Solved

Cisco NAS...

Posted on 2004-04-08
10
4,586 Views
Last Modified: 2013-11-16
Hi,

I need some help with the configuration of the Cisco NM-24DM with a T1 Pri on a 3600 router.

Just wondering if anyone knows how to configure it or has configured it to work for both dial-in and dial-out usage.  Dial-in using ACS and dial-out not using any authentication.  I've been to the Cisco site, looked at their sample config and tried to implement it, but it doesn't work.  I have tried mostly everything, but no luck.  Just wondering if someone has this product working and up and running?

Thank you in advance.

yackko
0
Question by:yackko
10 Comments
 
LVL 6

Expert Comment

by:Pascal666
ID: 10804666
Yes, I have had this working before.  What problem are you running into?  What does your config look like?

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10805771
Hi Pascal,

Thanks for the reply...

I finally got the dial-out portion to work.  Currently I'm trying to get the dial-in part to work.  It will dial and the challenge handshake works fine.  The problem is when I authenticate using TACACS+.  I'm trying to have the dial-in users go through TACACS+ and then TACACS+ will pass on the authentication to SecurID (SDI).  Then it will prompt the user to type in their SecurID code to authenticate to the network.  We have it working fine on the Shiva NAS, but the Cisco solution is supposed to replace the Shiva.

Thank you in advance.

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10806859
Verify that you added the router to the TACACS+ server and the secret key is correct.  Check the log for failed authentication attempts to see why they failed.  On your router you should have something like:

aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10808704
Yep.  That's all there.  I've looked at the TACACS+ server and everything is set up correctly.  The shared key is correct.  Cisco TAC doesn't seem to know either.  My case has been re-assigned several times already and five TAC engineers have looked at it... Well, two have looked at it.  The other three just won't respond to my emails.  The current one I think gave up and stopped responding also.  Don't know why...???  Anyway, the config is exactly the one on the Cisco website using a T1 PRI with a NM-24DM (Mica).

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml

It's really weird.  It will go to TACACS+, but then TACACS+ won't pass authentication to SecurID.  Is there a way to just have it interface with SecurID and bypass TACACS+?  Or is there a retry command that I can put on the NAS?

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10811223
"tacacs-server ?" shows you the retry and timeout params.

Are you using the same TACACS+ box for both the Shiva and the Cisco?

Do the following through a telnet session on the router and paste the output of a login attempt here.  After the attempt do "u all" to turn back off.

debug tac
debug tac ev
debug ppp auth
term mon

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10813348
Here are the debugs from the NAS.  It fails at PPP/CHAP authentication...

Apr 13 13:35:12.664: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to unknown
Apr 13 13:35:34.720: As34 PPP: Using dialer call direction
Apr 13 13:35:34.720: As34 PPP: Treating connection as a callin
Apr 13 13:35:34.720: As34 PPP: Authorization NOT required
Apr 13 13:35:34.724: %LINK-3-UPDOWN: Interface Async34, changed state to up
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.020: As34 PPP: Sent CHAP LOGIN Request
Apr 13 13:35:35.024: TPLUS: Queuing AAA Authentication request 24 for processing
Apr 13 13:35:35.024: TPLUS: processing authentication start request id 24
Apr 13 13:35:35.024: TPLUS: no address for get_server
Apr 13 13:35:35.024: TPLUS: Authentication start packet created for 24(hmd)
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.024: TPLUS(00000018)/0/NB_WAIT/624B8BA0: Started 5 sec timeout
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: socket event 2
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: wrote entire 83 bytes request
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: Would block while reading
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.036: TPLUS(00000018)/0/READ: read entire 18 bytes response
Apr 13 13:35:35.036: TPLUS(00000018)/0/624B8BA0: Processing the reply packet
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.036: As34 PPP: Received LOGIN Response FAIL
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Apr 13 13:35:35.264: %ISDN-6-DISCONNECT: Interface Serial0/0:0  disconnected from unknown , call lasted 28 seconds
Apr 13 13:35:37.164: As34 PPP: Authorization NOT required
Apr 13 13:35:37.172: %LINK-5-CHANGED: Interface Async34, changed state to reset
Apr 13 13:35:42.172: %LINK-3-UPDOWN: Interface Async34, changed state to down

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10814077
That definitely shows that the router is passing the request to the TACACS+ box and getting a response.  Question becomes: why are you getting a negative response?

Are you using the same TACACS+ box for both the Shiva and the Cisco?  What do the logs show on the TACACS+ box?  Is there any debugging there you can turn on?  What about on the SecurID box?  Which TACACS+ and SecurID servers specifically are you using?

-Pascal
0
 
LVL 6

Accepted Solution

by:Pascal666 (earned 300 total points)
ID: 10814142
I just noticed that you are trying to use CHAP.  This will not work.  You must use PAP.  Try using just "ppp authentication pap" under the interface.

-Pascal
0
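Why the accepted answer holds, as an added example that is not part of the original thread: with MD5-CHAP (RFC 1994) the client sends MD5(Identifier || secret || Challenge), so whoever verifies it must hold the user's cleartext secret. A one-time-passcode backend such as SecurID holds no such static secret, so a CHAP request can only come back FAIL (exactly what the TPLUS debug shows), whereas PAP delivers the passcode itself for the backend to check. The password stores, challenge and passcodes below are constructed stand-ins, not the SecurID algorithm or Cisco's AAA code.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values, not taken from the thread.
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
CHAP_ID = 1

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_id: int, response: bytes, challenge: bytes, secret: bytes) -> bool:
    """The verifier must recompute the digest, so it needs the cleartext secret."""
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)

class StaticPasswordStore:
    """Backend holding a fixed cleartext password per user (what CHAP requires)."""
    def __init__(self, passwords: dict):
        self._pw = passwords
    def cleartext_secret(self, user: str) -> Optional[bytes]:
        return self._pw.get(user)
    def validate(self, user: str, credential: bytes) -> bool:
        return hmac.compare_digest(self._pw.get(user, b""), credential)

class TokenStore:
    """Stand-in for a one-time-passcode backend like SecurID (constructed): it can
    judge a submitted passcode but has no static secret to hand back for hashing."""
    def __init__(self, current_codes: dict):
        self._codes = current_codes
    def cleartext_secret(self, user: str) -> Optional[bytes]:
        return None
    def validate(self, user: str, credential: bytes) -> bool:
        code = self._codes.pop(user, None)  # a passcode is accepted at most once
        return code is not None and hmac.compare_digest(code, credential)

def aaa_authenticate(method: str, user: str, credential: bytes, backend) -> str:
    """Return the status the NAS would see from AAA: PASS or FAIL."""
    if method == "pap":
        # PAP forwards the cleartext credential; the backend can judge it directly.
        return "PASS" if backend.validate(user, credential) else "FAIL"
    if method == "chap":
        secret = backend.cleartext_secret(user)
        if secret is None:  # nothing to rehash against, so the server can only FAIL
            return "FAIL"
        return "PASS" if verify_chap(CHAP_ID, credential, CHALLENGE, secret) else "FAIL"
    raise ValueError(method)
```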
 
LVL 1

Author Comment

by:yackko
ID: 10835440
HI Pascal,

Sorry for the late response.  Yeah, I saw that CHAP was there; when I took it out, it works fine.  The dial-in and dial-out work fine, but for some reason when I dial into another analog modem it doesn't work.  It will dial my phone, but not my cell phone.  It looks like it works on a digital line vs. analog.  Is there a difference?

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10835768
I've never had a problem dialing into an analog modem, or my cell phone for testing.  Post the relevant parts of your config and I'll take a look.

-Pascal
0
