I probably should have outlined the reason for this type of configuration.
The problem I am trying to solve is this - I want to use a remote tacacs
server for telnet authentication, but I want to use the local database for
ppp authentication (it would be a pain to add all the router names into the
tacacs server database). I have removed the tacacs server configuration
because I wanted to make the configuration as simple as possible, and just
use the local database.
The URL that I posted below shows how you would do this for a user->router,
but not for router->router. It should be very simple - and I am sure that I
am missing something obvious.
I have experienced the same problem when routerA has been a 1603 and a 2600
with different IOS versions. The next step is to change RouterB and see what
happens.
Thanks for your help, keep it coming!
> -----Original Message-----
> From: Tony van Ree [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 28 March 2001 23:56
> To: Radford Dion; [EMAIL PROTECTED]
> Subject: Re: Tacacs and dialup authentication
>
> Hi,
>
> Where is the TACACS configured?
>
> I would have thought you would need a reference to TACACS in your AAA
> statements and a reference to the TACACS server address.
>
> aaa new-model
> aaa authentication login default tacacs+ local
> aaa authentication login console tacacs+ enable
> aaa authentication ppp default if-needed tacacs+ local
> aaa authentication ppp routers if-needed local
> aaa authorization exec default tacacs+ if-authenticated local
> aaa authorization network default tacacs+ local if-authenticated
>
> !
> OTHER ROUTER STUFF
> !
>
> tacacs-server host 192.168.0.1
> tacacs-server timeout 10
> tacacs-server key akeyword
>
>
>
> Just a thought. It seems you don't say to use TACACS in your AAA
> statements.
>
> Teunis
> Hobart, Tasmania
> Australia
>
>
>
>
> On Wednesday, March 28, 2001 at 11:27:08 AM, Radford Dion wrote:
>
> > Hi Everyone.
> >
> > I am having trouble trying to work out why I cannot get a router to connect
> > via ISDN to another router when tacacs is configured. I want to use the
> > local Tacacs database and I have followed the instructions on the cisco web
> > site
> > http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/c262c2.htm.
> > I would appreciate any feedback that anyone has.
> >
> > This is the scenario
> >
> > RouterA ---> dials into ----> RouterB
> >
> > When I remove the aaa configuration parameters from router A it works fine.
> >
> > Router A config:
> > username RouterB password xxxxxxxxx
> >
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> >
> > int bri 0/0
> > no ip address
> > no ip redirects
> > no ip directed-broadcast
> > encapsulation ppp
> > dialer pool-member 1
> > isdn switch-type basic-net3
> > no fair-queue
> > ppp authentication chap
> > !
> > interface Dialer1
> > ip address 192.168.0.186 255.255.255.252
> > no ip redirects
> > no ip directed-broadcast
> > encapsulation ppp
> > dialer remote-name RouterB
> > dialer pool 1
> > dialer idle-timeout 60
> > dialer string 5555555
> > dialer hold-queue 10
> > dialer-group 1
> > no fair-queue
> > ppp authentication chap
> >
> >
> > Router B config:
> > username RouterA password xxxxxxxxx
> >
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> >
> > int bri 3/1
> > ip address 192.168.0.186 255.255.255.252
> > encapsulation ppp
> > dialer idle-timeout 60
> > dialer map ip 192.168.0.186 name RouterA 5554324
> > dialer-group 2
> > ppp authentication chap
> >
> > This is the debug output - I tried using debug aaa authentication but there
> > was no output from either router.
> >
> > Debug ppp authentication on Router A:
> > *Mar 21 23:30:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> > *Mar 21 23:30:17: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> > *Mar 21 23:30:17: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5555555 .
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: BR0/0:1 CHAP: O CHALLENGE id 142 len 31 from "RouterA"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: I CHALLENGE id 227 len 31 from "RouterB"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: Unable to authenticate for peer
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di1
> > *Mar 21 23:30:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> > *Mar 21 23:30:19: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> > *Mar 21 23:30:19: %DIALER-6-BIND: Interface BR0/0:2 bound to profile Di1.
> > *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> > *Mar 21 23:30:19: BR0/0:2 CHAP: O CHALLENGE id 66 len 31 from "RouterA"
> > *Mar 21 23:30:19: BR0/0:2 CHAP: I CHALLENGE id 228 len 31 from "RouterB"
> > *Mar 21 23:30:19: BR0/0:2 CHAP: Unable to authenticate for peer
> > *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> > *Mar 21 23:30:19: %DIALER-6-UNBIND: Interface BR0/0:2 unbound from profile Di1
> > *Mar 21 23:30:20: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
> > *Mar 21 23:30:21: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> > *Mar 21 23:30:21: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> > *Mar 21 23:30:21: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:21: BR0/0:1 CHAP: O CHALLENGE id 143 len 31 from "RouterA"
> > *Mar 21 23:30:21: BR0/0:1 CHAP: I CHALLENGE id 229 len 31 from "RouterB"
> > ..*Mar 21 23:30:21: BR0/0:1 CHAP: Unable to authenticate for peer
> >
> >
> > Debug ppp authentication on Router B:
> > *May 14 07:46:25: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> > *May 14 07:46:25: BR3/1:1 PPP: Treating connection as a callin
> > *May 14 07:46:26: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> > *May 14 07:46:26: BR3/1:1 CHAP: O CHALLENGE id 217 len 31 from "RouterB"
> > *May 14 07:46:26: BR3/1:1 CHAP: I CHALLENGE id 136 len 31 from "RouterA"
> > *May 14 07:46:26: BR3/1:1 CHAP: Waiting for peer to authenticate first
> > *May 14 07:46:26: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to down
> > *May 14 07:46:27: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> > *May 14 07:46:27: BR3/1:1 PPP: Treating connection as a callin
> > *May 14 07:46:28: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> > *May 14 07:46:28: BR3/1:1 CHAP: O CHALLENGE id 218 len 31 from "RouterB"
> > *May 14 07:46:28: BR3/1:1 CHAP: I CHALLENGE id 62 len 31 from "RouterA"
> > *May 14 07:46:28: BR3/1:1 CHAP: Waiting for peer to authenticate first
> > *May 14 07:46:28: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to down
> > *May 14 07:46:29: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> > *May 14 07:46:29: BR3/1:1 PPP: Treating connection as a callin
> > *May 14 07:46:30: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> > *May 14 07:46:30: BR3/1:1 CHAP: O CHALLENGE id 219 len 31 from "RouterB"
> > *May 14 07:46:30: BR3/1:1 CHAP: I CHALLENGE id 137 len 31 from "RouterA"
>
> >
> >
> >
> > *****************************************************************
> > DISCLAIMER: The information contained in this e-mail may be confidential
> > and is intended solely for the use of the named addressee. Access, copying
> > or re-use of the e-mail or any information contained therein by any other
> > person is not authorized. If you are not the intended recipient please
> > notify us immediately by returning the e-mail to the originator.
> >
> > _________________________________
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
>
>
> --
> www.tasmail.com
>
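
Added example, not part of the original thread: a small Python parser for `debug ppp authentication` output like the traces quoted above, reporting per B-channel which inbound CHAP challenges never got an outbound RESPONSE. The sample log is constructed: the BR0/0:1 lines follow Router A's trace, and the BR0/0:2 exchange is an assumed healthy handshake added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: BR0/0:1 mirrors the failing trace in the thread,
# BR0/0:2 is an assumed successful CHAP exchange for comparison.
SAMPLE = '''\
*Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
*Mar 21 23:30:17: BR0/0:1 CHAP: O CHALLENGE id 142 len 31 from "RouterA"
*Mar 21 23:30:17: BR0/0:1 CHAP: I CHALLENGE id 227 len 31 from "RouterB"
*Mar 21 23:30:17: BR0/0:1 CHAP: Unable to authenticate for peer
*Mar 21 23:30:19: BR0/0:2 CHAP: O CHALLENGE id 66 len 31 from "RouterA"
*Mar 21 23:30:19: BR0/0:2 CHAP: I CHALLENGE id 228 len 31 from "RouterB"
*Mar 21 23:30:19: BR0/0:2 CHAP: O RESPONSE id 228 len 28 from "RouterA"
*Mar 21 23:30:19: BR0/0:2 CHAP: I SUCCESS id 228 len 4
'''

# One CHAP packet line: interface, direction (I/O), packet type, id, optional name.
PKT = re.compile(r'(?P<iface>\S+) CHAP: (?P<dir>[IO]) '
                 r'(?P<type>CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (?P<id>\d+)'
                 r'(?: len \d+)?(?: from "(?P<name>[^"]*)")?')
# Local error logged instead of sending a RESPONSE.
ERR = re.compile(r'(?P<iface>\S+) CHAP: Unable to authenticate for peer')


def analyse(log):
    """Return {iface: {'answered': [...], 'unanswered': [...], 'local_errors': n}}."""
    pending = {}  # (iface, challenge id) -> challenger name, until answered
    report = defaultdict(lambda: {"answered": [], "unanswered": [], "local_errors": 0})
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            key = (m["iface"], m["id"])
            if m["dir"] == "I" and m["type"] == "CHALLENGE":
                pending[key] = m["name"]
            elif m["dir"] == "O" and m["type"] == "RESPONSE" and key in pending:
                # A RESPONSE carries the id of the CHALLENGE it answers.
                report[m["iface"]]["answered"].append(pending.pop(key))
            continue
        m = ERR.search(line)
        if m:
            report[m["iface"]]["local_errors"] += 1
    for (iface, _), name in pending.items():
        report[iface]["unanswered"].append(name)
    return dict(report)


if __name__ == "__main__":
    for iface, r in sorted(analyse(SAMPLE).items()):
        print(iface, r)
```

An entry with a non-empty `unanswered` list and a `local_errors` count means the local router received the peer's challenge but logged an error instead of replying, which is the pattern in Router A's trace.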