(RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1
Ronan Eckelberry
radiator at gowebco.com
Wed Mar 6 17:01:57 CST 2002
If you don't use the "dialer in-band" directive in the config
(which makes the dialer a DDR interface), you do not need to set an idle
timeout, and it does not default to 2 mins. It will only default to 2
mins if you specify "dialer in-band" and do not set a "dialer
idle-timeout".
-Ronan
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Mike McCauley
Sent: Wednesday, 06 March, 2002 16:39
To: radiator at open.com.au
Subject: RE: (RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1
---------- Forwarded Message ----------
Subject: BOUNCE radiator at open.com.au: Non-member submission from
["Robert
Blayzor" <rblayzor at inoc.net>]
Date: Wed, 6 Mar 2002 06:19:20 -0600
From: owner-radiator at open.com.au
To: radiator-approval at open.com.au
From: "Robert Blayzor" <rblayzor at inoc.net>
To: <radiator at open.com.au>
Subject: RE: (RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1
Date: Wed, 6 Mar 2002 08:51:13 -0500

We use the AS5300's almost exclusively here, we run IOS 12.1(x).

The config info doesn't mean much below. The problem is that if you're
using IOS and not using "virtual profiles" I believe the 5300's listen
to what's hard set in the config as an idle-time on any dialer or
group-async interface. If you don't specify the idle timeout, then I
believe the default is some crazy value of 2 minutes (120 seconds).

The best solution we've found is to use virtual profiles on the 5300,
and max out the idle-timeout on any dialer or group-async interface.
When doing that, the 5300's will always honor the RADIUS attributes for
idle-timeout, etc. We've never had a problem with the 5300's just
disconnecting people for idle-timeout if they were using it or not, and
the access-list in the config below just denies any ICMP requests to or
from any async device (modem). I surely don't see how that fixes the
problem.

Tips for the AS5300's and RADIUS:

Enable virtual profiles:

 virtual-profile virtual-template 1
 virtual-profile aaa

Max out the idle-timeout of any interface.

If you are running any routing protocols on the box, make sure you make
dialer and group-async interfaces PASSIVE, or try not to include the
scope in your OSPF range, etc. Otherwise you'll be sending routing
messages to all your dialin users:

 router ospf 101
  log-adjacency-changes
  area 0 authentication
  redistribute connected subnets route-map connected_filter
  redistribute static subnets
  passive-interface Dialer1
  passive-interface Group-Async1
  passive-interface Virtual-Template1

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
My opinion is neither copyrighted nor trademarked, and it's price
competitive. If you like, I'll trade for one of yours.
> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> Sent: Tuesday, March 05, 2002 11:42 PM
> To: radiator at open.com.au
> Subject: (RADIATOR) Re: Fwd: Re: [Oz-ISP] AS5200's and IOS12.1
>
>
>
> Hello Everyone -
>
> Here is a note regarding a Cisco IOS radius problem.
>
> regards
>
> Hugh
>
> > ---------- Forwarded Message ----------
> >
> > Subject: Re: [Oz-ISP] AS5200's and IOS12.1
> > Date: Wed, 6 Mar 2002 13:14:27 +1100 (EST)
> > From: auix at netlink.com.au
> > To: heath at cci.net.au (Heath Jones)
> > Cc: aussie-isp at aussie.net
> >
> > This sounds very much like a problem we had when upgrading an AS5300
> > recently (it was actually from 12.0something to 12.2something)...
> > Until we found the solution all dialup users were being disconnected
> > according to their radius idle-timeout sessions, regardless of
> > activity...
> >
> > The solution was that we had to actually specify an access-list for
> > idle-timeouts (even if it was just 'let everything thru') as follows:
> >
> > Config Extract:
> > !
> > interface Group-Async1
> > ip unnumbered FastEthernet0
> > encapsulation ppp
> > no ip mroute-cache
> > no logging event link-status
> > dialer in-band
> > dialer idle-timeout 2147483
> > dialer-group 1
> > async default routing
> > async dynamic address
> > async mode interactive
> > peer default ip address pool default
> > no fair-queue
> > ppp authentication pap chap ms-chap
> > ppp multilink
> > group-range 1 240
> > !
> > access-list 101 deny icmp any any
> > access-list 101 permit ip any any
> > dialer-list 1 protocol ip list 101
> > !
> >
> > This fixed it (and certainly wasn't necessary with the earlier IOS).
> >
> > hth, Peter Vaskess
> > Netlink Connect
> >
> > > Has anyone upgraded their 5200's to IOS 12.1 IP Plus?
> > >
> > > We're having a problem with the NAS's disconnecting users for supposed
> > > "Idle-Timeout"s. The problem is that it doesn't matter whether the user
> > > is inactive or not they still get disconnected.
> > >
> > > I have spoken to a couple of people who have had this problem but as yet
> > > no one seems to know a viable solution. I'd be interested in any
> > > recommendations people have.
> >
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl,
> Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
> on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
-------------------------------------------------------
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
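
The two configuration points raised in this thread (an interface with "dialer in-band" but no "dialer idle-timeout", and dial-in interfaces not marked passive under a routing process) can be checked mechanically against a saved config. This is an added example, not part of the original thread; the sample config and the names parse_blocks and audit are constructed for illustration, and the checks encode the posters' statements rather than independently verified IOS behaviour.

```python
import re

# Constructed sample (not from the thread): Group-Async1 is a DDR interface
# with no idle timeout, and Dialer1 is not passive under OSPF.
SAMPLE_CONFIG = """\
interface Group-Async1
 dialer in-band
!
interface Dialer1
 dialer in-band
 dialer idle-timeout 2147483
!
router ospf 101
 passive-interface Group-Async1
"""
DIALIN = re.compile(r"(Dialer|Group-Async|Virtual-Template)\d+$", re.I)

def parse_blocks(config):
    """Map each top-level command to its list of indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif not line[0].isspace():
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(config):
    """Return sorted (interface, finding) pairs for the two checks."""
    blocks, findings = parse_blocks(config), []
    routers = [body for head, body in blocks.items() if head.startswith("router ")]
    passive = {c.split()[1].lower() for body in routers for c in body
               if c.startswith("passive-interface ")}
    for head, body in blocks.items():
        if not head.startswith("interface "):
            continue
        name = head.split()[1]
        if "dialer in-band" in body and not any(
                c.startswith("dialer idle-timeout ") for c in body):
            findings.append((name, "dialer in-band without dialer idle-timeout"))
        if routers and DIALIN.match(name) and name.lower() not in passive:
            findings.append((name, "not passive under the routing process"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The passive-interface check only runs when the config contains a routing process, so a config like the quoted Group-Async1 extract (idle timeout set, no router block) yields no findings.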