06-15-2005 04:04 AM
I'm trying to use ACS 3.2 to allow a PPP WAN link to establish, but I'm not having much success.
The calling router (R10) configuration is:
interface Serial1/5
 ip address 10.1.1.10 255.255.255.0
 encapsulation ppp
 ! only authenticate the peer on incoming calls; as the calling side r10 does not challenge r2
 ppp authentication chap callin
 ! name and secret r10 presents when it is challenged (instead of its own hostname)
 ppp chap hostname ROUTER10
 ppp chap password cisco
The router r2 that is connected to the ACS and is called by r10
hostname r2
! local fallback entry for the caller's CHAP name/secret
username ROUTER10 password cisco
aaa new-model
! PPP authentication goes to TACACS+ first, local database if the server is unreachable
aaa authentication ppp default group tacacs+ local
aaa authorization network default group tacacs+
interface FastEthernet0/1
 ! LAN side, reaches the ACS
 ip address 192.168.1.254 255.255.255.0
interface Serial0/1
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 ! challenge the peer on every call (no callin keyword)
 ppp authentication chap
tacacs-server host 192.168.1.64 key cisco
On the ACS under the Network configuration I defined the AAA client as r2 with IP addr 192.168.1.254 and selected authenticate using tacacs+
Again under network configuration I defined the aaa server as 192.168.1.64, key of cisco, selected tacacs and the traffic type of inbound/outbound.
I added a user, ROUTER10 password cisco and defined the static IP address for that user with 10.1.1.10.
The problem appears to be that PPP LCP establishes, starts the CHAP authentication and contacts the TACACS server, which states "Received authen response status PASS". So far so good, I think.
But the next message, from debug ppp auth, is "S0/1 CHAP: I FAILURE ..... Authentication failed".
I'm not sure if this is down to TACACS or my CHAP authentication statements, as I'm trying to get this working in one direction only.
Where am I going wrong?
06-21-2005 08:31 AM
The message that you are getting clearly indicates that an authentication failure is happening. Try using simple CHAP authentication instead of doing PPP authentication through AAA. For this you will have to define a CHAP password on the serial interface on both routers. You could optionally use the username on the interface, as in your case, or let the router use its hostname as the username for CHAP authentication. Try this, it should work.
06-22-2005 02:01 AM
I tested this using simple CHAP, with the parameters on the serial interface, but I had to add the username and password statement onto the core router. What I wanted to do was use the CHAP hostname and password on the serial interface of the calling router, and have that authenticated by the ACS.
Originally I thought the way this would work was that the calling router submits its username and password, these details are passed on to the ACS by the called router. However it seems that I have to use the called router for authentication first. So can I do this, just have the called router forward the CHAP onto the ACS?
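The one-way exchange the two posts above describe (calling router answers a CHAP challenge; the called router hands the name, identifier, challenge and response to the AAA server and relays PASS/FAIL back as CHAP Success/Failure), as an added model that is not part of the original thread and is not Cisco or ACS code. The hostnames and the secret "cisco" come from the posted configs; the class names, the PASS/FAIL strings and the message shapes are hypothetical stand-ins for the real TACACS+ exchange:

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class AaaServer:
    """Stand-in for the ACS user database (hypothetical, not the ACS API).

    CHAP is checked by recomputing the MD5 from the stored secret, so the
    server must hold each user's cleartext (or reversibly stored) password;
    a one-way hashed password cannot verify CHAP at all.
    """

    def __init__(self, users: dict):
        self.users = users  # username -> cleartext CHAP secret

    def verify_chap(self, username: str, ident: int, challenge: bytes, response: bytes) -> str:
        secret = self.users.get(username)
        if secret is None:
            return "FAIL"  # unknown user: nothing to recompute against
        expected = chap_response(ident, secret, challenge)
        return "PASS" if hmac.compare_digest(expected, response) else "FAIL"


class CalledRouter:
    """r2: issues the CHAP Challenge and forwards the peer's Response to AAA,
    as 'aaa authentication ppp default group tacacs+' would."""

    def __init__(self, hostname: str, aaa: AaaServer):
        self.hostname = hostname
        self.aaa = aaa
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF  # one-byte Identifier, fresh per challenge
        value = os.urandom(16)                # random Challenge value per attempt
        return self.ident, value, self.hostname

    def check(self, peer_name: str, ident: int, challenge: bytes, response: bytes) -> str:
        status = self.aaa.verify_chap(peer_name, ident, challenge, response)
        return "SUCCESS" if status == "PASS" else "FAILURE"


class CallingRouter:
    """r10: answers challenges with 'ppp chap hostname' / 'ppp chap password'.
    With 'ppp authentication chap callin' it does not challenge the peer when
    it placed the call, so the exchange modelled here is one-way."""

    def __init__(self, chap_hostname: str, chap_password: bytes):
        self.chap_hostname = chap_hostname
        self.chap_password = chap_password

    def respond(self, ident: int, challenge: bytes):
        # The Response packet carries the name the peer looks up, not r10's hostname.
        return self.chap_hostname, chap_response(ident, self.chap_password, challenge)


def run_chap(caller: CallingRouter, callee: CalledRouter) -> str:
    """One-way CHAP: callee challenges, caller responds, callee asks AAA."""
    ident, value, _ = callee.challenge()
    name, response = caller.respond(ident, value)
    return callee.check(name, ident, value, response)


if __name__ == "__main__":
    acs = AaaServer({"ROUTER10": b"cisco"})  # the user added on the ACS
    r2 = CalledRouter("r2", acs)
    print(run_chap(CallingRouter("ROUTER10", b"cisco"), r2))  # SUCCESS
    print(run_chap(CallingRouter("ROUTER10", b"wrong"), r2))  # FAILURE
```

The model makes two things explicit that the thread circles around: the name carried in the CHAP Response (`ppp chap hostname`) is the key the AAA server looks up, so it must exist there as a user with the same secret the caller was given, and the server can only verify CHAP if it holds that secret in recoverable form. A wrong name or a wrong secret on either side produces the same CHAP Failure on the link.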
06-21-2005 01:47 PM
You also may try searching CCO for information on kicking acs into debug mode (It involves shutting down the service, and then starting it manually on the cmd line with a certain -flag, and you will see all AAA auth attempts and failure notices, etc)
06-22-2005 02:03 AM
That's something I wanted to do, but didn't know if it was possible. Checking the ACS logs didn't really give me enough information; I wanted a debug mode.
Thanks for that, I'll have a look. I will be spending more time on this tomorrow.