AAA Authorization with RADIUS and RSA SecurID Authentication Manager

Hi there.
I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; 8.x does not. RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
#aaa new-model
#radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
#aaa authentication login default group radius enable
#aaa authorization exec default group radius local
I have also tried
#aaa authorization exec default group radius if-authenticated local
I can successfully authenticate via SSH to User Mode using my SecurID passcode. However, when I go to enter Priv Exec mode, it won't take the SecurID passcode; I just get an "access denied".
I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." Not sure if this is related to my issue?
I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

Similar Messages

  • Aaa authorization with Funk SBR EE

    Hello,
    I cannot get aaa authorization with Funk SBR EE to work.
    On our cisco switches I configure:
    aaa authentication default group radius local
    aaa authorization exec default radius local
    On the Funk radius server I return
    service-type login
    Cisco-AVPAIR shell:priv-lvl=15
    Authorization always fails and the debug output shows:
    1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
    1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**]:1812, Access-Request, len 82
    1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
    1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
    1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
    1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
    1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
    1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
    1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
    1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
    1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
    1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
    1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
    1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
    1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
    1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
    1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
    1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
    1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
    1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
    1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
    What do I need to add to the radius server to make it work?
    --Joerg

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined the unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • Aaa authorization with Tacacs+

    Hello All,
    I am trying to figure out how aaa authorization with tacacs+ works.
    I am totally comfortable with aaa authentication, but I am not able to understand how authorization works. How are different priv levels assigned to different users?
    I am totally freaked out...

    The device-side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
    Cisco has a pretty thorough configuration example posted here.

  • RSA SecurID authentication and privilege level

    Hello,
    I'm new to working with Cisco ACS, learning by the seat of my pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore, I would appreciate some help setting up privileges. We have ACS v5.2, which I have set up using RSA SecurID, and it appears to be working correctly. However, I'm having problems with the privilege level: when I access a router it lands me in user mode. I'm trying to set up an administrator group for the routers and switches to have each member dropped into privilege level 15, exec mode, but I'm having difficulty doing this.
    Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

    Hello.
    Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA, but you authorize with ACS policies. For TACACS+ and traditional IOS on routers and switches you can use an ACS policy element called "shell profile", which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
    I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have an RSA available. Please rate if it helps.

  • ISDN Authorization with RADIUS using ISE 1.1.2

    Hi,
    I am trying to move my ISDN dialup branches' authentication/authorization from the old ACS 4.1 to the ISE appliance. Before, it was through ACS 4.2 with the TACACS protocol, but now since we are moving to ISE we are moving them to ISE with RADIUS.
    The problem is that the ISDN client gets authenticated and authorized but the calls get dropped and they aren't able to communicate with HO. The IP address is assigned by the Head End router to all remote ISDN dialing branches.
    I have used the default "PermitAccess" in the authorization policy and the authentication policy is also default. I don't understand where I am going wrong, as authentication and authorization are successful.
    Below is the router configuration for AAA:
    aaa authentication ppp default group radius local
    aaa authentication network default group radius
    aaa accounting network default start-stop group radius
    radius-server host 12.18.22.41
    radius-server key *****
    Can anyone help with this?

    CoA is not needed, nor supported, for ISDN AAA; I used ACS 3.3 for this a long time ago. I think you should do some debugging if ISE does not give you any errors.
    Try doing some debug aaa / debug radius & deb ppp nego. If your calls are authenticated and an IP is assigned to the calling router, you should see some disconnect reason in the debug.

  • RSA SecurID authentication

    Hi,
    I am trying to set up RSA authentication with OAM, and having problems.
    1. If securid.pl is not protected (using Anonymous Auth) or is protected by a scheme not for SecurID Auth, I get "The page cannot be displayed" at login, and securid.pl shows in the URL in the same browser. The securid.pl debug log shows info in the fields: cookie, servername, and serverport.
    2. If securid.pl is protected with the scheme "SecurID Authentication", the RSA login hangs for 10-20 minutes, then "The page cannot be displayed" shows up. The securid.pl debug log is not updated.
    Any suggestions or hints? Thanks in advance.

    Hi Vinod,
    Running an authentication test with the ACE agent utility works fine. The ACE server log will be verified tomorrow, as I don't have access to it.
    1. How to tell if securid.pl can connect to the ACE agent, and connect to the ACE server? Are there any indications in the Access or WebGate trace logs to show securid.pl is trying to connect to the ACE agent/server?
    2. What is the correct scheme to protect securid.pl?
    The ACE server log will be verified tomorrow ...
    Thanks,
    Charlie

  • RSA SecurID Authentication Plug-In

    Hi all!
    I am trying to integrate the SecurID PlugIn and have the following problems.
    When I try to log in for the first time I get back a file from the ACE server called sdstatus.12. It is stored in the same directory where the sdconf.rec file resides. Both are binary files and not readable.
    In the WebGate log file I get the following error message: "the access manager returned a fatal error with no detailed information".
    Turning on the debug mode of the Access Server does not help. I can only see that my credentials are passed by the WebGate, and you can see "Client 'name of the webgate' Authenticated".
    Before the WebGate makes the redirect to the error page I can find the following in the debug file: "Failed to get formname from credentials".
    Any hints are welcome.
    Kind regards
    Gregor

    Hi Gregor:
    I assume you are already looking at the docs, right? I'm referring to:
    http://download.oracle.com/docs/cd/E12530_01/oam.1014/e10356/rsa.htm
    "Oracle Access Manager enables integration of SecurID authentication by providing the following:
    • The HTML forms required for SecurID authentication operations
    • The CGI script required to authenticate users with the RSA ACE/Server
    • The SecurID authentication plug-in, authn_securid, required for the Oracle Access Manager SecurID authentication scheme"
    The documentation goes on to mention that there are forms required for the SecurID system's New PIN and Next Tokencode Mode.
    A first authentication would likely require a new PIN. Perhaps the appropriate form is missing or not installed properly?
    Hope this helps. I've been a consultant to RSA for many years, but I've never actually installed this plug-in. If all the parts are properly installed and you still have problems, you should probably check with your SSE or RSA Tech Support.
    _Vin

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS 5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "RADIUS Identity Servers" in the external identity stores section of ACS 5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x-enabled laptop into the switch I can see the packets going to my ACS, but I cannot see any communication from my ACS to the RSA server. The error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up. I would start troubleshooting by looking at them to see what identity store or identity store sequence they are using.

  • AAA authorization with ACS 3.2

    I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to certain commands (ex. show). I'm pretty sure my ACS box is setup correctly, but my devices aren't. Here is the current config:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

    Marek
    1) It is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem we are dealing with is not an issue of failure to communicate.
    2) It is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from the default, you do not need level1 to be mentioned on the router.
    I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more, you may be able to participate in the forum by providing answers in addition to asking questions.
    3) As I read your config, authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available, you can manage to lock yourself out of the router.
    I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way), but I strongly suggest that you plan to put the backups in before you put anything like this into production.
    4) The fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command: privilege level 15. If it is there, remove it and test over again.
    HTH
    Rick

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problem, but I never seem to be able to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect; configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.S. I have tried it with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell command authorization set feature or play with privilege levels. Not both mixed together.
    The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
    This is what I suggest: put the commands back to their normal level.
    Below are the steps to configure shell command authorization:
    Follow the following steps on the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    Provide a sufficient description (if required).
    (a) For a Full Access administrative set:
    In Unmatched Commands, select 'Permit'.
    (b) For a Limited Access set:
    In Unmatched Commands, select 'Deny'.
    In the box above the 'Add Command' box type in the main command, and in the box below, 'Permit unmatched Args', provide the sub-command to allow.
    For example: if we want the user to be able to access only the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Go to the group on which we want to apply this command authorization set. Select 'Edit Settings'.
    (cont...)
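To make the permit/deny logic of the reply concrete, here is an added example (my own code, not ACS's and not from the thread) that models a Shell Command Authorization Set and evaluates typed commands against the Limited Access set described above. It assumes the first word is the command, that arguments are compared as a whole string, that a permitted command typed with no arguments is allowed, and that everything else falls to the 'Unmatched Commands' / 'Permit Unmatched Args' defaults; ACS's real matching may differ.

```python
"""Added example, not from the thread: a small model of how an ACS Shell Command
Authorization Set decides a command, built from the Limited Access set in the
reply above (login/logout/exit/enable/disable permitted; 'configure terminal',
'interface ethernet' and 'show running-config' permitted by argument).
Assumptions (not ACS's real matching code): the first word is the command,
arguments are compared as a whole string, a permitted command typed with no
arguments is allowed, and anything else falls to the 'Unmatched Commands' /
'Permit Unmatched Args' defaults."""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One row of the set: the command's own action plus its argument rules."""
    action: str                                      # "permit" or "deny"
    args: list = field(default_factory=list)         # list of (action, arg_string)
    permit_unmatched_args: bool = False              # 'Permit Unmatched Args' for this row


@dataclass
class CommandSet:
    rules: dict                                      # command word -> CommandRule
    permit_unmatched_commands: bool = False          # 'Unmatched Commands' radio button

    def evaluate(self, command_line):
        """Return (permitted, reason) for one command line the user typed."""
        words = command_line.split()
        if not words:
            return False, "empty command"
        cmd, argv = words[0], " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            verdict = self.permit_unmatched_commands
            return verdict, f"'{cmd}' not in set; Unmatched Commands = {verdict}"
        if rule.action != "permit":
            return False, f"'{cmd}' is explicitly denied"
        if not argv:
            return True, f"'{cmd}' permitted with no arguments"
        for action, pattern in rule.args:
            if argv == pattern:
                return action == "permit", f"'{command_line}' matched arg rule '{action} {pattern}'"
        verdict = rule.permit_unmatched_args
        return verdict, f"'{command_line}': no arg rule matched; Permit Unmatched Args = {verdict}"


def limited_access_set():
    """The Limited Access set from the reply ('Unmatched Commands' = Deny)."""
    return CommandSet(
        permit_unmatched_commands=False,
        rules={
            "login": CommandRule("permit"),
            "logout": CommandRule("permit"),
            "exit": CommandRule("permit"),
            "enable": CommandRule("permit"),
            "disable": CommandRule("permit"),
            "configure": CommandRule("permit", [("permit", "terminal")]),
            "interface": CommandRule("permit", [("permit", "ethernet")]),
            "show": CommandRule("permit", [("permit", "running-config")]),
        },
    )


def full_access_set():
    """The Full Access administrative set: no rows, 'Unmatched Commands' = Permit."""
    return CommandSet(rules={}, permit_unmatched_commands=True)


if __name__ == "__main__":
    s = limited_access_set()
    for line in ("show running-config", "interface ethernet 1", "configure terminal",
                 "show version", "reload"):
        ok, why = s.evaluate(line)
        print(f"{line!r:28} -> {'permit' if ok else 'Command authorization failed'}: {why}")
```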

  • Exec authorization with radius..

    Hi guys, I was configuring auth-proxy. I had a
    m/c---(inside)router(outside)---internet
    Now I want a normal user to not be able to get telnet access to my router; only certain users can have telnet access from the inside. I don't want to use NAR. I want to do this only with RADIUS authorization.
    I was looking at controlling the access of the users to the router with the help of RADIUS.
    aaa authorization exec default group tacacs+
    When I use the above command I know that I can control the shell access by checking the shell box, but when I use the below command
    aaa authorization exec default group radius
    I was not able to find any particular RADIUS AV-pair which can control the exec shell access in the way the above one does.

    Hi,
    Make use of this,
    shell:priv-lvl=15
    shell:autocmd=exit
    So what will happen with this is, as soon as the user tries to log into the shell, BOOM!, the user will exit out.
    NOTE: I have not tried this exactly, but it should work; you might be required to use the separator ";", i.e.,
    shell:priv-lvl=15;
    shell:autocmd=exit
    Regards,
    Prem

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    The customer currently uses ASA to directly integrate with an RSA-type solution to provide a 2-factor authentication mechanism for VPN user access. We're considering introducing ISE into this picture, and offloading posture analysis from ASA to ISE. The flow we're thinking of is to have ASA interface to ISE, and ISE interface to the RSA and AD backend infrastructure. We still need the 2-factor authentication to work, i.e., the customer gets an SMS code in addition to their login username and password. I'm wondering if an ASA/ISE/RSA/AD integrated solution (with 2-factor authentication working) is a tested solution or a Cisco Validated Design? Are there any potential issues that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further along the path.
    Now the needed RADIUS access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on the Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS access requests going in to the ASA.
    Now, looking at a request in "Radius Authentication details", I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange; I must have defined that wrong(?), but let's leave that for now, I do not really need it for the moment.
    So now that I have this Tunnel-Group-Name attribute available, I want to use it in my Rule-Based Authentication Policy.
    The problem now is that as soon as I add, in an expression, a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be that I have missed?
    Best regards
    /Mattias

  • AAA issues with VPN and IPCP?

    Hi,
    I have been struggling to find a solution as to why my L2TP tunnel comes up but no IP through IPCP is working. I have a few third-party VPN providers that I can connect to with no problem. My config is solid as far as the Virtual-PPP interface is concerned. So, as far as the AAA is concerned, here are a few commands that I have used:
    aaa new-model
    aaa authentication login local_auth local
    aaa authentication ppp default none
    So, here are the relevant debugs:
    008940: *Jan  7 15:08:05.543 MDT: Vp1 LCP: Timeout: State Listen
    008941: *Jan  7 15:08:05.543 MDT: AAA/AUTHOR (00000007): Method list id=0 not configured. Skip author
    008942: *Jan  7 15:08:05.543 MDT: Vp1 PPP: Authorization NOT required
    008943: *Jan  7 15:08:05.543 MDT: Vp1 PPP: No remote authentication for call-out
    008944: *Jan  7 15:08:05.543 MDT: Vp1 AAA/AUTHOR/LCP: Authorization succeeds trivially
    008945: *Jan  7 15:08:05.543 MDT: Vp1 LCP: O CONFREQ [Listen] id 142 len 10
    008946: *Jan  7 15:08:05.543 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008947: *Jan  7 15:08:07.559 MDT: Vp1 LCP: Timeout: State REQsent
    008948: *Jan  7 15:08:07.559 MDT: Vp1 LCP: O CONFREQ [REQsent] id 143 len 10
    008949: *Jan  7 15:08:07.559 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008950: *Jan  7 15:08:09.575 MDT: Vp1 LCP: Timeout: State REQsent
    008951: *Jan  7 15:08:09.575 MDT: Vp1 LCP: O CONFREQ [REQsent] id 144 len 10
    008952: *Jan  7 15:08:09.575 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008953: *Jan  7 15:08:11.591 MDT: Vp1 LCP: Timeout: State REQsent
    008954: *Jan  7 15:08:11.591 MDT: Vp1 LCP: O CONFREQ [REQsent] id 145 len 10
    008955: *Jan  7 15:08:11.591 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008956: *Jan  7 15:08:13.607 MDT: Vp1 LCP: Timeout: State REQsent
    008957: *Jan  7 15:08:13.607 MDT: Vp1 LCP: O CONFREQ [REQsent] id 146 len 10
    008958: *Jan  7 15:08:13.607 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    008959: *Jan  7 15:08:13.691 MDT: Vp1 LCP: I CONFREQ [REQsent] id 0 len 8
    008960: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    AuthProto PAP (0x0304C023)
    008961: *Jan  7 15:08:13.691 MDT: Vp1 LCP: O CONFACK [REQsent] id 0 len 8
    008962: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    AuthProto PAP (0x0304C023)
    008963: *Jan  7 15:08:13.691 MDT: Vp1 LCP: State is Open
    008964: *Jan  7 15:08:13.691 MDT: Vp1 PPP: Phase is AUTHENTICATING, by the peer
    Cisco3825#
    008965: *Jan  7 15:08:13.691 MDT: AAA/AUTHEN/PPP (00000007): Pick method list 'default'
    008966: *Jan  7 15:08:13.691 MDT: Vp1 LCP: I CONFREJ [Open] id 146 len 10
    008967: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    008968: *Jan  7 15:08:13.691 MDT: Vp1 LCP: O CONFREQ [ACKsent] id 147 len 4
    008969: *Jan  7 15:08:13.775 MDT: Vp1 LCP: I CONFACK [ACKsent] id 147 len 4
    008970: *Jan  7 15:08:13.775 MDT: Vp1 LCP: State is Open
    008971: *Jan  7 15:08:13.775 MDT: AAA/AUTHEN/PPP (00000007): Pick method list 'default'
    Cisco3825#
    008972: *Jan  7 15:08:23.783 MDT: Vp1 AUTH: Timeout 1
    Cisco3825#
    008973: *Jan  7 15:08:33.799 MDT: Vp1 AUTH: Timeout 2
    Cisco3825#
    008974: *Jan  7 15:08:43.815 MDT: Vp1 AUTH: Timeout 3
    Cisco3825#
    008975: *Jan  7 15:08:53.831 MDT: Vp1 AUTH: Timeout 4
    Cisco3825#
    008976: *Jan  7 15:09:03.847 MDT: Vp1 AUTH: Timeout 5
    Cisco3825#
    008977: *Jan  7 15:09:07.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008978: *Jan  7 15:09:13.864 MDT: Vp1 AUTH: Timeout 6
    Cisco3825#
    008979: *Jan  7 15:09:17.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008980: *Jan  7 15:09:23.880 MDT: Vp1 AUTH: Timeout 7
    Cisco3825#
    008981: *Jan  7 15:09:27.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008982: *Jan  7 15:09:33.896 MDT: Vp1 AUTH: Timeout 8
    Cisco3825#
    008983: *Jan  7 15:09:37.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008984: *Jan  7 15:09:43.912 MDT: Vp1 AUTH: Timeout 9
    Cisco3825#
    008985: *Jan  7 15:09:47.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008986: *Jan  7 15:09:53.928 MDT: Vp1 AUTH: Timeout 10
    Cisco3825#
    008987: *Jan  7 15:09:57.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008988: *Jan  7 15:10:03.944 MDT: Vp1 AUTH: Timeout 11
    008989: *Jan  7 15:10:03.944 MDT: Vp1 PPP: Sending Acct Event[Down] id[7]
    008990: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): NET DOWN
    008991: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007): Method list not found
    008992: *Jan  7 15:10:03.944 MDT: AAA/ACCT(00000007): del node, session 4
    008993: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007): free_rec, count 0
    008994: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007) reccnt 0, csr FALSE, osr 0
    008995: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Update Vp1
    008996: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [pre-sess] (rx/tx) base 2114/15028 pre 15468/32490 call 15468/32490
    008997: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [pre-sess] (rx/tx) adjusted, pre 13354/17462 call 0/0
    008998: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Update Vp1
    008999: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [sess] (rx/tx) base 2114/15028 pre 15468/32490 call 15468/32490
    Cisco3825#
    009000: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [sess] (rx/tx) adjusted, pre 13354/17462 call 0/0
    009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
    009002: *Jan  7 15:10:03.944 MDT: Vp1 PPP: Phase is TERMINATING
    009003: *Jan  7 15:10:03.944 MDT: Vp1 LCP: O TERMREQ [Open] id 148 len 4
    009004: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): CALL STOP
    009005: *Jan  7 15:10:03.944 MDT: AAA/ACCT(00000007) reccnt 0, osr 0
    009006: *Jan  7 15:10:04.028 MDT: Vp1 LCP: I TERMACK [TERMsent] id 148 len 4
    009007: *Jan  7 15:10:04.028 MDT: Vp1 LCP: State is Closed
    009008: *Jan  7 15:10:04.028 MDT: Vp1 PPP: Phase is DOWN
    009009: *Jan  7 15:10:04.028 MDT: Vp1 PPP: Phase is ESTABLISHING, Passive Open
    009010: *Jan  7 15:10:04.028 MDT: Vp1 LCP: State is Listen
    Cisco3825#
    009011: *Jan  7 15:10:06.024 MDT: Vp1 LCP: Timeout: State Listen
    009012: *Jan  7 15:10:06.024 MDT: AAA/BIND(00000009): Bind i/f Virtual-PPP1
    009013: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Register Vp1 100Mbit/s, poll every 5m 0s
    009014: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Update Vp1
    009015: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Vp1 [init-sess] (rx/tx) base 15474/32498 pre 15474/32498 call 15474/32498
    009016: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Vp1 [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
    009017: *Jan  7 15:10:06.024 MDT: AAA/ACCT/EVENT/(00000009): CALL START
    009018: *Jan  7 15:10:06.024 MDT: Getting session id for NET(00000009) : db=6902396C
    009019: *Jan  7 15:10:06.024 MDT: AAA/ACCT(00000000): add node, session 6
    009020: *Jan  7 15:10:06.024 MDT: AAA/ACCT/NET(00000009): add, count 1
    009021: *Jan  7 15:10:06.024 MDT: Getting session id for NONE(00000009) : db=6902396C
    009022: *Jan  7 15:10:06.024 MDT: AAA/AUTHOR (0000
    Cisco3825#0009): Method list id=0 not configured. Skip author
    009023: *Jan  7 15:10:06.024 MDT: Vp1 PPP: Authorization NOT required
    009024: *Jan  7 15:10:06.024 MDT: Vp1 PPP: No remote authentication for call-out
    009025: *Jan  7 15:10:06.024 MDT: Vp1 AAA/AUTHOR/LCP: Authorization succeeds trivially
    009026: *Jan  7 15:10:06.024 MDT: Vp1 LCP: O CONFREQ [Listen] id 149 len 10
    009027: *Jan  7 15:10:06.024 MDT: Vp1 LCP:    MagicNumber 0x1A23E698 (0x05061A23E698)
    009028: *Jan  7 15:10:06.108 MDT: Vp1 LCP: I CONFREJ [REQsent] id 149 len 10
    009029: *Jan  7 15:10:06.108 MDT: Vp1 LCP:    MagicNumber 0x1A23E698 (0x05061A23E698)
    009030: *Jan  7 15:10:06.108 MDT: Vp1 LCP: O CONFREQ [REQsent] id 150 len 4
    009031: *Jan  7 15:10:06.192 MDT: Vp1 LCP: I CONFACK [REQsent] id 150 len 4
    Cisco3825#
    009032: *Jan  7 15:10:07.356 MDT: Vp1 PPP: Outbound ip packet dropped
    009033: *Jan  7 15:10:08.104 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009034: *Jan  7 15:10:08.104 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 151 len 4
    009035: *Jan  7 15:10:08.188 MDT: Vp1 LCP: I CONFACK [REQsent] id 151 len 4
    Cisco3825#
    009036: *Jan  7 15:10:10.120 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009037: *Jan  7 15:10:10.120 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 152 len 4
    009038: *Jan  7 15:10:10.204 MDT: Vp1 LCP: I CONFACK [REQsent] id 152 len 4
    Cisco3825#show
    009039: *Jan  7 15:10:12.136 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009040: *Jan  7 15:10:12.136 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 153 len 4
    009041: *Jan  7 15:10:12.216 MDT: Vp1 LCP: I CONFACK [REQsent] id 153 len 4
    Cisco3825#show l2tp
    009042: *Jan  7 15:10:14.152 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009043: *Jan  7 15:10:14.152 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 154 len 4
    009044: *Jan  7 15:10:14.232 MDT: Vp1 LCP: I CONFACK [REQsent] id 154 len 4
    Cisco3825#show l2tp
    L2TP Tunnel and Session Information Total tunnels 1 sessions 1
    LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                               Count VPDN Group
    37822      1          xxxxxxxxxxxx est    xxx.xxx.xxx.xxx  1     l2tp_default_cl
    LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                     Vcid, Circuit
    124        1          37822      1, Vp1               est    00:02:03 1
    Here are a couple of things I noticed:
    009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
    008990: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): NET DOWN
    I don't have this issue with other providers.  I don't have the whole radius / tacacs thing set up, as it's not necessary for our needs.
    Ideas?
    Thanks for the help.
    Jason
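
The debug output above has a regular shape: a sequence number, a timestamp and time zone, then either a PPP/LCP message or an AAA subsystem prefix carrying the eight-hex-digit AAA unique id in parentheses (`AAA/ACCT/HC(00000007)`, `AAA/AUTHOR (00000009)`, `AAA/ACCT(00000007) reccnt ...`). The parser below is an added example written for this thread, not code from the original post or from Cisco. It extracts those fields, groups AAA events by unique id, and flags the sequence Jason points out (NET DOWN, Deregister, CALL STOP) alongside the new session on which authorization was skipped because no method list was configured. The sample input is a handful of the thread's own lines, including the echoed `Cisco3825#` prompt, assembled into one constructed string; the record field names and the flag names are the example's own.

```python
"""Parse Cisco IOS debug output of the kind pasted in this thread and
summarise AAA activity per unique id. Added example; not the poster's code."""
import re
from collections import defaultdict

# Sequence-numbered IOS debug line, e.g.
#   009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
LINE_RE = re.compile(
    r"^(?P<seq>\d+): \*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tz>[A-Z]{3,4}): (?P<body>.*)$"
)

# AAA subsystem prefix plus 8-hex-digit unique id. The thread shows several
# spellings of the same shape, all accepted here:
#   AAA/ACCT/HC(00000007): ...      AAA/ACCT/EVENT/(00000007): ...
#   AAA/AUTHOR (00000009): ...      AAA/ACCT(00000007) reccnt 0, osr 0
AAA_RE = re.compile(
    r"^(?P<subsys>AAA(?:/[A-Z]+)*)/?\s*\((?P<uid>[0-9A-Fa-f]{8})\):?\s*(?P<msg>.*)$"
)

# Exec prompt echoed into the debug stream ("Cisco3825#", "Cisco3825#show l2tp").
PROMPT_RE = re.compile(r"^[\w.-]+[#>]")

# Constructed sample: a few lines taken from the debug output above.
SAMPLE = """\
008990: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): NET DOWN
009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
009002: *Jan  7 15:10:03.944 MDT: Vp1 PPP: Phase is TERMINATING
009004: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): CALL STOP
009005: *Jan  7 15:10:03.944 MDT: AAA/ACCT(00000007) reccnt 0, osr 0
Cisco3825#
009012: *Jan  7 15:10:06.024 MDT: AAA/BIND(00000009): Bind i/f Virtual-PPP1
009017: *Jan  7 15:10:06.024 MDT: AAA/ACCT/EVENT/(00000009): CALL START
009019: *Jan  7 15:10:06.024 MDT: AAA/ACCT(00000000): add node, session 6
009022: *Jan  7 15:10:06.024 MDT: AAA/AUTHOR (00000009): Method list id=0 not configured. Skip author
009023: *Jan  7 15:10:06.024 MDT: Vp1 PPP: Authorization NOT required
Cisco3825#show l2tp
"""


def parse_debug(text):
    """Return (records, unparsed). Each record has seq, ts, tz, body and,
    for AAA lines, subsys/uid/msg (uid is None for non-AAA lines)."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pm = PROMPT_RE.match(line)
        if pm:
            # Echoed prompt: anything after it is a typed command or a debug
            # fragment the prompt split off, so keep it rather than lose it.
            rest = line[pm.end():].strip()
            if rest:
                unparsed.append(rest)
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        a = AAA_RE.match(rec["body"])
        if a:
            rec.update(a.groupdict())
        else:
            rec.update(subsys=None, uid=None, msg=rec["body"])
        records.append(rec)
    return records, unparsed


def summarize_aaa(records):
    """Group AAA records by unique id and flag call start/stop, NET DOWN, and
    authorization skipped because no method list is configured."""
    sessions = defaultdict(lambda: {"events": [], "call_start": False,
                                    "call_stop": False, "net_down": False,
                                    "author_skipped": False})
    for rec in records:
        if rec["uid"] is None:
            continue
        s = sessions[rec["uid"]]
        s["events"].append((rec["subsys"], rec["msg"]))
        msg = rec["msg"]
        if msg.startswith("CALL START"):
            s["call_start"] = True
        elif msg.startswith("CALL STOP"):
            s["call_stop"] = True
        elif msg.startswith("NET DOWN"):
            s["net_down"] = True
        elif "not configured. Skip author" in msg:
            s["author_skipped"] = True
    return dict(sessions)


def report(text):
    """Human-readable per-id summary plus any fragments the parser skipped."""
    records, unparsed = parse_debug(text)
    out = []
    for uid, s in sorted(summarize_aaa(records).items()):
        flags = [k for k in ("call_start", "call_stop", "net_down", "author_skipped") if s[k]]
        out.append(f"AAA id {uid}: {len(s['events'])} events; {', '.join(flags) or 'no flagged events'}")
    if unparsed:
        out.append(f"{len(unparsed)} fragment(s) not parsed as debug lines: {unparsed}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running it against the sample shows id 00000007 closing (NET DOWN, CALL STOP) and id 00000009 starting with `author_skipped` set, which is the "Authorization NOT required" path in the paste: with no `aaa authorization network` method list configured, the router never consults RADIUS or TACACS for the PPP session, so a capture on the AAA server will show nothing for it.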

    Hi,
    To resolve your issue as soon as possible, please post your question on the Forefront TMG forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
    Steven Lee
    TechNet Community Support

  • AAA Authorization with DAP

    When forcing a tunnel-group to authorize users against an AAA server-group with a corresponding ldap attribute-map in that AAA group, does that mapping of usergroup->group-policy get passed up to the DAP process?

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap
