Instead of using the AAA server IP pool to assign IP addresses to dial-in clients, is it possible to assign IP addresses to dial-in clients from a Windows-based DHCP server while still authenticating through the AAA server?
In the RAS, we did not input any IP pool. We used and have tried that link already. We entered these commands: "ip helper-address" (address of the DHCP server) on e0, "peer default ip address dhcp" on int Group-Async1, and "ip dhcp-server" (address of the DHCP server) in global config.
After doing that, our main concern is what config we should do in the AAA server, in the IP Assignments of the User/Group Settings. Which of these options should we select: a) No IP address assignment, b) Assigned by dial-up client, c) Assigned from network access server pool, d) Assigned from AAA server pool?
Also, the protocol we used in the AAA server is TACACS+, not RADIUS.
The following are the AAA configurations we made in the RAS global config.
! "aaa new model" is not a valid command; the keyword is hyphenated
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_authen none
aaa authentication ppp default group tacacs+ local
! IOS has no "aaa authentication exec"; exec access is controlled by authorization,
! so the original "aaa authentication exec default ..." line is corrected here
aaa authorization exec default group tacacs+ local
aaa authorization exec no_author none
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
Where do you think we went wrong in our setup or config? The setup we intend is to let their existing Windows-based DHCP server assign IP addresses to dial-in clients and to provide AAA using TACACS+.
You need to choose "Assigned from network access server pool" (which basically means the NAS will manage the IP address assignment) in the AAA TACACS+ config for the user/group. Then on the router you should have "peer default ip address dhcp" under the interface, so the router will query the DHCP server for that.
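The arrangement the reply describes, pulled together as one IOS configuration (an added example, not config posted by anyone in this thread): the router is the PPP network access server, it acts as DHCP proxy client for each dial-in peer, and all authentication, authorization and accounting go to TACACS+. The addresses, the shared secret, the interface names and the line range are placeholders chosen for the example; on the ACS side the user or group must use "Assigned from network access server pool" so that ACS does not try to hand down a pool of its own.

```text
! Added example (not from the thread). Placeholder values:
!   192.0.2.10  = TACACS+ (ACS) server
!   192.0.2.20  = Windows DHCP server
!   Ethernet0   = LAN interface facing both servers
!   Group-Async1, lines 1-16 = dial-in async group
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
!
! DHCP server the router queries on behalf of PPP peers
ip dhcp-server 192.0.2.20
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ! relays broadcast DHCP requests toward the DHCP server
 ip helper-address 192.0.2.20
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 ! no local pool: the router obtains the peer's address from DHCP
 peer default ip address dhcp
 ppp authentication chap pap
 group-range 1 16
!
line 1 16
 modem InOut
 autoselect ppp
```

With this in place, a failed call can be traced end to end: `debug ppp negotiation` shows the IPCP exchange where the peer address is proposed, `debug aaa authorization` shows what the TACACS+ server returns for the network authorization request, and `debug dhcp detail` shows whether the router's DHCP request to the server is answered at all. Each stage failing points to a different box (the NAS line, ACS, or the DHCP server), which is why the reply below asks for debug output.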
OK, we have tried and followed your instructions. But the dial-in client still cannot connect successfully. In the ACS logging "Failed Attempts" tab, it displays "Author failed"; under the user attribute it displays pools-"scope name", and in the Author Failure Code tab it displays "user unknown".
By the way, the DHCP service is installed on the same machine as the ACS/AAA server. Does it have to be on a separate machine? Also, the dial-in username is defined in the local ACS database, not in the Windows NT database. What do you think is the problem?
will help to see the problem. Now, as long as the PC can handle the AAA and DHCP server services fine, you don't really need them on different machines. The debug will display the correct picture. You can take help from Cisco's TAC engineers by opening a case at