Re: PPP Authentication

From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Dec 15 2004 - 15:34:13 GMT-3


Thanks

"ppp authen chap ?" was the missing piece.

I figured there had to be some way to configure the interface to use aaa but
had no idea where to find it. I was looking for a standalone aaa interface
command. Live and learn.

Thanks again.
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, December 15, 2004 1:18 PM
Subject: RE: PPP Authentication

Tim,
Why not just configure it, then turn on "debug aaa authentication" and
see what's happening. Also try using the "?" after the "ppp authentication
chap" command and see what options are there.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday, December 15, 2004 9:55 AM
To: Brian Dennis; Group Study
Subject: Re: PPP Authentication

Thanks Brian for your response.

I'm familiar with that command and know that command is needed but didn't
know if that is sufficient by itself.

Besides that, aren't there other commands I need to configure on the
interface?

What I don't understand is how the IOS "knows" to use the AAA commands
instead of the local database which might also be configured and which is
what ppp normally uses.

Tim

----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, December 15, 2004 12:13 PM
Subject: RE: PPP Authentication

Tim,
Enable aaa (aaa new-model) then type "aaa authentication ?" in
the global configuration. The answer will be there ;-)

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
Sent: Wednesday, December 15, 2004 8:50 AM
To: Group Study
Subject: PPP Authentication

Hi guys,

Suppose you have a user (or router) that calls into another router using
ISDN and PPP.

You want the user (or router) calling in to be authenticated but instead of
using the local username database, you want the caller to be authenticated
using TACACS+ or RADIUS.

I know how to configure everything except how to configure the called
router to use an authentication server to authenticate the caller.

So, let's say I want chap used between the caller and the router and
TACACS+ between the router and authentication server.

I would still use the command, ppp authentication chap, under the bri
interface, right?

Now, after the caller submits his username and password using Chap, how do
I make the router send that to the TACACS+ server?

Assume all the other commands for tacacs and ppp have been configured.

Thanks, Tim
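
Added example, not part of the original thread: a called-router configuration that ties the commands named above together, so that CHAP runs on the BRI link and the result is checked against TACACS+. The server address, shared key, list name PPP-TACACS and interface number are constructed placeholders.

```cisco
! Constructed example; 192.0.2.10, <shared-secret>, PPP-TACACS and BRI0
! are placeholders, not values from the thread.
!
! Turn on the AAA subsystem. Until this is entered, "ppp authentication chap"
! checks the caller against the local username database.
aaa new-model
!
! TACACS+ server the router sends the caller's credentials to
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! Method list for PPP. "default" applies to every PPP interface that does
! not name another list. Methods are tried in order: "local" is consulted
! only when no TACACS+ server answers, not when the server rejects the caller.
aaa authentication ppp default group tacacs+ local
!
! Optional named list, for when only some interfaces should use TACACS+
aaa authentication ppp PPP-TACACS group tacacs+
!
interface BRI0
 encapsulation ppp
 ! With no list name this uses the "default" PPP method list above
 ppp authentication chap
 ! To bind the named list instead, replace the line above with:
 !   ppp authentication chap PPP-TACACS
!
! Verification from exec mode while a test call comes in:
!   debug aaa authentication
!   debug ppp authentication
```

Dropping "local" from the method list means callers cannot authenticate at all while the TACACS+ server is unreachable; keeping it means the local username database must be maintained as carefully as the server's.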



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:27 GMT-3