11-21-2001 01:39 AM - edited 03-04-2019 02:42 AM
Hi,
My customer wants to implement a redundant ACS system for authentication, which uses a redundant RSA ACE server for strong authentication of remote ISDN and PSTN dial users. I do have a number of questions with this scenario.
# I have been trying to emulate the remote access scenario using a Cisco 2600 router (12.0.10) with an ISDN Basic Rate Interface and the ACE 5 server. I have attached a config and it seems to work for local access onto the Aux port or dial in using the Windows dial-up client without a post-dial terminal window (i.e. I enter the PIN and tokencode in the password box of the dial client). However, when I implement the post-dial terminal window (so that I can use next token mode and new PIN mode) the client connects to the router but I do not get any meaningful text in the post-dial window (I would expect a username/passcode prompt); I just get ASCII garbage. Do you know if this works with next token code and new PIN mode (a la post-dial terminal window) terminating on an ISDN BRI interface and if so why is it not working? I have tried this on Win 2K and 95.
# How can I support redundant multilink ISDN in this scenario? Do I need to implement token caching and if so is this supported in ACS 2.6 for Windows?
# Can I support redundant ACE servers if I am integrating the authentication with Cisco Secure Access Control Server (i.e. the authentication goes first to ACS which passes it on to the ACE server) and how is this handled within ACS?
My router config is given below the IOS is 12.0.10 and the platform is a 2600.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NAS
!
aaa new-model
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
ip subnet-zero
isdn switch-type basic-net3
!
!
!
interface Ethernet0/0
ip address 10.x.x.x 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface TokenRing0/0
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
interface BRI0/0
ip unnumbered Ethernet0/0
no ip directed-broadcast
encapsulation ppp
dialer idle-timeout 300
dialer-group 1
isdn switch-type basic-net3
peer default ip address pool MyDialPool
ppp authentication pap radius-ppp
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
ip local pool MyDialPool 10.1.22.250 10.1.22.250
ip classless
!
dialer-list 1 Protocol IP permit
radius-server host 10.1.22.49 auth-port 1645 acct-port 1646
radius-server key xxxxxxxxx
!
line con 0
login authentication no-tacacs
transport input none
line aux 0
login authentication radius-login
line vty 0 4
password xxxxx
!
end
Thanks for your help,
Best regards,
Spencer Kennedy
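An added audit script (not from the thread or from Cisco) that reads the AAA-related lines of the config posted above and reports the gaps the three questions touch on: a single RADIUS/ACS server (no redundancy), method lists without a local fallback or with method none, type 7 user passwords, and lines not bound to the RADIUS login list. The config excerpt is a constructed, trimmed copy of the posted one; the finding texts and the TOP_LEVEL keyword list are assumptions of this script.

```python
import re

# Constructed excerpt of the NAS config posted above (addresses and keys masked as in the post).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
username admin password 7 xxxxxxxxxxx
interface BRI0/0
encapsulation ppp
ppp authentication pap radius-ppp
radius-server host 10.1.22.49 auth-port 1645 acct-port 1646
line con 0
login authentication no-tacacs
line aux 0
login authentication radius-login
line vty 0 4
password xxxxx
"""

# Assumed: commands that end a 'line'/'interface' stanza in a flush-left config dump.
TOP_LEVEL = ("line ", "interface ", "!", "radius-server", "aaa ", "username ", "end")


def audit_aaa(config):
    """Return findings on RADIUS redundancy, method-list fallback and line bindings."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    hosts = [l.split()[2] for l in lines if l.startswith("radius-server host ")]
    if len(hosts) < 2:
        findings.append("radius: %d server(s) configured, no RADIUS/ACS redundancy" % len(hosts))
    for l in lines:
        m = re.match(r"aaa authentication (login|ppp) (\S+) (.+)", l)
        if m and m.group(3).split() == ["none"]:
            findings.append("%s list %s: method none, no authentication" % m.group(1, 2))
        elif m and "local" not in m.group(3).split():
            findings.append("%s list %s: no local fallback if RADIUS is unreachable" % m.group(1, 2))
        if l.startswith("username ") and " password 7 " in l:
            findings.append("%s: reversible type 7 password encoding" % " ".join(l.split()[:2]))
    # Walk line/interface stanzas; a 'line' stanza without 'login authentication' bypasses RADIUS.
    stanza, bound = None, set()
    for l in lines + ["end"]:
        if l.startswith(TOP_LEVEL):
            if stanza and stanza.startswith("line ") and stanza not in bound:
                findings.append("%s: no 'login authentication' list, not using RADIUS" % stanza)
            stanza = l if l.startswith(("line ", "interface ")) else None
        elif l.startswith("login authentication ") and stanza:
            bound.add(stanza)
    return findings
```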
11-29-2001 12:44 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.