Logging for remote dialup users


We currently have a 3725 router that controls our remote dialup service. It is only used by a few remote users that do not have internet access. They currently authenticate via RADIUS against our AD.

Is there a way on the router to look at all incoming calls that were made?

Also, is there a way to generate a syslog event for each dialup user that connects in?

Any help would be appreciated.

Cheers

Dave

Richard Burts Thu, 12/20/2007 - 06:05

Imran

I have configured routers to support remote dialup service and to authenticate users with RSA tokens. Part of the difficulty in this is that there is not a protocol that works for authentication directly from the Cisco router to the RSA ACE server. What I have done is to configure the Cisco router to do aaa authentication with either Radius or TACACS and to have the Radius or TACACS server then send the authentication request to RSA ACE. I have done it with both Radius and with TACACS and they both work fine.

HTH

Rick

Hi

I can get the authentication part to work no problem from a Cisco router to the RSA ACE server.

Once I type in my AD username/passcode (pin+tokencode) I get authenticated by ACE, but then the client dialup window showing username/password just sits there... the router then drops the async connection.

I did however note that I get no PPP communication between client and the router, which does concern me...

I can show you my configuration just to compare what you have got to work. Maybe the only way to get this to work is to use another server in between router and ACE.

Regards

Imran

Richard Burts Fri, 12/21/2007 - 06:01

Imran

When you say that authentication works no problem, does that mean that you see logs on the RSA ACE server that show the authentication request and show that it was authenticated? Can you confirm successful authentication with the output of debug aaa authentication?

And do I understand correctly that you have this working correctly directly from the router to the RSA ACE server? I would be interested in seeing how you got this to work.

So posting your config might be helpful in seeing how you got the authentication to work and in seeing why the PPP communication is not successful.

HTH

Rick

Yes, the user can successfully be authenticated to the ACE server...

See below debug aaa authentication:

017497: Dec 21 14:08:54.188: RADIUS/ENCODE: Best Local IP-Address 10.160.144.11 for Radius-Server 10.160.75.160

017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100

017499: Dec 21 14:08:54.188: RADIUS: authenticator 33 61 55 2A 29 59 46 3D - 02 DF 28 D3 37 B0 B0 AA

017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"

017501: Dec 21 14:08:54.188: RADIUS: User-Password [2] 18 *

017502: Dec 21 14:08:54.188: RADIUS: NAS-Port [5] 6 66

017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"

017504: Dec 21 14:08:54.188: RADIUS: NAS-Port-Type [61] 6 Async [0]

017505: Dec 21 14:08:54.188: RADIUS: Calling-Station-Id [31] 7 "async"

017506: Dec 21 14:08:54.188: RADIUS: Connect-Info [77] 20 "33600 V34/V44/LAPM"

017507: Dec 21 14:08:54.188: RADIUS: NAS-IP-Address [4] 6 10.160.144.11

017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50

017509: Dec 21 14:09:04.208: RADIUS: authenticator AC C7 DC A2 AB F1 69 AD - 69 BE 4B 7F 9F 3C A4 8C

017510: Dec 21 14:09:04.208: RADIUS: Reply-Message [18] 21

017511: Dec 21 14:09:04.208: RADIUS: 50 41 53 53 43 4F 44 45 20 41 63 63 65 70 74 65 [PASSCODE Accepte]

017512: Dec 21 14:09:04.208: RADIUS: 64 0D 0A [d??]

017513: Dec 21 14:09:04.208: RADIUS: User-Name [1] 9 "bhattii"

017514: Dec 21 14:09:04.208: RADIUS(000000C0): Received from id 1645/82
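
An added example, not part of the original thread: a Python parser that pairs the Access-Request and reply lines in RADIUS debug output like the one posted above (matched on the RADIUS id) and produces one record per login attempt, including requests that never got a reply. The function names and the output line format are assumptions made for this example; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the post above (subset used for pairing).
SAMPLE = """\
017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100
017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"
017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"
017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50
017513: Dec 21 14:09:04.208: RADIUS: User-Name [1] 9 "bhattii"
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+): RADIUS(?:\(\w+\))?:\s+(.*)$")
SEND = re.compile(r"Send Access-Request to ([\d.]+):\d+ id (\S+), len \d+")
RECV = re.compile(r"Received from id (\S+) [\d.]+:\d+, (Access-\w+), len \d+")
ATTR = re.compile(r'^([A-Za-z-]+)\s+\[\d+\]\s+\d+\s+"([^"]*)"')

def parse_ts(text):
    # The debug timestamp has no year; 2000 is a placeholder, only differences are used.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def correlate(text):
    """Return one dict per Access-Request, paired with its reply by RADIUS id."""
    pending, events, current = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        if (s := SEND.search(body)):
            current = pending[s.group(2)] = {"server": s.group(1), "sent": ts}
        elif (r := RECV.search(body)):
            req, current = pending.pop(r.group(1), None), None
            if req:  # reply matches a request we saw
                req["result"] = r.group(2)
                req["seconds"] = round((ts - req.pop("sent")).total_seconds(), 3)
                events.append(req)
        elif current is not None and (a := ATTR.match(body)):
            current.setdefault(a.group(1), a.group(2))  # attributes of the open request
    for req in pending.values():  # requests with no reply in the capture
        req.pop("sent")
        events.append({**req, "result": "no-reply", "seconds": None})
    return events

def to_log_line(ev):
    return "radius-auth user={} port={} server={} result={} rtt={}s".format(
        ev.get("User-Name", "?"), ev.get("NAS-Port-Id", "?"),
        ev["server"], ev["result"], ev["seconds"])

if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(to_log_line(event))
```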

Richard Burts Fri, 12/21/2007 - 10:57

Imran

The debug output does show successful authentication using the Radius protocol.

If the PPP session does not establish perhaps you can post the appropriate parts of the config?

HTH

Rick
