AAA authentication woes

Discussion in 'Cisco' started by bob@bfisk.demon.co.uk, Apr 27, 2006.

  1. Guest

    Hi all,

    I have a sticky problem with AAA authentication and I'm either reading
    the docs on CCO incorrectly or I'm missing something.
    What I have is a number of Async users and a few 64K ISDN users coming
    in on a PRI. The Async users work fine and authenticate via tacacs no
    problem. What I want is the 64K users only to authenticate locally.

    Using the 'list' command 'router' in chap, this should ignore the 'aaa
    ppp authentication default' and go direct to the local username list.
    Well you've guessed it, it doesn't. The authentication is picked up as
    default and fails.

    The reason this fails is the debugs show that the incoming interface is
    one of the serials on which there is no 'list' configured. The binding to
    the dialer interface D3 only takes place after successful authentication,
    so it never gets to act on the list.
    I can get round this by placing the list command on the D channel, but
    I suspect that will affect the async users too? Also this limits me to
    only one list!

    Apart from configuring the 64K users in tacacs as well, is there any
    other way around this, or am I reading the docs wrong?

    Cheers
    Bob

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication ppp default group tacacs+ local
    aaa authentication ppp router local
    aaa authorization exec default local group tacacs+
    aaa authorization network default group tacacs+ local
    aaa authorization network ISDN group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    !
    snip
    !
    interface Serial1/0:15
    no ip address
    encapsulation ppp
    dialer pool-member 1
    isdn switch-type primary-net5
    isdn incoming-voice modem
    isdn sending-complete
    no fair-queue
    no cdp enable
    ppp authentication ms-chap chap pap
    !
    interface Group-Async1
    ip unnumbered Ethernet0/0
    encapsulation ppp
    dialer in-band
    dialer idle-timeout 600
    dialer-group 1
    async mode interactive
    ipx ppp-client Loopback0
    peer default ip address pool dialin_pool
    ppp authentication chap
    group-range 65 76
    !
    interface Dialer1
    ip unnumbered Ethernet0/0
    encapsulation ppp
    dialer pool 1
    dialer remote-name pnuthall
    dialer idle-timeout 600
    dialer load-threshold 1 either
    dialer-group 1
    peer default ip address pool router_pool
    no cdp enable
    ppp authentication chap callin router
    ppp multilink
    !
    interface Dialer2
    ip unnumbered Ethernet0/0
    encapsulation ppp
    dialer pool 1
    dialer remote-name xxxxx
    dialer idle-timeout 900
    dialer-group 1
    peer default ip address pool dialin_pool
    no cdp enable
    ppp authentication ms-chap chap pap
    !
    interface Dialer3
    ip unnumbered Ethernet0/0
    encapsulation ppp
    dialer pool 1
    dialer remote-name glamb
    dialer idle-timeout 900
    dialer load-threshold 1 either
    dialer-group 1
    peer default ip address pool dialin_pool
    no cdp enable
    ppp authentication ms-chap chap pap callin router
    ppp multilink

    AAA Authentication debugging is on
    *Mar 19 20:55:56: %LINK-3-UPDOWN: Interface Serial1/0:18, changed state
    to up
    *Mar 19 20:55:57: AAA: parse name=Serial1/0:18 idb type=13 tty=-1
    *Mar 19 20:55:57: AAA: name=Serial1/0:18 flags=0x55 type=1 shelf=0
    slot=1 adapter=0 port=0 channel=18
    *Mar 19 20:55:57: AAA: parse name=<no string> idb type=-1 tty=-1
    *Mar 19 20:55:57: AAA/MEMORY: create_user (0x616721D4) user='glamb'
    ruser='NULL' ds0=16777234 port='Serial1/0:18' rem_addr='/469230'
    authen_type=MSCHAP service=PPP priv=1 initial_task_id='0'
    *Mar 19 20:55:57: AAA/AUTHEN/START (3807844204):port='Serial1/0:18'
    list='' action=LOGIN service=PPP
    *Mar 19 20:55:57: AAA/AUTHEN/START (3807844204): using "default" list
    *Mar 19 20:55:57: AAA/AUTHEN/START (3807844204): Method=tacacs+
    (tacacs+)
    *Mar 19 20:55:57: TAC+: send AUTHEN/START packet ver=193 id=3807844204
    *Mar 19 20:55:57: TAC+: ver=193 id=3807844204 received AUTHEN status =
    FAIL
    *Mar 19 20:55:57: AAA/AUTHEN (3807844204): status = FAIL
    *Mar 19 20:55:57: AAA/MEMORY: free_user (0x616721D4) user='glamb'
    ruser='NULL' p
    Apr 27, 2006

  2. thrill5 Guest

    No, the async users will always use the config under "Group Async1". The
    config under the Serial interface for the D channel will only be used for
    ISDN users. If your async and ISDN users use different dialin numbers, then
    you can also use aaa groups and dnis maps to specify the authentication
    methods.

    Scott
    thrill5, May 1, 2006
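    The following is an added configuration example and is not the thread's own config; it shows the arrangement the reply describes, with the local-only list placed on the PRI D channel (where the incoming B channel's PPP authentication is evaluated before the call is bound to a dialer profile) and the async group left on the default list. Interface names, user names and method-list names are taken from the thread; the DNIS number 5550100, the server-group name ISDN-TACACS, the placeholder passwords and the 192.0.2.10 address (an RFC 5737 documentation address) are assumptions for illustration.

```cisco
! Added example, not the configuration posted in the thread.
! The named list must sit on the D channel: an incoming B channel is
! authenticated against Serial1/0:15's 'ppp authentication' before the
! call is bound to Dialer3, so a list name on the dialer profile alone
! is never consulted for the incoming leg.
!
aaa new-model
aaa authentication ppp default group tacacs+ local
! 'router' is local-only and never falls back to TACACS+: every ISDN
! caller that arrives on the PRI must now exist in the local database.
aaa authentication ppp router local
!
! CHAP and MS-CHAP require the authenticator to know the cleartext
! password, so these entries must use 'password' (stored reversibly as
! type 7 under service password-encryption), not 'secret'; a 'secret'
! entry cannot satisfy a CHAP challenge.
! Passwords below are placeholders (assumption).
service password-encryption
username glamb password ChangeMe-glamb
username pnuthall password ChangeMe-pnuthall
!
! The D channel: this is where the 'router' list has to go.
interface Serial1/0:15
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn sending-complete
 ppp authentication ms-chap chap pap router
!
! Async callers never touch Serial1/0:15; with no list name here they
! keep using the 'default' list, i.e. TACACS+ with local fallback.
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer in-band
 async mode interactive
 peer default ip address pool dialin_pool
 ppp authentication chap
 group-range 65 76
!
! The dialer profile keeps its list name as in the thread; it is
! harmless, but it is not what decides the incoming authentication.
interface Dialer3
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name glamb
 dialer-group 1
 peer default ip address pool dialin_pool
 ppp authentication ms-chap chap pap callin router
 ppp multilink
!
! Alternative mentioned in the reply: when the ISDN users dial a
! different number than the async users, a DNIS map can pick a
! different TACACS+ server group per called number. A DNIS map selects
! a server group, not a method list, so on its own it does not make a
! called number "local only". Number, group name and server address
! are assumptions.
aaa group server tacacs+ ISDN-TACACS
 server 192.0.2.10
!
aaa dnis map enable
aaa dnis map 5550100 authentication ppp group ISDN-TACACS
```

    To confirm the change took effect, repeat the call with 'debug aaa authentication' running: the AAA/AUTHEN/START line for the B channel should name the 'router' list and a local method instead of the list='' and "default" list seen in the original debug. Because 'router' has no TACACS+ fallback, check that every ISDN user (not only glamb) has a local username entry before cutting over, or those users will start failing in the same way.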

  3. Guest

    Thanks for that Scott. I just had this nagging doubt that it may have
    affected the async and as I couldn't lab it I was reluctant to test it
    on a live network.

    Cheers
    Bob
    May 3, 2006
