
Cisco Secure Access Control Server for Windows

Cisco Secure NT: Configuring Large Scale Dialout Using TACACS+

Document ID: 13844



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Configure
      Cisco Secure NT Setup
      Network Diagram
      Configurations
      Download Static Routes
Verify
Troubleshoot
      Debug and Verify the Local Router
Related Information

Introduction

This document explains how to configure Cisco Secure NT for Large Scale Dialout (LSDO) using the TACACS+ protocol. The configuration in this document assumes that the ISDN connection works prior to attempting LSDO.

In this example, Michigan is a router that acts as the caller, and Ohio is a router that acts as the receiver (or "callee"). Michigan downloads information from Cisco Secure NT on the routes to remote sites (including to Ohio) so that traffic hitting Michigan with an Ohio network destination is properly routed. In addition, Michigan dynamically composes the dialer-map to Ohio and authenticates Ohio through Cisco Secure NT.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software Release 12.0(3)T or later

  • Cisco 2511 router

  • Cisco 2524 router

  • PC serving as Cisco Secure NT server, TACACS+ server, and AAA server

  • Destination remote access server (RAS), for example a Cisco 2511, AS5200, AS5300, or a Microsoft RAS server

  • Two modems

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Cisco Secure NT Setup

Note: In this sample configuration, the Cisco Secure NT server, the Terminal Access Controller Access Control System Plus (TACACS+) server, and the Authentication, Authorization, and Accounting (AAA) server all reside on the PC.

Create Outbound Service

Complete these steps to create new outbound service from the TACACS+ server to the remote networks. For this example, the NAS that dials out is called "michigan," and the remote router is called "ohio."

  1. Start your web browser and open Cisco Secure NT.

    Select the Interface Configuration button.


  2. From interface configuration, choose TACACS+ (Cisco).


  3. Under New Services, check Group, or check both Group and User.

    In the Service box, type outbound. In the Protocol box, type ip. (Both outbound and ip are typed lower case.) Click Submit.


Create the michigan-1 Profile

Complete these steps:

  1. The static routes and the number to dial out are sent from the TACACS+ server to the NAS.

    Three profiles are used in this example: michigan-1 holds the static routes that the NAS (michigan) downloads, ohio-out holds the dialout attributes for the remote router, and ohio is the PPP profile used to authenticate the remote router once the call is up. When the NAS downloads routes it requests michigan-1, then michigan-2, and so on, and stops at the first name the server rejects, so route profiles must be numbered consecutively starting at 1. To download static routes to the NAS, create a michigan-1 user with the static route information in Cisco Secure.

    • Click the User Setup button.


    • Type the username and then click Add/Edit.


  2. Networks 20.1.1.0, 30.1.1.0, and 40.1.1.0 are connected to the remote router.

    Static routes for these networks are downloaded from the TACACS+ server. From the web admin for Cisco Secure NT, click Group Setup, select the group to which the users belong, and then click Edit Settings.


  3. Enter this route information in the Custom Attributes window under PPP IP.

    Note: Make sure PPP IP is checked.


    The route information is:

    route#1=60.1.1.1 255.255.255.255 dialer 1 name ohio
    route#2=20.1.1.0 255.255.255.0 60.1.1.1
    route#3=30.1.1.0 255.255.255.0 60.1.1.1
    route#4=40.1.1.0 255.255.255.0 60.1.1.1

Create the ohio-out Profile

Cisco Secure NT may not have an outbound service in the default interface. If that service does not appear, go to Interface Configuration > TACACS+ and add a new service called outbound for the appropriate level (user or group) and click Submit. This causes "service=outbound" to appear in the interface with a Custom Attributes box underneath it. You can use the Custom Attributes box to fill in this information. The destination number is in the ohio-out profile.

send-auth=3

send-secret=cisco

dial-number=68858

addr=60.1.1.1

The password for this user is cisco. Use send-auth=3 for MS-CHAP, send-auth=2 for CHAP, and send-auth=1 for Password Authentication Protocol (PAP). In this case, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is performed. send-secret is the password that michigan presents when ohio challenges it, so it must match the username michigan password entry on ohio. Include the number to dial and the IP address of the remote peer for PPP negotiations. Keep in mind that send-secret is stored as a plain attribute value on the TACACS+ server and is protected on the wire only by the TACACS+ shared key, so use a strong key and a non-default secret outside the lab.

Create the ohio Profile

Use a normal Point-to-Point Protocol (PPP) profile to create the remote router's profile on the TACACS+ server.

Note: Because the router is configured for MS-CHAP, the TACACS+ server must support MS-CHAP. Cisco Secure NT supports MS-CHAP. Make sure that PPP/IP and PPP/LCP are checked. The password can be in either the NT or the Cisco Secure database.
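The profiles above are plain attribute=value strings that the NAS turns into IOS commands (the debug output later in this document shows each route#N attribute being parsed into an ip route command, and the -out suffix of ohio-out being stripped to get the peer name). The following Python script is an added example, not part of this Cisco document and not Cisco Secure NT code: it validates the michigan-1 and ohio-out attributes before they are typed into the Custom Attributes box, derives what the NAS builds from them, and models the michigan-1, michigan-2, ... lookup sequence that route download performs. The function names, the exact form of the derived dialer map, and the sample attribute lists are assumptions made for illustration; the sample deliberately includes a malformed route#4 (three-octet next hop) so there is an error to catch.

```python
"""Validate Cisco Secure NT custom attributes for LSDO and show what the NAS
derives from them. Added example: attribute names come from the document's
profiles; helper names and the derived dialer-map form are assumptions."""
import ipaddress
import re

# send-auth values as given in the document.
SEND_AUTH = {"1": "pap", "2": "chap", "3": "ms-chap"}

# Constructed sample: michigan-1 route attributes, with a deliberately
# malformed route#4 (three-octet next hop) for the validator to catch.
MICHIGAN_1 = [
    "route#1=60.1.1.1 255.255.255.255 dialer 1 name ohio",
    "route#2=20.1.1.0 255.255.255.0 60.1.1.1",
    "route#3=30.1.1.0 255.255.255.0 60.1.1.1",
    "route#4=40.1.1.0 255.255.255.0 60.1.1",
]
# Constructed sample: the ohio-out dialout attributes.
OHIO_OUT = ["send-auth=3", "send-secret=cisco", "dial-number=68858", "addr=60.1.1.1"]


def parse_av(lines):
    """Split 'attr=value' strings into (attr, value) pairs."""
    pairs = []
    for line in lines:
        attr, sep, value = line.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an attr=value pair: {line!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def _ipv4(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def routes_to_ios(lines):
    """Translate route#N attributes into the 'ip route ...' commands the NAS
    installs. Returns (commands, errors): a malformed route is reported instead
    of emitted, and numbering is checked because the NAS processes them in order."""
    commands, errors = [], []
    expected = 1
    for attr, value in parse_av(lines):
        m = re.fullmatch(r"route#(\d+)", attr)
        if not m:
            errors.append(f"{attr}: not a route#N attribute")
            continue
        n = int(m.group(1))
        if n != expected:
            errors.append(f"{attr}: expected route#{expected}; routes must be numbered consecutively")
        expected = n + 1
        fields = value.split()
        if len(fields) < 3:
            errors.append(f"{attr}: expected '<prefix> <mask> <next hop>', got {value!r}")
            continue
        prefix, mask, nexthop = fields[0], fields[1], " ".join(fields[2:])
        try:
            ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False)  # rejects a bad prefix or mask
        except ValueError as exc:
            errors.append(f"{attr}: bad prefix/mask: {exc}")
            continue
        # Next hop is an address (route#2..4) or an interface, optionally followed
        # by 'name <peer>' (route#1: 'dialer 1 name ohio').
        if _ipv4(nexthop) is None and not re.fullmatch(r"[A-Za-z]+ ?\d+( name \S+)?", nexthop):
            errors.append(f"{attr}: next hop {nexthop!r} is neither an IPv4 address nor an interface")
            continue
        commands.append(f"ip route {value}")
    return commands, errors


def dialout_to_ios(profile, lines):
    """Validate an outbound profile and derive what the NAS composes from it."""
    av = dict(parse_av(lines))
    errors = []
    auth = SEND_AUTH.get(av.get("send-auth", ""))
    if auth is None:
        errors.append("send-auth must be 1 (PAP), 2 (CHAP) or 3 (MS-CHAP)")
    number = av.get("dial-number", "")
    if not re.fullmatch(r"[0-9*#]+", number):
        errors.append(f"dial-number {number!r} is not a dial string")
    addr = av.get("addr", "")
    if _ipv4(addr) is None:
        errors.append(f"addr {addr!r} is not a valid IPv4 address")
    if not av.get("send-secret"):
        errors.append("send-secret is required: it is the password the NAS presents to the peer")
    # The NAS strips the '-out' suffix to get the name it dials and authenticates as.
    peer = profile[:-len("-out")] if profile.endswith("-out") else profile
    # Assumed form of the dialer map the NAS composes from addr, peer and number.
    dialer_map = f"dialer map ip {addr} name {peer} {number}"
    return {"peer": peer, "auth": auth, "dialer_map": dialer_map, "errors": errors}


def route_download_sequence(hostname, server_profiles):
    """Model 'aaa route download': the NAS authorizes <hostname>-1, <hostname>-2, ...
    and stops at the first name the server rejects. Returns (routes, rejected_name)."""
    routes, n = [], 1
    while f"{hostname}-{n}" in server_profiles:
        routes.extend(server_profiles[f"{hostname}-{n}"])
        n += 1
    return routes, f"{hostname}-{n}"


if __name__ == "__main__":
    cmds, errs = routes_to_ios(MICHIGAN_1)
    print("\n".join(cmds), *errs, sep="\n")
    print(dialout_to_ios("ohio-out", OHIO_OUT))
    print(route_download_sequence("michigan", {"michigan-1": MICHIGAN_1}))
```

Run against the sample, the script emits the three well-formed ip route commands and reports route#4, returns peer ohio with MS-CHAP for the ohio-out profile, and shows that the download collects michigan-1 and ends when michigan-2 is rejected, which is exactly the FAIL seen for michigan-2 in the route download debug. Checking the attributes this way before entering them avoids discovering a typo only when the router parses the routes at download time.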

Network Diagram

This document uses the network setup shown in the network diagram (the diagram image is not reproduced here). In summary: michigan (Cisco 2511, Ethernet 171.68.201.53, Dialer1 address 50.1.1.1) dials out over an async modem line to ohio (Cisco 2524, Ethernet 171.68.201.30, Dialer1 address 60.1.1.1), which has the 20.1.1.0/24, 30.1.1.0/24, and 40.1.1.0/24 networks behind it. The Cisco Secure NT server is at 171.68.207.177 and is reached from michigan through the default gateway 171.68.201.1.

Configurations

Cisco 2524 Remote Router Configuration

ohio#show run
Building configuration...
Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ohio
!
enable password cisco
!

!--- Username and password that ohio expects from michigan during MS-CHAP.
!--- The password must match send-secret in the ohio-out profile on the TACACS+ server.

username michigan password 0 cisco
!
interface Loopback0
 ip address 20.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 30.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 40.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 171.68.201.30 255.255.255.0
 no cdp enable
!
interface Async1
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 async dynamic address
 async mode dedicated
 no cdp enable

!--- Dialer Interface used for traffic to Michigan.

interface Dialer1
 ip address 60.1.1.1 255.255.255.0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 no peer default ip address
 no cdp enable
 ppp authentication ms-chap
!
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.201.1
!
access-list 199 permit icmp any any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 0 0
line aux 0
 autoselect ppp
 modem InOut
 modem autoconfigure discovery
 transport input all
 speed 38400
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
end

Cisco 2511 Local Router Configuration

!
michigan#show run

Building configuration...     
Current configuration:
!     
version 12.0
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!--- The small servers are not needed for LSDO; they are left over from the
!--- lab configuration and should be disabled on a production router.
service udp-small-servers
service tcp-small-servers

!
hostname michigan
!--- AAA: PPP authentication and network authorization are done through
!--- TACACS+. 'aaa authorization configuration' is what lets the router
!--- download the static routes (aaa route download) from the TACACS+ server.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization network default group tacacs+
aaa authorization configuration default group tacacs+
enable password cisco
username cisco password 7 
ip subnet-zero
ip host hoover 171.68.207.179
ip host Rover 172.16.171.9
ip domain-name cisco.com
chat-script callback ABORT ERROR ABORT BUSY "" "ATDT\T" TIMEOUT 30 "CONNECT" \c
cns event-service server
!
interface Ethernet0
 ip address 171.68.201.53 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Async1
 no ip address
 no ip directed-broadcast
 encapsulation ppp     
 no ip route-cache     
 no ip mroute-cache     
 keepalive 10     
 dialer in-band
 dialer rotary-group 1
 async dynamic address
 async mode interactive
 fair-queue 64 16 0
 no cdp enable
!

!--- Dialer.


interface Dialer1
 ip address 50.1.1.1 255.0.0.0
 no ip directed-broadcast
 encapsulation ppp     
 no ip route-cache     
 no ip mroute-cache     
 dialer in-band     
 dialer aaa     
 dialer idle-timeout 3600     
 dialer enable-timeout 10     
 dialer hold-queue 50     
 dialer-group 1     
 no cdp enable     
 ppp authentication ms-chap callin     
!
ip local pool default 171.68.201.25
ip classless
ip route 0.0.0.0 0.0.0.0 171.68.201.1
no ip http server    
!
dialer-list 1 protocol ip permit
no cdp run
!

!--- TACACS+ server host and shared key. The key is what obfuscates TACACS+
!--- packet bodies on the wire, so it should be a strong, unique value in production.

tacacs-server host 171.68.207.177
tacacs-server key ontop
!
line con 0
 exec-timeout 0 0
 transport input none
line 1 16
 script dialer callback
 modem InOut
 transport input all
 speed 115200
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password cisco
!
end
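The tacacs-server key in the michigan configuration is the only thing that protects the send-secret attribute, and every other attribute the server returns, on the wire. TACACS+ does not encrypt its packets: it XORs the packet body with an MD5-derived pad built from the session id, the shared key, the version byte and the sequence number (RFC 8907, section 4.5). The following Python script is an added example, not code from this document or from Cisco: it builds an authorization REPLY carrying the ohio-out attributes, obfuscates it the way a TACACS+ server would, and shows that the shared key alone recovers send-secret from a captured body. The session id (3033142512) and version (193, 0xC1) are taken from the debug output later in this document; the packet contents, the sequence number and the function names are constructed for the example.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) applied to an authorization
REPLY carrying the ohio-out attributes. Added example: the session id and
version come from the document's debug output, everything else is constructed."""
import hashlib
import struct

SESSION_ID = 3033142512   # 'id=3033142512' in the document's debug output
VERSION = 0xC1            # 'ver=193' in the same output (major 0xC, minor 1)
SEQ_NO = 2                # the REPLY is the second packet of the session (assumed)
KEY = b"ontop"            # 'tacacs-server key ontop' on michigan
PASS_ADD = 0x02           # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
OHIO_OUT = ["service=outbound", "protocol=ip", "send-auth=3",
            "send-secret=cisco", "dial-number=68858", "addr=60.1.1.1"]


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no) and
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and
    truncated to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_reply_body(status, args):
    """AUTHOR REPLY body: status, arg_cnt, server_msg_len, data_len,
    arg_len[arg_cnt], server_msg, data, then the arguments back to back."""
    encoded = [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(encoded), 0, 0)
    return fixed + bytes(len(a) for a in encoded) + b"".join(encoded)


def parse_author_reply_body(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    return status, args


def wire_body():
    """The obfuscated body as it would travel from the server to michigan."""
    return obfuscate(author_reply_body(PASS_ADD, OHIO_OUT), SESSION_ID, KEY, VERSION, SEQ_NO)


def recover_secret(wire, key):
    """What a capturing party holding `key` learns; None if the key is wrong."""
    try:
        status, args = parse_author_reply_body(obfuscate(wire, SESSION_ID, key, VERSION, SEQ_NO))
        if status != PASS_ADD:
            return None
        return dict(a.split("=", 1) for a in args).get("send-secret")
    except (struct.error, UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    wire = wire_body()
    print("on the wire:", wire.hex())
    print("with the shared key:", recover_secret(wire, KEY))
    print("with a wrong key:", recover_secret(wire, b"wrongkey"))
```

The pad is a keystream with no integrity check, so anyone who captures the exchange between michigan and 171.68.207.177 and knows or guesses the key reads every attribute, including send-secret, and could also alter the returned dial-number or addr undetected. A short dictionary word such as ontop does not hold up against an offline guess over a captured session, so treat the TACACS+ key with the same care as the secrets it carries and keep the server reachable only from a management network.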

Download Static Routes

Use the aaa route download [time] command, entered in global configuration mode on the router (michigan) console, to download static routes from the AAA server. The optional time argument is the route update period in minutes; in this example the routes are refreshed every 100 minutes.

michigan# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
michigan(config)#aaa route download 100

*Mar 2 03:58:54.453: AAA/AUTHOR: config command authorization not enabled
*Mar 2 03:58:54.465: AAA: parse name= idb type=-1 tty=-1
*Mar 2 03:58:54.465: AAA/MEMORY: create_user (0x474A18) user='' 
   ruser='' port='' rem_addr='' 
authen_type=NONE service=LOGIN priv=0
*Mar 2 03:58:54.473: unknown AAA/AUTHOR/CONFIG (2184933616): Port='' 
   list='default' service=unknown
*Mar 2 03:58:54.477: AAA/AUTHOR/CONFIG: unknown (2184933616) 
   user='michigan-1'
*Mar 2 03:58:54.477: unknown AAA/AUTHOR/CONFIG (2184933616): 
   send AV service=ppp
*Mar 2 03:58:54.481: unknown AAA/AUTHOR/CONFIG (2184933616): 
   send AV protocol=ip

*Mar 2 03:58:54.481: unknown AAA/AUTHOR/CONFIG (2184933616): 
   found list "default"
*Mar 2 03:58:54.485: unknown AAA/AUTHOR/CONFIG (2184933616): 
   Method=tacacs+ (tacacs+)
*Mar 2 03:58:54.489: AAA/AUTHOR/TAC+: (2184933616): user=michigan-1
*Mar 2 03:58:54.489: AAA/AUTHOR/TAC+: (2184933616): send AV service=ppp
*Mar 2 03:58:54.493: AAA/AUTHOR/TAC+: (2184933616): send AV protocol=ip
*Mar 2 03:58:54.497: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 2 03:58:54.497: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar 2 03:58:54.509: TAC+: Opened TCP/IP handle 0x47C6DC to 171.68.207.177/49nd
michigan#
*Mar 2 03:58:54.517: TAC+: 171.68.207.177 (2184933616) AUTHOR/START queued
*Mar 2 03:58:54.993: AAA/AUTHOR: config command authorization not enabled
1d03h: %SYS-5-CONFIG_I: Configured from console by cisco 
   on vty1 (171.68.201.34)
*Mar 2 03:58:55.009: TAC+: (2184933616) AUTHOR/START processed
*Mar 2 03:58:55.021: TAC+: (2184933616): received author response 
   status = PASS_ADD
*Mar 2 03:58:55.021: TAC+: Closing TCP/IP 0x47C6DC connection 
   to 171.68.207.177/49
*Mar 2 03:58:55.029: AAA/AUTHOR (2184933616): Post 
   authorization status = PASS_ADD

!--- The IP routes are downloaded from the TACACS+ server.

*Mar 2 03:58:55.037: AAA/AUTHOR/CONFIG: Processing AV service=ppp
*Mar 2 03:58:55.041: AAA/AUTHOR/CONFIG: Processing AV protocol=ip
*Mar 2 03:58:55.041: AAA/AUTHOR/CONFIG: Processing AV route#1=60.1.1.1 
   255.255.255.255 dialer 1 name ohio
*Mar 2 03:58:55.045: AAA/AUTHOR/CONFIG: Parse 'ip route 60.1.1.1 
   255.255.255.255 dialer 1 name ohio'
*Mar 2 03:58:55.265: AAA/AUTHOR/CONFIG: Parse returned ok (0)
*Mar 2 03:58:55.265: AAA/AUTHOR/CONFIG: Processing AV route#2=20.1.1.0 
   255.255.255.0 60.1.1.1
*Mar 2 03:58:55.269: AAA/AUTHOR/CONFIG: Parse 'ip route 20.1.1.0 
   255.255.255.0 60.1.1.1'
*Mar 2 03:58:55.321: AAA/AUTHOR/CONFIG: Parse returned ok (0)
*Mar 2 03:58:55.325: AAA/AUTHOR/CONFIG: Processing AV route#3=30.1.1.0 
   255.255.255.0 60.1.1.1
*Mar 2 03:58:55.329: AAA/AUTHOR/CONFIG: Parse 'ip route 30.1.1.0 
   255.255.255.0 60.1.1.1'
*Mar 2 03:58:55.369: AAA/AUTHOR/CONFIG: Parse returned ok (0)
*Mar 2 03:58:55.369: AAA/AUTHOR/CONFIG: Processing AV route#4=40.1.1.0 
   255.255.255.0 60.1.1.1
*Mar 2 03:58:55.373: AAA/AUTHOR/CONFIG: Parse 'ip route 40.1.1.0 
   255.255.255.0 60.1.1.1'
*Mar 2 03:58:55.413: AAA/AUTHOR/CONFIG: Parse returned ok (0)
!--- The NAS then asks for michigan-2. The server has no such profile and
!--- returns FAIL, which tells the NAS that the list of route profiles is
!--- complete. This failure is expected.

*Mar 2 03:58:55.417: unknown AAA/AUTHOR/CONFIG (2239451311): Port='' 
   list='default' service=unknown
*Mar 2 03:58:55.417: AAA/AUTHOR/CONFIG: unknown (2239451311) user='michigan-2'
*Mar 2 03:58:55.421: unknown AAA/AUTHOR/CONFIG (2239451311): send AV service=ppp
*Mar 2 03:58:55.421: unknown AAA/AUTHOR/CONFIG (2239451311): send AV protocol=ip
*Mar 2 03:58:55.425: AAA/AUTHOR/CONFIG: unknown (2239451311) 
   Processing AV service=ppp
*Mar 2 03:58:55.429: AAA/AUTHOR/CONFIG: unknown (2239451311) 
   Processing AV protocol=ip
*Mar 2 03:58:55.429: AAA/AUTHOR/CONFIG: unknown (2239451311) Processing AV 
   route#1=60.1.1.1 255.255.255.255 dialer 1 name ohio
*Mar 2 03:58:55.433: AAA/AUTHOR/CONFIG: unknown (2239451311) Processing AV 
   route#2=20.1.1.0 255.255.255.0 60.1.1.1
*Mar 2 03:58:55.437: AAA/AUTHOR/CONFIG: unknown (2239451311) Processing AV 
   route#3=30.1.1.0 255.255.255.0 60.1.1.1
*Mar 2 03:58:55.441: AAA/AUTHOR/CONFIG: unknown (2239451311) Processing AV 
   route#4=40.1.1.0 255.255.255.0 60.1.1.1
*Mar 2 03:58:55.445: unknown AAA/AUTHOR/CONFIG (2239451311): found list "default"
*Mar 2 03:58:55.445: unknown AAA/AUTHOR/CONFIG (2239451311): 
   Method=tacacs+ (tacacs+)
*Mar 2 03:58:55.449: AAA/AUTHOR/TAC+: (2239451311): user=michigan-2
*Mar 2 03:58:55.453: AAA/AUTHOR/TAC+: (2239451311): send AV service=ppp
*Mar 2 03:58:55.453: AAA/AUTHOR/TAC+: (2239451311): send AV protocol=ip
*Mar 2 03:58:55.457: TAC+: using previously set server 171.68.207.177 
   from group tacacs+
*Mar 2 03:58:55.461: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar 2 03:58:55.473: TAC+: Opened TCP/IP handle 0x47CFC8 to 171.68.207.177/49
*Mar 2 03:58:55.473: TAC+: Opened 171.68.207.177 index=1
*Mar 2 03:58:55.481: TAC+: 171.68.207.177 (2239451311) AUTHOR/START queued
*Mar 2 03:58:55.681: TAC+: (2239451311) AUTHOR/START processed
*Mar 2 03:58:55.685: TAC+: (2239451311): received author response status = FAIL
*Mar 2 03:58:55.689: TAC+: Closing TCP/IP 0x47CFC8 connection to 171.68.207.177/49
*Mar 2 03:58:55.693: AAA/AUTHOR (2239451311): Post authorization status = FAIL
*Mar 2 03:58:55.697: AAA/AUTHOR/CONFIG: authorization failed or network error
*Mar 2 03:58:55.701: AAA/AUTHOR/CONFIG: route downloading completed
*Mar 2 03:58:55.701: AAA/MEMORY: free_user (0x474A18) user='michigan-2' 
   ruser='' port='' rem_addr='' authen_type=NONE
   service=LOGIN priv=0

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Debug and Verify the Local Router

Use the show ip route static download command to verify that the downloaded routes are in the routing table (A marks an active route):

michigan#show ip route static download
Connectivity: A - Active, I - Inactive
A 20.1.1.0 255.255.255.0 60.1.1.1
A 30.1.1.0 255.255.255.0 60.1.1.1
A 40.1.1.0 255.255.255.0 60.1.1.1
A 60.1.1.1 255.255.255.255 Dialer1 name ohio

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

  • debug aaa authorization—Used to see if the user is authorized by the AAA server.

  • debug tacacs—Used to see if a TACACS login attempt is successful.

  • debug chat-script—Used to see if the chat script calls the client.

  • debug ppp authentication—Used to see if a client passes authentication.

  • debug ppp negotiation—Used to see if a client passes PPP negotiation. This shows which options (callback, MLP, and so on) and what protocols (IP, IPX, and so on) are negotiated.

Ping the remote networks to verify the connection. The first ping to 60.1.1.1 brings up the link:

michigan#ping 60.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.1.1.1, timeout is 2 seconds:

*Mar  2 03:59:34.669: AAA: parse name=Dialer1 idb type=-1 TTY=-1
*Mar  2 03:59:34.673: AAA: name=Dialer1 flags=0x11 type=6 shelf=0 
   slot=0 adapter=0 port=1 channel=0
*Mar  2 03:59:34.677: AAA: parse name=<no string> idb type=-1 TTY=-1
*Mar  2 03:59:34.677: AAA/MEMORY: create_user (0x47CC34) user=ohio-out 
   ruser='' port='Dialer1' rem_addr='Dial out' authen_type=NONE 
   service=LOGIN priv=0
*Mar  2 03:59:34.685: Di1 AAA/AUTHOR/DIALOUT (110659631): Port='Dialer1' 
   list='default' service=unknown
*Mar  2 03:59:34.689: AAA/AUTHOR/DIALOUT: Di1 (110659631) user=ohio-out
*Mar  2 03:59:34.689: Di1 AAA/AUTHOR/DIALOUT (110659631): send AV service=outbound
*Mar  2 03:59:34.693: Di1 AAA/AUTHOR/DIALOUT (110659631): send AV protocol=ip
*Mar  2 03:59:34.693: Di1 AAA/AUTHOR/DIALOUT (110659631): found list "default"
*Mar  2 03:59:34.697: Di1 AAA/AUTHOR/DIALOUT (110659631): Method=tacacs+ (tacacs+)
*Mar  2 03:59:34.701: AAA/AUTHOR/TAC+: (110659631): user=ohio-out
*Mar  2 03:59:34.701: AAA/AUTHOR/TAC+: (110659631): send AV service=outbound
*Mar  2 03:59:34.705: AAA/AUTHOR/TAC+: (110659631): send AV protocol=ip
*Mar  2 03:59:34.709: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar  2 03:59:34.709: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar  2 03:59:34.721: TAC+: Opened TCP/IP handle 0x47D40C to 171.68.207.177/49
*Mar  2 03:59:34.729: TAC+: 171.68.207.177 (110659631) AUTHOR/START queued
*Mar  2 03:59:35.129: TAC+: (110659631) AUTHOR/START processed
*Mar  2 03:59:35.137: TAC+: (110659631): received author response 
   status = PASS_ADD
*Mar  2 03:59:35.137: TAC+: Closing TCP/IP 0x47D40C connection 
   to 171.68.207.177/49

!--- TACACS+ server provides attributes used for dialout.

*Mar  2 03:59:35.145: Di1 AAA/AUTHOR (110659631): Post authorization 
   status = PASS_ADD
*Mar  2 03:59:35.153: Di1 AAA/AUTHOR/DIALOUT: Processing AV service=outbound
*Mar  2 03:59:35.157: Di1 AAA/AUTHOR/DIALOUT: Processing AV protocol=ip
*Mar  2 03:59:35.157: Di1 AAA/AUTHOR/DIALOUT: Processing AV send-auth=3
*Mar  2 03:59:35.161: Di1 AAA/AUTHOR/DIALOUT: Processing AV send-secret=cisco
*Mar  2 03:59:35.165: Di1 AAA/AUTHOR/DIALOUT: Processing AV dial-number=68858
*Mar  2 03:59:35.165: Di1 AAA/AUTHOR/DIALOUT: Processing AV addr=60.1.1.1
*Mar  2 03:59:35.169: Di1 AAA/AUTHOR/DIALOUT: Authorization succeeded
*Mar  2 03:59:35.169: Di1 AAA/AUTHOR/DIALOUT: truncating '-out' 
   suffix, user now is ohio
*Mar  2 03:59:35.173: %LSdialout: temporary debug to verify 
   the data integrity
*Mar  2 03:59:35.177: 	dial number = 68858
*Mar  2 03:59:35.177: 	dialnum_count = 1
*Mar  2 03:59:35.177: 	force_56 = 0
*Mar  2 03:59:35.181: 	routing = 0
*Mar  2 03:59:35.181: 	data_svc = -1
*Mar  2 03:59:35.181: 	port_type = -1
*Mar  2 03:59:35.185: 	map_class = 
*Mar  2 03:59:35.185: 	ip_address = 60.1.1.1
*Mar  2 03:59:35.189: 	send_secret = cisco
*Mar  2 03:59:35.189: 	send_auth = 3
*Mar  2 03:59:35.197: CHAT1: Attempting async line dialer script
*Mar  2 03:59:35.197: CHAT1: Dialing using Modem script: 
   callback & System script: none
*Mar  2 03:59:35.205: CHAT1: process started
*Mar  2 03:59:35.209: CHAT1: Asserting DTR
*Mar  2 03:59:35.213: CHAT1: Chat script callback started
*Mar  2 03:59:35.213: CHAT1: Sending string: ATDT\T<68858>.
*Mar  2 03:59:35.217: CHAT1: Expecting string: CONNECT....
Success rate is 0 percent (0/5)
michigan#

!--- The first ping only triggers the call: the five echoes time out while the
!--- modem dials and PPP comes up. The ping is repeated once the link is up.
*Mar  2 03:59:50.069: CHAT1: Completed match for expect: CONNECT
*Mar  2 03:59:50.073: CHAT1: Sending string: \c
*Mar  2 03:59:50.073: CHAT1: Chat script callback finished, status = Success
*Mar  2 03:59:50.085: Di1 IPCP: Install route to 60.1.1.1
1d03h: %LINK-3-UPDOWN: Interface Async1, changed state to up
*Mar  2 03:59:52.097: As1 PPP: Treating connection as a callout
*Mar  2 03:59:52.101: As1 PPP: Phase is ESTABLISHING, Active Open
*Mar  2 03:59:52.105: As1 PPP: No remote authentication for call-out
*Mar  2 03:59:52.105: As1 PPP: Overriding authentication config 
   with AAA authorization
*Mar  2 03:59:52.109: As1 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
*Mar  2 03:59:52.113: As1 LCP: O CONFREQ [Closed] id 59 Len 25
*Mar  2 03:59:52.117: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Mar  2 03:59:52.121: As1 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Mar  2 03:59:52.121: As1 LCP:    MagicNumber 0x167D31E6 (0x0506167D31E6)
*Mar  2 03:59:52.125: As1 LCP:    PFC (0x0702)
*Mar  2 03:59:52.125: As1 LCP:    ACFC (0x0802)
*Mar  2 03:59:52.329: As1 LCP: I CONFREQ [REQsent] id 12 Len 25
*Mar  2 03:59:52.333: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Mar  2 03:59:52.337: As1 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Mar  2 03:59:52.337: As1 LCP:    MagicNumber 0x61AFFF85 (0x050661AFFF85)
*Mar  2 03:59:52.341: As1 LCP:    PFC (0x0702)
*Mar  2 03:59:52.345: As1 LCP:    ACFC (0x0802)
*Mar  2 03:59:52.349: As1 LCP: O CONFACK [REQsent] id 12 Len 25
*Mar  2 03:59:52.349: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Mar  2 03:59:52.353: As1 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Mar  2 03:59:52.357: As1 LCP:    MagicNumber 0x61AFFF85 (0x050661AFFF85)
*Mar  2 03:59:52.361: As1 LCP:    PFC (0x0702)
*Mar  2 03:59:52.361: As1 LCP:    ACFC (0x0802)
*Mar  2 03:59:52.365: As1 LCP: I CONFACK [ACKsent] id 59 Len 25
*Mar  2 03:59:52.369: As1 LCP:    ACCM 0x000A0000 (0x0206000A0000)
*Mar  2 03:59:52.373: As1 LCP:    AuthProto MS-CHAP (0x0305C22380)
*Mar  2 03:59:52.373: As1 LCP:    MagicNumber 0x167D31E6 (0x0506167D31E6)
*Mar  2 03:59:52.377: As1 LCP:    PFC (0x0702)
*Mar  2 03:59:52.377: As1 LCP:    ACFC (0x0802)
*Mar  2 03:59:52.381: As1 LCP: State is Open
*Mar  2 03:59:52.385: As1 PPP: Phase is AUTHENTICATING, by both
*Mar  2 03:59:52.385: As1 MS-CHAP: O CHALLENGE id 10 Len 21 from "michigan  "
*Mar  2 03:59:52.513: As1 MS-CHAP: I CHALLENGE id 10 Len 21 from "ohio     "
*Mar  2 03:59:52.521: AAA: parse name=Async1 idb type=10 TTY=1
*Mar  2 03:59:52.521: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 
   adapter=0 port=1 channel=0
*Mar  2 03:59:52.525: AAA/MEMORY: create_user (0x47DF08) user=ohio ruser='' 
   port='Async1' rem_addr='async' authen_type=MSCHAP service=PPP priv=1
*Mar  2 03:59:52.533: TAC+: Look for cached secret first for sendauth
*Mar  2 03:59:53.337: AAA/MEMORY: free_user (0x47DF08) user=ohio ruser='' 
   port='Async1' rem_addr='async' authen_type=MSCHAP service=PPP priv=1
*Mar  2 03:59:53.345: As1 MS-CHAP: O RESPONSE id 10 Len 60 from "michigan"
*Mar  2 03:59:55.133: As1 MS-CHAP: I SUCCESS id 10 Len 4
*Mar  2 03:59:55.145: As1 MS-CHAP: I RESPONSE id 10 Len 57 from "ohio"
*Mar  2 03:59:55.153: AAA: parse name=Async1 idb type=10 TTY=1
*Mar  2 03:59:55.153: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 
   adapter=0 port=1 channel=0
*Mar  2 03:59:55.157: AAA/MEMORY: create_user (0x47DF68) user=ohio ruser='' 
   port='Async1' rem_addr='async' authen_type=MSCHAP service=PPP priv=1
*Mar  2 03:59:55.165: TAC+: send AUTHEN/START packet ver=193 id=3033142512
*Mar  2 03:59:55.165: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar  2 03:59:55.169: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar  2 03:59:55.181: TAC+: Opened TCP/IP handle 0x47E924 to 171.68.207.177/49
*Mar  2 03:59:55.189: TAC+: 171.68.207.177 (3033142512) 
   AUTHEN/START/LOGIN/MSCHAP queued
*Mar  2 03:59:55.389: TAC+: (3033142512) AUTHEN/START/LOGIN/MSCHAP processed
*Mar  2 03:59:55.393: TAC+: ver=193 id=3033142512 received AUTHEN status = PASS
*Mar  2 03:59:55.397: TAC+: Closing TCP/IP 0x47E924 connection to 171.68.207.177/49
*Mar  2 03:59:55.405: As1 AAA/AUTHOR/LCP: Authorize LCP
*Mar  2 03:59:55.405: As1 AAA/AUTHOR/LCP (1887155294): Port='Async1' 
   list='' service=NET
*Mar  2 03:59:55.409: AAA/AUTHOR/LCP: As1 (1887155294) user=ohio
*Mar  2 03:59:55.413: As1 AAA/AUTHOR/LCP (1887155294): send AV service=ppp
*Mar  2 03:59:55.413: As1 AAA/AUTHOR/LCP (1887155294): send AV protocol=lcp
*Mar  2 03:59:55.417: As1 AAA/AUTHOR/LCP (1887155294): found list "default"
*Mar  2 03:59:55.421: As1 AAA/AUTHOR/LCP (1887155294): Method=tacacs+ (tacacs+)
*Mar  2 03:59:55.421: AAA/AUTHOR/TAC+: (1887155294): user=ohio
*Mar  2 03:59:55.425: AAA/AUTHOR/TAC+: (1887155294): send AV service=ppp
*Mar  2 03:59:55.425: AAA/AUTHOR/TAC+: (1887155294): send AV protocol=lcp
*Mar  2 03:59:55.429: TAC+: using previously set server 171.68.207.177 
   from group tacacs+
*Mar  2 03:59:55.433: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar  2 03:59:55.457: TAC+: Opened TCP/IP handle 0x47ED68 to 171.68.207.177/49
*Mar  2 03:59:55.461: TAC+: Opened 171.68.207.177 index=1
*Mar  2 03:59:55.469: TAC+: 171.68.207.177 (1887155294) AUTHOR/START queued
*Mar  2 03:59:55.665: TAC+: (1887155294) AUTHOR/START processed
*Mar  2 03:59:55.669: TAC+: (1887155294): received author response status = PASS_ADD
*Mar  2 03:59:55.673: TAC+: Closing TCP/IP 0x47ED68 connection to 
   171.68.207.177/49
*Mar  2 03:59:55.677: As1 AAA/AUTHOR (1887155294): Post authorization 
   status = PASS_ADD
*Mar  2 03:59:55.681: As1 MS-CHAP: O SUCCESS id 10 Len 4
*Mar  2 03:59:55.689: As1 PPP: Phase is UP
*Mar  2 03:59:55.689: As1 AAA/AUTHOR/FSM: (0): Can we start IPCP?
*Mar  2 03:59:55.693: As1 AAA/AUTHOR/FSM (763417858): Port='Async1' 
   list='' service=NET
*Mar  2 03:59:55.697: AAA/AUTHOR/FSM: As1 (763417858) user=ohio
*Mar  2 03:59:55.697: As1 AAA/AUTHOR/FSM (763417858): send AV service=ppp
*Mar  2 03:59:55.701: As1 AAA/AUTHOR/FSM (763417858): send AV protocol=ip
*Mar  2 03:59:55.701: As1 AAA/AUTHOR/FSM (763417858): found list "default"
*Mar  2 03:59:55.705: As1 AAA/AUTHOR/FSM (763417858): Method=tacacs+ (tacacs+)
*Mar  2 03:59:55.709: AAA/AUTHOR/TAC+: (763417858): user=ohio
*Mar  2 03:59:55.709: AAA/AUTHOR/TAC+: (763417858): send AV service=ppp
*Mar  2 03:59:55.713: AAA/AUTHOR/TAC+: (763417858): send AV protocol=ip
*Mar  2 03:59:55.713: TAC+: using previously set server 171.68.207.177 
   from group tacacs+
*Mar  2 03:59:55.717: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar  2 03:59:55.733: TAC+: Opened TCP/IP handle 0x47F1AC to 171.68.207.177/49
*Mar  2 03:59:55.737: TAC+: Opened 171.68.207.177 index=1
*Mar  2 03:59:55.745: TAC+: 171.68.207.177 (763417858) AUTHOR/START queued
*Mar  2 03:59:55.813: As1 IPCP: I CONFREQ [Closed] id 17 Len 10
*Mar  2 03:59:55.817: As1 IPCP:    Address 60.1.1.1 (0x03063C010101)
*Mar  2 03:59:56.377: TAC+: (763417858) AUTHOR/START processed
*Mar  2 03:59:56.385: TAC+: (763417858): received author response status = PASS_ADD
*Mar  2 03:59:56.389: TAC+: Closing TCP/IP 0x47F1AC connection to 171.68.207.177/49
*Mar  2 03:59:56.393: As1 AAA/AUTHOR (763417858): Post authorization status = PASS_ADD
*Mar  2 03:59:56.397: As1 AAA/AUTHOR/FSM: We can start IPCP
*Mar  2 03:59:56.401: As1 IPCP: O CONFREQ [Closed] id 46 Len 10
*Mar  2 03:59:56.405: As1 IPCP:    Address 50.1.1.1 (0x030632010101)
*Mar  2 03:59:56.541: As1 IPCP: I CONFACK [REQsent] id 46 Len 10
*Mar  2 03:59:56.545: As1 IPCP:    Address 50.1.1.1 (0x030632010101)
1d03h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up
*Mar  2 03:59:58.145: As1 IPCP: I CONFREQ [ACKrcvd] id 18 Len 10
*Mar  2 03:59:58.149: As1 IPCP:    Address 60.1.1.1 (0x03063C010101)
*Mar  2 03:59:58.153: As1 AAA/AUTHOR/IPCP: Start.  Her address 60.1.1.1, 
   we want 60.1.1.1
*Mar  2 03:59:58.157: As1 AAA/AUTHOR/IPCP (3965742514): Port='Async1' 
   list='' service=NET
*Mar  2 03:59:58.161: AAA/AUTHOR/IPCP: As1 (3965742514) user=ohio
*Mar  2 03:59:58.165: As1 AAA/AUTHOR/IPCP (3965742514): send AV service=ppp
*Mar  2 03:59:58.165: As1 AAA/AUTHOR/IPCP (3965742514): send AV protocol=ip
*Mar  2 03:59:58.169: As1 AAA/AUTHOR/IPCP (3965742514): send AV addr*60.1.1.1
*Mar  2 03:59:58.169: As1 AAA/AUTHOR/IPCP (3965742514): found list "default"
*Mar  2 03:59:58.173: As1 AAA/AUTHOR/IPCP (3965742514): Method=tacacs+ (tacacs+)
*Mar  2 03:59:58.177: AAA/AUTHOR/TAC+: (3965742514): user=ohio
*Mar  2 03:59:58.177: AAA/AUTHOR/TAC+: (3965742514): send AV service=ppp
*Mar  2 03:59:58.181: AAA/AUTHOR/TAC+: (3965742514): send AV protocol=ip
*Mar  2 03:59:58.185: AAA/AUTHOR/TAC+: (3965742514): send AV addr*60.1.1.1
*Mar  2 03:59:58.185: TAC+: using previously set server 171.68.207.177 
   from group tacacs+
*Mar  2 03:59:58.189: TAC+: Opening TCP/IP to 171.68.207.177/49 timeout=5
*Mar  2 03:59:58.201: TAC+: Opened TCP/IP handle 0x47F5F0 to 171.68.207.177/49
*Mar  2 03:59:58.205: TAC+: Opened 171.68.207.177 index=1
*Mar  2 03:59:58.213: TAC+: 171.68.207.177 (3965742514) AUTHOR/START queued
*Mar  2 03:59:58.413: TAC+: (3965742514) AUTHOR/START processed
*Mar  2 03:59:58.417: TAC+: (3965742514): received author response 
   status = PASS_ADD
*Mar  2 03:59:58.421: TAC+: Closing TCP/IP 0x47F5F0 connection 
   to 171.68.207.177/49
*Mar  2 03:59:58.425: As1 AAA/AUTHOR (3965742514): Post authorization 
   status = PASS_ADD
*Mar  2 03:59:58.433: As1 AAA/AUTHOR/IPCP: Processing AV service=ppp
*Mar  2 03:59:58.433: As1 AAA/AUTHOR/IPCP: Processing AV protocol=ip
*Mar  2 03:59:58.437: As1 AAA/AUTHOR/IPCP: Processing AV addr*60.1.1.1
*Mar  2 03:59:58.437: As1 AAA/AUTHOR/IPCP: Authorization succeeded
*Mar  2 03:59:58.441: As1 AAA/AUTHOR/IPCP: Done.  Her address 60.1.1.1, 
   we want 60.1.1.1
*Mar  2 03:59:58.445: As1 IPCP: O CONFACK [ACKrcvd] id 18 Len 10
*Mar  2 03:59:58.449: As1 IPCP:    Address 60.1.1.1 (0x03063C010101)
*Mar  2 03:59:58.449: As1 IPCP: State is Open
michigan#

!--- Ping to Ohio is successful.

michigan#ping 60.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/172/180 ms


!--- Pings to the networks whose routes were downloaded
!--- from TACACS+ are successful.

michigan#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/168/172 ms

michigan#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/165/168 ms
michigan#show user
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:07:54   
   1 TTY 1     ohio       Async interface      00:00:08   PPP: 60.1.1.1


  Interface  User      Mode                     Idle Peer Address


Related Information



Updated: Jan 17, 2006
Document ID: 13844