Cisco Support Community
New Member

Mobile host authentication using TACACS+ Server

Instead of Home Agent (Router 7507), I tried to use AAA Server, and the instruction is as follows:

user = 20.0.0.1 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 12345678123456781234567812345678"
    }
}

I don't know how to configure the above format on my ACS 3.0.

Please help me out.

2 REPLIES
Cisco Employee

Re: Mobile host authentication using TACACS+ Server

1. You need to define a new service in ACS3 which is called mobile ip. For this, first ensure that there is a TACACS+ NAS defined in network configuration.

2. Go to interface configuration -> TACACS+ Cisco IOS. Under new services, tick the first check box, type mobileip in the service textbox and type ip in protocol, now submit. If there is not even a single tac+ NAS in the config, you will NOT see the TACACS+ Cisco IOS option in interface configuration!

3. Go to group properties now and under tacacs+, at the end of the list, you will find the new service you defined. Select the box, select custom attributes and then define

set spi#0 ....

Hope this helps. Pls. let the forum know if this solved your issue.

New Member

Re: Mobile host authentication using TACACS+ Server

Thank you very much for your appreciation.

But I am afraid that I still have a problem.

During authentication with Cisco Router, I got a debug message as follows;

MobileIP: HA 107 received registration for MN 172.31.3.235 on FastEthernet0/0/0 using COA 172.31.107.17 HA 172.31.107.70 lifetime 7200 options sbdmgVt
MobileIP: HA 107 get SA for MN 172.31.3.235
MobileIP: MN 172.31.3.235 SA is not available from AAA server
MobileIP: MN 172.31.3.235 SA is not configured, request ignored
%IPMOBILE-6-SECURE: Security violation on HA from MN 172.31.3.235 - errcode MN failed authentication (131), reason No mobility security association (1)

I checked the 'spi', 'key' values in MN and had no problem.

What would be the real problem?
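
An added example, not part of the thread: a small Python triage of Home Agent output like the debug lines in the post above. It pairs each %IPMOBILE-6-SECURE violation with the "SA is not ..." lookup lines for the same MN, so registrations rejected because the HA obtained no security association are separated from other authentication failures. The function name, verdict labels and the rejoined sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample: the debug output quoted in the thread, with terminal-wrapped lines rejoined.
SAMPLE = """\
MobileIP: HA 107 received registration for MN 172.31.3.235 on FastEthernet0/0/0 using COA 172.31.107.17 HA 172.31.107.70 lifetime 7200 options sbdmgVt
MobileIP: HA 107 get SA for MN 172.31.3.235
MobileIP: MN 172.31.3.235 SA is not available from AAA server
MobileIP: MN 172.31.3.235 SA is not configured, request ignored
%IPMOBILE-6-SECURE: Security violation on HA from MN 172.31.3.235 - errcode MN failed authentication (131), reason No mobility security association (1)
"""

# Syslog line raised by the HA when a registration fails authentication.
VIOLATION = re.compile(
    r"%IPMOBILE-6-SECURE: Security violation on HA from MN (?P<mn>\S+) - "
    r"errcode (?P<err>.+?) \((?P<code>\d+)\), "
    r"reason (?P<reason>.+?) \((?P<rcode>\d+)\)"
)
# Debug lines showing that the HA looked for a security association and found none.
SA_MISSING = re.compile(
    r"MobileIP: MN (?P<mn>\S+) SA is not "
    r"(?P<what>available from AAA server|configured)"
)

def triage(log_text):
    """Group Mobile IP authentication failures per mobile node (MN)."""
    hosts = defaultdict(lambda: {"violations": [], "sa_lookup": set()})
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if m:
            hosts[m["mn"]]["violations"].append(
                (int(m["code"]), int(m["rcode"]), m["reason"]))
            continue
        m = SA_MISSING.search(line)
        if m:
            hosts[m["mn"]]["sa_lookup"].add(m["what"])
    for info in hosts.values():
        # Verdict labels are hypothetical names chosen for this example.
        if info["violations"] and info["sa_lookup"]:
            info["verdict"] = "sa_not_found_on_ha_or_aaa"
        elif info["violations"]:
            info["verdict"] = "auth_failed_unclassified"
        else:
            info["verdict"] = "sa_lookup_failed_no_violation_logged"
    return dict(hosts)

if __name__ == "__main__":
    for mn, info in triage(SAMPLE).items():
        print(mn, info["verdict"], info["violations"], sorted(info["sa_lookup"]))
```
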
