RADIUS to RSA ACE/Server with SecurID

jmgeldhof
Level 1

Hi, everybody,

We configured RADIUS to an ACE/Server with SecurID tokens. Due to the 'lifetime' of a passcode, we'd like (as when using SHIVA) to have the opportunity to retry the passcode 2 times in case of error. With the following config, the line is immediately shut down. Thanks for your help.

Sincerely, Jean-Michel

Here part of our 3640 config:

!
aaa new-model
aaa authentication login AUTH-LINE group radius local
aaa authentication login NO-RADIUS local
aaa authentication ppp AUTH-PPP group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
!
!
modem country mica belgium
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
!
interface Loopback0
 ip address 30.30.30.1 255.255.255.248
!
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.192
 no ip redirects
 ip ospf hello-interval 30
!
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer rotary-group 2
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice modem
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async default routing
 async mode interactive
 peer default ip address pool default
 ppp authentication pap AUTH-PPP
 group-range 65 70
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer in-band
 dialer-group 1
 peer default ip address pool default
 ppp authentication pap AUTH-PPP
!
ip local pool default 10.10.10.1 10.10.10.20
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.222
no ip http server
!
dialer-list 1 protocol ip permit
radius-server host 111.111.111.111 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxxxxxx
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 password 7 xxxxxxxxx
 login authentication NO-RADIUS
 transport input none
line 65 70
 no motd-banner
 no exec-banner
 autoselect during-login
 autoselect ppp
 login authentication AUTH-LINE
 modem Dialin
 modem autoconfigure type mica
 transport input all
 flowcontrol hardware
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 password 7 --moderator edit--
 login authentication NO-RADIUS
!
end

4 Replies

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

dmiley
Level 1

How is your ACE server set up? Which versions? Are you using profiles, and how are they set up?

I'm not an expert, but I play one at work.

Dan

p.jacques
Level 1

Hmm, I'd have thought the RADIUS retransmit would take care of this. Are you sure it's an error condition you are seeing, and not simply a NAK error?

If the return code is a NAK error, there is no point in sending the packet again, as the ACE Server will blackball you (Next Tokencode, Disable) if you send the same successive bad passcodes, since it will assume you are attempting a replay attack (evade error in the audit log).
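To make the distinction in the reply above concrete for the `radius-server retransmit 3` line in the original config: retransmission covers a server that does not answer, while an Access-Reject is a definitive NAK that re-sending the same packet cannot change. The following is an added example, not code from the thread or from Cisco or RSA. It implements the RFC 2865 Access-Request exchange (User-Password hiding and Response Authenticator verification with the shared secret) against a constructed mock token server; the secret, username, passcode, packet identifier 7, and the reading of `retransmit` as "re-send up to N times only while no valid reply arrives" are all assumptions.

```python
"""RFC 2865 Access-Request / Access-Accept / Access-Reject exchange with a NAS-style
retry policy: re-send while the server is silent, never after a reject.
Added example; MockTokenServer is a constructed stand-in, not ACE/Server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), the Request Authenticator serving as block zero."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decode_user_password(hidden, secret, authenticator):
    """Inverse of encode_user_password (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_code, value):
    return struct.pack("!BB", type_code, len(value) + 2) + value

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        type_code, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[type_code] = data[pos + 2:pos + length]
        pos += length
    return attrs

def packet(code, identifier, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def build_access_request(identifier, username, passcode, secret, authenticator):
    attrs_bytes = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, encode_user_password(passcode, secret, authenticator))
    return packet(ACCESS_REQUEST, identifier, authenticator, attrs_bytes)

def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_response(code, request, secret):
    auth = response_authenticator(code, request[1], b"", request[4:20], secret)
    return packet(code, request[1], auth, b"")

def verify_response(response, request, secret):
    """Reply Code if it answers this request with a valid Response Authenticator, else None."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None

class MockTokenServer:
    """Constructed token server: right passcode -> Accept, else Reject; first `drop_first` requests are lost."""
    def __init__(self, secret, passcodes, drop_first=0):
        self.secret, self.passcodes, self.drop_first, self.received = secret, passcodes, drop_first, 0

    def handle(self, request):
        self.received += 1
        if self.received <= self.drop_first:
            return None  # unreachable server: the only case retransmission helps
        attrs = parse_attrs(request[20:])
        passcode = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), self.secret, request[4:20])
        ok = hmac.compare_digest(passcode, self.passcodes.get(attrs.get(ATTR_USER_NAME), b"\xff"))
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, self.secret)

def authenticate(server, username, passcode, secret, retransmit=3):
    """NAS side. One Access-Request, re-sent up to `retransmit` times only while no valid
    reply arrives (assumed reading of 'radius-server retransmit 3'). An Access-Reject is a
    definitive NAK: the same passcode is never re-sent. Returns (outcome, packets_sent)."""
    request = build_access_request(7, username, passcode, secret, os.urandom(16))
    sent = 0
    for _ in range(1 + retransmit):
        sent += 1
        reply = server.handle(request)
        code = verify_response(reply, request, secret) if reply else None
        if code == ACCESS_ACCEPT:
            return "accept", sent
        if code == ACCESS_REJECT:
            return "reject", sent
        # silence, or a reply whose authenticator does not verify (not from our server): retry
    return "timeout", sent
```

With a reachable server a wrong passcode yields `("reject", 1)`, a server that swallows the first two requests yields `("accept", 3)`, and a server that never answers yields `("timeout", 4)`; a reply built with the wrong shared secret is ignored rather than trusted. A second prompt for a fresh passcode, which is what the original question asks for, is a separate Access-Request with a new authenticator, not a retransmission.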

robin
Level 1

Hi, have you had any results with this case yet?

I am trying to get callback for async users working with ACE Server and tokens with RADIUS on a 3600 router. Dial-in works fine; I just can't get the dial-back initiated by the ACE server.

Regards

Robin