Logging for remote dialup users

dclee
Level 1

We currently have a 3725 router that controls our remote dialup service. It is only used by a few remote users that do not have internet access. They currently authenticate via radius against our AD.

Is there a way on the router to look at all incoming calls that were made?

Also is there a way to generate a syslog event for each dialup user that connects in?

Any help would be appreciated.

Cheers

Dave


kerek
Level 4

Hello,

If you use Radius for authentication it can be wise to use the accounting of that too. So you can see who and when connected to the router through ppp. Furthermore you can also log the amount of traffic generated by the particular user.

Hope it helps,

Krisztian

Well this is what I am asking. How can I configure the router to show me these kinds of logs?

Cheers

Dave

Hello,

Add the following:

aaa accounting network default start-stop group radius

aaa accounting resource default start-stop group radius

Hope it helps, rate if it does

Krisztian

imran.bhatti
Level 1

Hi

You say you are using 3725 router for remote dialup service, please can you confirm what radius server you are using...as I am interested in setting this up for my users.

We want to use RSA ACE server then get users to login to AD to access internal resources.

Any configuration help would be good.

Imran

I have configured routers to support remote dialup service and to authenticate users with RSA tokens. Part of the difficulty in this is that there is not a protocol that works for authentication directly from the Cisco router to the RSA ACE server. What I have done is to configure the Cisco router to do aaa authentication with either Radius or TACACS and to have the Radius or TACACS server then send the authentication request to RSA ACE. I have done it with both Radius and with TACACS and they both work fine.

HTH

Rick

Hi

I can get the authentication part to work no problem from a Cisco router to the RSA ACE server.

Once I type in my AD username/passcode (pin+tokencode) I get authenticated by ACE but then the client dialup windows showing username/password just sits there....router then drops the async connection.

I did however note that I get no PPP communication between client and the router which does concern me...

I can show you my configuration just to compare what you have got to work. Maybe the only way to get this to work is to use another server in between router and ACE.

Regards

Imran

Imran

When you say that authentication works no problem, does that mean that you see logs on the RSA ACE server that show the authentication request and show that it was authenticated? Can you confirm successful authentication with the output of debug aaa authentication?

And do I understand correctly that you have this working correctly directly from the router to the RSA ACE server? I would be interested in seeing how you got this to work.

So posting your config might be helpful in seeing how you got the authentication to work and in seeing why the PPP communication is not successful.

HTH

Rick

Yes, the user can successfully be authenticated to the ACE server...

see below debug aaa authentication

017497: Dec 21 14:08:54.188: RADIUS/ENCODE: Best Local IP-Address 10.160.144.11 for Radius-Server 10.160.75.160

017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100

017499: Dec 21 14:08:54.188: RADIUS: authenticator 33 61 55 2A 29 59 46 3D - 02 DF 28 D3 37 B0 B0 AA

017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"

017501: Dec 21 14:08:54.188: RADIUS: User-Password [2] 18 *

017502: Dec 21 14:08:54.188: RADIUS: NAS-Port [5] 6 66

017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"

017504: Dec 21 14:08:54.188: RADIUS: NAS-Port-Type [61] 6 Async [0]

017505: Dec 21 14:08:54.188: RADIUS: Calling-Station-Id [31] 7 "async"

017506: Dec 21 14:08:54.188: RADIUS: Connect-Info [77] 20 "33600 V34/V44/LAPM"

017507: Dec 21 14:08:54.188: RADIUS: NAS-IP-Address [4] 6 10.160.144.11

017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50

017509: Dec 21 14:09:04.208: RADIUS: authenticator AC C7 DC A2 AB F1 69 AD - 69 BE 4B 7F 9F 3C A4 8C

017510: Dec 21 14:09:04.208: RADIUS: Reply-Message [18] 21

017511: Dec 21 14:09:04.208: RADIUS: 50 41 53 53 43 4F 44 45 20 41 63 63 65 70 74 65 [PASSCODE Accepte]

017512: Dec 21 14:09:04.208: RADIUS: 64 0D 0A [d??]

017513: Dec 21 14:09:04.208: RADIUS: User-Name [1] 9 "bhattii"

017514: Dec 21 14:09:04.208: RADIUS(000000C0): Received from id 1645/82

Imran

The debug output does show successful authentication using the Radius protocol.

If the PPP session does not establish perhaps you can post the appropriate parts of the config?

HTH

Rick
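
Added example, not part of any post in this thread: a small Python parser for IOS RADIUS debug output like the excerpt posted above. It pairs each Access-Request with its reply by the `id` field, reassembles the hex-dumped Reply-Message, and reports the time between request and reply; the function names are assumptions of this example, and the sample lines are copied from the thread.

```python
import re
from datetime import datetime

# Excerpt of the debug output posted in the thread above.
SAMPLE = """\
017498: Dec 21 14:08:54.188: RADIUS(000000C0): Send Access-Request to 10.160.75.160:1645 id 1645/82, len 100
017500: Dec 21 14:08:54.188: RADIUS: User-Name [1] 9 "bhattii"
017503: Dec 21 14:08:54.188: RADIUS: NAS-Port-Id [87] 8 "tty1/0"
017506: Dec 21 14:08:54.188: RADIUS: Connect-Info [77] 20 "33600 V34/V44/LAPM"
017508: Dec 21 14:09:04.208: RADIUS: Received from id 1645/82 10.160.75.160:1645, Access-Accept, len 50
017511: Dec 21 14:09:04.208: RADIUS: 50 41 53 53 43 4F 44 45 20 41 63 63 65 70 74 65 [PASSCODE Accepte]
017512: Dec 21 14:09:04.208: RADIUS: 64 0D 0A [d??]
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+): RADIUS(?:\(\w+\))?:\s*(.*)$")
SEND = re.compile(r"Send (\S+) to (\S+) id (\S+),")
RECV = re.compile(r"Received from id (\S+) (\S+), ([\w-]+),")
ATTR = re.compile(r'^([A-Za-z][\w-]+)\s+\[\d+\]\s+\d+\s+"(.*)"')
HEX = re.compile(r"^((?:[0-9A-F]{2} )+)")   # hex dump of a binary attribute

def parse(text):
    """Group debug lines into one record per RADIUS exchange, keyed by id."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        body = m.group(2)
        if s := SEND.search(body):            # request leaving the router
            cur = sessions.setdefault(
                s.group(3), {"sent": ts, "attrs": {}, "reply": b""})
        elif r := RECV.search(body):          # reply matched to its request
            cur = sessions.get(r.group(1))
            if cur:
                cur["result"] = r.group(3)
                cur["delay_s"] = (ts - cur["sent"]).total_seconds()
        elif cur and (a := ATTR.match(body)):  # quoted string attribute
            cur["attrs"].setdefault(a.group(1), a.group(2))
        elif cur and (h := HEX.match(body)):   # Reply-Message bytes
            cur["reply"] += bytes.fromhex(h.group(1))
    return sessions

def summarize(text):
    """One row per exchange: who, which line, outcome, server response time."""
    return [{"user": s["attrs"].get("User-Name"),
             "line": s["attrs"].get("NAS-Port-Id"),
             "result": s.get("result", "no reply"),
             "delay_s": s.get("delay_s"),
             "reply": s["reply"].decode("ascii", "replace").strip()}
            for s in parse(text).values()]
```

Calling `summarize(SAMPLE)` returns one row per login attempt, which can be forwarded to syslog or a SIEM alongside the RADIUS accounting records.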
