Mobile host authentication using TACACS+ Server

brandee · ‎01-23-2002

Instead of Home Agent(Router 7507),

I tried to use AAA Server and the instruction is as follow;

user = 20.0.0.1 {

service = mobileip {

set spi#0 = ¡°spi 100 key hex 12345678123456781234567812345678¡±

¡±

}

I don't know how to configure above the format on my ACS 3.0.

Please help me out.

vijkrish · ‎01-24-2002

1. you need to define a new service in ACS3 which is called mobile ip. For this, first ensure that there is a TACACS+ NAS defined in network configuration.

2. Go to interface configuration->TACACS+ Cisco IOS,

Under new services, tick the first check box,

type mobileip in service textbox, in protocol type ip

now submit. IF there is not even a single tac+

NAS in the config, you will NOT see the TACACS+ CIsco IOS option in interface configuration !!!!

3. Go to group properties now and under tacacs+, at the end of the list, you will find the new service you defined, select the box, select custom attributes and then define

set spi#0 ....

Hope this helps. Pls. let the forum know if this solved your issue.

brandee · ‎01-28-2002

Thank you very much for your appreciation.

But I am afraid that I still have a problem.

During authentication with Cisco Router, I got a debug message as follows;

MobileIP: HA 107 received registration for MN 172.31.3.235 on FastEthernet0/0/0

using COA 172.31.107.17 HA 172.31.107.70 lifetime 7200 options sbdmgVt

MobileIP: HA 107 get SA for MN 172.31.3.235

MobileIP: MN 172.31.3.235 SA is not available from AAA server

MobileIP: MN 172.31.3.235 SA is not configured, request ignored

%IPMOBILE-6-SECURE: Security violation on HA from MN 172.31.3.235 - errcode MN f

ailed authentication (131), reason No mobility security association (1)

I checked the 'spi', 'key' values in MN and had no problem.

What would be the real problem ?