LCP: MagicNumber 0x488AD858 (0x0506488AD858) 
Mar 20 12:00:25.868: BR0:1 LCP: O CONFACK [REQsent] id 102 len 15 
Mar 20 12:00:25.868: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:25.872: BR0:1 LCP: MagicNumber 0x488AD858 (0x0506488AD858) 
Mar 20 12:00:25.876: BR0:1 LCP: I CONFACK [ACKsent] id 101 len 15 
Mar 20 12:00:25.876: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:25.880: BR0:1 LCP: MagicNumber 0x258B27C2 (0x0506258B27C2) 
Mar 20 12:00:25.884: BR0:1 LCP: State is Open 
Mar 20 12:00:25.884: BR0:1 PPP: Phase is AUTHENTICATING, by both 
Mar 20 12:00:25.888: BR0:1 CHAP: O CHALLENGE id 73 len 29 from "bacteria" 
Mar 20 12:00:25.904: BR0:1 CHAP: I CHALLENGE id 66 len 25 from "ohio" 
Mar 20 12:00:25.908: AAA: parse name=BRI0:1 idb type=14 tty=-1
Mar 20 12:00:25.912: AAA: name=BRI0:1 flags=0x51 type=2 shelf=0 slot=0
   adapter=0 port=0 channel=1
Mar 20 12:00:25.912: AAA: parse name=<no string> idb type=-1 tty=-1
Mar 20 12:00:25.916: AAA/MEMORY: create_user (0x2F7C4AC) user='ohio' ruser=''
   port='BRI0:1' rem_addr='244' authen_type=CHAP service=PPP priv=1
Mar 20 12:00:25.916: AAA/AUTHEN/START (2058338926): port='BRI0:1'
   list='pppauthen' action=SENDAUTH service=PPP
Mar 20 12:00:25.920: AAA/AUTHEN/START (2058338926): found list pppauthen
.!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 36/36/36 ms
bacteria#
Mar 20 12:00:25.920: AAA/AUTHEN/START (2058338926): Method=radius (radius)

!--- Bacteria uses the send-secret from the ohio-out profile, 
!--- which was cached in response to the CHAP challenge from Ohio.

Mar 20 12:00:25.924: AAA/AUTHEN/SENDAUTH (2058338926): found cached secret for ohio
Mar 20 12:00:25.928: AAA/AUTHEN (2058338926): status = PASS
Mar 20 12:00:25.928: AAA/MEMORY: free_user (0x2F7C4AC) user='ohio' ruser=''
   port='BRI0:1' rem_addr='244' authen_type=CHAP service=PPP priv=1
Mar 20 12:00:25.932: BR0:1 CHAP: O RESPONSE id 66 len 29 from "bacteria"
Mar 20 12:00:25.956: BR0:1 CHAP: I SUCCESS id 66 len 4

!--- The above shows a successful authentication to Ohio.
!--- Now it is Ohio's turn to authenticate Bacteria.
!--- Bacteria receives the CHAP response from Ohio now.

Mar 20 12:00:25.972: BR0:1 CHAP: I RESPONSE id 73 len 25 from "ohio"
Mar 20 12:00:25.976: AAA: parse name=BRI0:1 idb type=14 tty=-1
Mar 20 12:00:25.980: AAA: name=BRI0:1 flags=0x51 type=2 shelf=0 slot=0
   adapter=0 port=0 channel=1
Mar 20 12:00:25.980: AAA: parse name=<no string> idb type=-1 tty=-1
Mar 20 12:00:25.984: AAA/MEMORY: create_user (0x2F7C4AC) user='ohio' ruser=''
   port='BRI0:1' rem_addr='244' authen_type=CHAP service=PPP priv=1
Mar 20 12:00:25.984: AAA/AUTHEN/START (2332678419): port='BRI0:1'
   list='pppauthen' action=LOGIN service=PPP
Mar 20 12:00:25.988: AAA/AUTHEN/START (2332678419): found list pppauthen
Mar 20 12:00:25.988: AAA/AUTHEN/START (2332678419): Method=radius (radius)
Mar 20 12:00:25.991: RADIUS: ustruct sharecount=1
Mar 20 12:00:25.999: RADIUS: Initial Transmit BRI0:1 id 151 172.17.241.20:1645,
   Access-Request, len 80
Mar 20 12:00:25.999: Attribute 4 6 AC11F102
Mar 20 12:00:26.003: Attribute 5 6 00007531
Mar 20 12:00:26.003: Attribute 61 6 00000002
Mar 20 12:00:26.003: Attribute 1 6 6F68696F
Mar 20 12:00:26.007: Attribute 31 5 32343403
Mar 20 12:00:26.007: Attribute 3 19 495D0BB6

!--- Bacteria computes whether the expected CHAP response from Ohio matches
!--- Bacteria's password. Bacteria looks for this password in the AAA server and verifies
!--- that Ohio passes CHAP authentication.

Mar 20 12:00:26.011: Attribute 6 6 00000002 
Mar 20 12:00:26.011: Attribute 7 6 00000001
Mar 20 12:00:26.118: RADIUS: Received from id 151 172.17.241.20:1645,
   Access-Accept, len 32 
Mar 20 12:00:26.118: Attribute 6 6 00000002 
Mar 20 12:00:26.122: Attribute 7 6 00000001 
Mar 20 12:00:26.126: AAA/AUTHEN (2332678419): status = PASS 
Mar 20 12:00:26.126: BR0:1 AAA/AUTHOR/LCP: Authorize LCP 
Mar 20 12:00:26.130: BR0:1 AAA/AUTHOR/LCP (2058167235): Port='BRI0:1'
   list='pppauthor' service=NET 
Mar 20 12:00:26.130: AAA/AUTHOR/LCP: BR0:1 (2058167235) user='ohio' 
Mar 20 12:00:26.134: BR0:1 AAA/AUTHOR/LCP (2058167235): send AV service=ppp 
Mar 20 12:00:26.134: BR0:1 AAA/AUTHOR/LCP (2058167235): send AV protocol=lcp 
Mar 20 12:00:26.138: BR0:1 AAA/AUTHOR/LCP (2058167235): found list "pppauthor" 
Mar 20 12:00:26.138: BR0:1 AAA/AUTHOR/LCP (2058167235): Method=radius (radius) 
Mar 20 12:00:26.142: BR0:1 AAA/AUTHOR (2058167235):
   Post authorization status = PASS_REPL 
Mar 20 12:00:26.142: BR0:1 AAA/AUTHOR/LCP: Processing AV service=ppp 
Mar 20 12:00:26.146: BR0:1 CHAP: O SUCCESS id 73 len 4 
Mar 20 12:00:26.150: BR0:1 PPP: Phase is UP 
Mar 20 12:00:26.154: BR0:1 AAA/AUTHOR/FSM: (0): Can we start IPCP? 
Mar 20 12:00:26.158: BR0:1 AAA/AUTHOR/FSM (3151880806): Port='BRI0:1'
   list='pppauthor' service=NET 
Mar 20 12:00:26.158: AAA/AUTHOR/FSM: BR0:1 (3151880806) user='ohio' 
Mar 20 12:00:26.162: BR0:1 AAA/AUTHOR/FSM (3151880806): send AV service=ppp 
Mar 20 12:00:26.162: BR0:1 AAA/AUTHOR/FSM (3151880806): send AV protocol=ip 
Mar 20 12:00:26.166: BR0:1 AAA/AUTHOR/FSM (3151880806): found list "pppauthor" 
Mar 20 12:00:26.166: BR0:1 AAA/AUTHOR/FSM (3151880806): Method=radius (radius) 
Mar 20 12:00:26.170: BR0:1 AAA/AUTHOR (3151880806):
   Post authorization status = PASS_REPL 
Mar 20 12:00:26.170: BR0:1 AAA/AUTHOR/FSM: We can start IPCP 
Mar 20 12:00:26.174: BR0:1 IPCP: O CONFREQ [Closed] id 23 len 10 
Mar 20 12:00:26.178: BR0:1 IPCP: Address 172.17.241.2 (0x0306AC11F102) 
Mar 20 12:00:26.182: BR0:1 IPCP: I CONFREQ [REQsent] id 27 len 10 
Mar 20 12:00:26.186: BR0:1 IPCP: Address 2.2.2.2 (0x030602020202) 
Mar 20 12:00:26.190: BR0:1 AAA/AUTHOR/IPCP: Start. Her address 2.2.2.2,
   we want 2.2.2.2 
Mar 20 12:00:26.194: BR0:1 AAA/AUTHOR/IPCP (2349819948): Port='BRI0:1'
   list='pppauthor' service=NET 
Mar 20 12:00:26.194: AAA/AUTHOR/IPCP: BR0:1 (2349819948) user='ohio' 
Mar 20 12:00:26.198: BR0:1 AAA/AUTHOR/IPCP (2349819948): send AV service=ppp 
Mar 20 12:00:26.198: BR0:1 AAA/AUTHOR/IPCP (2349819948): send AV protocol=ip 
Mar 20 12:00:26.202: BR0:1 AAA/AUTHOR/IPCP (2349819948): send AV addr*2.2.2.2
Mar 20 12:00:26.202: BR0:1 AAA/AUTHOR/IPCP (2349819948): found list "pppauthor" 
Mar 20 12:00:26.206: BR0:1 AAA/AUTHOR/IPCP (2349819948): Method=radius (radius) 
Mar 20 12:00:26.210: BR0:1 AAA/AUTHOR (2349819948): Post authorization
   status = PASS_REPL 
Mar 20 12:00:26.210: BR0:1 AAA/AUTHOR/IPCP: Reject 2.2.2.2, using 2.2.2.2 
Mar 20 12:00:26.214: BR0:1 AAA/AUTHOR/IPCP: Processing AV service=ppp 
Mar 20 12:00:26.218: BR0:1 AAA/AUTHOR/IPCP: Processing AV addr*2.2.2.2 
Mar 20 12:00:26.218: BR0:1 AAA/AUTHOR/IPCP: Authorization succeeded 
Mar 20 12:00:26.222: BR0:1 AAA/AUTHOR/IPCP: Done. Her address 2.2.2.2,
   we want 2.2.2.2 
Mar 20 12:00:26.226: BR0:1 IPCP: O CONFACK [REQsent] id 27 len 10 
Mar 20 12:00:26.226: BR0:1 IPCP: Address 2.2.2.2 (0x030602020202) 
Mar 20 12:00:26.230: BR0:1 IPCP: I CONFACK [ACKsent] id 23 len 10 
Mar 20 12:00:26.234: BR0:1 IPCP: Address 172.17.241.2 (0x0306AC11F102) 
Mar 20 12:00:26.234: BR0:1 IPCP: State is Open 
Mar 20 12:00:26.241: BR0:1 DDR: dialer protocol up 
Mar 20 12:00:26.245: BR0:1: Call connected, 1 packets unqueued,
   0 transmitted, 1 discarded
Mar 20 12:00:26.249: Di1 IPCP: Install route to 2.2.2.2 
Mar 20 12:00:27.662: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
   changed state to up
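
The `Attribute <type> <length> <hex>` lines in the Bacteria debug can be read with a small decoder. The following Python code is an added example, not part of the original document: it assumes, from the lengths shown in this debug, that only the leading octets of each value are printed; attribute and enumeration names are those of RFC 2865, and the function names are hypothetical.

```python
import ipaddress
import re

NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
         4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         7: "Framed-Protocol", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 61: "NAS-Port-Type"}
ENUMS = {6: {2: "Framed", 5: "Outbound"},      # Service-Type
         7: {1: "PPP"},                        # Framed-Protocol
         61: {0: "Async", 2: "ISDN Sync"}}     # NAS-Port-Type
LINE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)\s*$")

# Lines copied from the Bacteria debug on this page.
SAMPLE = """\
Mar 20 12:00:24.127: Attribute 26 28 0000000901166F75
Mar 20 12:00:25.999: Attribute 4 6 AC11F102
Mar 20 12:00:26.003: Attribute 5 6 00007531
Mar 20 12:00:26.003: Attribute 61 6 00000002
Mar 20 12:00:26.003: Attribute 1 6 6F68696F
Mar 20 12:00:26.007: Attribute 31 5 32343403
Mar 20 12:00:26.007: Attribute 3 19 495D0BB6
Mar 20 12:00:26.011: Attribute 6 6 00000002
Mar 20 12:14:06.062: Attribute 1 12 62616374
"""

def text(raw, full_len):
    """ASCII prefix, marked with '...' when the debug line cut the value short."""
    return raw.decode("ascii", "replace") + ("..." if full_len > len(raw) else "")

def decode(line):
    """Return (attribute name, interpretation) for one debug line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    atype, alen = int(m.group(1)), int(m.group(2))
    shown = bytes.fromhex(m.group(3))
    vlen = alen - 2              # the length field counts the type and length octets
    value = shown[:vlen]         # drop octets printed past the attribute's end
    name = NAMES.get(atype, f"Attribute-{atype}")
    if atype == 4 and len(value) == 4:
        return name, str(ipaddress.IPv4Address(value))
    if atype == 5:
        return name, str(int.from_bytes(value, "big"))
    if atype in ENUMS:
        n = int.from_bytes(value, "big")
        return name, ENUMS[atype].get(n, str(n))
    if atype in (1, 31):
        return name, text(value, vlen)
    if atype == 2:               # value is hidden with the shared secret
        return name, f"{vlen} hidden octets"
    if atype == 3 and value:     # CHAP ident followed by the response
        return name, f"CHAP id {value[0]}, {vlen - 1}-octet response"
    if atype == 26 and len(shown) >= 6:   # vendor id, vendor type, vendor length
        vendor, vtype, sub = int.from_bytes(shown[:4], "big"), shown[4], shown[5]
        ok = "consistent" if alen == 6 + sub else "length mismatch"
        return name, f"vendor {vendor} type {vtype} len {sub} ({ok}) '{text(shown[6:], sub - 2)}'"
    return name, value.hex()

def decode_all(log):
    """Decode every Attribute line in a block of debug output."""
    return [d for d in map(decode, log.splitlines()) if d]

if __name__ == "__main__":
    for name, meaning in decode_all(SAMPLE):
        print(f"{name:20} {meaning}")
```

The CHAP-Password ident decoded from the last Access-Request (73) is the same id as the `O CHALLENGE id 73` that Bacteria sent to Ohio, which ties that request to the PPP challenge.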

Ohio Debug

ohio#show debug
PPP: 
 PPP authentication debugging is on 
 PPP protocol negotiation debugging is on 
Mar 20 12:00:26.293: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1 
Mar 20 12:00:26.309: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up 
Mar 20 12:00:26.329: BR0:1 PPP: Treating connection as a callin 
Mar 20 12:00:26.329: BR0:1 PPP: Phase is ESTABLISHING, Passive Open 
Mar 20 12:00:26.333: BR0:1 LCP: State is Listen 
Mar 20 12:00:26.337: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0,
   TEI 75 changed to up 
Mar 20 12:00:27.448: BR0:1 LCP: I CONFREQ [Listen] id 101 len 15 
Mar 20 12:00:27.452: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:27.456: BR0:1 LCP: MagicNumber 0x258B27C2 (0x0506258B27C2) 
Mar 20 12:00:27.460: BR0:1 LCP: O CONFREQ [Listen] id 102 len 15 
Mar 20 12:00:27.460: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:27.464: BR0:1 LCP: MagicNumber 0x488AD858 (0x0506488AD858) 
Mar 20 12:00:27.468: BR0:1 LCP: O CONFACK [Listen] id 101 len 15 
Mar 20 12:00:27.468: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:27.472: BR0:1 LCP: MagicNumber 0x258B27C2 (0x0506258B27C2) 
Mar 20 12:00:27.495: BR0:1 LCP: I CONFACK [ACKsent] id 102 len 15 
Mar 20 12:00:27.495: BR0:1 LCP: AuthProto CHAP (0x0305C223 05) 
Mar 20 12:00:27.499: BR0:1 LCP: MagicNumber 0x488AD858 (0x0506488AD858) 
Mar 20 12:00:27.503: BR0:1 LCP: State is Open 
Mar 20 12:00:27.503: BR0:1 PPP: Phase is AUTHENTICATING, by both 
Mar 20 12:00:27.503: BR0:1 CHAP: Using alternate hostname ohio 
Mar 20 12:00:27.507: BR0:1 CHAP: O CHALLENGE id 66 len 25 from "ohio" 
Mar 20 12:00:27.511: BR0:1 CHAP: I CHALLENGE id 73 len 29 from "bacteria" 
Mar 20 12:00:27.515: BR0:1 CHAP: Waiting for peer to authenticate first 
Mar 20 12:00:27.555: BR0:1 CHAP: I RESPONSE id 66 len 29 from "bacteria" 
Mar 20 12:00:27.563: BR0:1 CHAP: O SUCCESS id 66 len 4 
Mar 20 12:00:27.567: BR0:1 CHAP: Processing saved Challenge, id 73 
Mar 20 12:00:27.571: BR0:1 CHAP: Using alternate hostname ohio 
Mar 20 12:00:27.575: BR0:1 CHAP: O RESPONSE id 73 len 25 from "ohio" 
Mar 20 12:00:27.777: BR0:1 CHAP: I SUCCESS id 73 len 4 
Mar 20 12:00:27.781: BR0:1 PPP: Phase is UP 
Mar 20 12:00:27.785: BR0:1 IPCP: O CONFREQ [Not negotiated] id 27 len 10 
Mar 20 12:00:27.789: BR0:1 IPCP: Address 2.2.2.2 (0x030602020202) 
Mar 20 12:00:27.801: BR0:1 IPCP: I CONFREQ [REQsent] id 23 len 10 
Mar 20 12:00:27.805: BR0:1 IPCP: Address 172.17.241.2 (0x0306AC11F102) 
Mar 20 12:00:27.805: BR0:1 IPCP: O CONFACK [REQsent] id 23 len 10 
Mar 20 12:00:27.809: BR0:1 IPCP: Address 172.17.241.2 (0x0306AC11F102) 
Mar 20 12:00:27.856: BR0:1 IPCP: I CONFACK [ACKsent] id 27 len 10 
Mar 20 12:00:27.860: BR0:1 IPCP: Address 2.2.2.2 (0x030602020202) 
Mar 20 12:00:27.864: BR0:1 IPCP: State is Open 
Mar 20 12:00:28.039: Di1 IPCP: Install route to 172.17.241.2 
Mar 20 12:00:28.777: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
   changed state to up 
ohio#

Updated: Dec 07, 2004