[c-nsp] PPP Authentication on Serial T1 Interface with PPP

Nick Voth nvoth at estreet.com
Wed Feb 6 00:24:29 EST 2008


> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> Date: Wed, 6 Feb 2008 05:13:56 +0100
> To: Nick Voth <nvoth at estreet.com>, <cisco-nsp at puck.nether.net>
> Conversation: [c-nsp] PPP Authentication on Serial T1 Interface with PPP
> Subject: RE: [c-nsp] PPP Authentication on Serial T1 Interface with PPP
> 
> Nick Voth <> wrote on Tuesday, February 05, 2008 11:14 PM:
> 
>> Hello folks,
>> 
>> Sorry for hammering on the list again for help, but this is my first
>> T1 done this way. We have a channelized DS3 coming in on a PA-MC-T3
>> card on a 7206. We are getting LCP errors from the far end. I suspect
>> it's because I haven't set up any PPP authentication on the 7206 end,
>> BUT I don't know how to get past this.
>> 
>> With "debug ppp auth" enabled I see:
>> 
>>   AAA/AUTHOR/LCP: Denied
>> 
>> Here is the config of the individual T1 interface:
>> 
>> interface Serial4/0/1:0
>>  description Titan Manufacturing
>>  ip address 10.0.0.5 255.255.255.252
>>  no ip redirects
>>  no ip unreachables
>>  no ip proxy-arp
>>  encapsulation ppp
>>  no cdp enable
>> 
>> Is there a PPP command that will tell my end, (7206 with the DS3),
>> that no authentication is necessary? The far end is a Kentrox T1
>> router and we've never needed to configure a PPP username/password
>> with those, when they are talking to each other on both sides of the
>> T1. 
> 
> I guess you have 
> 
> aaa new-model
> aaa authorization network default group {tacacs+|radius} ...
> 
> somewhere in your config? This triggers authorization (not
> authentication) on your leased line. To "fix" this, just use
> 
> aaa authorization network NOAUTH none
> int s4/0/1:0
>  ppp authorization NOAUTH
> 
> or use a non-default group on your other interface where you do want to
> use authen/author.
> 
> oli

Oliver,

Thanks very much. That definitely did the trick!

-Nick Voth




More information about the cisco-nsp mailing list