This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.
Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..
I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.
aaa authentication ppp default group radius local
aaa authentication network default group radius
aaa accounting network default start-stop group radius
radius-server host 184.108.40.206
radius-server key *****
below is the router configuration for AAA
can any one help in this
Thanks for your reply Nielsen.... I have already put that command but it does not help.. below is the command which i have configured
aaa authorization network default group radius
Actually I think there is no command like this...if you want to authorize ppp/slip/ARAP then authorization network command is used....
any other thing ? I dont know where to look for this ISE or Router ?? ISE logs showing authorization is successful but calls connect for 20 seconds and then disconnects.... no traffic flows....
Do you have the CoA configuration on your NAD?
aaa server radius dynamic-author
CoA is not needed, nor supported for ISDN aaa, i used ACS 3.3 for this a long time ago. I think you should do some debugging if ise does not give you any errors.
try doing some debug aaa / debug radius & deb ppp nego if your calls are authenticated and ip is assigned to the calling router, you should see some disconnect reason in the debug.
Okay. What you are seeing in the authentication detail report of the passed authentication: Authenticaiton Results section. Does it contain the attributes you are expecting to be sent to the NAD? How does it compare with what ACS 3.3 was sending?