01-04-2002 03:23 AM - edited 02-21-2020 09:58 AM
Hi,
I'm trying to get remote access solution working with RSA Security OTP (tokens). One option I've tried is specifying 'ppp authen chap pap dialin one-time' on dialer / group asyn interfaces (where dialin is method list name and methods specified are radius local). The one-time option allows use of standard windows dialup networking username/pwd fields to be used with OTP (username*PIN password=tokencode) and the router will pass these on to RADIUS / TACACS server who inturn passess to token server.
Problem I found is that RADIUS Debug shows error 'only RADIUS and TACACS are valid OTP'. I think this is due to fact that there is now 'group' specified by defaulyt in AAA method lists and it is a bug. I'm running 12.1.5T9 IP only, any comments/circumventions/known working releases greatly appreciated.
01-10-2002 11:09 AM
Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, its often difficult to do so for this type of issue.
To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
01-11-2002 01:48 AM
I have resolved my issue. The 'decrypt fail' debug message was due to the RADIUS server / ACE Server not supporting CHAP authentication. WHen I changed my config on all lines to 'ppp authen pap chap dialin' I was able to authenticate to my ACE/RADIUS Server. Note I think this is a specific limitation of the RSA ACE/Server.
I believe the OTP debug issue above is a bug but am unable to raise a TAC Case at this time.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide