SHORT SUMMARY:
The specific questions are:
1) aaa authentication ppp default if-needed tacacs+ none
-This command is used on our ARs (our CPEs use the username to authenticate the AR).
-This command is saying... use TACACS+, and if you cannot access TACACS+ then allow ANY
connection to this AR to be successful... is this right? Or does it say... don't authenticate?
-I only say this because I think it says... authenticate anyone... but two people at work say
it means don't use any authentication.
2) By definition, PPP re-authenticates every so often... and this is controlled by the TACACS+
server. So if the TACACS+ server is down, does that mean that PPP will not
re-authenticate?
-The implication is this... if PPP tries to re-authenticate, then every PPP session will go down,
since TACACS+ is down (that is... unless the "none" command works like I think it does).
3) Someone also brought up a good point in that... even if the "none" command on the AR
allows any connection in... the CPE still has to authenticate the AR, and the AR
would not have any information (username/password) to send the CPE. I agree with
this since that is standard PPP, i.e. both sides authenticate each other.
That leads me to state what I think the answer to preventing PPP failure on our
network would be:
-Since we only use PPP on the AR-to-CPE connections and nowhere else... we would
still have telnet access to the ARs.
-If both TACACS+ servers went down, all I would have to do is telnet to the ARs and
tell them to authenticate locally - aaa authentication ppp default if-needed local none -
and at that point cut and paste the CPE usernames and passwords into the configuration.
-For that matter... I guess I could just use aaa authentication ppp default if-needed tacacs+ local none,
which I think will use tacacs, then use local, and then just authenticate anything?
**This should prevent complete customer failure on the network... but then again it all depends on
what the "none" command does and whether or not PPP will even try to re-authenticate if
TACACS+ goes down. Any suggestions or ideas are welcome and helpful... but I think the
key is answering questions 1 & 2 above.
I don't have a lab to test with and I can't find any definitive documentation to clarify.
Any ideas or suggestions are welcome and needed.
LONG SUMMARY:
The issue comes to this: if the TACACS+ servers go down on our network,
what implications does that have? Also, what are some work-arounds to prevent total PPP failure?
Just to add, I've done hours of research and think I know what happens and how to prevent it, but
I just want to make sure by running this by you guys.
SUMMARY of Network:
Basically, each CPE-to-AR connection we use uses PPP, and the AR uses TACACS+ to
authenticate PPP, while the CPE uses a local "username password" to authenticate with the AR.
There are currently two TACACS+ servers that are being used.
ROUTER CONFIGURATIONS
Access Routers AAA current configuration
aaa new-model
aaa authentication login default line
aaa authentication login COMPANYA tacacs+ enable
aaa authentication ppp default if-needed tacacs+ none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 1 default tacacs+ if-authenticated
aaa authorization commands 15 default tacacs+ if-authenticated
aaa authorization network tacacs+ none
virtual-profile aaa
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default stop-only tacacs+
!
tacacs-server host IP.IP.IP.IP key XXXXXXXX
tacacs-server host IP.IP.IP.IP key XXXXXXXX
ip tacacs source-interface Loopback0
CPE Routers AAA current configuration
aaa new-model
aaa authentication login default line
aaa authentication login COMPANYA tacacs+ enable
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 1 default tacacs+ if-authenticated
aaa authorization commands 15 default tacacs+ if-authenticated
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default stop-only tacacs+
!
tacacs-server host IP.IP.IP.IP key XXXXXXXX
tacacs-server host IP.IP.IP.IP key XXXXXXXX
ip tacacs source-interface Loopback0
!
username ACCESSROUTERA password XXXXXXXX
Thanks/regards,
JAmes
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:23 EDT
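Added example, not part of the post above and not Cisco code: a small simulator of how an IOS AAA method list such as "aaa authentication ppp default if-needed tacacs+ none" is walked for one PPP authentication attempt. It encodes the documented rule that methods are tried left to right, that the next method is consulted only when the previous one returns ERROR (no TACACS+ host answered), never when it returns FAIL (a host answered and rejected the credentials), and that "none" performs no authentication and so passes any credentials. The Router class, the sample CPE credentials, the TACACS+ up/down flag, and the choice to treat a username missing from the local database as ERROR (so it falls through to the next method) are assumptions made for illustration; the last one in particular should be checked against your IOS release before relying on it.

```python
"""Walk a Cisco IOS AAA method list the way IOS does for PPP authentication.

Added illustration, not from the mailing-list post or from Cisco. Router, the
sample users and the up/down flag are constructed for the example.
"""
import re
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# 'aaa authentication ppp <list-name> [if-needed] <method> [<method> ...]'
AAA_PPP_RE = re.compile(r"^aaa authentication ppp (\S+)(?: (if-needed))? (.+)$")


def parse_ppp_method_list(line):
    """Return (list_name, if_needed, [methods]) from an 'aaa authentication ppp' line."""
    m = AAA_PPP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an aaa authentication ppp line: {line!r}")
    name, if_needed, rest = m.groups()
    raw, methods, i = rest.split(), [], 0
    while i < len(raw):
        if raw[i] == "group" and i + 1 < len(raw):   # 12.x 'group tacacs+' == 'tacacs+'
            methods.append(raw[i + 1])
            i += 2
        else:
            methods.append(raw[i])
            i += 1
    return name, if_needed is not None, methods


@dataclass
class Router:
    tacacs_up: bool                                    # False: no TACACS+ host reachable
    tacacs_users: dict = field(default_factory=dict)   # what the TACACS+ server knows
    local_users: dict = field(default_factory=dict)    # 'username X password Y' lines

    def run_method(self, method, user, password):
        if method == "tacacs+":
            if not self.tacacs_up:
                return ERROR                  # every host timed out: try the next method
            return PASS if self.tacacs_users.get(user) == password else FAIL
        if method == "local":
            if user not in self.local_users:
                return ERROR                  # assumption: unknown local user falls through
            return PASS if self.local_users[user] == password else FAIL
        if method == "none":
            return PASS                       # no authentication at all: anyone gets in
        raise ValueError(f"unsupported method {method!r}")

    def authenticate_ppp(self, config_line, user, password):
        """Return (outcome, method that decided) for one PPP authentication attempt."""
        _, _, methods = parse_ppp_method_list(config_line)
        for method in methods:
            outcome = self.run_method(method, user, password)
            if outcome != ERROR:              # PASS or FAIL ends the walk; only ERROR continues
                return outcome, method
        return FAIL, "exhausted"              # all methods errored: IOS denies the session


def scenarios():
    """The post's three candidate method lists, with the servers up and down."""
    cpe_user, cpe_pw = "CPE-A", "s3cret"      # constructed sample credentials
    current = "aaa authentication ppp default if-needed tacacs+ none"
    with_local = "aaa authentication ppp default if-needed tacacs+ local none"
    deny_last = "aaa authentication ppp default if-needed tacacs+ local"

    up = Router(tacacs_up=True, tacacs_users={cpe_user: cpe_pw})
    down = Router(tacacs_up=False, local_users={cpe_user: cpe_pw})

    return {
        "servers up, good password":  up.authenticate_ppp(current, cpe_user, cpe_pw),
        "servers up, bad password":   up.authenticate_ppp(current, cpe_user, "wrong"),
        "servers down, tacacs+ none": down.authenticate_ppp(current, "anybody", "anything"),
        "servers down, local hit":    down.authenticate_ppp(with_local, cpe_user, cpe_pw),
        "servers down, local miss":   down.authenticate_ppp(with_local, "stranger", "x"),
        "servers down, no none":      down.authenticate_ppp(deny_last, "stranger", "x"),
    }


if __name__ == "__main__":
    for label, (outcome, via) in scenarios().items():
        print(f"{label:28s} -> {outcome} (decided by {via})")
```

Two things the walk makes visible: a wrong password while the servers are reachable is a FAIL from tacacs+ and never reaches "none", but with both hosts unreachable the same "tacacs+ none" list admits any username and password, because "none" is reached and performs no check. Ending the list with "local" instead of "none" keeps known CPEs up during an outage and denies everyone else.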