Cisco Support Community
ACS integration with ACE

Hi,

My customer wants to implement a redundant ACS system for authentication, which uses a redundant RSA ACE server for strong authentication of remote ISDN and PSTN dial users. I do have a number of questions with this scenario.

# I have been trying to emulate the remote access scenario using a Cisco 2600 router (12.0.10) with an ISDN Basic Rate Interface and the ACE 5 server. I have attached a config and it seems to work for local access onto the Aux port or dial in using the Windows dial-up client without a post-dial terminal window (i.e. I enter the PIN and tokencode in the password box of the dial client). However, when I implement the post-dial terminal window (so that I can use next token mode and new PIN mode) the client connects to the router but I do not get any meaningful text in the post-dial window (I would expect a username/passcode prompt); I just get ASCII garbage. Do you know if this works with next token code and new PIN mode (a la post-dial terminal window) terminating on an ISDN BRI interface and, if so, why is it not working? I have tried this on Win 2K and 95.

# How can I support redundant multilink ISDN in this scenario? Do I need to implement token caching and, if so, is this supported in ACS 2.6 for Windows?

# Can I support redundant ACE servers if I am integrating the authentication with Cisco Secure Access Control Server (i.e. the authentication goes first to ACS, which passes it on to the ACE server), and how is this handled within ACS?

My router config is given below; the IOS is 12.0.10 and the platform is a 2600.

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NAS
!
aaa new-model
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
ip subnet-zero
isdn switch-type basic-net3
!
!
!
interface Ethernet0/0
 ip address 10.x.x.x 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface TokenRing0/0
 no ip address
 no ip directed-broadcast
 shutdown
 ring-speed 16
!
interface BRI0/0
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer idle-timeout 300
 dialer-group 1
 isdn switch-type basic-net3
 peer default ip address pool MyDialPool
 ppp authentication pap radius-ppp
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip local pool MyDialPool 10.1.22.250 10.1.22.250
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.22.49 auth-port 1645 acct-port 1646
radius-server key xxxxxxxxx
!
line con 0
 login authentication no-tacacs
 transport input none
line aux 0
 login authentication radius-login
line vty 0 4
 password xxxxx
!
end

Thanks for your help,

Best regards,

Spencer Kennedy
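As an added example (not part of Spencer's post or any Cisco tool), a small Python audit that reads the posted IOS config the way an AAA reviewer would: it checks that more than one radius-server host is defined (the redundancy the customer wants), that password encryption is on, and that every login/ppp method list in use actually resolves to RADIUS. The embedded config is a constructed abridgement of the one above; the list of PPP protocol keywords and the finding messages are my own assumptions.

```python
import re
# Constructed sample: an abridged copy of the NAS config posted in the thread.
SAMPLE_CONFIG = """\
no service password-encryption
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
interface BRI0/0
 ppp authentication pap radius-ppp
radius-server host 10.1.22.49 auth-port 1645 acct-port 1646
line con 0
 login authentication no-tacacs
line vty 0 4
 password xxxxx
"""

def parse_sections(text):  # -> [(header, [indented sub-commands])], skipping '!' and blank lines
    sections = []
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    # Method lists actually defined, e.g. lists["login"]["radius-login"] == ["radius", "local"]
    lists = {"login": {}, "ppp": {}}
    for m in filter(None, (re.match(r"aaa authentication (login|ppp) (\S+) (.+)", h) for h in headers)):
        lists[m.group(1)][m.group(2)] = m.group(3).split()
    findings = []
    hosts = [h for h in headers if h.startswith("radius-server host ")]
    if len(hosts) < 2:
        findings.append(f"{len(hosts)} radius-server host defined; a redundant ACS pair needs two")
    if "no service password-encryption" in headers:
        findings.append("service password-encryption disabled; line passwords sit in clear text")
    for h, body in sections:
        if h.startswith("line vty") and not any(b.startswith("login authentication ") for b in body):
            findings.append(f"{h}: no login method list, so VTY logins never reach RADIUS/ACE")
        for b in body:
            m = re.match(r"(login|ppp) authentication (?:\S+ )*(\S+)$", b)
            if m:  # a bare protocol keyword (e.g. 'ppp authentication pap') means the default list
                name = "default" if m.group(2) in {"pap", "chap", "ms-chap"} else m.group(2)
                methods = lists[m.group(1)].get(name, [])
                if "radius" not in methods:
                    findings.append(f"{h}: '{b}' resolves to {methods}, bypassing RADIUS/ACE")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the single RADIUS host, the disabled password encryption, the `none` list on the console and the VTY lines without a method list, while the BRI0/0 PPP path passes because `radius-ppp` does reach RADIUS.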

1 REPLY

Re: ACS integration with ACE

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
