https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30100#M1286 <HTML><HEAD></HEAD><BODY><P>I have resolved my issue. The 'decrypt fail' debug message was due to the RADIUS server / ACE Server not supporting CHAP authentication. WHen I changed my config on all lines to 'ppp authen pap chap dialin' I was able to authenticate to my ACE/RADIUS Server. Note I think this is a specific limitation of the RSA ACE/Server. </P><P> I believe the OTP debug issue above is a bug but am unable to raise a TAC Case at this time.</P><P></P></BODY></HTML> Fri, 11 Jan 2002 09:48:27 GMT p.fligman 2002-01-11T09:48:27Z https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30098#M1284 <P>Hi,</P><P> I'm trying to get remote access solution working with RSA Security OTP (tokens). One option I've tried is specifying 'ppp authen chap pap dialin one-time' on dialer / group asyn interfaces (where dialin is method list name and methods specified are radius local). The one-time option allows use of standard windows dialup networking username/pwd fields to be used with OTP (username*PIN password=tokencode) and the router will pass these on to RADIUS / TACACS server who inturn passess to token server.</P><P> Problem I found is that RADIUS Debug shows error 'only RADIUS and TACACS are valid OTP'. I think this is due to fact that there is now 'group' specified by defaulyt in AAA method lists and it is a bug. I'm running 12.1.5T9 IP only, any comments/circumventions/known working releases greatly appreciated. </P> Fri, 21 Feb 2020 17:58:36 GMT https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30098#M1284 p.fligman 2020-02-21T17:58:36Z https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30099#M1285 <HTML><HEAD></HEAD><BODY><P>Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it&#146;s often difficult to do so for this type of issue. </P><P></P><P>To utilize the resources at our Technical Assistance Center, please visit <A class="jive-link-custom" href="http://www.cisco.com/tac" target="_blank">http://www.cisco.com/tac</A> and to open a case with one of our TAC engineers, visit <A class="jive-link-custom" href="http://www.cisco.com/tac/caseopen" target="_blank">http://www.cisco.com/tac/caseopen</A></P><P></P><P>If anyone else in the forum has some advice, please reply to this thread.</P><P> </P><P>Thank you for posting.</P><P></P></BODY></HTML> Thu, 10 Jan 2002 19:09:16 GMT https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30099#M1285 ciscomoderator 2002-01-10T19:09:16Z https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30100#M1286 <HTML><HEAD></HEAD><BODY><P>I have resolved my issue. The 'decrypt fail' debug message was due to the RADIUS server / ACE Server not supporting CHAP authentication. WHen I changed my config on all lines to 'ppp authen pap chap dialin' I was able to authenticate to my ACE/RADIUS Server. Note I think this is a specific limitation of the RSA ACE/Server. </P><P> I believe the OTP debug issue above is a bug but am unable to raise a TAC Case at this time.</P><P></P></BODY></HTML> Fri, 11 Jan 2002 09:48:27 GMT https://community.cisco.com/t5/network-access-control/remote-access-aaa-and-one-time-passwords/m-p/30100#M1286 p.fligman 2002-01-11T09:48:27Z