thanks for the offline help guys. i actually found an AR that we have that has only 1 customer that
isn't operational yet.
utlimately...i think that the cisco documentation was wrong though?
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt1/scathen.htm
"For example, to specify that authentication should
succeed even if (in this example) the TACACS+ server
returns an error, enter the following:
aaa authentication ppp default tacacs+ none
Note Because none allows all users logging in to
authenticate successfully, it should be used as a
backup method of authentication."
*I tried this and it did not work...like the documentation states.
I noticed that the CPE authenticated the AR no matter what, but that
the AR failed the authentication ... even though the AR had the "none"
key word and the CPE didn't even specify PPP authentication.
Nov 14 20:30:58.716: AAA/MEMORY: create_user (0x61BBAEF4) user='CPE' ruser='' port='Serial1/1/0' rem_addr='' authen_type=CHAP
service=PPP priv=1
Nov 14 20:30:58.716: AAA/AUTHEN/START (4290707080): port='Serial1/1/0' list='' action=SENDAUTH service=PPP
Nov 14 20:30:58.716: AAA/AUTHEN/START (4290707080): using "default" list
Nov 14 20:30:58.716: AAA/AUTHEN (4290707080): status = UNKNOWN
Nov 14 20:30:58.716: AAA/AUTHEN/START (4290707080): Method=tacacs+ (tacacs+)
Nov 14 20:30:58.716: AAA/AUTHEN/SENDAUTH (4290707080): Failed sendauthen for CPE
Nov 14 20:30:58.716: TAC+: send AUTHEN/START packet ver=193 id=4290707080
Nov 14 20:30:58.716: AAA/AUTHEN (4290707080): status = ERROR
Nov 14 20:30:58.716: AAA/AUTHEN/START (4290707080): Method=LOCAL
Nov 14 20:30:58.716: AAA/AUTHEN (4290707080): SENDAUTH no password for CPE
Nov 14 20:30:58.720: AAA/AUTHEN (4290707080): status = ERROR
Nov 14 20:30:58.720: AAA/AUTHEN/START (4290707080): Method=NONE
Nov 14 20:30:58.720: AAA/AUTHEN (4290707080): status = ERROR
Nov 14 20:30:58.720: AAA/AUTHEN/START (4290707080): failed to authenticate
Nov 14 20:30:58.720: Se1/1/0 CHAP: Username CIBCCATOA1: lookup failure
Nov 14 20:30:58.720: AAA/MEMORY: free_user (0x61BBAEF4) user='CPE' ruser='' port='Serial1/1/0' rem_addr='' authen_type=CHAP
service=PPP priv=1
Nov 14 20:30:58.720: Se1/1/0 CHAP: Unable to authenticate for peer
AR1#
I was correct in that telling the AR to authenticate locally and placing
the actual password on the AR would get PPP up
-aaa authentication ppp default if-needed group tacacs+ local none
username CPE password password
Also, I don't think PPP re-authenticates ... I left the AR without a TACACS+ server
for 2 and 1/2 hours today and the PPP session didn't drop.
just an fyi..in case you were curious.
James
TARRY James wrote:
> SHORT SUMMARY:
>
> the specific questions are:
>
> 1) aaa authentication ppp default if-needed tacacs+ none
> -This command is used on our AR's (our CPE's use the username to authenticate the AR)
> -This command is saying...use TACACS+ and if you can not access TACACS+ then allow ANY
> connection to this AR to be successful ... is this right? or does it say....don't authenticate?
> -I only say this because i think it says...authenticate anyone..but 2 people at work say
> it means don't use any authentication.
>
> 2) By definition, PPP re-authenticates every so often....and this is controlled by the TACACS+
> server. So if TACACS+ server is down, then does that mean that PPP will not
> re-authenticate.
> -The implication is this....if PPP tries to reauthenticate, then every PPP session will go down
> since TACACS+ is down. (that is...unless the "none" command works like I think it does)
>
> 3) Someone also brought up a good point in that....even if the "none" command on the AR
> allows any connection in...that the CPE still has to authenticate the AR and the AR
> would not have any information (username/password) to send the CPE. I agreee with
> this since that is standard PPP...ie both sides authenticate each other.
> That leads me to state what I think the answer to preventing PPP failure on our
> network would be:
> -since we only use PPP on the AR to CPE connections and no where else...we would
> still have telnet access to the AR's
> -if both TACACS+ servers went down all I would have to do is telnet to the AR's
> tell them to authenticate locally - aaa authentication ppp default if-needed local none
> and at that point, cut and paste the CPE usernames and password into the configuration.
> -for that matter...i guess i could just use -aaa authentication ppp default if-needed tacacs+ local none
> which I think will use tacacs, then use local, and then just authenticate anything?
>
> **this should prevent complete customer failure on the network....but then again it all depends on
> what the "none" command does and whether or not PPP will even try to re-authenticate if
> TACACS+ goes down. any suggestions, ideas are welcome and helpful....but i think the
> key is answering questions 1 & 2 above.
>
> I don't have a lab to test with and I can't find any definitive documentation to clarify.
> Any ideas, suggestions are welcome and needed.
>
> LONG SUMMARY:
>
> The issue comes to this. If TACACS+ servers go down on our network.
> What implications does that have? Also what are some work-arounds to prevent total PPP failure.
> Just to add, I've done hours of research and think I know what happens and how to prevent it, but
> I just want to make sure by running this by you guys.
>
> SUMMARY of Network:
>
> Basically each CPE 2 AR connection we use uses PPP and the AR uses TACACS+ to
> authenticate PPP, while the CPE uses a local "username password" to authenticate with the AR.
> There are currently two TACACS+ servers that are being used.
>
> ROUTER CONFIGURATIONS
>
> Access Routers AAA current configuration
>
> aaa new-model
> aaa authentication login default line
> aaa authentication login COMPANYA tacacs+ enable
> aaa authentication ppp default if-needed tacacs+ none
> aaa authorization exec default tacacs+ if-authenticated
> aaa authorization commands 1 default tacacs+ if-authenticated
> aaa authorization commands 15 default tacacs+ if-authenticated
> aaa authorization network tacacs+ none
> virtual-profile aaa
> aaa accounting exec default start-stop tacacs+
> aaa accounting commands 15 default stop-only tacacs+
> !
> tacacs-server host IP.IP.IP.IP key XXXXXXXX
> tacacs-server host IP.IP.IP.IP key XXXXXXXX
> ip tacacs source-interface Loopback0
>
> CPE Routers AAA current configuration
>
> aaa new-model
> aaa authentication login default line
> aaa authentication login COMPANYA tacacs+ enable
> aaa authorization exec default tacacs+ if-authenticated
> aaa authorization commands 1 default tacacs+ if-authenticated
> aaa authorization commands 15 default tacacs+ if-authenticated
> aaa accounting exec default start-stop tacacs+
> aaa accounting commands 15 default stop-only tacacs+
> !
> tacacs-server host IP.IP.IP.IP key XXXXXXXX
> tacacs-server host IP.IP.IP.IP key XXXXXXXX
> ip tacacs source-interface Loopback0
> !
> username ACCESSROUTERA password XXXXXXXX
>
> thanks/regards,
>
> JAmes
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:23 EDT