Hi, I am looking for urgent help to solve my customer's ACS - RAS implementation problem. The project was implemented at two different sites per the following. Site 1 and Site 2 act as Primary and Secondary for the RAS. (The sites have different firewalls.)
1) Site 1, RAS 3845 (New), ACS 3.3 (New), RSA Token (New), AD Integration, works fine - configured and works fine.
2) Site 2, RAS 5300 (Old) - Running IOS 12.0(7)T, ACS 3.3 (New), RSA Token (New), AD integration, Checkpoint Firewall. - Able to Authenticate but not able to authorize. Having packet drop.
I have looked at the configuration that you posted. I am surprised that you say that you can authenticate but not authorize. How have you confirmed this? Have you run debug aaa authentication and debug aaa authorization? If you have run these debugs it would be helpful to see the output. If you have not run these debugs I would suggest that you run them and post the output.
I remember that early releases did not support the concept of radius group in aaa configuration and current releases do. I do not remember at what point the group concept was added but I am not sure that it was as early as 12.0. I believe your 3845 is running recent code which does support the group concept and suspect that your 5300 IOS does not support it. (This is what surprises me that you say you can authenticate but not authorize).
I suggest that you change the configuration of the aaa on the 5300 and remove the group concept from the configuration of aaa.
If that does not fix the problem then the debugs that I suggested would be quite helpful.