I have a 7206 that has 4 - l2f Tunnels to Southwestern Bell's VPOPDas. I need to change the Radius-Server but when I do I lose my Tunnel Connection and nobody can connect. I don't even see calls radius request coming into the new radius server.
The existing radius-server host entry is using port 1812 and 1813. I switched the IP and the ports to 1645 and 1646.
IP address of the router does not change. Nothing on the router changes except the radius-server host line.
The New Radius server does sit behind a Pix 515 firewall. Is it possible that I need to open up any other port other than the 1645 and 1646 on this firewall?
Keep in mind that I have other NAS's behind and routing through the 7206 that I am authenticating users with no problem. These NAS Boxes are not on the VPOPDas network. They are MAX 4048's. Some of which are connected via a FRATM as a pvc on the 7206.
The new Radius server is NOT on the same network. It's in another city, another network 200 miles away.
I have cut up the config and pasted only what I thought was pertinent. IP's and Passwords have been changed to protect the stupid.
-------------------------------------------------------
version 12.1
service timestamps debug datetime msec
service timestamps log datetime show-timezone
service password-encryption
!
hostname 7206-cisco
!
logging buffered 4096 debugging
no logging console
logging trap debugging
logging facility local1
logging 10.1.1.1
aaa new-model
aaa authentication login default group radius local
aaa authentication login none none
aaa authentication ppp default if-needed local group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
username SWBVPOP password 7 apassword
!
ip subnet-zero
ip rcmd source-interface Loopback0
ip cef
ip domain-list mydomain.com
ip domain-name mydomain.com
ip name-server 10.1.1.1
ip name-server 10.1.1.2
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol l2f
virtual-template 1
terminate-from hostname SWBVPOP
local name SWBVPOP
!
bridge irb
!
interface ATM2/0.13 multipoint
description Shared interface for VPOP customers
ip address 192.168.1.1 255.255.255.224
no ip proxy-arp
map-group vpop
atm pvc 2081 4 33 aal5snap 1544 1544
atm pvc 2082 4 34 aal5snap 1544 1544
atm pvc 2083 4 35 aal5snap 1544 1544
atm pvc 2084 4 36 aal5snap 1544 1544
!
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no keepalive
peer default ip address pool default
ppp authentication pap chap
ppp multilink
!
!
map-list vpop
ip 192.168.50.194 atm-vc 2081
ip 192.168.50.195 atm-vc 2082
ip 192.168.50.196 atm-vc 2083
ip 192.168.50.197 atm-vc 2084
radius-server host 192.168.20.20 auth-port 1645 acct-port 1646
radius-server host 192.168.30.30 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key RADIUSKEY
end
Does anyone have any idea why this would stop answering calls and lose the tunnel connection when I change the Radius-Server entries?
Is it possible that the tunnel is trying to authenticate via radius and can not and therefore prevents the tunnels from being created?
Any idea why I don't see any Radius Requests come into the radius server?
Any help anyone can give will be much appreciated.
Tony