Remote Access using RSA ACE

imran.bhatti
Level 1

Please can anyone help me with getting a Windows dialup user access to internal resources once authentication to the RSA ACE server has been successful.

I have setup AAA authentication & authorization.

I can get the user to authenticate to the RSA ACE server, but after authentication I cannot get authorization to work, even though it has been configured in the list. See below:

! Global AAA method lists. The named list ACE is referenced below
! from the async interface and from the modem lines.
aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
! 'if-needed': skip PPP authentication when the user has already
! authenticated on the TTY (through the line's login list).
aaa authentication ppp ACE if-needed
! Network authorization list used by 'ppp authorization ACE'.
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+
!
interface Group-Async1
 description ** modem lines **
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 ip route-cache policy
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 autodetect encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ! PPP on the modem lines uses the ACE lists defined above.
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
 group-range 1/0 1/7
!
line 1/0 1/7
 ! Interactive (non-PPP) logins on the modem lines use the ACE login list.
 login authentication ACE
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 flowcontrol hardware

The debug message I get is as follows:

AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author

The username/password window on the client PC just sits there and then times out...

Any help is welcome


lgijssel
Level 9

Under the group Async you have:

interface Group-Async1
 ppp authorization ACE

This line is normally not needed, and I presume it is the cause of your trouble because there is no corresponding line in the aaa section. This sample is from a working configuration:

interface Group-Async1
 bandwidth 56
 ip unnumbered Loopback1
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 300
 dialer enable-timeout 8
 dialer-group 1
 async mode interactive
 peer default ip address pool ippool
 no keepalive
 ! No list name on 'ppp authentication' and no 'ppp authorization'
 ! line, so PPP uses the default method lists.
 ppp authentication chap pap
 group-range 65 76

regards,

Leo
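A check for the kind of mismatch discussed above, as an added example that is not part of the original thread and not Cisco's own tooling: a small Python script that cross-references every 'ppp authentication', 'ppp authorization' and 'login authentication' reference in a configuration against the 'aaa' lines that define the named method lists, and also reports lists that end in 'none' or consist only of 'if-needed'. The parsing rules are a simplified reading of IOS syntax (an assumption of this example, not a full parser), and the sample configuration is constructed from the lines posted in the question.

```python
"""Cross-check Cisco IOS AAA method lists in a configuration.

Added example for this thread, not code from the original post or from Cisco.
Every 'ppp authentication', 'ppp authorization' and 'login authentication'
reference must name a list defined by a matching 'aaa ...' command, and lists
ending in permissive methods are reported. The regexes below are a deliberate
simplification of IOS syntax (assumption), sufficient for the three commands
checked here.
"""
import re
from collections import defaultdict

# Interface/line command  ->  (aaa kind, aaa service) that must define the list.
REFERENCES = {
    ("ppp", "authentication"): ("authentication", "ppp"),
    ("ppp", "authorization"): ("authorization", "network"),
    ("login", "authentication"): ("authentication", "login"),
}
# Tokens on 'ppp authentication' that are protocols or options, not a list name.
PPP_AUTH_OPTIONS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap",
                    "callin", "one-time", "optional"}

AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")


def parse_aaa_lists(config):
    """Return {(kind, service): {list_name: [method, ...]}} from 'aaa' lines."""
    lists = defaultdict(dict)
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if m:
            kind, service, name, methods = m.groups()
            lists[(kind, service)][name] = methods.split()
    return lists


def find_references(config):
    """Yield (kind, service, list_name, source_line) for each list reference."""
    for raw in config.splitlines():
        toks = raw.strip().split()
        if len(toks) < 2 or (toks[0], toks[1]) not in REFERENCES:
            continue
        kind, service = REFERENCES[(toks[0], toks[1])]
        rest = [t for t in toks[2:] if t not in PPP_AUTH_OPTIONS]
        # A trailing non-option token is the named list; otherwise 'default'.
        yield kind, service, (rest[-1] if rest else "default"), " ".join(toks)


def audit(config):
    """Return findings as (code, detail) tuples; an empty list means clean."""
    lists = parse_aaa_lists(config)
    findings = []
    for kind, service, name, src in find_references(config):
        methods = lists.get((kind, service), {}).get(name)
        if methods is None:
            findings.append(("UNDEFINED",
                             f"'{src}' needs 'aaa {kind} {service} {name} ...'"))
            continue
        if methods[-1] == "none":
            findings.append(("PERMISSIVE",
                             f"aaa {kind} {service} {name}: ends in 'none', so "
                             f"when the methods before it cannot answer (e.g. the "
                             f"AAA server is unreachable) the request is granted "
                             f"with no check"))
        if methods == ["if-needed"]:
            findings.append(("NO_METHOD",
                             f"aaa {kind} {service} {name}: 'if-needed' is the "
                             f"only method; no server is listed for a PPP peer "
                             f"that did not already authenticate on the TTY"))
    return findings


# Constructed from the configuration posted in this thread (sample input).
POSTED_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+
interface Group-Async1
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
line 1/0 1/7
 login authentication ACE
"""

if __name__ == "__main__":
    for code, detail in audit(POSTED_CONFIG):
        print(f"{code}: {detail}")
```

Run it against a saved 'show running-config'; each finding is printed on its own line with a code (UNDEFINED, PERMISSIVE or NO_METHOD) followed by the list it concerns. On the posted configuration it reports the PPP list that has only 'if-needed' and the network authorization list that ends in 'none'.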

Leo,

Thanks for your reply

I have removed this line, but I still get the debug message posted earlier.

You can also try this:

aaa authentication ppp ACE group radius local

Otherwise, please post the output of 'debug ppp neg'

regards,

Leo

Tried this, but there is no output for 'debug ppp neg'.

Once the login is authenticated I want to give my users full access, hence PPP is set up as if-needed.

The RADIUS server is an ACE box; it checks the AD credentials and, if they exist, returns an accept message back to the client.

But I have now noticed that PPP isn't doing anything, which is a concern...

PPP is required here to make a connection, so there must be debug output. Did you enable logging to your vty session using 'term mon'?

You will not get any debug info without it.

regards,

Leo

All my debug information is logged to the internal buffer, so there is no need to enable term mon, as this just gets messy.

Any other suggestions welcome.
