Remote Access using RSA ACE

Unanswered Question

Can anyone please help me with getting a Windows dial-up user access to internal resources once authentication to the RSA ACE server has been successful.

I have setup AAA authentication & authorization.

I can get the user to authenticate to the RSA ACE server, but after authentication I cannot get authorization to work, although it has been configured in the list. See below:

aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+

interface Group-Async1
 description ** modem lines **
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 ip route-cache policy
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 autodetect encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
 group-range 1/0 1/7

line 1/0 1/7
 login authentication ACE
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 flowcontrol hardware

The debug message I get is as follows:

AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author

The username/password window on the client PC just sits there and then times out...

Any help is welcome

lgijssel Wed, 12/19/2007 - 03:47

Under the group Async you have:

interface Group-Async1
 ppp authorization ACE

This line is normally not needed and I presume it is the cause of your trouble because there is no corresponding line in the aaa-section. This sample is from a working configuration:

interface Group-Async1
 bandwidth 56
 ip unnumbered Loopback1
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 300
 dialer enable-timeout 8
 dialer-group 1
 async mode interactive
 peer default ip address pool ippool
 no keepalive
 ppp authentication chap pap
 group-range 65 76
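The reply above boils down to one check: every named method list that an interface or line refers to must have a matching line in the aaa section, and the methods in that chain should actually be able to verify something. The script below is an added example (not from this thread and not a Cisco tool) that applies that check to an IOS configuration. It assumes the configuration is indented the way IOS prints it (sub-commands start with a space), recognises only the three list-bearing sub-commands used in this thread ('ppp authentication', 'ppp authorization', 'login authentication'), and the sample configuration embedded in it is constructed from the one posted in the question. Besides dangling references it flags two weak chains a practitioner would want to know about: a chain containing 'none', and an authentication chain with no server group or local method in it.

```python
"""Cross-check named AAA method lists in a Cisco IOS configuration.

Added example: finds interface/line sub-commands that refer to a named
method list, reports references with no matching 'aaa ...' definition,
and flags weak chains ('none', or an authentication list that never
consults a server group or the local database).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the configuration posted in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+
!
interface Group-Async1
 encapsulation ppp
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
 group-range 1/0 1/7
!
line 1/0 1/7
 login authentication ACE
 autoselect ppp
"""

PPP_PROTOCOLS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap"}
PPP_OPTIONS = {"callin", "callout", "one-time", "optional"}
# Methods that consult a server group, a local database or a configured password.
DATABASE_METHODS = {"local", "local-case", "enable", "line", "krb5"}

AAA_DEF = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+)(?: (.*))?$")
ListKey = Tuple[str, str, str]  # (service, type, list name)


def parse_method_lists(config: str) -> Dict[ListKey, List[str]]:
    """Map every 'aaa authentication|authorization <type> <name> ...' to its method chain."""
    lists: Dict[ListKey, List[str]] = {}
    for raw in config.splitlines():
        m = AAA_DEF.match(raw.strip())
        if m:
            service, kind, name, methods = m.groups()
            lists[(service, kind, name)] = (methods or "").split()
    return lists


def find_references(config: str) -> List[Tuple[str, ListKey]]:
    """Return (context, key) for each sub-command that names a method list."""
    refs: List[Tuple[str, ListKey]] = []
    context = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command: new context
            context = raw.strip()
            continue
        words = raw.split()
        if words[:2] == ["ppp", "authentication"]:
            # 'ppp authentication <protocols...> [callin|optional ...] [list]'
            # a trailing word that is neither a protocol nor an option is the list name
            tail = [w for w in words[2:] if w not in PPP_PROTOCOLS | PPP_OPTIONS]
            if tail:
                refs.append((context, ("authentication", "ppp", tail[-1])))
        elif words[:2] == ["ppp", "authorization"] and len(words) == 3:
            refs.append((context, ("authorization", "network", words[2])))
        elif words[:2] == ["login", "authentication"] and len(words) == 3:
            refs.append((context, ("authentication", "login", words[2])))
    return refs


def consults_database(methods: List[str]) -> bool:
    """True if the chain can actually verify a credential somewhere."""
    return any(m == "group" or m in DATABASE_METHODS for m in methods)


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every reference resolves cleanly."""
    lists = parse_method_lists(config)
    findings: List[str] = []
    checked: Set[ListKey] = set()
    for context, key in find_references(config):
        service, kind, name = key
        label = f"aaa {service} {kind} {name}"
        if key not in lists:
            findings.append(f"{context}: refers to list '{name}' but no '{label} ...' is defined")
            continue
        if key in checked:                   # report each defined list once
            continue
        checked.add(key)
        methods = lists[key]
        if "none" in methods:
            findings.append(f"{label}: chain contains 'none', which succeeds without any check once reached")
        if service == "authentication" and not consults_database(methods):
            findings.append(f"{label}: no server group or local method in chain "
                            f"({' '.join(methods) or 'empty'}); nothing can verify the user")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports two findings: the 'aaa authorization network ACE' chain ends in 'none', and 'aaa authentication ppp ACE' has only 'if-needed' in it, which is exactly the line the second reply suggests extending with 'group radius local'. On a configuration where an interface names a list that has no aaa line at all, the script reports the dangling reference with the interface it sits under, which is the mismatch to look for when IOS logs 'Method list ... not configured'.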



lgijssel Wed, 12/19/2007 - 04:27

You can also try this:

aaa authentication ppp ACE group radius local

Otherwise, please post the output of 'debug ppp neg'



Tried this, but there was no output from 'deb ppp neg'.

Once login is authenticated I want to give my users full access, hence PPP is set up as if-needed.

The RADIUS server is an ACE box; it checks the AD credentials and, if they exist, returns an accept message back to the client.

But I have now noticed that PPP isn't doing anything, which is a concern...

lgijssel Wed, 12/19/2007 - 06:22

PPP is required here to make a connection, so there must be debug output. Did you enable logging to your vty session using 'term mon'?

You will not get any debug info without it.



