06-05-2008 10:27 AM - edited 03-05-2019 11:27 PM
Hi everybody,
Recently we replaced an old Cisco router model 2522 with a model 3845 to apply an IPsec configuration. It was as follows:
crypto isakmp policy X
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.y.z.w
After applying the previous configuration, we discovered that login to the router through ACS gives failed authentication.
My question is: how does the IPsec configuration affect logging in through the ACS server?
I appreciate your prompt response to solve this problem.
omy
06-05-2008 10:46 AM
Do you see any reason in the failed authentication attempts in the ACS?
Can you post the AAA config as well as the interesting traffic that is used for the encryption?
Narayan
06-05-2008 11:48 AM
omy
I wonder if the authentication request is perhaps matching the access list used to identify traffic for IPSec encryption and that is causing it to fail at ACS.
If that is the case I suspect that there will not be anything useful in the logs of ACS (since ACS would not have known that it was an authentication request) but Narayan's suggestion to check the logs is a good place to start. His request for configuration details would also be helpful.
HTH
Rick
06-07-2008 11:20 PM
Hi Narayan,
Actually we have peer-to-peer routers, one of them a model 2811 and the other a 3845.
The AAA configuration on the 3845 router is:
aaa authentication login default group acs local
aaa authentication ppp default group tacacs+
aaa authorization exec default group acs local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host x.y.z.w
tacacs-server host s.d.f.g
tacacs-server key -----------
Waiting for your reply.
omy
06-08-2008 03:25 AM
1- Does AAA traffic go through the IPSec tunnel?
2- If it does, you may have to source AAA traffic from one of the interfaces that will also be part of the IPSec interesting traffic.
3- If #2 is correct, you also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845.
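An added configuration sketch for the three points in the reply above; it is not from any poster in this thread and assumes the ACS is reached through the tunnel. All addresses are constructed, and the names Loopback0 and CRYPTO-ACL are hypothetical.

```cisco
! Constructed addresses (documentation and private ranges), not from the thread:
!   Loopback0 on the 3845 = 192.0.2.1, ACS server = 198.51.100.10
! Interface and ACL names are hypothetical.
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Point 2: pin the source address of router-originated TACACS+ packets so
! it no longer depends on whichever interface the route to the ACS uses.
ip tacacs source-interface Loopback0
!
! Points 1 and 2: the crypto ACL is the "interesting traffic". The first
! entry covers the router's own TACACS+ session to the ACS (TCP port 49),
! so the request is sent inside the tunnel with the pinned source address.
ip access-list extended CRYPTO-ACL
 permit tcp host 192.0.2.1 host 198.51.100.10 eq tacacs
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The peer router needs the mirror-image entries in its own crypto ACL:
!  permit tcp host 198.51.100.10 eq tacacs host 192.0.2.1
!  permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

For point 3, the AAA client entry for the 3845 on the ACS then has to list 192.0.2.1 with the same TACACS+ key. On the router, `show crypto ipsec sa` shows whether packets matching that ACL entry are being encapsulated.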
06-08-2008 02:49 PM
Hi everybody,
Could you please give me more details about
ACS interesting traffic configuration?
About your recommendation: "you also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845"
Do you mean adding a new entry to the ACS server using the IP address of the IPsec tunnel?