IP Address Assignments to dial-in clients

valastra
Level 1

Instead of using the AAA server IP pool to assign IP addresses to dial-in clients, is it possible to assign IP addresses to dial-in clients from a Windows-based DHCP server while still authenticating through the AAA server?

5 Replies

tepatel
Cisco Employee

Yes, you can do that. Just configure the aaa authentication to be done via AAA.

Now don't configure aaa to assign an IP address in the user/group profile.

Now follow this URL for DHCP address assignment:

http://www.cisco.com/warp/public/793/access_dial/winsdhcp.html

Here is the URL which assigns an IP address from a pool configured on the router, but authenticates via RADIUS:

http://www.cisco.com/warp/public/793/access_dial/basicradius.shtml

Hope this helps. Thx, Tejal

Sir,

Thanks for your quick reply to my concern.

In the RAS, we did not input any IP pool. We have used and tried that link already. We entered these commands: "ip helper-address" (address of the DHCP server) on e0, "peer default ip address dhcp" on int Group-Async1, and "ip dhcp-server" (address of the DHCP server) in global config.

After doing that, our main concern is: what config should we do in the AAA server, in the IP Assignments of the User/Group Settings? Which of these options should we select: a) No IP address assignment, b) Assigned by dial-up client, c) Assigned from network access server pool, d) Assigned from AAA server pool?

Also, the protocol we used in the AAA server is TACACS+, not RADIUS.

The following are the aaa configurations we made in the RAS global config.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_authen none
aaa authentication ppp default group tacacs+ local
aaa authentication exec default group tacacs+ local
aaa authorization exec no_author none
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

Where do you think we went wrong in our setup or config? The setup we intend to have is: let their existing Windows-based DHCP server assign IP addresses to dial-in clients, and provide AAA using TACACS+.

Hoping to receive your idea.

Thanks.

You need to choose "Assigned from network access server pool" (which basically means the NAS will manage IP address assignment) in the aaa tacacs config for the user/group. Now on the router you should have "peer default ip address dhcp" under the interface, so the router will query the DHCP server for that.

By the way, the aaa part of your config looks ok.
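For reference, here is one NAS configuration that puts the pieces discussed in this thread together: the TACACS+ AAA lines, the global DHCP server pointer, the helper address on the Ethernet interface, and "peer default ip address dhcp" on the async group interface. This is an added example, not the original poster's running config or Cisco's own document; the addresses, interface names, line range and the TACACS+ key are assumptions, and "ip helper-address" is included only because the thread configured it (it relays DHCP broadcasts on Ethernet0 and is not what serves the PPP peers).

```cisco
! Added example (not from the thread). Addresses, interface names,
! line range and the shared key are assumptions for illustration.
aaa new-model
aaa authentication ppp default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting network default start-stop group tacacs+
!
! TACACS+ server (assumed address). Use a long random key and do not
! paste the real key into support threads.
tacacs-server host 10.1.1.5
tacacs-server key 0 EXAMPLE-KEY-CHANGE-ME
!
! Global pointer to the Windows DHCP server (assumed address): with
! "peer default ip address dhcp" below, the router requests a lease
! from this server on behalf of each dial-in peer.
ip dhcp-server 10.1.1.5
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.5
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address dhcp
 ppp authentication chap
 group-range 1 16
!
line 1 16
 modem InOut
 autoselect ppp
```

On the ACS side this pairs with "Assigned from network access server pool" in the user/group IP assignment settings, as described in the reply above, so the AAA server returns no address attribute and the router's DHCP proxy request supplies it.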

Ok, we have tried and followed your instruction. But the dial-in client still cannot connect successfully. And in the ACS logging "Failed Attempts" tab, it displays "Author failed"; under the user attribute it displays pools-"scope name", and in the Author Failure Code tab it displays "user unknown".

By the way, the DHCP service is installed on the same machine as the ACS/AAA server. Does it have to be on a separate machine? Also, the dial-in username is defined in the local ACS database, not in the Windows NT database. What do you think is the problem?

Now we really need to debug this issue.

debug ppp authentication
debug ppp negotiation
debug aaa authentication
debug aaa authorization
debug radius
debug ip dhcp server events
term mon

will help to see the problem. Now, as long as the PC can handle the aaa and DHCP server services fine, you don't really need them on different machines. The debug will display the correct picture. You can get help from Cisco's TAC engineers by opening a case at www.cisco.com/tac for this issue. Thx, Tejal
