
help!

zhang-hao
Level 1

I need to add some branch routers as clients to the ACS server. So when choosing the IP addresses of these routers, which interface's IP address should I choose?

If I use these routers' loopback interface IP address, should I add any other command besides the basic AAA configuration? I mean, to specify the loopback address as the source to send related AAA info to the ACS server?

Thanks in advance!

4 Replies

ywadhavk
Cisco Employee

Hi,

You should try using that interface address that is closest to the ACS server's segment. But you could source the Radius/Tacacs from other interfaces such as the loopback as well.

The command to use is

ip radius source-interface

or in case of tacacs,

ip tacacs source-interface

Thanks,

yatin

Hi! Thanks a lot for your help! And could you tell me any links to learn these commands?

And more help is needed: if each branch router has an ISDN backup for the main DDN circuit to the center router, in order to authenticate the ISDN user in case of failure of the main circuit, how can I add users in the ACS server? I mean, is it the same as when I add users for telnet and enable authentication?

The following command for isdn authentication I configured on the center router:

aaa new-model

aaa authentication ppp default group tacacs+

tacacs-server host x.x.x.x key xxxxxxx

And users for isdn have been defined in the branch routers.

So will the above configuration be enough for the ISDN authentication to take effect?

Thanks in advance!

Hi,

Here's the link for the command details;

ip radius source

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fssprocr/srfrad.htm#1039140

ip tacacs source

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fssprocr/srftacs.htm#1017796

For any command lookup, please use the Command Lookup Tool at

http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.pl

You have to be logged into CCO to be able to use this tool.

As for the users for ISDN, the above config is correct for authentication i.e. these users will use the service ppp.

If the users are also going to use enable or telnet to the router, then you will need to have the "aaa authentication login ......." command.

Please refer to the url below for more info;

RADIUS Configuration Examples

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdrad.htm#1001308

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/nasconra.htm

Configuring TACACS+

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdtplus.htm

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/nasconfg.htm

Hope this helps,

Yatin

Hi, thanks for the quick response. It's of much help. Thanks again.
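
An added example, not part of the original thread and not Cisco tooling: a small Python check that a router config pins its TACACS+/RADIUS source to the interface whose address is registered as the AAA client on the ACS server. Without `ip tacacs source-interface`, IOS sources the packets from the outgoing interface, so the address ACS sees can change when a branch fails over to its ISDN backup. The sample config, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample branch-router config (documentation address ranges).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
!
interface BRI0
 ip address 203.0.113.2 255.255.255.252
!
aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 192.0.2.100 key EXAMPLE-KEY
ip tacacs source-interface Loopback0
"""

def interface_addresses(config):
    """Map interface name -> primary IPv4 address from IOS-style config text."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None          # left the interface sub-mode
        else:
            # Primary address only: a trailing "secondary" keyword will not match.
            m = re.match(r" +ip address (\d+(?:\.\d+){3}) \S+\s*$", line)
            if m and current:
                addrs[current] = m.group(1)
    return addrs

def check_aaa_source(config, registered_ip, protocol="tacacs"):
    """Return (ok, reason): is the AAA source pinned to the address ACS knows?"""
    addrs = interface_addresses(config)
    m = re.search(rf"^ip {protocol} source-interface (\S+)", config, re.M)
    if not m:
        # Unpinned: the source follows the egress interface (e.g. BRI0 on backup).
        return False, f"no source-interface; possible sources: {sorted(addrs.values())}"
    name = m.group(1)
    if name not in addrs:
        return False, f"{name} has no IPv4 address configured"
    if addrs[name] != registered_ip:
        return False, f"{name} is {addrs[name]}, ACS client entry is {registered_ip}"
    return True, f"source pinned to {name} ({addrs[name]})"

print(check_aaa_source(SAMPLE_CONFIG, "192.0.2.11"))
```

Pass `protocol="radius"` to check the `ip radius source-interface` line instead.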