PPP TACACS+ question

From: TARRY James (james.tarry@swift.com)
Date: Wed Nov 14 2001 - 11:12:59 EST


SHORT SUMMARY:

the specific questions are:

1) aaa authentication ppp default if-needed tacacs+ none
-This command is used on our AR's (our CPE's use the username to authenticate the AR)
-This command is saying...use TACACS+ and if you cannot access TACACS+ then allow ANY
 connection to this AR to be successful ... is this right? or does it say....don't authenticate?
-I only say this because I think it says...authenticate anyone..but 2 people at work say
 it means don't use any authentication.

2) By definition, PPP re-authenticates every so often....and this is controlled by the TACACS+
     server. So if TACACS+ server is down, then does that mean that PPP will not
     re-authenticate.
-The implication is this....if PPP tries to reauthenticate, then every PPP session will go down
  since TACACS+ is down. (that is...unless the "none" command works like I think it does)

3) Someone also brought up a good point in that....even if the "none" command on the AR
     allows any connection in...that the CPE still has to authenticate the AR and the AR
     would not have any information (username/password) to send the CPE. I agree with
     this since that is standard PPP...ie both sides authenticate each other.
     That leads me to state what I think the answer to preventing PPP failure on our
     network would be:
        -since we only use PPP on the AR to CPE connections and nowhere else...we would
          still have telnet access to the AR's
        -if both TACACS+ servers went down all I would have to do is telnet to the AR's
         tell them to authenticate locally - aaa authentication ppp default if-needed local none
        and at that point, cut and paste the CPE usernames and password into the configuration.
        -for that matter...I guess I could just use -aaa authentication ppp default if-needed tacacs+ local none
         which I think will use tacacs, then use local, and then just authenticate anything?

**this should prevent complete customer failure on the network....but then again it all depends on
    what the "none" command does and whether or not PPP will even try to re-authenticate if
    TACACS+ goes down. Any suggestions, ideas are welcome and helpful....but I think the
    key is answering questions 1 & 2 above.

I don't have a lab to test with and I can't find any definitive documentation to clarify.
Any ideas, suggestions are welcome and needed.

LONG SUMMARY:

The issue comes to this: if TACACS+ servers go down on our network,
what implications does that have? Also, what are some work-arounds to prevent total PPP failure?
Just to add, I've done hours of research and think I know what happens and how to prevent it, but
I just want to make sure by running this by you guys.

SUMMARY of Network:

Basically each CPE 2 AR connection we use uses PPP and the AR uses TACACS+ to
authenticate PPP, while the CPE uses a local "username password" to authenticate with the AR.
There are currently two TACACS+ servers that are being used.

ROUTER CONFIGURATIONS

Access Routers AAA current configuration

aaa new-model
aaa authentication login default line
aaa authentication login COMPANYA tacacs+ enable
aaa authentication ppp default if-needed tacacs+ none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 1 default tacacs+ if-authenticated
aaa authorization commands 15 default tacacs+ if-authenticated
aaa authorization network tacacs+ none
virtual-profile aaa
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default stop-only tacacs+
!
tacacs-server host IP.IP.IP.IP key XXXXXXXX
tacacs-server host IP.IP.IP.IP key XXXXXXXX
ip tacacs source-interface Loopback0

CPE Routers AAA current configuration

aaa new-model
aaa authentication login default line
aaa authentication login COMPANYA tacacs+ enable
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 1 default tacacs+ if-authenticated
aaa authorization commands 15 default tacacs+ if-authenticated
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default stop-only tacacs+
!
tacacs-server host IP.IP.IP.IP key XXXXXXXX
tacacs-server host IP.IP.IP.IP key XXXXXXXX
ip tacacs source-interface Loopback0
!
username ACCESSROUTERA password XXXXXXXX

thanks/regards,

James
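
Added example (not part of the original post and not Cisco code): a small Python model of IOS method-list fallthrough as Cisco documents it, where the next method is tried only when the previous one returns an error (no response), not when it rejects the credentials, and "none" performs no authentication, so the peer is accepted. The sample usernames and passwords are constructed, and using None for an unreachable TACACS+ server or for a router with no local usernames configured is an assumption of the model.

```python
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Method lists quoted in the post.
AR_LINE = "aaa authentication ppp default if-needed tacacs+ none"
AR_LINE_LOCAL = "aaa authentication ppp default if-needed tacacs+ local none"

def parse_ppp_list(line):
    """Return (list_name, if_needed, methods) for an 'aaa authentication ppp' line."""
    m = re.match(r"\s*aaa authentication ppp (\S+)\s+(.*)$", line)
    if not m:
        raise ValueError("not an 'aaa authentication ppp' line: %r" % line)
    words = m.group(2).split()
    # if-needed only skips PPP auth for a user already authenticated on a
    # tty line; it is parsed here but does not change the method order.
    if_needed = bool(words) and words[0] == "if-needed"
    return m.group(1), if_needed, words[1:] if if_needed else words

def run_method(method, user, password, tacacs_db, local_db):
    if method == "none":
        return PASS  # no authentication is performed: the peer is accepted
    if method not in ("tacacs+", "local"):
        raise ValueError("method not modelled: %s" % method)
    # Model assumption: a db of None means the source cannot answer -> ERROR.
    db = tacacs_db if method == "tacacs+" else local_db
    if db is None:
        return ERROR
    return PASS if db.get(user) == password else FAIL

def authenticate(line, user, password, tacacs_db, local_db=None):
    """Walk the method list; return (result, method_that_decided)."""
    for method in parse_ppp_list(line)[2]:
        result = run_method(method, user, password, tacacs_db, local_db)
        if result != ERROR:  # PASS or FAIL is final; only ERROR falls through
            return result, method
    return FAIL, None  # every method errored and the list has no 'none'

def fails_open(line):
    """True if the list ends up accepting unauthenticated peers on outage."""
    return "none" in parse_ppp_list(line)[2]

if __name__ == "__main__":
    tacacs = {"CPE1": "s3cret"}  # constructed sample credentials
    print(authenticate(AR_LINE, "CPE1", "wrong", tacacs))  # server up
    print(authenticate(AR_LINE, "CPE1", "wrong", None))    # server down
    print(fails_open(AR_LINE))
```

In this model a reachable TACACS+ server that rejects the credentials ends the attempt, while an unreachable one hands the decision to "none", which accepts any peer.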


