AAA authentication woes

Hi all,

I have a sticky problem with AAA authentication and I'm either reading the docs on CCO incorrectly or I'm missing something. What I have is a number of Async users and a few 64K ISDN users coming in on a PRI. The Async users work fine and authenticate via tacacs no problem. What I want is the 64K users only to authenticate locally.

Using the 'list' command 'router' in chap, this should ignore the 'aaa ppp authentication default' and go direct to the local username list. Well you've guessed it, it doesn't. The authentication is picked up as default and fails.

The reason this fails is the debugs show that the incoming interface is one of the serials, which there is no 'list' configured on. The binding to the dialer interface D3 only takes place after successful authentication, so it never gets to act on the list. I can get round this by placing the list command on the D channel, but I suspect that will affect the async users too? Also this limits me to only one list!

Apart from configuring the 64K users in tacacs as well, is there any other way around this, or am I reading the docs wrong?

Cheers Bob

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication ppp default group tacacs+ local
aaa authentication ppp router local
aaa authorization exec default local group tacacs+
aaa authorization network default group tacacs+ local
aaa authorization network ISDN group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
! snip !
!
interface Serial1/0:15
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn sending-complete
 no fair-queue
 no cdp enable
 ppp authentication ms-chap chap pap
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 async mode interactive
 ipx ppp-client Loopback0
 peer default ip address pool dialin_pool
 ppp authentication chap
 group-range 65 76
!
interface Dialer1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name pnuthall
 dialer idle-timeout 600
 dialer load-threshold 1 either
 dialer-group 1
 peer default ip address pool router_pool
 no cdp enable
 ppp authentication chap callin router
 ppp multilink
!
interface Dialer2
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name xxxxx
 dialer idle-timeout 900
 dialer-group 1
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication ms-chap chap pap
!
interface Dialer3
 ip unnumbered Ethernet0/0
 encapsulation ppp
 dialer pool 1
 dialer remote-name glamb
 dialer idle-timeout 900
 dialer load-threshold 1 either
 dialer-group 1
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication ms-chap chap pap callin router
 ppp multilink

AAA Authentication debugging is on

*Mar 19 20:55:56: %LINK-3-UPDOWN: Interface Serial1/0:18, changed state to up
*Mar 19 20:55:57: AAA: parse name=Serial1/0:18 idb type=13 tty=-1
*Mar 19 20:55:57: AAA: name=Serial1/0:18 flags=0x55 type=1 shelf=0 slot=1 adapter=0 port=0 channel=18
*Mar 19 20:55:57: AAA: parse name= idb type=-1 tty=-1
*Mar 19 20:55:57: AAA/MEMORY: create_user (0x616721D4) user='glamb' ruser='NULL' ds0=16777234 port='Serial1/0:18' rem_addr='/469230' authen_type=MSCHAP service=PPP priv=1 initial_task_id='0'
*Mar 19 20:55:57: AAA/AUTHEN/START (3807844204):port='Serial1/0:18' list='' action=LOGIN service=PPP
*Mar 19 20:55:57: AAA/AUTHEN/START (3807844204): using "default" list
*Mar 19 20:55:57: AAA/AUTHEN/START (3807844204): Method=tacacs+ (tacacs+)
*Mar 19 20:55:57: TAC+: send AUTHEN/START packet ver=193 id=3807844204
*Mar 19 20:55:57: TAC+: ver=193 id=3807844204 received AUTHEN status = FAIL
*Mar 19 20:55:57: AAA/AUTHEN (3807844204): status = FAIL
*Mar 19 20:55:57: AAA/MEMORY: free_user (0x616721D4) user='glamb' ruser='NULL' p
Reply to
bob
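The debug above shows the point of the whole thread: the incoming call is authenticated on the physical channel Serial1/0:18 with list='' (so "default"), and the 'router' list named on Dialer3 is never reached because dialer binding happens only after authentication succeeds. The following is an added example, not code from the post or from Cisco: a small Python audit that parses an IOS-style config, works out which 'aaa authentication ppp' list each interface will actually use, and flags dialer interfaces that name a list while the physical members of their dialer pool still fall back to 'default'. The config excerpt inside it is constructed from the one in the post (trimmed to the relevant lines), and the parser assumes the usual one-space indentation of IOS interface sub-commands and the documented 'ppp authentication' token order (protocols, then optional keywords and a list name).

```python
"""Audit which AAA PPP method list each interface will really use.

Added example (not from the original post or from Cisco). Reports, per
interface, the effective 'aaa authentication ppp' list and two findings:
  * a 'ppp authentication' line that names a list not defined under aaa
  * a dialer interface naming a list while a physical 'dialer pool-member'
    of the same pool authenticates with a different list; incoming calls
    authenticate on the physical interface before dialer binding, so the
    dialer's named list is never consulted for them.
"""
import re
from dataclasses import dataclass, field

# Tokens that may follow the protocols on 'ppp authentication' and are
# NOT a method-list name (IOS syntax: protocols, then optional keywords
# and an optional list name).
PPP_PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}
PPP_KEYWORDS = {"callin", "one-time", "optional", "if-needed"}

# Constructed excerpt modelled on the config in the post (trimmed).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default group tacacs+ local
aaa authentication ppp router local
!
interface Serial1/0:15
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type primary-net5
 ppp authentication ms-chap chap pap
!
interface Group-Async1
 encapsulation ppp
 ppp authentication chap
!
interface Dialer1
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin router
!
interface Dialer3
 encapsulation ppp
 dialer pool 1
 ppp authentication ms-chap chap pap callin router
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def ppp_list(self):
        """Method list named on 'ppp authentication', 'default' if none,
        None if the interface has no PPP authentication at all."""
        for line in self.lines:
            parts = line.split()
            if parts[:2] == ["ppp", "authentication"]:
                for tok in parts[2:]:
                    if tok not in PPP_PROTOCOLS and tok not in PPP_KEYWORDS:
                        return tok
                return "default"
        return None

    def pool(self):
        """('member', id) for a physical pool member, ('dialer', id) for a
        logical dialer interface, None if neither."""
        for line in self.lines:
            m = re.match(r"dialer pool-member (\d+)", line)
            if m:
                return ("member", m.group(1))
            m = re.match(r"dialer pool (\d+)", line)
            if m:
                return ("dialer", m.group(1))
        return None


def parse(config):
    """Return ({list_name: methods}, [Interface, ...])."""
    lists, interfaces, current = {}, [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())   # interface sub-command
            continue
        current = None                          # any top-level line ends a stanza
        line = raw.strip()
        if line.startswith("aaa authentication ppp "):
            _, _, _, name, *methods = line.split()
            lists[name] = methods
        elif line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces.append(current)
    return lists, interfaces


def audit(config):
    """Return (effective list per interface, list of finding strings)."""
    lists, interfaces = parse(config)
    effective, findings, members = {}, [], {}
    for itf in interfaces:
        name = itf.ppp_list()
        if name is None:
            continue
        effective[itf.name] = name
        if name != "default" and name not in lists:
            findings.append(f"{itf.name}: references undefined ppp list '{name}'")
        p = itf.pool()
        if p and p[0] == "member":
            members.setdefault(p[1], []).append(itf)
    for itf in interfaces:
        p = itf.pool()
        dialer_list = effective.get(itf.name)
        if not p or p[0] != "dialer" or dialer_list in (None, "default"):
            continue
        for phys in members.get(p[1], []):
            phys_list = effective.get(phys.name, "default")
            if phys_list != dialer_list:
                findings.append(
                    f"{itf.name} names list '{dialer_list}' but pool member "
                    f"{phys.name} authenticates incoming calls with "
                    f"'{phys_list}' before dialer binding")
    return effective, findings


if __name__ == "__main__":
    eff, found = audit(SAMPLE_CONFIG)
    for itf, lst in eff.items():
        print(f"{itf:14} -> {lst}")
    for f in found:
        print("WARN:", f)
```

Run against the constructed excerpt it reports Dialer1 and Dialer3 as using 'router' but warns for both that Serial1/0:15 will authenticate the call with 'default' first, which is exactly the FAIL seen in the debug. The same check is useful in reverse: after moving a named list onto the D channel, it shows which dialer interfaces now agree with it.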

No, the async users will always use the config under "Group Async1". The config under the Serial interface for the D channel will only be used for ISDN users. If your async and ISDN users use different dialin numbers then you can also use aaa groups and dnis maps to specify the authentication methods.

Reply to
thrill5

Thanks for that Scott. I just had this nagging doubt that it may have affected the async and, as I couldn't lab it, I was reluctant to test it on a live network.

Cheers Bob

Reply to
bob

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.