ACS & ACE Integration questions

spencer-kennedy
Level 1

Hi All,

My customer wants to implement a redundant ACS system for authentication, which uses a redundant RSA ACE server for strong authentication of remote ISDN and PSTN dial users. I do have a number of questions with this scenario.

#1 I have been trying to emulate the remote access scenario using a Cisco 2600 router (12.0.10) with an ISDN Basic Rate Interface and the ACE 5 server. I have attached a config and it seems to work for local access onto the Aux port or dial in using the Windows dial up client without a post dial terminal window (i.e. I enter the PIN and tokencode in the password box of the dial client). However, when I implement the post dial terminal window (so that I can use next token mode and new PIN mode) the client connects to the router but I do not get any meaningful text in the post dial window (I would expect a username/passcode prompt); I just get ASCII garbage. Do you know if this works with next token code and new PIN mode (a la post dial terminal window) terminating on an ISDN BRI interface and, if so, why is it not working? I have tried this on Win 2K and 95.

#2 How can I support redundant multilink ISDN in this scenario? Do I need to implement token caching and, if so, is this supported in ACS 2.6 for Windows?

#3 Can I support redundant ACE servers if I am integrating the authentication with Cisco Secure Access Control Server (i.e. the authentication goes first to ACS which passes it on to the ACE server), or am I limited to a single ACE server if I use ACE? If I can use redundant ACE servers, how is this handled within ACS?

My router config is given below; the IOS is 12.0.10 and the platform is a 2600.

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NAS
!
aaa new-model
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
ip subnet-zero
isdn switch-type basic-net3
!
interface Ethernet0/0
 ip address 10.x.x.x 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface TokenRing0/0
 no ip address
 no ip directed-broadcast
 shutdown
 ring-speed 16
!
interface BRI0/0
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer idle-timeout 300
 dialer-group 1
 isdn switch-type basic-net3
 peer default ip address pool MyDialPool
 ppp authentication pap radius-ppp
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip local pool MyDialPool 10.1.22.250 10.1.22.250
ip classless
!
dialer-list 1 protocol ip permit
radius-server host 10.1.22.49 auth-port 1645 acct-port 1646
radius-server key xxxxxxxxx
!
line con 0
 login authentication no-tacacs
 transport input none
line aux 0
 login authentication radius-login
line vty 0 4
 password xxxxx
!
end

Thanks for your help,

Best regards,

Spencer Kennedy

1 Reply

jekrauss
Level 1

#1 You need to change your config to read:

aaa authentication ppp radius-ppp if-needed radius local

#2 Not sure what you mean by redundant ISDN multilink, but yes, CSNT 2.6 supports token caching.

See the following link (in particular see step 4):

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ch2.htm#xtocid129825

#3 No, CSNT only supports one ACE server.

HTH

Jeff
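The method-list change in the reply, applied to the config in the question, as an added audit script written for this thread (not code from either poster, Cisco ACS or IOS): it parses the `aaa authentication` lists out of an IOS config and flags a ppp list used on an interface that lacks `if-needed`, a referenced list that is never defined, and a line whose login list is `none`. The sample config is constructed from the posted one and trimmed.

```python
import re

# Constructed sample modelled on the config in the question (not the poster's exact
# config); 'if-needed' is deliberately absent so the audit flags the reply's fix.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login radius-login radius local
aaa authentication login no-tacacs none
aaa authentication ppp radius-ppp radius local
interface BRI0/0
 encapsulation ppp
 ppp authentication pap radius-ppp
line con 0
 login authentication no-tacacs
line aux 0
 login authentication radius-login
"""

# Tokens of 'ppp authentication' that are protocols or options, not a list name.
PPP_KEYWORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "callin", "one-time", "optional"}


def parse_method_lists(config):
    """Map (service, list-name) -> [methods] from 'aaa authentication' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication (login|ppp) (\S+) (.+)$", config, re.M):
        service, name, methods = m.groups()
        lists[(service, name)] = methods.split()
    return lists


def audit(config):
    """Return (severity, check, list-name) findings about the AAA method lists."""
    lists = parse_method_lists(config)
    findings = []
    for m in re.finditer(r"^ ppp authentication (.+)$", config, re.M):
        names = [t for t in m.group(1).split() if t not in PPP_KEYWORDS]
        name = names[0] if names else "default"
        methods = lists.get(("ppp", name))
        if methods is None:
            findings.append(("error", "undefined-ppp-list", name))
        elif "if-needed" not in methods:
            # Without if-needed, a user already authenticated at a login prompt
            # (post-dial terminal window) is challenged a second time by PPP.
            findings.append(("warn", "missing-if-needed", name))
    for m in re.finditer(r"^ login authentication (\S+)$", config, re.M):
        if lists.get(("login", m.group(1))) == ["none"]:
            findings.append(("warn", "login-none", m.group(1)))  # line has no authentication
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the missing `if-needed` on `radius-ppp` and the unauthenticated console line; adding `if-needed` to the ppp list, as the reply suggests, clears the first finding.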