Cisco Support Community

ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Troubleshooting Cisco Access Servers and Digital Modems with Cisco expert Tejal Patel. Tejal is a customer support engineer at the Technical Assistance Center (TAC). His areas of expertise are Telco Signaling, Configuration and Troubleshooting of Access Servers and AAA. Remember to use the rating system to let Tejal know if you have received an adequate response.

Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 12. Visit this forum often to view responses to your questions and the questions of other community members.

22 REPLIES
Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Hi Tejal

This is Raj. Good talking to you on the phone. Our company provides security camera installation service. Most of my customers are now requesting internet access to their webcam as a service. So I install the IP camera and have them access the internet through their internet service providers. However some do not have a dedicated DSL line with static IP address. I am looking into the possibility of selling them the DSL line with internal static IP address using MC3810, Sonicwall, and 3Com AccessBuilder 4000.

Is this the best way to offer this solution? I appreciate your input on that. The MC3810V has one MFT-T1 and one DVM T1 port on it. It is MC3810-AC-SYS.

I believe that since it has MFT T1 it works with ATM.

Regards

Rajendra Jagad

CGN

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

You can sell the DSL service to customers and have them get a public IP address. Once they are on the internet, you can have them do a VPN tunnel to the VPN concentrator. Once they have the VPN tunnel, they can view the webcam by accessing its private IP address. That way you can also authorize the users to view, over the internet, only the webcam assigned to them.

So to access the webcam, customers need to do vpn. For regular web surfing over dsl, they don't need vpn.

For DSL terminations, you do need a DSL modem (cisco 825, SOHO 77 etc.) with DSLAM (6260, 6015 etc.). MC3810 for core routing may not be enough based on the number of DSL terminations. Let me know for more. Thanks, Tejal

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

hi,

When I have configured 2 radius-servers on my IOS, if the first one doesn't respond it tries the second one. What happens if the first comes back? Does the IOS still send AAA requests to the second one (like the way in PIX) or does it always check the first one, then the second one?

thanks..

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

IOS will always try the RADIUS servers in top-down order. If "radius-server deadtime x" is configured, the RADIUS servers which are not responding will be skipped for x minutes.

If "radius-server deadtime x" is not there in the config, IOS will always try the 1st and 2nd RADIUS server and so on for each RADIUS request. So if the primary (1st server) comes back on, it will be tried always.

You can visit the following URL for that command.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_p1g.htm#1077839
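The selection order described in the answer above, as an added simulation (constructed model, not Cisco code): servers are tried top-down, a non-responding server is marked dead, and with a deadtime configured it is skipped for that many minutes, while with no deadtime every request starts from the top again. Timeouts and retransmits are abstracted into one is_up() check per server, and the server addresses are made up.

```python
"""Model of IOS RADIUS server selection with and without radius-server deadtime.

Constructed simulation: servers are tried top-down; a server that does not
answer is marked dead and, when deadtime_min > 0, skipped for that long.
With deadtime 0 (command not configured) every request walks the list again."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusSelector:
    servers: List[str]                 # order of the "radius-server host" lines
    deadtime_min: int = 0              # "radius-server deadtime x"; 0 = not configured
    dead_until: Dict[str, float] = field(default_factory=dict)  # server -> minute retried

    def is_dead(self, server: str, now_min: float) -> bool:
        return self.deadtime_min > 0 and now_min < self.dead_until.get(server, -1.0)

    def authenticate(self, now_min: float,
                     is_up: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
        """Return (server that answered or None, servers actually contacted)."""
        tried: List[str] = []
        for server in self.servers:
            if self.is_dead(server, now_min):
                continue               # still inside the deadtime window: skipped
            tried.append(server)
            if is_up(server):
                return server, tried
            if self.deadtime_min:
                self.dead_until[server] = now_min + self.deadtime_min
        return None, tried             # every eligible server timed out


def run_scenario(deadtime_min: int, minutes: int = 5) -> List[Tuple[int, List[str], Optional[str]]]:
    """Constructed timeline: primary 10.0.0.1 is down at minutes 0-1 and back from
    minute 2; one request per minute. Returns (minute, contacted, answered)."""
    selector = RadiusSelector(["10.0.0.1", "10.0.0.2"], deadtime_min)
    primary_back_at = 2
    timeline = []
    for t in range(minutes):
        def is_up(server: str, t: int = t) -> bool:
            return server != "10.0.0.1" or t >= primary_back_at
        answered, tried = selector.authenticate(t, is_up)
        timeline.append((t, tried, answered))
    return timeline
```

With deadtime 3 the primary is not retried at minute 2 even though it is back, which is the trade-off between fewer timeouts and slower fail-back that the command introduces.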

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

It always checks the first one.

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Hi Tejal,

I have the following problem. We use a CISCO 3640 router as a NAS device for the remote access to our network. As AAA device we use CSACS for Windows, Vers 2.4. For strong authentication we use 2 types of token cards with the following servers (CryptoAdmin 5.0 and RSA Ace-Server v5.1 for Windows).

CISCO 3640 is with MICA modems. IOS version c3640-ik9s-mz.122-17a, encryption not used so far. There is also the mica-modem software in the flash. We want to use encryption with VPN client 3.x, so we have upgraded to IOS C3640-ik9s-mz.122-15.T9. Nothing has been changed in the configuration of NAS or CSACS.

But after the upgrade the users with CryptoCards are rejected with LOGIN Failed message in the CISCO log. The RSA Ace cards are working fine, as well as access without token cards. So we had again to downgrade to the original IOS version. What can be the reason? I asked already in the forum, but unfortunately no reaction till now. Could you help me?

Thanks

Zdenek

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Actually we need to troubleshoot this issue with the debugs on the 3640 during authentication using CryptoCards. There could be a problem in the IOS itself.

I do need to see the debug output for the following during authentication using CryptoCards.

debug aaa authentication

debug radius

debug aaa authorization

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Hi Tejal,

I thank you for your answer. I would like to add some information to the problem.

1. We use tacacs+ with CSACS

2. Here is an extract from the NAS log after the upgrade (deb aaa authent, deb ppp authent)

.ISDN-6-CONNECT :Interface Serial0/0:0 is now connected to XXXXXXXXX

AAA/AUTHENT/LOGIN :Pick method list "default"

As59 PPP:Using modem call direction

As59 PPP:Treating connection as a callin

As59 PPP:Authorization required

%LINK-3-UPDOWN:Interface Async59,changed state to up

As59 CHAP:O CHALLENGE id 1 len 31 from "router_ras"

As59 CHAP:I RESPONSE id 1 len 27 from "kelarj"

AAA/AUTHEN/PPP :Pick method list "default"

As59 PPP :Sent CHAP LOGIN Request

As59 PPP:Received LOGIN Response FAIL

As59 CHAP:O FAILURE id 1 len 25 msg is "Authentication failed"

%ISDN-6-DISCONNECT :Interface Serial0/0:0 disconnected from XXXXXXXXX,call lasted 35 seconds

As59 PPP:Authorization required

AAA/BIND :Bind i/f Async59

%LINK-5-CHANGED:Interface Async59,changed state to reset

%LINK-3-UPDOWN:Interface Async59,changed state to down

3. This is the AAA configuration in the NAS

aaa new-model

aaa authentication login default group tacacs+

aaa authentication login no_tacacs enable

aaa authentication login roth local

aaa authentication ppp default if-needed group tacacs+

aaa authorization exec default group tacacs+

aaa authorization exec roth local

aaa authorization commands 15 default group tacacs+

aaa authorization commands 15 roth local

aaa authorization network default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

enable secret 5 $1$QyYF$9U0QR4iKX9xgLyM8jFnI4.

Perhaps it helps a little.

Thank you

Zdenek

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Config looks fine. I believe TACACS is doing a proxy for the crypto card server. Try to see the logs from TACACS and from the server authenticating the crypto cards. Authentication Reject came in from TACACS (from the crypto server).

Now if downgrading the IOS fixes the issue, that sounds like a problem to me in that IOS 122-15.T9. I would recommend you to stick with 12.3 mainline versions rather than .T versions. So upgrade the router and stick with the 12.3 mainline version.
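The triage Tejal describes, applied to Zdenek's debug extract, as an added example (constructed script, not Cisco tooling): it walks the "deb aaa authent" / "deb ppp authent" lines, records the CHAP peer and method list, checks whether a LOGIN request actually went to the AAA server and what came back, and reports where the rejection originated. The sample lines are re-typed from the extract above; IOS varies the spacing before ':' ("PPP :Sent" vs "PPP:Received"), so the patterns allow either.

```python
"""Locate where a CHAP/AAA rejection originated in IOS debug output (constructed example)."""
import re
from typing import Optional

SAMPLE_LOG = """\
AAA/AUTHENT/LOGIN :Pick method list "default"
As59 CHAP:O CHALLENGE id 1 len 31 from "router_ras"
As59 CHAP:I RESPONSE id 1 len 27 from "kelarj"
AAA/AUTHEN/PPP :Pick method list "default"
As59 PPP :Sent CHAP LOGIN Request
As59 PPP:Received LOGIN Response FAIL
As59 CHAP:O FAILURE id 1 len 25 msg is "Authentication failed"
"""

# ' ?:' tolerates the inconsistent space before the colon seen in the extract
CHAP_RESPONSE = re.compile(r'^(?P<if>\S+) CHAP ?:I RESPONSE id \d+ .* from "(?P<user>[^"]*)"')
METHOD_LIST = re.compile(r'^AAA/AUTHEN/PPP ?:Pick method list "(?P<ml>[^"]*)"')
SENT_TO_AAA = re.compile(r'^\S+ PPP ?:Sent CHAP LOGIN Request')
AAA_RESULT = re.compile(r'^\S+ PPP ?:Received LOGIN Response (?P<result>\S+)')
CHAP_FAILURE = re.compile(r'^\S+ CHAP ?:O FAILURE')


def verdict(sent: bool, result: Optional[str], chap_failure: bool) -> str:
    """Say where the rejection came from, in the order a triager checks."""
    if sent and result == "FAIL":
        return "rejected by AAA server: check TACACS+ and token-server logs"
    if sent:
        return f"AAA server answered {result or 'nothing (timeout?)'}"
    if chap_failure:
        return "failed before any AAA request: method list or local config"
    return "no CHAP failure in this extract"


def triage_chap_session(log_text: str) -> dict:
    """Summarise one CHAP/AAA exchange from 'deb aaa authent' / 'deb ppp authent' lines."""
    s = {"interface": None, "user": None, "method_list": None,
         "sent_to_aaa": False, "aaa_result": None, "chap_failure": False}
    for line in log_text.splitlines():
        if m := CHAP_RESPONSE.match(line):
            s["interface"], s["user"] = m["if"], m["user"]
        elif m := METHOD_LIST.match(line):
            s["method_list"] = m["ml"]
        elif SENT_TO_AAA.match(line):
            s["sent_to_aaa"] = True
        elif m := AAA_RESULT.match(line):
            s["aaa_result"] = m["result"]
        elif CHAP_FAILURE.match(line):
            s["chap_failure"] = True
    s["verdict"] = verdict(s["sent_to_aaa"], s["aaa_result"], s["chap_failure"])
    return s
```

On the sample it reports that the FAIL arrived from the AAA server after the request was sent, which is why the next place to look is the TACACS+ and token-server logs rather than the NAS config.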

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Hi Tejal,

I am very sorry for asking an off-topic question. We have 3640/3620 Cisco routers and I'd like to implement Diff-Serv aware MPLS TE. I am wondering whether it is possible. If yes, could you please let me know the IOS version.

Thanks,

Bala

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

I don't think that the 3640/20 will support Diff-Serv aware MPLS TE. That feature is supported on the 7200 and 10000 platforms as per the following link.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1612/products_feature_guide09186a008008086f.html

You can also run the Feature Navigator located at the following link

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

to see which features are supported on which platform and IOS information.

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Can you run a script or executable from a Cisco Secure ACS server? We have the need to get some registry and other information from our dialup users. They dial into the AS5300 and authenticate against the Cisco Secure V3.0 NT TACACS database. Is there a way to execute a kix script or something during the authentication per user/group to pull our remote users' information?

Thanks - Mike

Cisco Employee

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

I don't think that you can run any scripts or executables from the ACS server during authentication.

Community Member

Re: ASK THE EXPERT- TROUBLESHOOTING CISCO ACCESS SERVERS

Hi Tejal,

I have to use the per VRF AAA feature. The scenario is like this: I have a 7200 router (GGSN) with one interface to the internet. We have several customers. They are connected to our 7200 router with IPsec tunnels through the internet. The customers have RADIUS servers on their own sites. And in my 7200 router there is a VRF table for each customer. I configured per VRF AAA, but it doesn't work. As I see from debugs and logs: the AAA request goes to the customer's RADIUS (through the customer's IPsec tunnel), RADIUS authenticates it and sends the reply back, the 7200 gets the reply but it drops it. I think the problem is that I can't write ip vrf forwarding under the 7200's internet interface. Because I have only one interface to the internet and many customers. So I can't write that command. Do you have any suggestion?

thanks in advance.
