Solved: AAA or local authentication according to the name of the users.

delahais · ‎03-20-2003

I have a 3640 router with one BRI 4-B/T card, one digital modems card and one FE interface. All my user are ANALOGICAL users.

1 - For some users (about 5) i have created a dialer in order to allocate their own @ip pool (with only one @ip) with username login/passwd local on router : it works .

2 - For some users (about 5) i have created on ACS server their profile in order to have an AAA authentication. It is the ACS which gives the @ip. I create a dialer profite for each of these users, too : it works, too.

I configured 1- then 2- separately and they work.

3 - Now, i wish to do both in the time , i mean some users have a local authentication and get their @ip from their (own) @ip pool (on 3640 router) and some users have an AAA authentication on ACS.... and it doesn't work.

I do not know how to configure the "ppp authentication chap" in each dialer profile and in the Group_Async1. I thought to create 2 AAA authentication as below :

aaa authentication ppp default group tacacs+

aaa authentication ppp AUTH_local local

default method for ACS server via tacacs+ and AUTH_local method for local authentication. I did so many tests and i did no many config, but never i tried to work both in same time. Someone have already do this config, maybe ??? Please, help me !!!

Thanks a lot in advance.

Nico.

Below, my config :

for example :

- user NDE has local authentication. it uses dialer 10. It has their own pool of 1 @ on the 3640

- user DWA has an AAA authentication. it is use dialer 20. Their @ip is provide by ACS.

Both of the users are analogical user and in this way, they use the interface Group-Async1

username NDE password 0 cisco

interface Group-Async1

description Connexion pour les 18 modems analogiques.

ip unnumbered FastEthernet0/0

encapsulation ppp

dialer in-band

dialer pool-member 1

async mode dedicated

group-range 65 76

interface Dialer10

description DIALER POUR USER NDE

ip unnumbered FastEthernet0/0

encapsulation ppp

dialer pool 1

dialer remote-name NDE

dialer-group 1

peer default ip address pool NDE

ppp authentication chap AUTH_local

interface Dialer20

description DIALER POUR USER DWA

ip unnumbered FastEthernet0/0

encapsulation ppp

dialer pool 1

dialer remote-name DWA

dialer-group 1

no peer default ip address

ppp authentication chap

ip local pool NDE 172.18.1.201

makchitale · ‎03-20-2003

The user who is supposed to authenticate/ authorize locally is failing, we need to have the following commands for AAA:

aaa authentication ppp default local group tacacs+

aaa authorization network default local group tacacs+

Thanks, Mak.

View solution in original post

tepatel · ‎03-20-2003

First of all you ned to configure "ppp authentication chap" under "interface group-async 1" so that the call will be binded to dialer interface depending on the username received during ppp authentication phase.

Once you have that, config looks fine and it should work as expected.

Now if it still dosen't wotk, need to see the following debug

debug dialer

debug ppp nego

debug modem csm

debug ppp authentication

makchitale · ‎03-20-2003

Try "aaa authentication ppp default local group tacacs+" For local users we will get authenicated locally, for AAA users if the username/passowrd is not seen locally it will go to tacacs.

Thanks, Mak.

delahais · ‎03-20-2003

ok, thanks a lot for your response. I agree with you :

as say Mak, i did put "aaa authentication ppp default local group tacacs+"

and as say Tepatel, I did put "ppp authentication chap" under "interface group-async 1" and under all dialer profiles (i deleted "aaa authentication ppp AUTH_local local" )

yestarday, i did already tried this config.

I added your debug.

I recorded the debug with one user (DWA) with AAA authentication (this user works with pb) and with one user (NDE) with local authentication (this user doesn't work ). then I compared the 2 debugs. the 1st different and erros is :

1d06h: As74 DDR: Remote name for NDE

1d06h: %DIALER-6-BIND: Interface As74 bound to profile Di10

1d06h: As74 PPP: Sent LCP AUTHOR Request to AAA

1d06h: As74 PPP: Sent IPCP AUTHOR Request to AAA

1d06h: As74 LCP: Received AAA AUTHOR Response = FAIL

1d06h: As73 DDR: Remote name for DWA

1d06h: %DIALER-6-BIND: Interface As73 bound to profile Di20

1d06h: As73 PPP: Sent LCP AUTHOR Request to AAA

1d06h: As73 PPP: Sent IPCP AUTHOR Request to AAA

1d06h: As73 LCP: Received AAA AUTHOR Response = PASS

1d06h: As73 IPCP: Received AAA AUTHOR Response = PASS

It seems to me that for NDE user, the error "AAA AUTHOR Response = FAIL" comes because the authentication is not local but is done on the ACS. If i look on my ACS "reports and activity" / "Failed Attempts" i seen a record of the NDE's connection :

03/20/2003 17:30:12 Author failed nde Group 3 admin 0320191841/1840 .. Service denied service=ppp protocol=ip Async75*BRI1/0:2 172.18.1.32

On my mind, if the authentication is local, the ACS should not see anything ?

Do you have an idea of problem ? It seems to me that something is wrong in my configuration for local authentication.

Thanks a lot in advance.

Nicos.

NOTE : I have a router 3640A. Since yesterday, i run under 12.2(8).T5. Today, i did, also, these tests with this ios then 12.2(13a)

makchitale · ‎03-20-2003

The user who is supposed to authenticate/ authorize locally is failing, we need to have the following commands for AAA:

aaa authentication ppp default local group tacacs+

aaa authorization network default local group tacacs+

Thanks, Mak.

delahais · ‎03-21-2003

YES, it is perfect. I just put this line "aaa authorization network default local group tacacs+" and it works immediately. Thank a lot !!!

Thanks to everybody for you help !

:- )

Nicos.