tacacs and ppp

Hi,

I am looking to secure a PPP authenticated session between two ISDN routers:

I have PPP authentication set up to use local usernames and passwords (CHAP). When I turn on aaa authentication ppp default group tacacs+, the router logs that the remote device is trying to connect, but nothing is sent to the TACACS server, even though the router says:

BR0/0:1 PPP: Treating connection as a callout
.Apr 13 11:14:15.054 UTC: BR0/0:1 CHAP: O CHALLENGE id 181 len 49 from "ner-l-01-nex-gbreasoc01u-tt1"
.Apr 13 11:14:15.086 UTC: BR0/0:1 CHAP: I CHALLENGE id 50 len 25 from "test"
.Apr 13 11:14:15.090 UTC: AAA: parse name=BRI0/0:1 idb type=14 tty=-1
.Apr 13 11:14:15.090 UTC: AAA: name=BRI0/0:1 flags=0x55 type=2 shelf=0 slot=0 adapter=0 port=0 channel=1
.Apr 13 11:14:15.090 UTC: AAA: parse name= idb type=-1 tty=-1
.Apr 13 11:14:15.090 UTC: AAA/MEMORY: create_user (0x81E88744) user='test' ruser='NULL' ds0=0 port='BRI0/0:1' rem_addr='' authen_ty'
.Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): port='BRI0/0:1' list='' action=SENDAUTH service=PPP
.Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): using "default" list
.Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): Method=tacacs+ (tacacs+)
.Apr 13 11:14:15.094 UTC: AAA/AUTHEN/SENDAUTH (2818076825): Failed sendauthen for test
.Apr 13 11:14:15.094 UTC: TAC+: send AUTHEN/START packet ver=193 id=2818076825
.Apr 13 11:14:15.306 UTC: TAC+: ver=193 id=2818076825 received AUTHEN status = FAIL
.Apr 13 11:14:15.306 UTC: AAA/AUTHEN (2818076825): status = FAIL
.Apr 13 11:14:15.306 UTC: BR0/0:1 CHAP: Username test: lookup failure
.Apr 13 11:14:15.306 UTC: AAA/MEMORY: free_user (0x81E88744) user='test' ruser='NULL' port='BRI0/0:1' rem_addr='' authen_type=CHAP 1
.Apr 13 11:14:15.306 UTC: BR0/0:1 CHAP: Unable to authenticate for peer
.Apr 13 11:14:15.342 UTC: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 01189719074
.Apr 13 11:14:15.522 UTC: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
.Apr 13 11:14:15.522 UTC: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di5

Any ideas?

Do I have to set something in order to trigger the PPP process to "talk" to the TACACS server?

Many thanks!

Will
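
The debug output in the post above, read per AAA request (an added example, not part of the original thread): a small Python parser that splits run-together IOS debug text at each timestamp and groups the AAA/AUTHEN and TAC+ entries by request id. SAMPLE is built from entries in the post; the function and field names are this example's own.

```python
import re

# Constructed sample: entries copied from the debug output in the post,
# run together on one line the way the forum page shows them.
SAMPLE = (
    ".Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): port='BRI0/0:1' "
    "list='' action=SENDAUTH service=PPP "
    '.Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): using "default" list '
    ".Apr 13 11:14:15.090 UTC: AAA/AUTHEN/START (2818076825): Method=tacacs+ (tacacs+) "
    ".Apr 13 11:14:15.094 UTC: AAA/AUTHEN/SENDAUTH (2818076825): Failed sendauthen for test "
    ".Apr 13 11:14:15.094 UTC: TAC+: send AUTHEN/START packet ver=193 id=2818076825 "
    ".Apr 13 11:14:15.306 UTC: TAC+: ver=193 id=2818076825 received AUTHEN status = FAIL "
    ".Apr 13 11:14:15.306 UTC: AAA/AUTHEN (2818076825): status = FAIL "
    ".Apr 13 11:14:15.306 UTC: BR0/0:1 CHAP: Username test: lookup failure"
)
# An entry starts at an IOS timestamp; a leading '.' or '*' belongs to it.
STAMP = re.compile(r"[.*]?[A-Z][a-z]{2} +\d{1,2} (\d\d:\d\d:\d\d\.\d{3}) UTC: ")
FIELDS = {  # summary key -> pattern for its value
    "action": r"action=(\w+)", "service": r"service=(\w+)", "method": r"Method=(\S+)",
    "list": r'using "([^"]+)" list', "tac_status": r"received AUTHEN status = (\w+)",
    "aaa_status": r"^AAA/AUTHEN \(\d+\): status = (\w+)",
}

def split_entries(text):
    """Return [(time, message)] whether entries are one per line or run together."""
    marks = list(STAMP.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return [(m.group(1), text[m.end():e].strip()) for m, e in zip(marks, ends)]

def summarize(text):
    """Group AAA/AUTHEN and TAC+ entries by request id; record what each reports."""
    sessions = {}
    for time, msg in split_entries(text):
        sid = re.search(r"\((\d+)\)|\bid=(\d+)", msg)
        if not sid or not msg.startswith(("AAA/AUTHEN", "TAC+")):
            continue
        s = sessions.setdefault(sid.group(1) or sid.group(2), {"entries": 0})
        s["entries"] += 1
        if msg.startswith("TAC+: send AUTHEN/START"):
            s["tac_sent_at"] = time
        for key, pattern in FIELDS.items():
            found = re.search(pattern, msg)
            if found:
                s[key] = found.group(1)
    return sessions

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For request 2818076825 the router's own debug records the AUTHEN/START send at 11:14:15.094 and a FAIL status 212 ms later, which gives an exact time and request id to look for in a capture taken on the TACACS+ server side.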


Post the aaa part of your config.

Scott



Well,

I got the protocol analyser out. The router is not sending anything to the TACACS server. Is there something I need on the remote router in order for the local router to know to use TACACS authentication?

Any ideas?
