05-20-2008 11:39 AM
I just installed an AS5400 and want to configure it so remote users can dial in. For authentication, we need to use a RADIUS server for the dial-in users and TACACS to administer the device. However, when I configured the device, it would only accept the TACACS for authentication no matter how I got into it. Is there some way to configure it so that anyone who dials in on an ASYNC line is authenticated with RADIUS and to use TACACS to administer the device?
05-26-2008 04:18 PM
You can use the "aaa dnis map" feature and map the number that requires authentication to a RADIUS server.
aaa dnis map enable
aaa group server radius require_auth
 server x.x.x.x
aaa authentication ppp authen group require_auth
aaa dnis map 1234 authentication ppp group require_auth
radius-server host x.x.x.x key cisco
interface group-async 0
 ppp authentication pap chap authen
interface group-async 1
Don't specify any ppp authentication
This will authenticate all the users dialing 1234 using RADIUS; the rest of them will land on an interface that has no PPP authentication.
For this to work you have to identify which D channel is associated with the DNIS for which authentication is required and which one is for the calls that need no authentication.
05-26-2008 06:38 PM
Harry
My understanding of your requirements is apparently different from Amrit's. It is my understanding that you want any user who dials into the router to authenticate via RADIUS and that you want any user who connects via telnet or SSH to authenticate with TACACS.
I configured a router to do pretty much what you are describing. I configured aaa authenticate login default and aaa authenticate ppp to authenticate via Radius with the Radius server(s) that were configured. Then I configured an authentication method called admin. I configured the console and the vty lines with:
login authentication admin
and I configured:
aaa authentication login admin group tacacs+
to authenticate with the configured TACACS server(s). It works well for me and if you try it I believe that it will work well for you (assuming that I have a correct understanding of your requirements).
HTH
Rick
05-29-2008 05:43 AM
That is correct. All dial-in users should authenticate to the RADIUS and all admins to the TACACS server. We opened a case and someone found out that there is an issue with PPP not being recognized properly, and thus the reason that no one is authenticating properly. So it looks like I don't really have an authentication issue, just a dial-in issue.
05-29-2008 07:45 AM
Harry
Do they think that it is a version issue or something else? I have it working (and working well) authenticating dial in users via Radius and administrative users via TACACS. So it can be done.
HTH
Rick
05-29-2008 08:04 AM
What version of code are you running? We are running c5400-jk9s-mz.124-19.bin. Can you post your config by any chance?
05-29-2008 08:51 AM
Harry
We are currently running c5350-ik9s-mz.124-10b.bin. It has run on a couple of releases earlier than this.
Here are the pertinent parts of my config (a few things disguised to protect my customer). I hope it is helpful. If you want to ask questions I will be glad to talk about my experience with it. If it does not show you what you need then perhaps you could post your config.
!
aaa group server tacacs+ admin_TAC
 server 172.16.24.20
!
aaa group server radius user_radius
 server 172.16.157.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group user_radius local
aaa authentication login admin group admin_TAC line
aaa authentication enable default group admin_TAC enable
aaa authentication ppp default if-needed group user_radius local
!
interface Dialer1
 encapsulation ppp
 ppp authentication pap
!
interface Group-Async0
 encapsulation ppp
 ppp authentication pap
!
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
tacacs-server host 172.16.24.20 key [snip]
tacacs-server timeout 15
tacacs-server directed-request
!
radius-server host 172.16.157.10 auth-port 1645 acct-port 1646 key [snip]
!
line con 0
 login authentication admin
line vty 0 4
 login authentication admin
!
Probably the thing least expected was catching some ppp users with aaa authentication login default and catching other ppp users with aaa authentication ppp.
HTH
Rick
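As an added example (not from anyone in this thread), a small Python audit that reads an IOS-style config like Rick's and resolves which AAA protocol each access path actually ends up using, including the login default list that catches async callers who reach an EXEC prompt before PPP starts. The embedded sample config is constructed from the accepted answer; the option keyword set is an assumption covering the common `ppp authentication` forms.

```python
import re

# Constructed sample, trimmed from the accepted answer's config (dial-in via RADIUS, admin via TACACS+).
SAMPLE_CONFIG = """
aaa group server tacacs+ admin_TAC
 server 172.16.24.20
aaa group server radius user_radius
 server 172.16.157.10 auth-port 1645 acct-port 1646
aaa authentication login default group user_radius local
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_radius local
interface Group-Async0
 ppp authentication pap
line vty 0 4
 login authentication admin
"""
# Keywords that may follow 'ppp authentication'; any other token is taken as a method-list name.
PPP_OPTS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}

def audit_access_paths(config):
    """Map each line/interface (plus the implicit 'login default' list) to the protocols that authenticate it."""
    groups, lists = {}, {}          # server group -> protocol; (login|ppp, list name) -> method tokens
    for line in config.splitlines():
        if m := re.match(r"aaa group server (tacacs\+|radius) (\S+)", line):
            groups[m[2]] = m[1]
        elif m := re.match(r"aaa authentication (login|ppp) (\S+) (.+)", line):
            lists[(m[1], m[2])] = m[3].split()
    def protos(kind, name):          # 'group tacacs+' / 'group radius' are the built-in groups
        meth = lists.get((kind, name), [])
        return {groups.get(meth[i + 1], meth[i + 1]) for i, t in enumerate(meth[:-1]) if t == "group"}
    paths, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"(interface|line) (.+)", line):
            cur = m[2].strip()       # until an explicit list appears, the 'default' list applies
            paths[cur] = protos("ppp" if m[1] == "interface" else "login", "default")
        elif cur and (m := re.match(r"\s+login authentication (\S+)", line)):
            paths[cur] = protos("login", m[1])
        elif cur and (m := re.match(r"\s+ppp authentication (.+)", line)):
            names = [t for t in m[1].split() if t not in PPP_OPTS]
            paths[cur] = protos("ppp", names[0] if names else "default")
    # Async callers that reach an EXEC prompt before starting PPP hit the login default list (Rick's point).
    paths["login default"] = protos("login", "default")
    return paths

def split_is_clean(config):
    """True when every admin path is TACACS+-only and every dial-in path is RADIUS-only."""
    p = audit_access_paths(config)
    admin = [v for k, v in p.items() if k.startswith(("con", "vty"))]
    dialin = [v for k, v in p.items() if k.startswith(("Group-Async", "Dialer", "login default"))]
    return all(v == {"tacacs+"} for v in admin) and all(v == {"radius"} for v in dialin)
```

Pointing the login default list at the TACACS+ group, as the original symptom suggests, makes `split_is_clean` return False because dial-in callers are then caught by TACACS+ as well.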
06-02-2008 10:55 AM
This seemed to do the trick. We can now dial up and authenticate with radius and telnet to the server with tacacs.
06-02-2008 11:12 AM
Harry
I am glad that my suggestions were able to help you get your problem resolved. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that there was a response which resolved the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick