Remote Access, AAA and One Time Passwords

p.fligman
Level 1

Hi,

I'm trying to get a remote access solution working with RSA Security OTP (tokens). One option I've tried is specifying 'ppp authen chap pap dialin one-time' on dialer / group async interfaces (where dialin is the method list name and the methods specified are radius local). The one-time option allows the standard Windows dialup networking username/pwd fields to be used with OTP (username*PIN password=tokencode) and the router will pass these on to the RADIUS / TACACS server, who in turn passes them to the token server.

The problem I found is that the RADIUS debug shows the error 'only RADIUS and TACACS are valid OTP'. I think this is due to the fact that there is now 'group' specified by default in AAA method lists and it is a bug. I'm running 12.1.5T9 IP only; any comments/circumventions/known working releases greatly appreciated.

2 Replies

ciscomoderator
Community Manager

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

I have resolved my issue. The 'decrypt fail' debug message was due to the RADIUS server / ACE Server not supporting CHAP authentication. When I changed my config on all lines to 'ppp authen pap chap dialin' I was able to authenticate to my ACE/RADIUS Server. Note I think this is a specific limitation of the RSA ACE/Server.

I believe the OTP debug issue above is a bug but am unable to raise a TAC Case at this time.
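For reference, the configuration the thread describes, assembled as an added illustration rather than the poster's own config: the failing CHAP-first line next to the PAP-first line that worked. The RADIUS server address, shared secret and interface name are assumed placeholders.

```cisco
! Added example based on this thread; not the original poster's configuration.
! Server address, shared secret and interface name are placeholders.
aaa new-model
! Method list "dialin": RADIUS server group first, local users as fallback.
! On 12.1 the list is entered with the "group" keyword, which the poster
! suspects is what trips the "only RADIUS and TACACS are valid OTP" debug.
aaa authentication ppp dialin group radius local
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-SECRET
!
! --- Before: CHAP offered first, as in the original post.
! CHAP needs the authentication server to compute a hash over the user's
! stored secret; a tokencode changes every login, so an OTP back end that
! cannot do this fails the exchange (seen here as 'decrypt fail').
interface Group-Async1
 encapsulation ppp
 ppp authentication chap pap dialin one-time
!
! --- After: PAP offered first, as in the poster's resolution.
! PAP hands the user name (username*PIN) and password (tokencode) to the
! router in the clear, and the router forwards them unchanged to RADIUS,
! which the ACE/RADIUS server accepted. The tokencode is single-use, which
! limits what an eavesdropper on the dial-up link can reuse.
interface Group-Async1
 encapsulation ppp
 ppp authentication pap chap dialin
```

The poster's working line drops the one-time keyword; the 'only RADIUS and TACACS are valid OTP' message they saw with it is left as an open question in the thread.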