09-20-2005 11:45 PM - edited 03-10-2019 02:19 PM
Hi, I am looking for urgent help to solve my customer's ACS - RAS implementation problem. The project was implemented at two different sites per the following. Site 1 and Site 2 act as Primary and Secondary for the RAS. (The sites have different firewalls.)
1) Site 1, RAS 3845 (New), ACS 3.3 (New), RSA Token (New), AD Integration, works fine - configured and works fine.
2) Site 2, RAS 5300 (Old) - Running IOS 12.0(7)T, ACS 3.3 (New), RSA Token (New), AD integration, Checkpoint Firewall. - Able to authenticate but not able to authorize. Having packet drop.
The configuration for site 2 is attached:
Any help is really appreciated.
Thanks
Anuar
09-21-2005 06:40 PM
Anuar
I have looked at the configuration that you posted. I am surprised that you say that you can authenticate but not authorize. How have you confirmed this? Have you run debug aaa authentication and debug aaa authorization? If you have run these debugs it would be helpful to see the output. If you have not run these debugs I would suggest that you run them and post the output.
I remember that early releases did not support the concept of radius group in aaa configuration and current releases do. I do not remember at what point the group concept was added but was not sure that it was as early as 12.0. I believe your 3845 is running recent code which does support the group concept and suspect that your 5300 IOS does not support it. (This is what surprises me that you say you can authenticate but not authorize).
I suggest that you change the configuration of the aaa on the 5300 and remove the group concept from the configuration of aaa.
If that does not fix the problem then the debugs that I suggested would be quite helpful.
HTH
Rick