Solved

Cisco NAS...

Posted on 2004-04-08
Last Modified: 2013-11-16
Hi,

I need some help with the configuration of the Cisco NM-24DM with a T1 Pri on a 3600 router.

Just wondering if anyone knows how to configure it or has configured it to work for both dialin and dialout usage.  Dialin using ACS and dialout not using any authentication.  I've been to the Cisco site and looked at their sample config and tried to implement it, but it doesn't work.  Have tried mostly everything, but no luck.  Just wondering if someone has this product working and up and running?

Thank you in advance.

yackko
Question by:yackko
10 Comments
 
LVL 6

Expert Comment

by:Pascal666
ID: 10804666
Yes, I have had this working before.  What problem are you running into?  What does your config look like?

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10805771
Hi Pascal,

Thanks for the reply...

I finally got the dialout portion to work.  Currently I'm trying to get the dialin part to work.  It will dial and the challenge handshake works fine.  The problem is when I authenticate using TACACS+.  I'm trying to have the dialin users go through TACACS+ and then TACACS+ will pass on the authentication to SecurID (SDI).  Then it will prompt the user to type in their SecurID code to authenticate to the network.  We have it working fine on the Shiva NAS, but the Cisco solution is supposed to replace the Shiva.

Thank you in advance.

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10806859
Verify that you added the router to the TACACS+ server and the secret key is correct.  Check the log for failed authentication attempts to see why they failed.  On your router you should have something like:

aaa new-model
aaa authentication ppp default group tacacs+
tacacs-server host 10.1.1.36
tacacs-server key secret

-Pascal
0

 
LVL 1

Author Comment

by:yackko
ID: 10808704
Yep.  That's all there.  I've looked at the TACACS+ server and everything is set up correctly.  The shared key is correct.  Cisco TAC doesn't seem to know either.  My case has been re-assigned several times already and five TAC engineers have looked at it...Well, two have looked at it.  The other three just won't respond back to my emails.  The current one, I think, gave up and stopped responding also.  Don't know why...???  Anyway, the config is exactly the one on the Cisco website using a T1 PRI with a NM-24DM (Mica).

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080094691.shtml

It's really weird.  It will go to TACACS+, but then TACACS+ won't pass authentication to SecurID.  Is there a way to just have it interface with SecurID and bypass TACACS+?  Or is there a retry command that I can put on the NAS?

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10811223
"tacacs-server ?" shows you the retry and timeout params.

Are you using the same TACACS+ box for both the Shiva and the Cisco?

Do the following through a telnet session on the router and paste the output of a login attempt here.  After the attempt do "u all" to turn back off.

debug tac
debug tac ev
debug ppp auth
term mon

-Pascal
0
 
LVL 1

Author Comment

by:yackko
ID: 10813348
Here are the debugs from the NAS.  It fails at PPP/CHAP authentication...

Apr 13 13:35:12.664: %ISDN-6-CONNECT: Interface Serial0/0:0 is now connected to unknown
Apr 13 13:35:34.720: As34 PPP: Using dialer call direction
Apr 13 13:35:34.720: As34 PPP: Treating connection as a callin
Apr 13 13:35:34.720: As34 PPP: Authorization NOT required
Apr 13 13:35:34.724: %LINK-3-UPDOWN: Interface Async34, changed state to up
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.020: As34 PPP: Sent CHAP LOGIN Request
Apr 13 13:35:35.024: TPLUS: Queuing AAA Authentication request 24 for processing
Apr 13 13:35:35.024: TPLUS: processing authentication start request id 24
Apr 13 13:35:35.024: TPLUS: no address for get_server
Apr 13 13:35:35.024: TPLUS: Authentication start packet created for 24(hmd)
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.024: TPLUS(00000018)/0/NB_WAIT/624B8BA0: Started 5 sec timeout
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: socket event 2
Apr 13 13:35:35.028: TPLUS(00000018)/0/NB_WAIT: wrote entire 83 bytes request
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.028: TPLUS(00000018)/0/READ: Would block while reading
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Apr 13 13:35:35.032: TPLUS(00000018)/0/READ: socket event 1
Apr 13 13:35:35.036: TPLUS(00000018)/0/READ: read entire 18 bytes response
Apr 13 13:35:35.036: TPLUS(00000018)/0/624B8BA0: Processing the reply packet
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.036: As34 PPP: Received LOGIN Response FAIL
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Apr 13 13:35:35.264: %ISDN-6-DISCONNECT: Interface Serial0/0:0  disconnected from unknown , call lasted 28 seconds
Apr 13 13:35:37.164: As34 PPP: Authorization NOT required
Apr 13 13:35:37.172: %LINK-5-CHANGED: Interface Async34, changed state to reset
Apr 13 13:35:42.172: %LINK-3-UPDOWN: Interface Async34, changed state to down

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10814077
That definitely shows that the router is passing the request to the TACACS+ box and getting a response.  Question becomes: why are you getting a negative response?

Are you using the same TACACS+ box for both the Shiva and the Cisco?  What do the logs show on the TACACS+ box?  Is there any debugging there you can turn on?  What about on the SecurID box?  Which TACACS+ and SecurID servers specifically are you using?

-Pascal
0
 
LVL 6

Accepted Solution

by:
Pascal666 earned 300 total points
ID: 10814142
I just noticed that you are trying to use CHAP.  This will not work.  You must use PAP.  Try using just "ppp authentication pap" under the interface.

-Pascal
0
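As an added example (not part of the original thread), a short Python triage of the `debug ppp auth` / `debug tac` output posted above: it pairs each inbound PPP authentication with the TACACS+ verdict and flags the CHAP-against-token-server case the accepted answer identifies. The sample lines are copied from the thread; the PAP `I AUTH-REQ` line format and the `token_backend` parameter are assumptions of this example.

```python
import re

# Lines copied from the debug output posted earlier in this thread.
SAMPLE = '''\
Apr 13 13:35:34.868: As34 CHAP: O CHALLENGE id 1 len 29 from "NAS-3640"
Apr 13 13:35:35.020: As34 CHAP: I RESPONSE id 1 len 28 from "hmd"
Apr 13 13:35:35.024: TPLUS: Using server 172.20.10.19
Apr 13 13:35:35.036: TPLUS: Received authen response status FAIL (3)
Apr 13 13:35:35.040: As34 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
'''

# "I RESPONSE" is the CHAP form seen in the thread; "I AUTH-REQ" is the
# PAP equivalent (assumed format, not shown on the page).
PPP_IN = re.compile(
    r'(\S+) (CHAP|PAP): I (?:RESPONSE|AUTH-REQ) id \d+ len \d+ from "([^"]*)"')
SERVER = re.compile(r'TPLUS: Using server (\S+)')
STATUS = re.compile(r'TPLUS: Received authen response status (\w+) \(\d+\)')

def triage(log, token_backend=True):
    """Return one record per inbound PPP authentication attempt.

    token_backend (hypothetical switch): True when the TACACS+ server
    relays to a one-time-passcode system such as SecurID.
    """
    attempts, cur = [], None
    for line in log.splitlines():
        if m := PPP_IN.search(line):
            cur = {"intf": m[1], "method": m[2], "user": m[3],
                   "server": None, "status": None, "finding": None}
        elif cur and (m := SERVER.search(line)):
            cur["server"] = m[1]
        elif cur and (m := STATUS.search(line)):
            cur["status"] = m[1]
            # The router reached the server and got a verdict, so the key
            # and reachability are fine; look at the PPP method instead.
            if token_backend and cur["method"] == "CHAP" and m[1] == "FAIL":
                cur["finding"] = ("CHAP sends only a hash of the secret, so "
                                  "there is no passcode to hand to the token "
                                  "server; use 'ppp authentication pap'")
            attempts.append(cur)
            cur = None
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt)
```
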
 
LVL 1

Author Comment

by:yackko
ID: 10835440
Hi Pascal,

Sorry for the late response.  Yeah, I saw that CHAP was there; when I took it out, it works fine.  The dialin and dialout work fine, but for some reason when I dial into another analog modem it doesn't work.  It will dial my phone, but not my cell phone.  It looks like it works on digital lines vs. analog.  Is there a difference?

Thanks,

yackko
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10835768
I've never had a problem dialing into an analog modem, or my cell phone for testing.  Post the relevant parts of your config and I'll take a look.

-Pascal
0
