(RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1

Robert Blayzor rblayzor at inoc.net
Wed Mar 6 07:51:13 CST 2002 

We use the AS5300's almost exclusively here, we run IOS 12.1(x).

The config info doesn't mean much below.  The problem is that if you're
using IOS and not using "virtual profiles" I believe the 5300's listen
to what's hard set in the config as an idle-time on any dialer our
group-async interface.  If you don't specify the idle timeout, then I
believe the default is some crazy value of 2 minutes (120 seconds).

The best solution we've found is to use virtual profiles on the 5300,
and max out the idle-timeout on any dialer or group-async interface.
When doing that, the 5300's will always honor the RADIUS attributes for
idle-timeout, etc.  We've never had a problem with the 5300's just
disconnecting people for idle-timeout if they were using it or not, and
the access-list in the config below just denies any ICMP requests to or
from any async device (modem).  I surely don't see how that fixes the
problem.

Tips for the AS5300's and RADIUS:

Enable virtual profiles:

virtual-profile virtual-template 1
virtual-profile aaa


Max out the idle-timeout of any interface.

If you are running any routing protocols on the box, make sure you make
dialer and group-async interfaces PASSIVE, or try not to include the
scope in your OSPF range, etc.  Otherwise you'll be sending routing
messages to all your dialin users:

router ospf 101
 log-adjacency-changes
 area 0 authentication
 redistribute connected subnets route-map connected_filter
 redistribute static subnets
 passive-interface Dialer1
 passive-interface Group-Async1
 passive-interface Virtual-Template1


--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net

My opinion is neither copyrighted nor trademarked, and it's price
competitive. If you like, I'll trade for one of yours.

> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> Sent: Tuesday, March 05, 2002 11:42 PM
> To: radiator at open.com.au
> Subject: (RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1
>
>
>
> Hello Everyone -
>
> Here is a note regarding a Cisco IOS radius problem.
>
> regards
>
> Hugh
>
> > ----------  Forwarded Message  ----------
> >
> > Subject: Re: [Oz-ISP] AS5200's and IOS12.1
> > Date: Wed, 6 Mar 2002 13:14:27 +1100 (EST)
> > From: auix at netlink.com.au
> > To: heath at cci.net.au (Heath Jones)
> > Cc: aussie-isp at aussie.net
> >
> > This sounds very much like a problem we had when upgrading an AS5300
> > recently (it was actually from 12.0something to 12.2something)...
> > Until we found the solution all dialup users were being disconnected
> > according to their radius idle-timeout sessions, regardless of
> > activity...
> >
> > The solution was that we had to actually specify an access-list for
> > idle-timeouts (even if it was just 'let everything thru')
>
> as follows:
> > Config Extract:
> > !
> > interface Group-Async1
> >  ip unnumbered FastEthernet0
> >  encapsulation ppp
> >  no ip mroute-cache
> >  no logging event link-status
> >  dialer in-band
> >  dialer idle-timeout 2147483
> >  dialer-group 1
> >  async default routing
> >  async dynamic address
> >  async mode interactive
> >  peer default ip address pool default
> >  no fair-queue
> >  ppp authentication pap chap ms-chap
> >  ppp multilink
> >  group-range 1 240
> > !
> > access-list 101 deny   icmp any any
> > access-list 101 permit ip any any
> > dialer-list 1 protocol ip list 101
> > !
> >
> > This fixed it (and certainly wasn't necessary with the earlier IOS).
> >
> > hth, Peter Vaskess
> > Netlink Connect
> >
> > > HAs anyone upgraded their 5200's to IOS 12.1 IP Plus?
> > >
> > > We're having a problem with the NAS's disconnecting
>
> user's for supposed
>
> > > "Idle-Timeout"s. The problem is that it doesn't matter
>
> whether the user
>
> > > is inactive or not they still get disconnected.
> > >
> > > I have spoken to a couple of people who have had this
>
> problem but as yet
>
> > > noone seems to know a viable solution. I'd be interested in any
> > > recommendations people have.
> >
> > ----
> > email "unsubscribe aussie-isp" to majordomo at aussie.net to
>
> be removed.
>
> > -------------------------------------------------------
>
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl,
> Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
> on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-------------------------------------------------------

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list