12-19-2007 03:31 AM
Please can anyone help me regarding getting a Windows dialup user to get access to internal resources once authentication to RSA ACE server has been successful.
I have setup AAA authentication & authorization.
I can get the user to authenticate to the RSA ACE server but after authentication I cannot get authorization to work, but it has been configured in the list. See below:
aaa authentication login default group tacacs+ local
aaa authentication login ACE group radius local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp ACE if-needed
aaa authorization network ACE if-authenticated none
aaa accounting commands 15 default start-stop group tacacs+
interface Group-Async1
 description ** modem lines **
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 ip route-cache policy
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 autodetect encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
 group-range 1/0 1/7
line 1/0 1/7
 login authentication ACE
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 flowcontrol hardware
The debug message I get is as follows:
AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author
The username/password window on the client PC just sits there and then times out...
Any help is welcome
12-19-2007 03:47 AM
Under the group Async you have:
interface Group-Async1
 ppp authorization ACE
This line is normally not needed and I presume it is the cause of your trouble because there is no corresponding line in the aaa-section. This sample is from a working configuration:
interface Group-Async1
 bandwidth 56
 ip unnumbered Loopback1
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 300
 dialer enable-timeout 8
 dialer-group 1
 async mode interactive
 peer default ip address pool ippool
 no keepalive
 ppp authentication chap pap
 group-range 65 76
regards,
Leo
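An offline cross-check for the condition described in the reply above (a method list named on an interface or line with no matching line in the aaa section), as an added example that is not part of the thread. The sample configuration is constructed, and the function names and the `PPP_WORDS` keyword set are assumptions of this example.

```python
import re

# Interface/line command -> (AAA service, list type) it refers to.
REFERENCES = {
    "ppp authentication": ("authentication", "ppp"),
    "ppp authorization": ("authorization", "network"),
    "login authentication": ("authentication", "login"),
}
# Words that may follow "ppp authentication" without being a list name
# (assumed keyword set for this example).
PPP_WORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "if-needed",
             "callin", "callout", "one-time", "optional"}

def defined_lists(config):
    """Set of (service, type, name) from 'aaa authentication|authorization' lines."""
    pattern = re.compile(r"\s*aaa (authentication|authorization) (\S+) (\S+)")
    return {m.groups() for m in map(pattern.match, config.splitlines()) if m}

def missing_lists(config):
    """Named method lists applied on an interface or line but never defined."""
    have, context, missing = defined_lists(config), None, []
    for text in map(str.strip, config.splitlines()):
        if re.match(r"(interface|line) ", text):
            context = text
        for cmd, (service, kind) in REFERENCES.items():
            if not text.startswith(cmd + " "):
                continue
            skip = PPP_WORDS if cmd == "ppp authentication" else set()
            names = [w for w in text[len(cmd):].split() if w not in skip]
            # No name (or "default") means the default list; only named lists are checked.
            if names and names[0] != "default" and (service, kind, names[0]) not in have:
                missing.append((context, cmd, names[0]))
    return missing

# Constructed sample, not the poster's configuration.
SAMPLE = """\
aaa new-model
aaa authentication login ACE group radius local
aaa authentication ppp ACE if-needed group radius
interface Group-Async1
 encapsulation ppp
 ppp authentication pap ms-chap ms-chap-v2 ACE
 ppp authorization ACE
line 1/0 1/7
 login authentication ACE
"""

if __name__ == "__main__":
    for context, cmd, name in missing_lists(SAMPLE):
        print(f"{context}: '{cmd} {name}' has no matching aaa line")
```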
12-19-2007 03:52 AM
Leo,
Thanks for your reply.
I have removed this line but I still continue to get the debug message as posted earlier.
12-19-2007 04:27 AM
You can also try this:
aaa authentication ppp ACE group radius local
Otherwise, please post the output of 'debug ppp neg'
regards,
Leo
12-19-2007 06:04 AM
Tried this but no output for deb ppp neg.
Once login is authenticated I want to give my users full access, so hence PPP is set up as if-needed.
The RADIUS server is an ACE box and it checks the AD credentials; if they exist then it returns an accept message back to the client.
But I have now noticed that PPP is doing anything which is a concern...
12-19-2007 06:22 AM
PPP is required here to make a connection so there must be debug output. Did you enable logging to your vty session using: term mon?
You will not get any debug info without it.
regards,
Leo
12-19-2007 07:01 AM
All my debug information is logged to the internal buffer, so no need to enable term mon, as this just gets messy.
Any other suggestions welcome.