Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 3.3 Integration To RAS5300

Hi, I am looking for urgent help to solve my customer's ACS - RAS implementation problem. The project was implemented at two diff sites per the following. Site 1 and Site 2 act as Primary and Secondary for the RAS. ( The sites have different firewall )

1) Site 1, RAS 3845 (New), ACS 3.3 (New ), RSA Token (New), AD Integration, works fine - configured and works fine.

2) Site 2, RAS 5300 (Old)-Running IOS 12.0(7)T, ACS 3.3 (New), RSA Token (New ), AD integration, Checkpoint Firewall. - Able to Authenticate but not able to authorize. Having packet drop.

The configuration for site 2 as attached:

Any help is really appreciated.



Hall of Fame Super Silver

Re: ACS 3.3 Integration To RAS5300


I have looked at the configuration that you posted. I am surprised that you say that you can authenticate but not authorize. How have your confirmed this? Have you run debug aaa authentication and debug aaa authorization? If you have run these debugs it would be helpful to see the output. If you have not run these debugs I would suggest that you run them and post the output.

I remember that early releases did not support the concept of radius group in aaa configuration and current releases do. I do not remember at what point the group concept was added but was not sure that it was as early as 12.0. I believe your 3845 is running recent code which does support the group concept and suspect that your 5300 IOS does not support it. (This is what surprises me that you say you can authenticate but not authorize).

I suggest that you change the configuration of the aaa on the 5300 and remove the group concept from the configuration of aaa.

If that does not fix the problem then the debugs that I suggested would be quite helpful.