10-16-2001 06:06 AM - edited 02-20-2020 09:16 PM
Hi, everybody,
we configured RADIUS to an ACE/Server with SecurID tokens. Due to the 'lifetime' of a passcode, we'd like (as when using SHIVA) to have the opportunity to retry the passcode 2 times in case of error. With the following config, the line is immediately shut down. Thanks for your help,
Sincerely, Jean-Michel
Here part of our 3640 config:
!
aaa new-model
aaa authentication login AUTH-LINE group radius local
aaa authentication login NO-RADIUS local
aaa authentication ppp AUTH-PPP group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
!
!
modem country mica belgium
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
!
interface Loopback0
ip address 30.30.30.1 255.255.255.248
!
interface Ethernet0/0
ip address 20.20.20.2 255.255.255.192
no ip redirects
ip ospf hello-interval 30
!
interface BRI1/0
no ip address
encapsulation ppp
dialer rotary-group 2
dialer-group 1
isdn switch-type basic-net3
isdn incoming-voice modem
!
interface Group-Async1
ip unnumbered Loopback0
encapsulation ppp
async default routing
async mode interactive
peer default ip address pool default
ppp authentication pap AUTH-PPP
group-range 65 70
!
interface Dialer2
ip unnumbered Loopback0
encapsulation ppp
dialer in-band
dialer-group 1
peer default ip address pool default
ppp authentication pap AUTH-PPP
!
ip local pool default 10.10.10.1 10.10.10.20
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.222
no ip http server
!
dialer-list 1 protocol ip permit
radius-server host 111.111.111.111 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxxxxxx
!
line con 0
session-timeout 60
exec-timeout 60 0
password 7 xxxxxxxxx
login authentication NO-RADIUS
transport input none
line 65 70
no motd-banner
no exec-banner
autoselect during-login
autoselect ppp
login authentication AUTH-LINE
modem Dialin
modem autoconfigure type mica
transport input all
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
exec-timeout 60 0
password 7 --moderator edit--
login authentication NO-RADIUS
!
end
10-20-2001 03:20 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
10-29-2001 12:02 PM
How is your ACE server set up? Versions? Are you using profiles, and how are they set up?
I'm not an expert, but I play one at work.
Dan
10-29-2001 03:08 PM
Hmm, I'd have thought the radius retransmit would take care of this. Are you sure it's an error condition you are seeing, and not simply a NAK error?
If the return code is a NAK error, there is no point in sending the packet again, as the Ace Server will blackball you (Next Token Code, Disable) if you send the same successive bad Passcodes, as it will assume you are trying a replay attack (evade error in the audit log).
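As an added example (not code from this thread, from Cisco or from RSA), the distinction drawn in the reply above, and the retry question in the original post, modelled in Python: a NAS-side client that builds RFC 2865 Access-Request packets with PAP User-Password hiding, keeps the same identifier and Request Authenticator across retransmits so the server can recognise a duplicate, and retransmits only on a timeout, never on an Access-Reject; and a constructed stand-in for the ACE/Server that answers a duplicate request once, rejects a wrong passcode, and, when the same wrong passcode is presented again, moves the user into a 'next tokencode' state. The user name, passcode, shared secret and the server's lockout rule are all constructed assumptions; a real ACE/Server is considerably richer than this model.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_hide(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide, as the server performs it; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, user, password, secret):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    hidden = pap_hide(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(pkt, secret):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, pos, attrs = pkt[4:20], 20, {}
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return ident, auth, attrs[ATTR_USER_NAME], pap_reveal(attrs[ATTR_USER_PASSWORD], secret, auth)


class ToyAceServer:
    """Constructed stand-in for the ACE/Server (assumption, not RSA's behaviour).
    A duplicate request (same identifier + authenticator) is answered once; the same
    wrong passcode presented twice in a row is treated as a suspected replay and the
    user is parked in 'next tokencode' state, after which every request is rejected."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users   # users: {name: valid passcode}
        self.seen = {}                             # (identifier, authenticator) -> reply code
        self.last_bad = {}                         # name -> last rejected passcode
        self.next_tokencode = set()
        self.drop_next = 0                         # simulate lost packets (client sees timeouts)

    def handle(self, pkt):
        if self.drop_next:
            self.drop_next -= 1
            return None
        ident, auth, user, passcode = parse_access_request(pkt, self.secret)
        if (ident, auth) in self.seen:
            return self.seen[(ident, auth)]        # retransmit of an already-answered request
        if user in self.next_tokencode:
            code = ACCESS_REJECT
        elif passcode == self.users.get(user):
            code = ACCESS_ACCEPT
            self.last_bad.pop(user, None)
        else:
            if self.last_bad.get(user) == passcode:
                self.next_tokencode.add(user)      # same bad passcode again: suspected replay
            self.last_bad[user] = passcode
            code = ACCESS_REJECT
        self.seen[(ident, auth)] = code
        return code


def authenticate(server, secret, user, passcode, retransmit=3):
    """NAS-side logic: one attempt keeps its identifier and Request Authenticator across
    retransmits and retransmits only on timeout. Returns (outcome, packets sent)."""
    pkt = build_access_request(os.urandom(1)[0], os.urandom(16), user, passcode, secret)
    for sent in range(1, retransmit + 2):
        reply = server.handle(pkt)
        if reply is None:
            continue                               # timeout: resend the identical packet
        return ("accept" if reply == ACCESS_ACCEPT else "reject"), sent
    return "timeout", retransmit + 1


def run_scenarios():
    secret, user = b"constructed-shared-secret", b"jmichel"    # constructed values
    server = ToyAceServer(secret, {user: b"1234567890"})
    results = {}
    server.drop_next = 2                           # two lost packets, third copy arrives
    results["lost_then_retransmitted"] = authenticate(server, secret, user, b"1234567890")
    results["wrong_passcode"] = authenticate(server, secret, user, b"0000000000")
    results["same_wrong_again"] = authenticate(server, secret, user, b"0000000000")
    results["correct_but_locked"] = authenticate(server, secret, user, b"1234567890")
    results["user_locked"] = user in server.next_tokencode
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The scenario table shows the point of the reply: `radius-server retransmit` recovers a lost packet (the accept arrives on the third copy of the same request), but a wrong passcode comes back as a reject on the first packet, where resending would not help, and presenting the same wrong passcode a second time locks the user even though the next attempt carries the correct code. A second chance for a mistyped passcode therefore has to be a fresh login prompt with a fresh Access-Request, not a protocol-level retry.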
11-23-2001 04:11 AM
Hi, have you had any results with this case yet?
I am trying to get callback for async users working with ACE Server and Tokens with Radius on a 3600 router. Dialin works fine, I just can't get the dialback initiated by the ACE server.
Regards
Robin