Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
274
Views
0
Helpful
3
Replies

Upgrading from AS5200 to AS5350 problem.

bodders_uk
Level 1
Level 1

‎07-10-2003 03:36 AM - edited ‎03-02-2019 08:46 AM

Hi.

I have the following problem.

Users currently login via as5200, here we apply access restrictions depending on the group they belong to. They are verified using tacacs+ server running acs ver 2.1 on nt4.

We have got the replacement as5350 working with the above but the access restrictions aren't applied to the users as with the as5200. Is this a software compatibility issue.

On the as5200 IOS 12.0(5)t

On the as5350 IOS 12.2(11)t8

Ciscosecure ACS ver 2.1 on NT4.

Is this an AV pairs issue?

Any help would be appreciated.

Thanks Bod

Labels:
0 Helpful
3 Replies 3

tepatel
Cisco Employee
Cisco Employee

‎07-10-2003 08:09 AM

We need to see the debug, specially authorization debug, when the user with access restriction is trying to connect. That way we can verify that the access restrictions are applied or not.

So pl. turn on following debug

debug aaa authorization

debug aaa authetication

debug aaa per

debug ppp nego

Post it here for one call only.

0 Helpful

bodders_uk
Level 1
Level 1
In response to tepatel

‎07-11-2003 06:17 AM

This is the aaa config parts

aaa group server tacacs+ vish

server 194.XXX.XXX.XXX

server 194.XXX.XXX.XXX

!

aaa authentication login vty group vish group tacacs+

aaa authentication login console local enable

aaa authentication login dial group vish group tacacs+

aaa authentication ppp default group vish group tacacs+

aaa authorization config-commands

aaa session-id common

Debug log

*Jan 3 04:48:22.770: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=3, ds0=50331648

*Jan 3 04:48:22.770: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=3, ds0=50331648

*Jan 3 04:48:22.770: Se3/0:0 PPP: Treating connection as a callin

*Jan 3 04:48:22.770: Se3/0:0 PPP: Phase is ESTABLISHING, Passive Open

*Jan 3 04:48:22.770: Se3/0:0 LCP: State is Listen

*Jan 3 04:48:22.970: Se3/0:0 LCP: I CONFREQ [Listen] id 1 len 17

*Jan 3 04:48:22.970: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)

*Jan 3 04:48:22.970: Se3/0:0 LCP: PFC (0x0702)

*Jan 3 04:48:22.970: Se3/0:0 LCP: ACFC (0x0802)

*Jan 3 04:48:22.970: Se3/0:0 LCP: Callback 6 (0x0D0306)

*Jan 3 04:48:22.970: AAA/AUTHOR (0000005C): Method list id=FFFFFFFF not configured. Skip author

*Jan 3 04:48:22.974: Se3/0:0 LCP: O CONFREQ [Listen] id 5 len 30

*Jan 3 04:48:22.974: Se3/0:0 LCP: AuthProto PAP (0x0304C023)

*Jan 3 04:48:22.974: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)

*Jan 3 04:48:22.974: Se3/0:0 LCP: MRRU 1524 (0x110405F4)

*Jan 3 04:48:22.974: Se3/0:0 LCP: EndpointDisc 1 AS5200-03 (0x130C0141533532

30302D3033)

*Jan 3 04:48:22.974: Se3/0:0 LCP: O CONFREJ [Listen] id 1 len 7

*Jan 3 04:48:22.974: Se3/0:0 LCP: Callback 6 (0x0D0306)

*Jan 3 04:48:23.002: Se3/0:0 LCP: I CONFREJ [REQsent] id 5 len 20

*Jan 3 04:48:23.002: Se3/0:0 LCP: MRRU 1524 (0x110405F4)

*Jan 3 04:48:23.002: Se3/0:0 LCP: EndpointDisc 1 AS5200-03 (0x130C0141533532

30302D3033)

*Jan 3 04:48:23.002: Se3/0:0 LCP: O CONFREQ [REQsent] id 6 len 14

*Jan 3 04:48:23.002: Se3/0:0 LCP: AuthProto PAP (0x0304C023)

*Jan 3 04:48:23.002: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)

*Jan 3 04:48:23.006: Se3/0:0 LCP: I CONFREQ [REQsent] id 2 len 14

*Jan 3 04:48:23.006: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)

*Jan 3 04:48:23.006: Se3/0:0 LCP: PFC (0x0702)

*Jan 3 04:48:23.006: Se3/0:0 LCP: ACFC (0x0802)

*Jan 3 04:48:23.006: Se3/0:0 LCP: O CONFACK [REQsent] id 2 len 14

*Jan 3 04:48:23.006: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)

*Jan 3 04:48:23.006: Se3/0:0 LCP: PFC (0x0702)

*Jan 3 04:48:23.006: Se3/0:0 LCP: ACFC (0x0802)

*Jan 3 04:48:23.026: Se3/0:0 LCP: I CONFACK [ACKsent] id 6 len 14

*Jan 3 04:48:23.026: Se3/0:0 LCP: AuthProto PAP (0x0304C023)

*Jan 3 04:48:23.026: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)

