Link to home
Start Free TrialLog in
Avatar of yackko
yackkoFlag for United States of America

asked on

Cisco NAS...

Hi,

I need some help with the configuration of the Cisco NM-24DM with a T1 Pri on a 3600 router.

Just wondering if anyone know how to configure it or have configure it to work of both dialin and dialout usage.  Dialin using ACS and dialout not using any authentication.  I've been to the Cisco site and look at their sample config and try to implement it, but it doesn't work.  Have try mostly everything, but no luck.  Just wondering if someone have this product working and up and running?

Thank you in advance.

yackko
Avatar of Pascal666
Pascal666
Flag of United States of America image

You, I have had this working before.  What problem are you running into?  What does your config look like?

-Pascal
Avatar of yackko

ASKER

Hi Pascal,

Thanks for the reply...

I finally got the dialout portion to work.  Currently I'm trying to get the dialin part to work.  It will dial and the challenge handshake works fine.  The problem is when I authenticate using TACACS+.  I'm trying to have the dialin users go through TACACS+ and then TACACS+ will pass on the authentication to SecurID (SDI).  Then it will prompt the user to type in their SecurID code to authenticate to the network.  We have it working fine on the Shiva NAS, but the Cisco solution is suppose to replace the Shiva.

Thank you in advance.

yackko
Verify that you added the router to the TACACS+ server and the secret key is correct.  Check the log for failed authentication attempts to see why they failed.  On your router you should have something like:

aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret

-Pascal
Avatar of yackko

ASKER

Yep.  That's all there.  I've look at the TACACS+ server and everything is setup correctly.  The share key is correct.  Cisco TAC doesn't seem to know also.  My case has been re-assigned several time already and five TAC Engineer has look at it...Well two have look at it.  The other three just won't respond back to my email's.  The current one I think gave up and stop responding also.  Don't know why...???  Any way, the config is exactly the one on the Cisco website using a T1 PRI with a NM-24DM (Mica).  

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml

It's really weird.  It will go to TACACS+, but then TACACS+ won't pass authentication to SecurID.  Is there a way to just have it interface with SecurID and bypass TACACS+?  Or is there a retry commad that I can put on the NAS?

Thanks,

yackko
"tacacs-server ?" shows you the retry and timeout params.

Are you using the same TACACS+ box for both the Shiva and the Cisco?

Do the following through a telnet session on the router and paste the output of a login attempt here.  After the attempt do "u all" to turn back off.

debug tac
debug tac ev
debug ppp auth
term mon

-Pascal
Avatar of yackko

ASKER

Here is the debugs from the NAS.  It fails at PPP/CHAP authentication...

Apr 13 13:35:12.664: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to unknown
Apr 13 13:35:34.720: As34 PPP: Using dialer call direction
Apr 13 13:35:34.720: As34 PPP: Treating connection as a callin
Apr 13 13:35:34.720: As34 PPP: Authorization NOT required
Apr 13 13:35:34.724: %LINK-3-UPDOWN: Interface Async34, changed state to up
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.020: As34 PPP: Sent CHAP LOGIN Request
Apr 13 13:35:35.024: TPLUS: Queuing AAA Authentication request 24 for processing
Apr 13 13:35:35.024: TPLUS: processing authentication start request id 24
Apr 13 13:35:35.024: TPLUS: no address for get_server
Apr 13 13:35:35.024: TPLUS: Authentication start packet created for 24(hmd)
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.024: TPLUS(00000018)/0/NB_WAIT/624B8BA0: Started 5 sec timeout
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: socket event 2
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: wrote entire 83 bytes request
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: Would block while reading
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.036: TPLUS(00000018)/0/READ: read entire 18 bytes response
Apr 13 13:35:35.036: TPLUS(00000018)/0/624B8BA0: Processing the reply packet
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.036: As34 PPP: Received LOGIN Response FAIL
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Apr 13 13:35:35.264: %ISDN-6-DISCONNECT: Interface Serial0/0:0  disconnected from unknown , call lasted 28 seconds
Apr 13 13:35:37.164: As34 PPP: Authorization NOT required
Apr 13 13:35:37.172: %LINK-5-CHANGED: Interface Async34, changed state to reset
Apr 13 13:35:42.172: %LINK-3-UPDOWN: Interface Async34, changed state to down

Thanks,

yackko
That definitely shows that the router is passing the request to the TACACS+ box and getting a response.  Question becomes: why are you getting a negative response?

Are you using the same TACACS+ box for both the Shiva and the Cisco?  What do the logs show on the TACACS+ box?  Is there any debugging there you can turn on?  What about on the SecurID box?  Which TACACS+ and SecurID servers specifically are you using?

-Pascal
ASKER CERTIFIED SOLUTION
Avatar of Pascal666
Pascal666
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of yackko

ASKER

HI Pascal,

Sorry for the late response.  Yeah I saw that CHAP was there when I took it out, it works fine.  The dialin and dialout works fine, but for some reason when I dial into another analog modem doesn't work.  It will dial my phone, but not my cell phone.  It looks like it work on digial line vs. analog.  Is there a difference?  

Thanks,

yackko
I've never had a problem dialing into an analog modem, or my cell phone for testing.  Post the relevent parts of your config and I'll take a look.

-Pascal