Remote Access using RSA ACE

Unanswered Question

Please can anyone help me regarding getting a Windows dialup user to get access to internal resources once authentication to the RSA ACE server has been successful.

I have setup AAA authentication & authorization.

I can get the user to authenticate to the RSA ACE server, but after authentication I cannot get authorization to work, even though it has been configured in the list. See below:

aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+

interface Group-Async1
 description ** modem lines **
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 ip route-cache policy
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 autodetect encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
 group-range 1/0 1/7

line 1/0 1/7
 login authentication ACE
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 flowcontrol hardware

The debug message I get is as follows:

AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author

The username/password window on the client PC just sits there and then times out...

Any help is welcome

lgijssel Wed, 12/19/2007 - 03:47

Under the Group-Async interface you have:

interface Group-Async1
 ppp authorization ACE

This line is normally not needed, and I presume it is the cause of your trouble because there is no corresponding line in the aaa section. This sample is from a working configuration:

interface Group-Async1
 bandwidth 56
 ip unnumbered Loopback1
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 300
 dialer enable-timeout 8
 dialer-group 1
 async mode interactive
 peer default ip address pool ippool
 no keepalive
 ppp authentication chap pap
 group-range 65 76

regards,

Leo

lgijssel Wed, 12/19/2007 - 04:27

You can also try this:

aaa authentication ppp ACE group radius local

Otherwise, please post the output of 'debug ppp neg'

regards,

Leo

Tried this, but no output for 'deb ppp neg'.

Once login is authenticated I want to give my users full access, hence PPP is set up as if-needed.

The RADIUS server is an ACE box and it checks the AD credentials; if they exist, then it returns an accept message back to the client.

But I have now noticed that PPP is doing anything, which is a concern...

lgijssel Wed, 12/19/2007 - 06:22

PPP is required here to make a connection, so there must be debug output. Did you enable logging to your VTY session using 'term mon'?

You will not get any debug info without it.

regards,

Leo
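The recurring problem in this thread is a method list named on an interface or line that does not match what the aaa section defines for that service, plus two settings in the posted config that deserve a second look (a PPP authentication list whose only method is if-needed, and an authorization list containing none). The following linter is an added example, not Cisco tooling and not code from anyone in the thread: it parses an IOS running-config excerpt, records the method lists defined per service, and reports dangling references and those two weak settings. The POSTED_CONFIG is taken from the question; REVISED_CONFIG is a constructed variant that applies the 'group radius local' suggestion from the reply, drops 'none', and deliberately mistypes one list name (ACE1, hypothetical) so the dangling-reference check has something to report.

```python
"""Lint a Cisco IOS AAA configuration for method-list problems.

Added example for the thread above (not Cisco code and not the poster's own
tooling).  It reads a running-config excerpt, records which AAA method lists
are defined for each service, and checks that every 'login authentication',
'ppp authentication' and 'ppp authorization' reference names a list that
exists.  It also flags an authorization list containing 'none' (no
authorization check once that method is reached) and a PPP authentication
list whose only method is 'if-needed' (nothing to run when the user was not
already authenticated on the line).
"""

PPP_PROTOCOLS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap"}
PPP_KEYWORDS = {"if-needed", "callin", "one-time", "optional"}


def _methods(tokens):
    """Join 'group <server-group>' pairs so each method is one string."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_aaa_config(text):
    """Return ({(service, list): [methods]}, [(service, list, section)])."""
    defined, referenced = {}, []
    section = "global"
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            continue
        if toks[0] in ("interface", "line"):
            section = " ".join(toks)  # sub-commands below belong to this section
            continue
        if toks[0] == "aaa" and len(toks) >= 4 and toks[1] in ("authentication", "authorization"):
            # aaa authentication <login|ppp|enable> <list> <methods...>
            # aaa authorization <network|exec|commands <level>> <list> <methods...>
            if toks[1] == "authorization" and toks[2] == "commands":
                service, rest = "authorization commands " + toks[3], toks[4:]
            else:
                service, rest = toks[1] + " " + toks[2], toks[3:]
            if rest:
                defined[(service, rest[0])] = _methods(rest[1:])
        elif toks[:2] == ["login", "authentication"] and len(toks) == 3:
            referenced.append(("authentication login", toks[2], section))
        elif toks[:2] == ["ppp", "authentication"]:
            # ppp authentication <protocol>... [if-needed] [list-name] [callin] ...
            names = [t for t in toks[2:] if t not in PPP_PROTOCOLS and t not in PPP_KEYWORDS]
            if names:  # no name means the 'default' list; not checked here
                referenced.append(("authentication ppp", names[0], section))
        elif toks[:2] == ["ppp", "authorization"] and len(toks) == 3:
            referenced.append(("authorization network", toks[2], section))
    return defined, referenced


def lint_aaa(text):
    """Return a list of human-readable findings for the config text."""
    defined, referenced = parse_aaa_config(text)
    findings = []
    for service, name, section in referenced:
        if (service, name) not in defined:
            findings.append(f"{section}: '{name}' is not a defined '{service}' list")
    for (service, name), methods in defined.items():
        if service.startswith("authorization") and "none" in methods:
            findings.append(f"aaa {service} {name}: contains 'none' (no authorization check once that method is reached)")
        if service == "authentication ppp" and methods == ["if-needed"]:
            findings.append(f"aaa {service} {name}: 'if-needed' is the only method; add a real method such as 'group radius local'")
    return findings


# The AAA-relevant lines from the question, as posted in the thread.
POSTED_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
interface Group-Async1
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
line 1/0 1/7
 login authentication ACE
"""

# Constructed variant: the PPP list gets the methods suggested in the reply,
# 'none' is dropped from the authorization list, and one reference is mistyped
# ('ACE1', hypothetical) to show what a dangling method-list reference looks like.
REVISED_CONFIG = POSTED_CONFIG.replace(
    "aaa authentication ppp ACE if-needed", "aaa authentication ppp ACE group radius local"
).replace(
    "if-authenticated none", "if-authenticated"
).replace(
    " ppp authorization ACE", " ppp authorization ACE1"
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("revised", REVISED_CONFIG)):
        print(f"--- {label} ---")
        for finding in lint_aaa(cfg) or ["no findings"]:
            print(finding)
```

Run it against a 'show running-config' capture before touching the AAA lines; a reference the linter reports as undefined is the kind of mismatch that shows up at run time as "Method list ... not configured". The 'none' and 'if-needed' findings are advisories, not errors: both are valid IOS syntax, but each means a stage where no server is consulted, so confirm that is what you want on a dial-in interface.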
