Hi,
Where is the TACACS configured?
I would have thought you would need a reference to TACACS in your AAA statements and a
reference to the TACACS server address.
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login console tacacs+ enable
aaa authentication ppp default if-needed tacacs+ local
aaa authentication ppp routers if-needed local
aaa authorization exec default tacacs+ if-authenticated local
aaa authorization network default tacacs+ local if-authenticated
!
OTHER ROUTER STUFF
!
tacacs-server host 192.168.0.1
tacacs-server timeout 10
tacacs-server key akeyword
Just a thought. It seems you don't say to use TACACS in your AAA statements.
Teunis
Hobart, Tasmania
Australia
On Wednesday, March 28, 2001 at 11:27:08 AM, Radford Dion wrote:
> Hi Everyone.
>
> I am having trouble trying to work out why I cannot get a router to connect
> via ISDN to another router when tacacs is configured. I want to use the
> local Tacacs database and I have followed the instructions on the cisco web
> site
> http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/c262c2.htm.
> I would appreciate any feedback that anyone has.
>
> This is the scenario
>
> RouterA ---> dials into ----> RouterB
>
> When I remove the aaa configuration parameters from router A it works fine.
>
> Router A config:
> username RouterB password xxxxxxxxx
>
> aaa new-model
> aaa authentication enable default enable
> aaa authentication ppp default local
>
> int bri 0/0
> no ip address
> no ip redirects
> no ip directed-broadcast
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-net3
> no fair-queue
> ppp authentication chap
> !
> interface Dialer1
> ip address 192.168.0.186 255.255.255.252
> no ip redirects
> no ip directed-broadcast
> encapsulation ppp
> dialer remote-name RouterB
> dialer pool 1
> dialer idle-timeout 60
> dialer string 5555555
> dialer hold-queue 10
> dialer-group 1
> no fair-queue
> ppp authentication chap
>
>
> Router B config:
> username RouterA password xxxxxxxxx
>
> aaa new-model
> aaa authentication enable default enable
> aaa authentication ppp default local
>
> int bri 3/1
> ip address 192.168.0.186 255.255.255.252
> encapsulation ppp
> dialer idle-timeout 60
> dialer map ip 192.168.0.186 name RouterA 5554324
> dialer-group 2
> ppp authentication chap
>
> This is the debug output - I tried using debug aaa authentication but there
> was no output from either router.
>
> Debug ppp authentication on Router A:
> *Mar 21 23:30:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> *Mar 21 23:30:17: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> *Mar 21 23:30:17: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5555555 .
> *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> *Mar 21 23:30:17: BR0/0:1 CHAP: O CHALLENGE id 142 len 31 from "RouterA"
> *Mar 21 23:30:17: BR0/0:1 CHAP: I CHALLENGE id 227 len 31 from "RouterB"
> *Mar 21 23:30:17: BR0/0:1 CHAP: Unable to authenticate for peer
> *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> *Mar 21 23:30:17: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di1
> *Mar 21 23:30:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> *Mar 21 23:30:19: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> *Mar 21 23:30:19: %DIALER-6-BIND: Interface BR0/0:2 bound to profile Di1.
> *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> *Mar 21 23:30:19: BR0/0:2 CHAP: O CHALLENGE id 66 len 31 from "RouterA"
> *Mar 21 23:30:19: BR0/0:2 CHAP: I CHALLENGE id 228 len 31 from "RouterB"
> *Mar 21 23:30:19: BR0/0:2 CHAP: Unable to authenticate for peer
> *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> *Mar 21 23:30:19: %DIALER-6-UNBIND: Interface BR0/0:2 unbound from profile Di1
> *Mar 21 23:30:20: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
> *Mar 21 23:30:21: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> *Mar 21 23:30:21: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> *Mar 21 23:30:21: BR0/0:1 PPP: Treating connection as a callout
> *Mar 21 23:30:21: BR0/0:1 CHAP: O CHALLENGE id 143 len 31 from "RouterA"
> *Mar 21 23:30:21: BR0/0:1 CHAP: I CHALLENGE id 229 len 31 from "RouterB"
> ..*Mar 21 23:30:21: BR0/0:1 CHAP: Unable to authenticate for peer
>
>
> Debug ppp authentication on Router B:
> *May 14 07:46:25: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> *May 14 07:46:25: BR3/1:1 PPP: Treating connection as a callin
> *May 14 07:46:26: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> *May 14 07:46:26: BR3/1:1 CHAP: O CHALLENGE id 217 len 31 from "RouterB"
> *May 14 07:46:26: BR3/1:1 CHAP: I CHALLENGE id 136 len 31 from "RouterA"
> *May 14 07:46:26: BR3/1:1 CHAP: Waiting for peer to authenticate first
> *May 14 07:46:26: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to down
> *May 14 07:46:27: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> *May 14 07:46:27: BR3/1:1 PPP: Treating connection as a callin
> *May 14 07:46:28: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> *May 14 07:46:28: BR3/1:1 CHAP: O CHALLENGE id 218 len 31 from "RouterB"
> *May 14 07:46:28: BR3/1:1 CHAP: I CHALLENGE id 62 len 31 from "RouterA"
> *May 14 07:46:28: BR3/1:1 CHAP: Waiting for peer to authenticate first
> *May 14 07:46:28: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to down
> *May 14 07:46:29: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> *May 14 07:46:29: BR3/1:1 PPP: Treating connection as a callin
> *May 14 07:46:30: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> *May 14 07:46:30: BR3/1:1 CHAP: O CHALLENGE id 219 len 31 from "RouterB"
> *May 14 07:46:30: BR3/1:1 CHAP: I CHALLENGE id 137 len 31 from "RouterA"
>
>
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
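The check the reply makes by eye, written out as an added example (not from either poster): a Python sketch that reads IOS-style configuration text and reports whether any AAA method list names tacacs+ and whether a matching tacacs-server host and key are defined. The two sample configurations are constructed from the ones quoted in this thread; the function name audit_aaa is hypothetical.

```python
import re

# Constructed from the reply's example and from Router A as quoted in the thread.
REPLY_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default if-needed tacacs+ local
aaa authorization exec default tacacs+ if-authenticated local
tacacs-server host 192.168.0.1
tacacs-server timeout 10
tacacs-server key akeyword
"""
ROUTER_A_CONFIG = """\
username RouterB password xxxxxxxxx
aaa new-model
aaa authentication enable default enable
aaa authentication ppp default local
"""

# aaa <authentication|authorization> <service> <list-name> <method> [<method> ...]
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

def audit_aaa(config):
    """Return (method_lists, findings) for IOS-style configuration text."""
    lists, hosts, has_key = {}, [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_RE.match(line)
        if m:
            kind, service, name, methods = m.groups()
            lists[(kind, service, name)] = methods.split()
        elif line.startswith("tacacs-server host "):
            hosts.append(line.split()[2])
        elif line.startswith("tacacs-server key "):
            has_key = True
    uses_tacacs = sorted(k for k, v in lists.items() if "tacacs+" in v)
    findings = []
    if uses_tacacs and not hosts:
        findings.append("tacacs+ referenced but no 'tacacs-server host'")
    if uses_tacacs and not has_key:
        findings.append("tacacs+ referenced but no 'tacacs-server key'")
    if hosts and not uses_tacacs:
        findings.append("tacacs-server defined but no method list uses tacacs+")
    if not uses_tacacs and not hosts:
        findings.append("no TACACS+ anywhere: every method list is local/enable only")
    for key in uses_tacacs:
        # With tacacs+ as the last method there is no fallback if the server is down.
        if lists[key][-1] == "tacacs+":
            findings.append("%s %s %s: no fallback after tacacs+" % key)
    return lists, findings
```

Run against Router A's quoted configuration it reports that no method list or server line mentions TACACS+ at all, which is the point the reply raises.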