It's a good plan, frankly. Last time we did it, we used TACACS and a separate database, but I like one directory database.
The realms are just like authentication domains in NT or AD - think of it as a domain name. You might have to use the full domain\username syntax to make it work.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: tuhlar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 8:32 PM
> To: NT 2000 Discussions
> Subject: RE: WIN2K RADIUS from CISCO
>
> Ok, here is what we have found so far -
>
> We used a 3rd party RADIUS product - to troubleshoot this. They had a
> default "test user" name. When we used that, it worked - when we used a 2000
> SAM or AD name, it did not. It appears I don't yet understand the realm
> function.
>
> Anyway, to answer your questions Roger, cisco aaa debugs show that cisco is
> doing its job by sending the radius request to the radius server - the
> server (using netmon) just gives us access reject (error 3 in radius RFC).
>
> The IAS logs are very useless, or at least cryptic, IMHO, that is why we
> installed a 3rd party product, and their logs helped.
>
> Now it is back to native IAS to see if the MS IAS will cut it for us.
>
> One note for all out there - when you install IAS, then uninstall to use
> some other radius, the ports for radius are still in use, you must reboot,
> this caused us much grief since all the other products wanted to open that
> port (1812).
>
> The reason for all this: we have at least 100 routers that we need to change
> passwords on every x days. With radius, we can just have the router admins
> use their NT/2000 accounts. Taking it further, with the alleged cisco/AD
> integration, we can set ACLs on a cisco router based on AD group/user
> accounts, so we can have help desk folks log into routers and have limited
> functionality (show running config for example) and still just use their NT
> accounts.
>
> That is the theory/project I am into right now!
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Roger Seielstad
> Sent: Friday, January 03, 2003 6:56 AM
> To: NT 2000 Discussions
> Subject: RE: WIN2K RADIUS from CISCO
>
> Is the shared secret set correctly?
>
> What's the Windows side error log saying?
>
> What does the Cisco logging show?
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: tuhlar [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 02, 2003 8:46 PM
> > To: NT 2000 Discussions
> > Subject: RE: WIN2K RADIUS from CISCO
> >
> >
> > True, been trying for a few days now, keep getting auth failed from the
> > RADIUS server. We think we have the Cisco box set up correctly, but have
> > not figured it out yet. We know the Radius (IAS) works cause we can VPN in
> > from a WIN2K client - and have RRAS use RADIUS (IAS) for auth.
> >
> > But telnetting to a router set up to use IAS is not working. The packet
> > sniffer just shows the level "3" (access rejected) error, not much else.
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of David N. Precht
> > Sent: Thursday, January 02, 2003 8:19 PM
> > To: NT 2000 Discussions
> > Subject: RE: WIN2K RADIUS from CISCO
> >
> > Plenty of documentation at www.cisco.com
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of tuhlar
> > Sent: Thursday, January 02, 2003 20:14
> > To: NT 2000 Discussions
> > Subject: WIN2K RADIUS from CISCO
> >
> >
> > Anyone have experience/white papers on win2K RADIUS with CISCO? We are
> > trying to have telnet into a Cisco, and have the router auth with RADIUS, on
> > Win2K.
> > TIA
> >
> > ------
> > You are subscribed as [EMAIL PROTECTED]
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe send a blank email to %%email.unsub%%
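Two things raised in the thread, "Is the shared secret set correctly?" and the "error 3" seen in netmon, can be checked directly against a captured reply. The following is an added example, not code from the thread or from any Cisco or Microsoft tool: it decodes a RADIUS reply header (code 3 is Access-Reject per RFC 2865) and recomputes the Response Authenticator with a candidate shared secret, which is exactly the check a router performs before trusting a reply. The Request Authenticator, the secret and the reply packet are constructed sample values.

```python
"""Decode a captured RADIUS reply and check its Response Authenticator (RFC 2865)."""
import hashlib
import hmac
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              11: "Access-Challenge"}
REPLY_MESSAGE = 18  # attribute type carrying the server's accept/reject text


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Assemble a reply the way a server does; used here only to build sample data."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def decode_reply(packet, request_auth, secret):
    """Return (code name, identifier, authenticator valid?, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    valid = hmac.compare_digest(packet[4:20], expected)  # wrong secret -> False
    parsed, off = [], 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute")
        parsed.append((atype, attrs[off + 2:off + alen]))
        off += alen
    return CODE_NAMES.get(code, f"code-{code}"), ident, valid, parsed


# Constructed sample data: the Request Authenticator the router sent (random in real
# traffic) and the Access-Reject a server built under the shared secret "shared-secret".
REQUEST_AUTH = bytes(range(16))
SECRET = b"shared-secret"
SAMPLE_REJECT = build_reply(3, 0x2A, REQUEST_AUTH, attr(REPLY_MESSAGE, b"Auth failed."), SECRET)
```

Calling `decode_reply(SAMPLE_REJECT, REQUEST_AUTH, SECRET)` reports Access-Reject with a valid authenticator; with any other secret the authenticator check fails, which is the symptom of a mismatched shared secret between router and server.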
