Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISDN Authorization with RADIUS using ISE 1.1.2


I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.

Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..

I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.

aaa authentication ppp default group radius local

aaa authentication network default group radius

aaa accounting network default start-stop group radius

radius-server host

radius-server key *****

below is the router configuration for AAA

can any one help in this

Rising star

I'm guessing you need an aaa authorization command for ppp as well ? it's been quite a long time since i did any dialup so i am a bit rusty.

Thanks for your reply Nielsen.... I have already put that command but it does not help.. below is the command which i have configured

aaa authorization network default group radius

I was actually thinking there might be a command like :

aaa authorization ppp default group radius

Actually I think there is no command like this...if you want to authorize ppp/slip/ARAP then authorization network command is used....

any other thing ? I dont know where to look for this ISE or Router ?? ISE logs showing authorization is successful but calls connect for 20 seconds and then disconnects.... no traffic flows....


any body who can help me on this..??

Do you have the CoA  configuration on your NAD?

aaa server radius dynamic-author

client server-key

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

CoA is not needed, nor supported for ISDN aaa, i used ACS 3.3 for this a long time ago. I think you should do some debugging if ise does not give you any errors.

try doing some debug aaa / debug radius & deb ppp nego  if your calls are authenticated and ip is assigned to the calling router, you should see some disconnect reason in the debug.

Okay.  What you are seeing in the authentication detail report of the passed authentication: Authenticaiton Results section.  Does it contain the attributes you are expecting to be sent to the NAD?  How does it compare with what ACS 3.3 was sending?

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
Content for Community-Ad