wdrootz Tue, 10/16/2007 - 06:55

Before you configure SSG, you have to verify the following:

SSD, SSG, and Authentication, Authorization, and Accounting (AAA) are all running, and all network entities can ping one another.

The remote user can ping any host in the default network (SSG, SSD, AAA) before logging on to the SSD server.

The remote client cannot ping the remote service destination network.

After all the SSG commands are configured, you must verify that the next hop table for the user's services has been successfully downloaded. Issue the show ssg binding command.

show ssg binding

show ssg next-hop

show ssg direction

ranilgamage Fri, 12/14/2007 - 05:28

Hi Stephan,

Were you able to get any updates on this?

I'm also in need of some information about the SSG functionality on a c2811 with c2800nm-adventerprisek9-mz.124-3f.bin.

Thanks,

Ranil

stephan.ochs Fri, 12/14/2007 - 06:06

Hi Ranil

Yes, meanwhile it works. I found it out myself. The main problem is that I configured too much.

Radius Proxy is a very small configuration. If you configure one SSG option too much, it doesn't work any more.

The second problem I stepped in was that I tried to work with "aaa group server" for the Radius servers. SSG Radius Proxy can't work with it. I don't know why, but you have to configure them as global Radius proxies on the Router.

Here are my configuration snippets:

=============================
=== global configurations ===
=============================
aaa new-model
ip cef
ssg enable
ip radius source-interface FastEthernet0/1
radius-server host 172.20.10.10 auth-port 1812 acct-port 1813 key xyz

=============================
=== radius clients that send requests to the SSG, one "client-address..." entry for each ===
=============================
ssg radius-proxy
server-port auth 1812 acct 1813
client-address 10.10.10.10
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.11
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.12
key abcdefg
session-identifier username
no host-route insert
.
.
.

=============================
=== interface configuration(s) ===
=============================
interface FastEthernet0/0
no ip address
shutdown
duplex full
speed 100
!
interface FastEthernet0/1
description *** Radius-Proxy ***
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
ssg direction downlink

Greetings

Stephan
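An added example, not part of the thread: a small offline check for the pitfall Stephan reports, flagging an SSG RADIUS proxy configuration whose servers sit in an "aaa group server" block, that lacks a global "radius-server host" line, or whose client stanzas have no key. The function name and the group name SSG-SERVERS are assumptions made for illustration, and the check assumes the proxy block ends at the first "interface" line, as in the snippets above.

```python
import re

# Constructed sample reproducing the pitfall from the post: RADIUS server
# in an "aaa group server" block, plus one client stanza missing its key.
SAMPLE_BROKEN = """\
ssg enable
aaa group server radius SSG-SERVERS
 server 172.20.10.10 auth-port 1812 acct-port 1813
ssg radius-proxy
 client-address 10.10.10.10
  key abcdefg
 !
 client-address 10.10.10.11
  session-identifier username
interface FastEthernet0/1
 ssg direction downlink
"""

# Same layout as the working snippets in the post (shortened).
SAMPLE_WORKING = """\
radius-server host 172.20.10.10 auth-port 1812 acct-port 1813 key xyz
ssg radius-proxy
 client-address 10.10.10.10
  key abcdefg
"""

def lint_ssg_radius_proxy(config: str) -> list[str]:
    """Return findings for a config that contains 'ssg radius-proxy'."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "ssg radius-proxy" not in lines:
        return []
    findings = []
    if any(ln.startswith("aaa group server radius") for ln in lines):
        findings.append("servers in 'aaa group server radius'")
    if not any(ln.startswith("radius-server host ") for ln in lines):
        findings.append("no global 'radius-server host'")
    has_key = {}    # client IP -> True once its 'key' line is seen
    current = None
    for ln in lines[lines.index("ssg radius-proxy") + 1:]:
        if ln.startswith("interface "):   # assumed end of the proxy block
            break
        m = re.fullmatch(r"client-address (\S+)", ln)
        if m:
            current = m.group(1)
            has_key[current] = False
        elif ln.startswith("key ") and current:
            has_key[current] = True
    findings += [f"client {ip} has no key" for ip, ok in has_key.items() if not ok]
    return findings
```

Calling `lint_ssg_radius_proxy()` on a saved copy of the running configuration returns an empty list when none of the three conditions is present.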
