  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4598

Cisco NAS...

Hi,

I need some help with the configuration of the Cisco NM-24DM with a T1 PRI on a 3600 router.

Just wondering if anyone knows how to configure it or has configured it to work for both dial-in and dial-out usage.  Dial-in using ACS and dial-out not using any authentication.  I've been to the Cisco site and looked at their sample config and tried to implement it, but it doesn't work.  Have tried mostly everything, but no luck.  Just wondering if someone has this product working and up and running?

Thank you in advance.

yackko
1 Solution
 
Pascal666Commented:
Yes, I have had this working before.  What problem are you running into?  What does your config look like?

-Pascal
0
 
yackkoAuthor Commented:
Hi Pascal,

Thanks for the reply...

I finally got the dial-out portion to work.  Currently I'm trying to get the dial-in part to work.  It will dial and the challenge handshake works fine.  The problem is when I authenticate using TACACS+.  I'm trying to have the dial-in users go through TACACS+, and then TACACS+ will pass the authentication on to SecurID (SDI).  Then it will prompt the user to type in their SecurID code to authenticate to the network.  We have it working fine on the Shiva NAS, but the Cisco solution is supposed to replace the Shiva.

Thank you in advance.

yackko
0
 
Pascal666Commented:
Verify that you added the router to the TACACS+ server and the secret key is correct.  Check the log for failed authentication attempts to see why they failed.  On your router you should have something like:

aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret

-Pascal
0
 
yackkoAuthor Commented:
Yep.  That's all there.  I've looked at the TACACS+ server and everything is set up correctly.  The shared key is correct.  Cisco TAC doesn't seem to know either.  My case has been reassigned several times already and five TAC engineers have looked at it...Well, two have looked at it.  The other three just won't respond to my emails.  The current one, I think, gave up and stopped responding also.  Don't know why...???  Anyway, the config is exactly the one on the Cisco website using a T1 PRI with an NM-24DM (MICA).  

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml

It's really weird.  It will go to TACACS+, but then TACACS+ won't pass authentication to SecurID.  Is there a way to just have it interface with SecurID and bypass TACACS+?  Or is there a retry command that I can put on the NAS?

Thanks,

yackko
0
 
Pascal666Commented:
"tacacs-server ?" shows you the retry and timeout params.

Are you using the same TACACS+ box for both the Shiva and the Cisco?

Do the following through a telnet session on the router and paste the output of a login attempt here.  After the attempt do "u all" to turn back off.

debug tac
debug tac ev
debug ppp auth
term mon

-Pascal
0
 
yackkoAuthor Commented:
Here are the debugs from the NAS.  It fails at PPP/CHAP authentication...

Apr 13 13:35:12.664: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to unknown
Apr 13 13:35:34.720: As34 PPP: Using dialer call direction
Apr 13 13:35:34.720: As34 PPP: Treating connection as a callin
Apr 13 13:35:34.720: As34 PPP: Authorization NOT required
Apr 13 13:35:34.724: %LINK-3-UPDOWN: Interface Async34, changed state to up
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.020: As34 PPP: Sent CHAP LOGIN Request
Apr 13 13:35:35.024: TPLUS: Queuing AAA Authentication request 24 for processing
Apr 13 13:35:35.024: TPLUS: processing authentication start request id 24
Apr 13 13:35:35.024: TPLUS: no address for get_server
Apr 13 13:35:35.024: TPLUS: Authentication start packet created for 24(hmd)
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.024: TPLUS(00000018)/0/NB_WAIT/624B8BA0: Started 5 sec timeout
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: socket event 2
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: wrote entire 83 bytes request
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: Would block while reading
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.036: TPLUS(00000018)/0/READ: read entire 18 bytes response
Apr 13 13:35:35.036: TPLUS(00000018)/0/624B8BA0: Processing the reply packet
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.036: As34 PPP: Received LOGIN Response FAIL
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Apr 13 13:35:35.264: %ISDN-6-DISCONNECT: Interface Serial0/0:0  disconnected from unknown , call lasted 28 seconds
Apr 13 13:35:37.164: As34 PPP: Authorization NOT required
Apr 13 13:35:37.172: %LINK-5-CHANGED: Interface Async34, changed state to reset
Apr 13 13:35:42.172: %LINK-3-UPDOWN: Interface Async34, changed state to down

Thanks,

yackko
0
 
Pascal666Commented:
That definitely shows that the router is passing the request to the TACACS+ box and getting a response.  Question becomes: why are you getting a negative response?

Are you using the same TACACS+ box for both the Shiva and the Cisco?  What do the logs show on the TACACS+ box?  Is there any debugging there you can turn on?  What about on the SecurID box?  Which TACACS+ and SecurID servers specifically are you using?

-Pascal
0
 
Pascal666Commented:
I just noticed that you are trying to use CHAP.  This will not work.  You must use PAP.  Try using just "ppp authentication pap" under the interface.

-Pascal
0
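As an added example (not yackko's running config and not the Cisco sample page linked above), here is the shape of a dial-in AAA configuration for a 3600 with an NM-24DM behind a T1 PRI that follows the advice in this thread: PPP authentication sent to TACACS+, PAP rather than CHAP on the async group, and an explicit TACACS+ timeout. The reason CHAP cannot work against a SecurID back end is that the CHAP verifier must hold the user's cleartext secret to recompute MD5(id || secret || challenge); a one-time token code can only be checked by the SecurID server, so the NAS has to hand the code through unchanged, which is what PAP does. The server address, key, loopback, address pool, slot numbers and async line range below are assumptions, not values taken from the thread.

```cisco
! Added example configuration, not the poster's config.
! Assumed: TACACS+ server 10.1.1.36 with key "secret", Loopback0 10.1.1.1,
! T1 PRI in slot 0/0, NM-24DM modems on async lines 33-56.
aaa new-model
! Console/vty logins and PPP dial-in both go to TACACS+. "local" on the
! login list is used only when no TACACS+ server answers, so a dead
! server cannot lock you out of the box; a FAIL from the server is final.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret
! The debugs above show a 5 second timeout per request; give the SecurID
! round trip behind the TACACS+ server more room than the default.
tacacs-server timeout 15
!
isdn switch-type primary-ni
controller T1 0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Serial0/0:23
 no ip address
 isdn switch-type primary-ni
 ! Analog (modem) calls arriving on the PRI are handed to the MICA modems.
 isdn incoming-voice modem
!
ip local pool DIALIN 10.1.2.1 10.1.2.24
!
interface Group-Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ! PAP, not CHAP: the one-time SecurID code must reach the authentication
 ! server as typed. With CHAP the NAS only ever sees an MD5 response and
 ! the server would need the cleartext secret to verify it.
 ppp authentication pap
 group-range 33 56
!
line 33 56
 autoselect during-login
 autoselect ppp
 modem InOut
 transport input all
```

With PAP the token code crosses the PPP link in cleartext, which is acceptable here only because the code is single-use and expires; it would not be an acceptable trade for static passwords. Verify the change with the same "debug ppp authentication" and "debug tacacs" session suggested earlier: a working login shows a PAP AUTH-REQ from the client followed by a TACACS+ PASS rather than the FAIL (3) seen in the CHAP trace above.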
 
yackkoAuthor Commented:
Hi Pascal,

Sorry for the late response.  Yeah, I saw that CHAP was there; when I took it out, it works fine.  The dial-in and dial-out work fine, but for some reason dialing into another analog modem doesn't work.  It will dial my phone, but not my cell phone.  It looks like it works on a digital line vs. analog.  Is there a difference?  

Thanks,

yackko
0
 
Pascal666Commented:
I've never had a problem dialing into an analog modem, or my cell phone for testing.  Post the relevant parts of your config and I'll take a look.

-Pascal
0
