Solved

Cisco NAS...

Posted on 2004-04-08
10
4,581 Views
Last Modified: 2013-11-16
Hi,

I need some help with the configuration of the Cisco NM-24DM with a T1 Pri on a 3600 router.

Just wondering if anyone know how to configure it or have configure it to work of both dialin and dialout usage.  Dialin using ACS and dialout not using any authentication.  I've been to the Cisco site and look at their sample config and try to implement it, but it doesn't work.  Have try mostly everything, but no luck.  Just wondering if someone have this product working and up and running?

Thank you in advance.

yackko
0
Comment
Question by:yackko
  • 6
  • 4
10 Comments
 
LVL 6

Expert Comment

by:Pascal666
ID: 10804666
You, I have had this working before.  What problem are you running into?  What does your config look like?

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10805771
Hi Pascal,

Thanks for the reply...

I finally got the dialout portion to work.  Currently I'm trying to get the dialin part to work.  It will dial and the challenge handshake works fine.  The problem is when I authenticate using TACACS+.  I'm trying to have the dialin users go through TACACS+ and then TACACS+ will pass on the authentication to SecurID (SDI).  Then it will prompt the user to type in their SecurID code to authenticate to the network.  We have it working fine on the Shiva NAS, but the Cisco solution is suppose to replace the Shiva.

Thank you in advance.

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10806859
Verify that you added the router to the TACACS+ server and the secret key is correct.  Check the log for failed authentication attempts to see why they failed.  On your router you should have something like:

aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret

-Pascal
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:yackko
ID: 10808704
Yep.  That's all there.  I've look at the TACACS+ server and everything is setup correctly.  The share key is correct.  Cisco TAC doesn't seem to know also.  My case has been re-assigned several time already and five TAC Engineer has look at it...Well two have look at it.  The other three just won't respond back to my email's.  The current one I think gave up and stop responding also.  Don't know why...???  Any way, the config is exactly the one on the Cisco website using a T1 PRI with a NM-24DM (Mica).  

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml

It's really weird.  It will go to TACACS+, but then TACACS+ won't pass authentication to SecurID.  Is there a way to just have it interface with SecurID and bypass TACACS+?  Or is there a retry commad that I can put on the NAS?

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10811223
"tacacs-server ?" shows you the retry and timeout params.

Are you using the same TACACS+ box for both the Shiva and the Cisco?

Do the following through a telnet session on the router and paste the output of a login attempt here.  After the attempt do "u all" to turn back off.

debug tac
debug tac ev
debug ppp auth
term mon

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10813348
Here is the debugs from the NAS.  It fails at PPP/CHAP authentication...

Apr 13 13:35:12.664: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to unknown
Apr 13 13:35:34.720: As34 PPP: Using dialer call direction
Apr 13 13:35:34.720: As34 PPP: Treating connection as a callin
Apr 13 13:35:34.720: As34 PPP: Authorization NOT required
Apr 13 13:35:34.724: %LINK-3-UPDOWN: Interface Async34, changed state to up
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.020: As34 PPP: Sent CHAP LOGIN Request
Apr 13 13:35:35.024: TPLUS: Queuing AAA Authentication request 24 for processing
Apr 13 13:35:35.024: TPLUS: processing authentication start request id 24
Apr 13 13:35:35.024: TPLUS: no address for get_server
Apr 13 13:35:35.024: TPLUS: Authentication start packet created for 24(hmd)
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.024: TPLUS(00000018)/0/NB_WAIT/624B8BA0: Started 5 sec timeout
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: socket event 2
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: wrote entire 83 bytes request
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: Would block while reading
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.036: TPLUS(00000018)/0/READ: read entire 18 bytes response
Apr 13 13:35:35.036: TPLUS(00000018)/0/624B8BA0: Processing the reply packet
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.036: As34 PPP: Received LOGIN Response FAIL
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Apr 13 13:35:35.264: %ISDN-6-DISCONNECT: Interface Serial0/0:0  disconnected from unknown , call lasted 28 seconds
Apr 13 13:35:37.164: As34 PPP: Authorization NOT required
Apr 13 13:35:37.172: %LINK-5-CHANGED: Interface Async34, changed state to reset
Apr 13 13:35:42.172: %LINK-3-UPDOWN: Interface Async34, changed state to down

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10814077
That definitely shows that the router is passing the request to the TACACS+ box and getting a response.  Question becomes: why are you getting a negative response?

Are you using the same TACACS+ box for both the Shiva and the Cisco?  What do the logs show on the TACACS+ box?  Is there any debugging there you can turn on?  What about on the SecurID box?  Which TACACS+ and SecurID servers specifically are you using?

-Pascal
0
 
LVL 6

Accepted Solution

by:
Pascal666 earned 300 total points
ID: 10814142
I just noticed that you are trying to use CHAP.  This will not work.  You must use PAP.  Try using just "ppp authentication pap" under the interface.

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10835440
HI Pascal,

Sorry for the late response.  Yeah I saw that CHAP was there when I took it out, it works fine.  The dialin and dialout works fine, but for some reason when I dial into another analog modem doesn't work.  It will dial my phone, but not my cell phone.  It looks like it work on digial line vs. analog.  Is there a difference?  

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10835768
I've never had a problem dialing into an analog modem, or my cell phone for testing.  Post the relevent parts of your config and I'll take a look.

-Pascal
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question