07-10-2003 03:36 AM - edited 03-02-2019 08:46 AM
Hi.
I have the following problem.
Users currently log in via an AS5200, where we apply access restrictions depending on the group they belong to. They are verified using a TACACS+ server running ACS ver 2.1 on NT4.
We have got the replacement AS5350 working with the above, but the access restrictions aren't applied to the users as they are with the AS5200. Is this a software compatibility issue?
On the AS5200: IOS 12.0(5)T
On the AS5350: IOS 12.2(11)T8
CiscoSecure ACS ver 2.1 on NT4.
Is this an AV pairs issue?
Any help would be appreciated.
Thanks Bod
07-10-2003 08:09 AM
We need to see the debug, especially the authorization debug, when the user with the access restriction is trying to connect. That way we can verify whether the access restrictions are applied or not.
So please turn on the following debugs:
debug aaa authorization
debug aaa authentication
debug aaa per
debug ppp nego
Post it here for one call only.
07-11-2003 06:17 AM
These are the AAA config parts:
aaa group server tacacs+ vish
server 194.XXX.XXX.XXX
server 194.XXX.XXX.XXX
!
aaa authentication login vty group vish group tacacs+
aaa authentication login console local enable
aaa authentication login dial group vish group tacacs+
aaa authentication ppp default group vish group tacacs+
aaa authorization config-commands
aaa session-id common
Debug log:
*Jan 3 04:48:22.770: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=3, ds0=50331648
*Jan 3 04:48:22.770: AAA/ACCT/DS0: channel=0, ds1=0, t3=0, slot=3, ds0=50331648
*Jan 3 04:48:22.770: Se3/0:0 PPP: Treating connection as a callin
*Jan 3 04:48:22.770: Se3/0:0 PPP: Phase is ESTABLISHING, Passive Open
*Jan 3 04:48:22.770: Se3/0:0 LCP: State is Listen
*Jan 3 04:48:22.970: Se3/0:0 LCP: I CONFREQ [Listen] id 1 len 17
*Jan 3 04:48:22.970: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)
*Jan 3 04:48:22.970: Se3/0:0 LCP: PFC (0x0702)
*Jan 3 04:48:22.970: Se3/0:0 LCP: ACFC (0x0802)
*Jan 3 04:48:22.970: Se3/0:0 LCP: Callback 6 (0x0D0306)
*Jan 3 04:48:22.970: AAA/AUTHOR (0000005C): Method list id=FFFFFFFF not configured. Skip author
*Jan 3 04:48:22.974: Se3/0:0 LCP: O CONFREQ [Listen] id 5 len 30
*Jan 3 04:48:22.974: Se3/0:0 LCP: AuthProto PAP (0x0304C023)
*Jan 3 04:48:22.974: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)
*Jan 3 04:48:22.974: Se3/0:0 LCP: MRRU 1524 (0x110405F4)
*Jan 3 04:48:22.974: Se3/0:0 LCP: EndpointDisc 1 AS5200-03 (0x130C014153353230302D3033)
*Jan 3 04:48:22.974: Se3/0:0 LCP: O CONFREJ [Listen] id 1 len 7
*Jan 3 04:48:22.974: Se3/0:0 LCP: Callback 6 (0x0D0306)
*Jan 3 04:48:23.002: Se3/0:0 LCP: I CONFREJ [REQsent] id 5 len 20
*Jan 3 04:48:23.002: Se3/0:0 LCP: MRRU 1524 (0x110405F4)
*Jan 3 04:48:23.002: Se3/0:0 LCP: EndpointDisc 1 AS5200-03 (0x130C014153353230302D3033)
*Jan 3 04:48:23.002: Se3/0:0 LCP: O CONFREQ [REQsent] id 6 len 14
*Jan 3 04:48:23.002: Se3/0:0 LCP: AuthProto PAP (0x0304C023)
*Jan 3 04:48:23.002: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)
*Jan 3 04:48:23.006: Se3/0:0 LCP: I CONFREQ [REQsent] id 2 len 14
*Jan 3 04:48:23.006: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)
*Jan 3 04:48:23.006: Se3/0:0 LCP: PFC (0x0702)
*Jan 3 04:48:23.006: Se3/0:0 LCP: ACFC (0x0802)
*Jan 3 04:48:23.006: Se3/0:0 LCP: O CONFACK [REQsent] id 2 len 14
*Jan 3 04:48:23.006: Se3/0:0 LCP: MagicNumber 0x47D7D728 (0x050647D7D728)
*Jan 3 04:48:23.006: Se3/0:0 LCP: PFC (0x0702)
*Jan 3 04:48:23.006: Se3/0:0 LCP: ACFC (0x0802)
*Jan 3 04:48:23.026: Se3/0:0 LCP: I CONFACK [ACKsent] id 6 len 14
*Jan 3 04:48:23.026: Se3/0:0 LCP: AuthProto PAP (0x0304C023)
*Jan 3 04:48:23.026: Se3/0:0 LCP: MagicNumber 0x17854BBE (0x050617854BBE)
*Jan 3 04:48:23.026: Se3/0:0 LCP: State is Open
*Jan 3 04:48:23.026: Se3/0:0 PPP: Phase is AUTHENTICATING, by this end
*Jan 3 04:48:23.030: Se3/0:0 PAP: I AUTH-REQ id 1 len 22 from "testix"
*Jan 3 04:48:23.030: Se3/0:0 PAP: Authenticating peer testix
*Jan 3 04:48:23.030: Se3/0:0 PPP: Phase is FORWARDING, Attempting Forward
*Jan 3 04:48:23.030: Se3/0:0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 3 04:48:23.030: AAA/AUTHEN/PPP (0000005C): Pick method list 'default'
*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is FORWARDING, Attempting Forward
*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is AUTHENTICATING, Authenticated User
*Jan 3 04:48:24.962: Se3/0:0 PAP: O AUTH-ACK id 1 len 5
*Jan 3 04:48:24.962: Se3/0:0 PPP: Phase is UP
*Jan 3 04:48:24.966: Se3/0:0 AAA/AUTHOR/FSM: We can start IPCP
*Jan 3 04:48:24.966: Se3/0:0 IPCP: O CONFREQ [Closed] id 5 len 10
*Jan 3 04:48:24.966: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)
*Jan 3 04:48:24.966: Se3/0:0 AAA/AUTHOR/FSM: We can start CDPCP
*Jan 3 04:48:24.966: Se3/0:0 CDPCP: O CONFREQ [Closed] id 3 len 4
*Jan 3 04:48:24.986: Se3/0:0 IPCP: I CONFREQ [REQsent] id 1 len 40
*Jan 3 04:48:24.986: Se3/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: Pool returned 194.200.234.17
*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
*Jan 3 04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
*Jan 3 04:48:24.986: Se3/0:0 IPCP: O CONFREJ [REQsent] id 1 len 34
*Jan 3 04:48:24.986: Se3/0:0 IPCP: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 3 04:48:24.986: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 3 04:48:24.990: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 3 04:48:24.990: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 3 04:48:24.990: Se3/0:0 IPCP: I CONFACK [REQsent] id 5 len 10
*Jan 3 04:48:24.990: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)
*Jan 3 04:48:24.990: Se3/0:0 LCP: I PROTREJ [Open] id 3 len 10 protocol CDPCP (0x820701030004)
*Jan 3 04:48:24.990: Se3/0:0 CDPCP: State is Listen
*Jan 3 04:48:26.966: Se3/0:0 IPCP: TIMEout: State ACKrcvd
*Jan 3 04:48:26.966: Se3/0:0 IPCP: O CONFREQ [ACKrcvd] id 6 len 10
*Jan 3 04:48:26.966: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)
*Jan 3 04:48:26.982: Se3/0:0 IPCP: I CONFACK [REQsent] id 6 len 10
*Jan 3 04:48:26.982: Se3/0:0 IPCP: Address 194.200.235.137 (0x0306C2C8EB89)
*Jan 3 04:48:27.990: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 2 len 34
*Jan 3 04:48:27.990: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 3 04:48:27.990: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 3 04:48:27.990: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 3 04:48:27.990: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 3 04:48:27.990: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
*Jan 3 04:48:27.990: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
*Jan 3 04:48:27.994: Se3/0:0 IPCP: O CONFREJ [ACKrcvd] id 2 len 28
*Jan 3 04:48:27.994: Se3/0:0 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Jan 3 04:48:27.994: Se3/0:0 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000)
*Jan 3 04:48:27.994: Se3/0:0 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Jan 3 04:48:27.994: Se3/0:0 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000)
*Jan 3 04:48:28.014: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 3 len 10
*Jan 3 04:48:28.014: Se3/0:0 IPCP: Address 0.0.0.0 (0x030600000000)
*Jan 3 04:48:28.014: Se3/0:0 IPCP: O CONFNAK [ACKrcvd] id 3 len 10
*Jan 3 04:48:28.014: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)
*Jan 3 04:48:28.030: Se3/0:0 IPCP: I CONFREQ [ACKrcvd] id 4 len 10
*Jan 3 04:48:28.030: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)
*Jan 3 04:48:28.030: Se3/0:0 IPCP: O CONFACK [ACKrcvd] id 4 len 10
*Jan 3 04:48:28.030: Se3/0:0 IPCP: Address 194.200.234.17 (0x0306C2C8EA11)
*Jan 3 04:48:28.030: Se3/0:0 IPCP: State is Open
*Jan 3 04:48:28.034: Se3/0:15 IPCP: Install route to 194.200.234.17
*Jan 3 04:48:28.034: Se3/0:0 IPCP: Add link info for cef entry 194.200.234.17
*Jan 3 04:48:28.298: Se3/0:0 PPP: Outbound cdp packet dropped, CDPCP state is Listen
*Jan 3 04:49:28.298: Se3/0:0 PPP: Outbound cdp packet dropped, CDPCP state is L
07-11-2003 04:27 PM
There is a problem in the config at this point. The AAA authorization to TACACS+ is not configured. So please add
aaa authorization network default group vish group tacacs+
After that the authorization from tacacs should work fine.
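The failure mode in this thread is worth having a check for: the NAS authenticates PPP users against TACACS+ (`aaa authentication ppp default ...`), but with no `aaa authorization network` list it never requests the per-user attributes, so the group access restrictions are silently not enforced and the call fails open, which is exactly what the `Method list id=FFFFFFFF not configured. Skip author` and `no author-info` lines in the posted debug show. The script below is an added example, not code from the thread or from Cisco: it parses an IOS AAA stanza, flags PPP authentication lists that point at a server group without a covering `network` authorization list, proposes the fix the answer gives, and counts the two debug signatures. `SAMPLE_CONFIG` reproduces the posted stanza (addresses left masked as posted); `SAMPLE_DEBUG` is a constructed excerpt of the posted log with timestamps shortened. The rule that either a same-named list or `default` satisfies the check is an assumption of this script (a named list only applies where `ppp authorization <list>` is set on the interface), and the `no author-info` count is a supporting indicator, not proof on its own.

```python
"""Linter for the AAA gap seen in this thread (added example, not from the thread).

Flags 'aaa authentication ppp' lists that use a server group while no
'aaa authorization network' list exists to pull per-user attributes, and
counts the matching debug signatures."""
import re
from typing import Dict, List, Optional, Tuple

# Posted AAA stanza, addresses left masked exactly as the poster masked them.
SAMPLE_CONFIG = """\
aaa group server tacacs+ vish
 server 194.XXX.XXX.XXX
 server 194.XXX.XXX.XXX
!
aaa authentication login vty group vish group tacacs+
aaa authentication login console local enable
aaa authentication login dial group vish group tacacs+
aaa authentication ppp default group vish group tacacs+
aaa authorization config-commands
aaa session-id common
"""

# Constructed excerpt of the posted debug output (timestamps shortened).
SAMPLE_DEBUG = """\
04:48:22.970: AAA/AUTHOR (0000005C): Method list id=FFFFFFFF not configured. Skip author
04:48:23.030: AAA/AUTHEN/PPP (0000005C): Pick method list 'default'
04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary dns
04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for primary wins
04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday dns
04:48:24.986: Se3/0:0 AAA/AUTHOR/IPCP: no author-info for seconday wins
"""

AUTHEN_RE = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
AUTHOR_RE = re.compile(r"^aaa authorization (\S+)(?: (\S+) (.+))?$")
SKIP_AUTHOR_RE = re.compile(r"AAA/AUTHOR \(\w+\): Method list id=\w+ not configured\. Skip author")
NO_AUTHOR_INFO_RE = re.compile(r"AAA/AUTHOR/\w+: no author-info for")


def parse_methods(text: str) -> List[str]:
    """'group vish group tacacs+' -> ['group vish', 'group tacacs+']; 'local enable' -> ['local', 'enable']."""
    toks, out, i = text.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}")
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_aaa(config: str) -> Tuple[Dict[Tuple[str, str], List[str]], Dict[Tuple[str, str], List[str]]]:
    """Return ({(service, list): methods}, {(type, list): methods}) for the authentication and authorization lines."""
    authen: Dict[Tuple[str, str], List[str]] = {}
    author: Dict[Tuple[str, str], List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHEN_RE.match(line)
        if m:
            authen[(m.group(1), m.group(2))] = parse_methods(m.group(3))
            continue
        m = AUTHOR_RE.match(line)
        if m:  # 'aaa authorization config-commands' carries no list name or methods
            author[(m.group(1), m.group(2) or "")] = parse_methods(m.group(3)) if m.group(3) else []
    return authen, author


def find_authorization_gaps(config: str) -> List[str]:
    """One finding per PPP authentication list that uses a server group without a
    'network' authorization list querying that group.  Assumption: a same-named
    list or 'default' counts as covering (a named list only applies where the
    interface sets 'ppp authorization <list>')."""
    authen, author = parse_aaa(config)
    findings = []
    for (service, lname), methods in authen.items():
        groups = [m for m in methods if m.startswith("group ")]
        if service != "ppp" or not groups:
            continue  # not PPP, or purely local authentication: nothing to fetch from a server
        netlist = author.get(("network", lname), author.get(("network", "default")))
        if netlist is None:
            findings.append(f"ppp list '{lname}' authenticates via {', '.join(groups)} but no "
                            f"'aaa authorization network' list exists: per-user attributes are skipped")
            continue
        for g in groups:
            if g not in netlist:
                findings.append(f"ppp list '{lname}' authenticates via {g} but the network authorization list never queries it")
    return findings


def suggest_fix(config: str) -> Optional[str]:
    """Propose a default network authorization list mirroring the PPP default authentication methods."""
    authen, author = parse_aaa(config)
    ppp = authen.get(("ppp", "default"))
    if ppp is None or ("network", "default") in author:
        return None
    return "aaa authorization network default " + " ".join(ppp)


def scan_debug(debug_text: str) -> Dict[str, int]:
    """Count the two debug signatures of network authorization not being performed."""
    lines = debug_text.splitlines()
    return {"skip_author": sum(1 for l in lines if SKIP_AUTHOR_RE.search(l)),
            "no_author_info": sum(1 for l in lines if NO_AUTHOR_INFO_RE.search(l))}
```

Running `find_authorization_gaps(SAMPLE_CONFIG)` on the posted stanza reports the missing network list, `suggest_fix` returns the exact line given in the answer above, and re-running the check on the stanza with that line appended returns no findings. The same script serves as a pre-change review step when a NAS is replaced: diff the old and new AAA stanzas and run the check on both before cutover, rather than discovering the gap from user access that should have been denied.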