cisco 2621 RAS configuration problem

eliboy

Technical User
Mar 27, 2003
Good day!

I configured my Cisco 2621 router with a 16 AM module for dial-in purposes only. My boss wants me to activate the RAS features so that they can still use the company's internet at home. I just want you, all the good guys there, to check my configuration. I try to connect, but after verifying the user name and password, an "unable to establish connection" message comes up. What's wrong with my configuration?

This is my configuration:

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2621
!
aaa new-model
aaa authentication login default local
enable secret 5 $1$mjZE$t6E08M1V2BnkVc4UK8tJY.
enable password <deleted>
!
username eli password 0 <deleted>
!
!
!
!
ip subnet-zero
ip name-server 61.9.6.243
ip name-server 10.2.1.1
!
async-bootp dns-server 202.47.132.6 202.47.132.9
!
!
!
interface FastEthernet0/0
 ip address 61.9.6.251 255.255.255.240
 speed auto
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.2.1.2 255.0.0.0
 ip nat inside
 speed auto
 half-duplex
!
interface Group-Async1
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 ip tcp header-compression passive
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 async mode interactive
 peer default ip address pool dialin
 ppp authentication chap
 group-range 33 48
!
ip local pool dialin 10.2.1.71 10.2.1.80
ip classless
ip route 0.0.0.0 0.0.0.0 61.9.8.209
ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 password <deleted>
 transport input none
line 33 48
 autoselect during-login
 modem Dialin
 transport input all
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
!
end

Is my configuration right? Do I need to add something?

eliboy76
 
eliboy,

Add the line:
> aaa authentication ppp default local

Also you want your dial-in users to obtain an IP from your dial-in pool, so under your Group-Async1 config, change the ip address to:
> ip address negotiated

The rest of the config looks okay. Let us know how you go.

JimmyZ
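The point raised in the reply above, written as an added Python example (not code from the thread or from Cisco): it reports an interface that uses `ppp authentication` while `aaa new-model` is on and no explicit `aaa authentication ppp` method list exists. Going one step beyond the reply, it also reports an address pool that is referenced but never defined. `parse`, `audit`, `PPP_KEYWORDS` and the sample text are hypothetical names and constructed input, and the parser assumes the usual IOS one-space indentation of sub-commands.

```python
import re

# Constructed sample: AAA and dial-in lines taken from the config posted above.
SAMPLE = """\
aaa new-model
aaa authentication login default local
interface Group-Async1
 encapsulation ppp
 peer default ip address pool dialin
 ppp authentication chap
ip local pool dialin 10.2.1.71 10.2.1.80
"""
# Words that can follow "ppp authentication" without naming a method list.
PPP_KEYWORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap",
                "if-needed", "callin", "one-time", "optional", "default"}

def parse(config):
    """Split a config into global lines and indented per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw[0].isspace() and current is not None:
            current.append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    """Hypothetical helper: list AAA/PPP dial-in inconsistencies in a config."""
    global_lines, interfaces = parse(config)
    aaa = "aaa new-model" in global_lines
    ppp_lists = {m.group(1) for g in global_lines
                 if (m := re.match(r"aaa authentication ppp (\S+)", g))}
    pools = {g.split()[3] for g in global_lines if g.startswith("ip local pool ")}
    findings = []
    for name, cmds in interfaces.items():
        for cmd in cmds:
            if cmd.startswith("ppp authentication "):
                named = [t for t in cmd.split()[2:] if t not in PPP_KEYWORDS]
                wanted = named[0] if named else "default"
                if aaa and wanted not in ppp_lists:
                    findings.append(f"{name}: no explicit 'aaa authentication ppp {wanted}' list")
            elif cmd.startswith("peer default ip address pool "):
                if cmd.split()[-1] not in pools:
                    findings.append(f"{name}: pool '{cmd.split()[-1]}' is not defined")
    return findings
```

Calling `audit()` on the text of a saved running-config returns a list of findings; an empty list means both checks passed.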
 
eliboy,
You may also want to add the following lines so your clients get the correct gw, subnet mask.

async-bootp subnet-mask <mask for DHCP pool>
async-bootp gateway <your default gw>

JimmyZ
 
JimmyZ,

Do I need to set up a WINS server? One of my suppliers told me that I need to set up WINS and DNS. We used Linux for proxy. You said that there's no problem in my configuration. I'm not an expert in configuring a router. If I add a username and password, does that mean that the name I add can log in to my router? If not, then where can I add the name of my remote client? I already added your suggestion but I still cannot log in.
 
eliboy,

If you want to add a WINS definition for your DHCP clients, then add the line:

async-bootp nbns-server <WINS server IP>

If you're not using a radius/tacacs server to authenticate your remote users, then you can simply manage local user accounts on the router itself. You already have a user eli which you can use as the logon account.

The other thing you need to get correct is your remote dial-in client config. I assume you're using the Microsoft dial-up networking client, right? You need to make sure your client options are correct, i.e. using chap for authentication. Also you may need to run a dial-script (under your Security options) so that the user name and passwords are passed correctly. There are some scripts that come default with your MS DUN client. You'll have to work out which one suits your local login setup. If you enable the "show terminal window" option you may see what the client is doing. I run a modified script which prompts the user to enter their radius logon and secure-ID password.

JimmyZ
 
Here is a script for your MS DUN client which should work for a local login account. There should be one similar already on your MS PC which you can modify, or alternatively create a new script. The "run script" setting is under your DUN "Security" option.

JimmyZ

proc main
   waitfor "Verification"
   waitfor "name:"
   transmit $USERID, raw
   transmit "^M"
   waitfor "word:"
   transmit $PASSWORD, raw
   transmit "^M"
   waitfor ">"
   transmit "PPP^M"
endproc
 
commsguy,
There should be no problem with the ip pool being in the same address range as his ethernet interface, as long as the IPs are free. What would the conflict be?

JimmyZ
 