03-20-2003 12:49 AM - edited 03-02-2019 06:00 AM
I have a 3640 router with one BRI 4-B/T card, one digital modem card and one FE interface. All my users are ANALOG users.
1 - For some users (about 5) I have created a dialer in order to allocate their own IP address pool (with only one IP address) with username/password local on the router: it works.
2 - For some users (about 5) I have created on the ACS server their profile in order to have an AAA authentication. It is the ACS which gives the IP address. I created a dialer profile for each of these users, too: it works, too.
I configured 1- then 2- separately and they work.
3 - Now, I wish to do both at the same time, I mean some users have a local authentication and get their IP address from their (own) IP address pool (on the 3640 router) and some users have an AAA authentication on the ACS.... and it doesn't work.
I do not know how to configure the "ppp authentication chap" in each dialer profile and in the Group-Async1. I thought to create 2 AAA authentication methods as below:
aaa authentication ppp default group tacacs+
aaa authentication ppp AUTH_local local
The default method is for the ACS server via TACACS+ and the AUTH_local method is for local authentication. I did so many tests and so many configs, but I never got both to work at the same time. Has someone already done this config, maybe??? Please, help me!!!
Thanks a lot in advance.
Nico.
Below, my config:
For example:
- user NDE has local authentication. It uses dialer 10. It has its own pool of 1 IP address on the 3640.
- user DWA has an AAA authentication. It uses dialer 20. Its IP address is provided by the ACS.
Both of the users are analog users and in this way, they use the interface Group-Async1.
username NDE password 0 cisco
interface Group-Async1
 description Connexion pour les 18 modems analogiques.
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 async mode dedicated
 group-range 65 76
interface Dialer10
 description DIALER POUR USER NDE
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name NDE
 dialer-group 1
 peer default ip address pool NDE
 ppp authentication chap AUTH_local
interface Dialer20
 description DIALER POUR USER DWA
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name DWA
 dialer-group 1
 no peer default ip address
 ppp authentication chap
ip local pool NDE 172.18.1.201
03-20-2003 07:49 AM
First of all you need to configure "ppp authentication chap" under "interface group-async 1" so that the call will be bound to the dialer interface depending on the username received during the PPP authentication phase.
Once you have that, the config looks fine and it should work as expected.
Now if it still doesn't work, we need to see the following debugs:
debug dialer
debug ppp nego
debug modem csm
debug ppp authentication
03-20-2003 07:55 AM
Try "aaa authentication ppp default local group tacacs+". For local users we will get authenticated locally; for AAA users, if the username/password is not seen locally, it will go to TACACS.
Thanks, Mak.
03-20-2003 12:07 PM
OK, thanks a lot for your response. I agree with you:
As Mak says, I did put "aaa authentication ppp default local group tacacs+",
and as Tepatel says, I did put "ppp authentication chap" under "interface group-async 1" and under all dialer profiles (I deleted "aaa authentication ppp AUTH_local local").
Yesterday, I had already tried this config.
I added your debugs.
I recorded the debug with one user (DWA) with AAA authentication (this user works) and with one user (NDE) with local authentication (this user doesn't work). Then I compared the 2 debugs. The first difference and error is:
1d06h: As74 DDR: Remote name for NDE
1d06h: %DIALER-6-BIND: Interface As74 bound to profile Di10
1d06h: As74 PPP: Sent LCP AUTHOR Request to AAA
1d06h: As74 PPP: Sent IPCP AUTHOR Request to AAA
1d06h: As74 LCP: Received AAA AUTHOR Response = FAIL
1d06h: As73 DDR: Remote name for DWA
1d06h: %DIALER-6-BIND: Interface As73 bound to profile Di20
1d06h: As73 PPP: Sent LCP AUTHOR Request to AAA
1d06h: As73 PPP: Sent IPCP AUTHOR Request to AAA
1d06h: As73 LCP: Received AAA AUTHOR Response = PASS
1d06h: As73 IPCP: Received AAA AUTHOR Response = PASS
It seems to me that for the NDE user, the error "AAA AUTHOR Response = FAIL" comes because the authentication is not local but is done on the ACS. If I look on my ACS "Reports and Activity" / "Failed Attempts", I see a record of NDE's connection:
03/20/2003 17:30:12 Author failed nde Group 3 admin 0320191841/1840 .. Service denied service=ppp protocol=ip Async75*BRI1/0:2 172.18.1.32
To my mind, if the authentication is local, the ACS should not see anything?
Do you have an idea of the problem? It seems to me that something is wrong in my configuration for local authentication.
Thanks a lot in advance.
Nicos.
NOTE: I have a 3640A router. Since yesterday, I run 12.2(8)T5. Today, I also did these tests with this IOS and then with 12.2(13a).
03-20-2003 12:44 PM
The user who is supposed to authenticate/authorize locally is failing; we need to have the following commands for AAA:
aaa authentication ppp default local group tacacs+
aaa authorization network default local group tacacs+
Thanks, Mak.
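The point behind Mak's two lines is how IOS walks a method list: each method answers PASS, FAIL or ERROR, and the next method is consulted only on ERROR (for example, the local database has no such username), never on FAIL. With authorization going to TACACS+ only, NDE authenticated locally but the AUTHOR request still went to the ACS, which denied it; putting `local` first in the network authorization list lets NDE be authorized from the router's own database while DWA falls through to the ACS. The script below is an added simulation of that evaluation, not Cisco code or the original poster's configuration: the local database, the ACS stub (`ACS_USERS`, `ACS_PPP_IP_AUTHORIZED`), the DWA password and the "before" authorization list (`group tacacs+` alone, inferred from the failing debug) are all constructed for the example.

```python
"""Simulation of IOS AAA method-list evaluation for the thread's two users.

Added example (not Cisco or the poster's code). It models the method-list
rule the thread relies on: move to the next method only on ERROR (user not
known to that method); a FAIL (wrong password, explicit deny) stops evaluation.
"""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed local database, mirroring "username NDE password 0 cisco".
LOCAL_USERS = {"NDE": "cisco"}

# Constructed stand-in for the ACS server: the users it knows and whether
# their group profile authorizes service=ppp protocol=ip.
ACS_USERS = {"DWA": "dwa-secret"}          # password is a constructed value
ACS_PPP_IP_AUTHORIZED = {"DWA"}


def local_authenticate(user, password):
    if user not in LOCAL_USERS:
        return ERROR                        # unknown locally: try next method
    return PASS if LOCAL_USERS[user] == password else FAIL


def tacacs_authenticate(user, password):
    if user not in ACS_USERS:
        return FAIL                         # server answered and rejected
    return PASS if ACS_USERS[user] == password else FAIL


def local_authorize(user):
    # Local authorization can only vouch for users the router itself defines.
    return PASS if user in LOCAL_USERS else ERROR


def tacacs_authorize(user):
    # Mirrors the ACS "Author failed ... Service denied" record for NDE.
    return PASS if user in ACS_PPP_IP_AUTHORIZED else FAIL


AUTHN_METHODS = {"local": local_authenticate, "group tacacs+": tacacs_authenticate}
AUTHZ_METHODS = {"local": local_authorize, "group tacacs+": tacacs_authorize}


def run_method_list(methods, table, *args):
    """Evaluate methods in order: stop on PASS or FAIL, continue on ERROR.
    Returns (result, name of the method that decided); all-ERROR counts as FAIL."""
    for name in methods:
        result = table[name](*args)
        if result != ERROR:
            return result, name
    return FAIL, None


def ppp_session(user, password, authn_list, authz_list):
    """Mimic the debug trace: PPP authentication, then the LCP/IPCP AUTHOR request."""
    authn, authn_by = run_method_list(authn_list, AUTHN_METHODS, user, password)
    if authn != PASS:
        return {"authentication": authn, "authorization": None, "decided_by": authn_by}
    authz, authz_by = run_method_list(authz_list, AUTHZ_METHODS, user)
    return {"authentication": authn, "authorization": authz, "decided_by": authz_by}


# The thread's configurations expressed as method lists.
AUTHN = ["local", "group tacacs+"]        # aaa authentication ppp default local group tacacs+
AUTHZ_BEFORE = ["group tacacs+"]          # authorization via ACS only (inferred failing state)
AUTHZ_AFTER = ["local", "group tacacs+"]  # aaa authorization network default local group tacacs+

if __name__ == "__main__":
    for label, authz in (("before", AUTHZ_BEFORE), ("after", AUTHZ_AFTER)):
        for user, pw in (("NDE", "cisco"), ("DWA", "dwa-secret")):
            print(label, user, ppp_session(user, pw, AUTHN, authz))
```

Running it prints NDE failing authorization in the "before" state and passing locally in the "after" state, while DWA is decided by `group tacacs+` in both. A wrong local password for NDE is a FAIL from `local`, so the list stops there and the ACS is never asked; that is the property that keeps a locally defined account from being brute-forced against the TACACS+ server through the fallback.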
03-21-2003 07:52 AM
YES, it is perfect. I just put this line "aaa authorization network default local group tacacs+" and it works immediately. Thanks a lot!!!
Thanks to everybody for your help!
:- )
Nicos.