Re: AS5300 login problems with AAA

vvvmell · ‎11-15-2001

I have gotten my dialup to work, however I am confused on my AAA configuration. I am using the following:

aaa authentication login SECURE group radius local

aaa authentication login NO_AUTHEN none

aaa authentication login LOCAL line

aaa authentication ppp default if-needed group radius local

aaa authentication ppp SECURE if-needed group radius local

aaa authorization network default group radius local

aaa authorization network SECURE group radius local

The SECURE is what is applied to my lines.

Radius passes off to a Cisco Secure ACS database, and hands off to SDI token card server.

The problem is when I dial in and passthrough the authentication to radius it leaves me at the router prompt. At which poing I need to enter PPP and close my dialup terminal to be authenticated to the network. I'd like to avoid that final process and after passing authentication have the terminal initiate the ppp automatically.

I have tried changes like removing the login, it's my understanding that if access to the EXEC prompt isn't neccesary the login option isn't needed. When removed however, all authentication fails.

What advice do you have?

vvvmell · ‎11-15-2001

Try using the autocommand on the lines.

line 1 96

autocommand ppp

Thanks anyways.

trenth · ‎02-14-2002

What configuration have you setup on your Group-Async interface. Have you included "async mode interactive" and also what is set up on the line configuration for ppp auth? I have include the a sample of what your configuration may include.

!

aaa new-model

aaa authentication login default group radius local

aaa authentication ppp default group radius local

aaa authorization exec default group radius local

aaa authorization network default group radius local

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

!

interface Virtual-Template1

ip unnumbered Loopback0

no ip route-cache

keepalive 20

timeout absolute 35790 0

ppp authentication chap

ppp multilink

ppp timeout idle 0

!

interface Group-Async1

ip unnumbered Loopback0

encapsulation ppp

no ip mroute-cache

timeout absolute 35790 0

dialer in-band

dialer idle-timeout 0

async dynamic address

async mode interactive

no peer default ip address

no fair-queue

no cdp enable

ppp authentication chap

ppp multilink

group-range 1 120

!

line 1 120

session-timeout 35791

exec-timeout 0 0

login authentication dialin_exec

modem InOut

transport input all

autoselect during-login

autoselect ppp

!

tepatel · ‎02-14-2002

"autocommand ppp nego" OR "autocommand ppp" will prevent the router to display the router prompt. That will make the router start the ppp right-a-way after successful authentication..Tejal

michelle.andersen · ‎02-15-2002

Is there a way to make the post terminal window go away automatically after ppp is negotiated successfully?

tepatel · ‎02-15-2002

Nope..There is no automatic way to make the terminal window go away. With terminal window, control is given back to user..And user has to "click" to move forward. Now you can write some special "software script" which can automate that...Thx..Tejal