*Jan 3 04:48:23.026: Se3/0:0 LCP: State is Open

*Jan 3 04:48:23.026: Se3/0:0 PPP: Phase is AUTHENTICATING, by this end

*Jan 3 04:48:23.030: Se3/0:0 PAP: I AUTH-REQ id 1 len 22 from "testix"

*Jan 3 04:48:23.030: Se3/0:0 PAP: Authenticating peer testix

*Jan 3 04:48:23.030: Se3/0:0 PPP: Phase is FORWARDING, Attempting Forward

*Jan 3 04:48:23.030: Se3/0:0 PPP: Phase is AUTHENTICATING, Unauthenticated User

*Jan 3 04:48:23.030: AAA/AUTHEN/PPP (0000005C): Pick method list 'default'

*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is FORWARDING, Attempting Forward

*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is AUTHENTICATING, Authenticated User

*Jan 3 04:48:24.962: Se3/0:0 PAP: O AUTH-ACK id 1 len 5

*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is UP

*Jan 3 04:48:24.966: Se3/0:0 AAA/AUTHOR/FSM: We can start IPCP

*Jan 3 04:48:24.966: Se3/0:0 IPCP: O CONFREQ [Closed] id 5 len 10

*Jan 3 04:48:24.966: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)

*Jan 3 04:48:24.966: Se3/0:0 AAA/AUTHOR/FSM: We can start CDPCP

*Jan 3 04:48:24.966: Se3/0:0 CDPCP: O CONFREQ [Closed] id 3 len 4

*Jan 3 04:48:24.986: Se3/0:0 IPCP: I CONFREQ [REQsent] id 1 len 40

*Jan 3 04:48:24.986: Se3/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (

0x0206002D0F01)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: Pool returned 194.200.234.17

*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns

*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins

*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns

*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins

*Jan 3 04:48:24.986: Se3/0:0 IPCP: O CONFREJ [REQsent] id 1 len 34

*Jan 3 04:48:24.986: Se3/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (

0x0206002D0F01)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)

*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)

*Jan 3 04:48:24.990: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)

*Jan 3 04:48:24.990: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)

*Jan 3 04:48:24.990: Se3/0:0 IPCP: I CONFACK [REQsent] id 5 len 10

*Jan 3 04:48:24.990: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)

*Jan 3 04:48:24.990: Se3/0:0 LCP: I PROTREJ [Open] id 3 len 10 protocol CDPCP (

0x820701030004)

*Jan 3 04:48:24.990: Se3/0:0 CDPCP: State is Listen

*Jan 3 04:48:26.966: Se3/0:0 IPCP: TIMEout: State ACKrcvd

*Jan 3 04:48:26.966: Se3/0:0 IPCP: O CONFREQ [ACKrcvd] id 6 len 10

*Jan 3 04:48:26.966: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)

*Jan 3 04:48:26.982: Se3/0:0 IPCP: I CONFACK [REQsent] id 6 len 10

*Jan 3 04:48:26.982: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)

*Jan 3 04:48:27.990: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 2 len 34

*Jan 3 04:48:27.990: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)

*Jan 3 04:48:27.990: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)

*Jan 3 04:48:27.990: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)

*Jan 3 04:48:27.990: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)

*Jan 3 04:48:27.990: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)

*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns

*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins

*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns

*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins

*Jan 3 04:48:27.994: Se3/0:0 IPCP: O CONFREJ [ACKrcvd] id 2 len 28

*Jan 3 04:48:27.994: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)

*Jan 3 04:48:27.994: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)

*Jan 3 04:48:27.994: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)

*Jan 3 04:48:27.994: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)

*Jan 3 04:48:28.014: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 3 len 10

*Jan 3 04:48:28.014: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)

*Jan 3 04:48:28.014: Se3/0:0 IPCP: O CONFNAK [ACKrcvd] id 3 len 10

*Jan 3 04:48:28.014: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)

*Jan 3 04:48:28.030: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 4 len 10

*Jan 3 04:48:28.030: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)

*Jan 3 04:48:28.030: Se3/0:0 IPCP: O CONFACK [ACKrcvd] id 4 len 10

*Jan 3 04:48:28.030: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)

*Jan 3 04:48:28.030: Se3/0:0 IPCP: State is Open

*Jan 3 04:48:28.034: Se3/0:15 IPCP: Install route to 194.200.234.17

*Jan 3 04:48:28.034: Se3/0:0 IPCP: Add link info for cef entry 194.200.234.17

*Jan 3 04:48:28.298: Se3/0:0 PPP: Outbound cdp packet dropped, CDPCP state is L

isten

*Jan 3 04:49:28.298: Se3/0:0 PPP: Outbound cdp packet dropped, CDPCP state is L

0 Helpful

tepatel
Cisco Employee
Cisco Employee
In response to bodders_uk

‎07-11-2003 04:27 PM

There is a problem in the config at this point. The aaa authorization to tacacs is not configured. So pl. add

aaa authorization network default group vish group tacacs+

After that the authorization from tacacs should work fine.

0 Helpful
Customers Also Viewed These Support Documents