
Dual authentication on AS5400

harry.clauss
Level 1

I just installed an AS5400 and want to configure it so remote users can dial in. For authentication, we need to use a RADIUS server for the dial-in users and TACACS to administer the device. However, when I configured the device, it would only accept the TACACS for authentication no matter how I got into it. Is there some way to configure it so that anyone who dials in on an ASYNC line is authenticated with RADIUS and to use TACACS to administer the device?


8 Replies

amritpatek
Level 6

You can use the "aaa dnis map" feature and map the number that requires authentication to a RADIUS server.

aaa authen ppp authen group require_auth
aaa group server radius require_auth
 server x.x.x.x
aaa dnis map 1234 authen ppp group require_auth
radius-server host x.x.x.x key cisco
int group-async 0
 ppp authen pap chap require_auth
int group-async 1
 (don't specify any ppp authentication)

This will authenticate all the users dialing 1234 using RADIUS; the rest of them will land on an interface that has no PPP authentication.

For this to work you have to identify which D channel is associated with the DNIS for which authentication is required and which one with the DNIS for which no authentication is needed.

Harry

My understanding of your requirements is apparently different from Amrit's. It is my understanding that you want any user who dials into the router to authenticate via Radius and that you want any user who connects via telnet or SSH to authenticate with TACACS.

I configured a router to do pretty much what you are describing. I configured aaa authenticate login default and aaa authenticate ppp to authenticate via Radius with the Radius server(s) that were configured. Then I configured an authentication method called admin. I configured the console and the vty lines with:

login authentication admin

and I configured:

aaa authentication login admin group tacacs+

to authenticate with the configured TACACS server(s). It works well for me and if you try it I believe that it will work well for you (assuming that I have a correct understanding of your requirements).

HTH

Rick


That is correct. All dial-in users should authenticate to the RADIUS and all admins to the TACACS server. We opened a case and someone found out that there is an issue with PPP not being recognized properly and thus the reason that no one is authenticating properly. So it looks like I don't really have an authentication issue, just a dial-in issue.

Harry

Do they think that it is a version issue or something else? I have it working (and working well) authenticating dial in users via Radius and administrative users via TACACS. So it can be done.

HTH

Rick


What version of code are you running? We are running c5400-jk9s-mz.124-19.bin. Can you post your config by any chance?

Harry

We are currently running c5350-ik9s-mz.124-10b.bin. It has run on a couple of releases earlier than this.

Here are the pertinent parts of my config (a few things disguised to protect my customer). I hope it is helpful. If you want to ask questions I will be glad to talk about my experience with it. If it does not show you what you need then perhaps you could post your config.

!
aaa group server tacacs+ admin_TAC
 server 172.16.24.20
!
aaa group server radius user_radius
 server 172.16.157.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group user_radius local
aaa authentication login admin group admin_TAC line
aaa authentication enable default group admin_TAC enable
aaa authentication ppp default if-needed group user_radius local
!
interface Dialer1
 encapsulation ppp
 ppp authentication pap
!
interface Group-Async0
 encapsulation ppp
 ppp authentication pap
!
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
tacacs-server host 172.16.24.20 key [snip]
tacacs-server timeout 15
tacacs-server directed-request
!
radius-server host 172.16.157.10 auth-port 1645 acct-port 1646 key [snip]
!
line con 0
 login authentication admin
line vty 0 4
 login authentication admin
!

Probably the thing least expected was catching some ppp users with aaa authentication login default and catching other ppp users with aaa authentication ppp.

HTH

Rick

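The point of Rick's config above is that the default login and ppp method lists resolve to the RADIUS group while the named "admin" list on the console and vty lines resolves to the TACACS+ group, which is exactly the split the original poster could not get with a single default list. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses an IOS-style AAA config and reports, for each access path (console/vty lines and PPP interfaces), which server type is consulted first, so a config review can confirm the split before anyone dials in. It also covers Amrit's case of a PPP interface with no "ppp authentication" at all, which it reports as "none". The two embedded configs are constructed samples using the thread's placeholder addresses; the parser is deliberately simplified and assumes "aaa new-model" is on, so a line without "login authentication" is taken to use the default login list.

```python
import re

# Constructed samples (not a real device config). SPLIT is the layout from the
# accepted answer; SINGLE is the one-default-list situation the poster hit.
SPLIT_CONFIG = """\
aaa group server tacacs+ admin_TAC
 server 172.16.24.20
aaa group server radius user_radius
 server 172.16.157.10 auth-port 1645 acct-port 1646
aaa authentication login default group user_radius local
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_radius local
interface Group-Async0
 encapsulation ppp
 ppp authentication pap
line vty 0 4
 login authentication admin
"""
SINGLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
interface Group-Async0
 encapsulation ppp
 ppp authentication pap
line vty 0 4
"""
# Keywords that may follow 'ppp authentication' without being a list name.
PPP_KEYWORDS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap", "callin",
                "callout", "callback", "one-time", "optional"}

def parse_methods(spec):
    """'if-needed group X local' -> ['group:X', 'local'] (modifier dropped)."""
    tokens = spec.replace("group ", "group:").split()
    return [t for t in tokens if t != "if-needed"]

def parse_config(text):
    """Return (server groups, method lists, access paths) from IOS-style text."""
    groups, lists, paths, section = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                        # top-level command
            section = None
            if m := re.match(r"aaa group server (tacacs\+|radius) (\S+)$", line):
                groups[m[2]] = m[1]
            elif m := re.match(r"aaa authentication (login|ppp) (\S+) (.+)$", line):
                lists[(m[1], m[2])] = parse_methods(m[3])
            elif re.match(r"(line|interface) ", line):
                section = line
                if line.startswith("line"):
                    # assumption: aaa new-model is on, so a line without
                    # 'login authentication' uses the default login list
                    paths[section] = ("login", "default")
        elif section and line == "encapsulation ppp":
            paths.setdefault(section, ("ppp", None))    # PPP, no auth configured
        elif section and (m := re.match(r"login authentication (\S+)$", line)):
            paths[section] = ("login", m[1])
        elif section and (m := re.match(r"ppp authentication (.+)$", line)):
            named = [t for t in m[1].split() if t not in PPP_KEYWORDS]
            paths[section] = ("ppp", named[0] if named else "default")
    return groups, lists, paths

def server_type(method, groups):
    """'group:NAME' -> 'radius' / 'tacacs+'; local methods pass through."""
    if not method.startswith("group:"):
        return method
    name = method[len("group:"):]
    if name in ("radius", "tacacs+"):                   # built-in groups
        return name
    return groups.get(name, "undefined-group:" + name)

def resolve(text):
    """Map each access path to what authenticates it, in order,
    e.g. {'line vty 0 4': ['tacacs+', 'line']}."""
    groups, lists, paths = parse_config(text)
    result = {}
    for path, (kind, name) in paths.items():
        if name is None:
            result[path] = ["none"]
        elif (kind, name) not in lists:
            result[path] = ["undefined-list:" + name]
        else:
            result[path] = [server_type(m, groups) for m in lists[(kind, name)]]
    return result

def first_server(chain):
    """First remote AAA server type consulted, or None if only local methods."""
    return next((m for m in chain if m in ("radius", "tacacs+")), None)

def audit(text, dialin="radius", admin="tacacs+"):
    """Findings for paths whose first server is not the intended one."""
    findings = []
    for path, chain in resolve(text).items():
        want = dialin if path.startswith("interface") else admin
        got = first_server(chain)
        if got != want:
            findings.append(f"{path}: expected {want}, got {got or 'no server'} "
                            f"[{' '.join(chain)}]")
    return findings
```

Running audit(SPLIT_CONFIG) returns no findings, while audit(SINGLE_CONFIG) reports that the async interface is authenticated by TACACS+ instead of RADIUS, which is the symptom the poster described. The fallback methods are kept in the returned chain on purpose: a "local" or "line" fallback is what lets an admin in when the server is unreachable, but a "none" entry on a dial-in path is the kind of thing this check is meant to surface.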

This seemed to do the trick. We can now dial up and authenticate with radius and telnet to the server with tacacs.

Harry

I am glad that my suggestions were able to help you get your problem resolved. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that there was a response which resolved the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
