
AAA question Cisco 837 and 1720


NoBigDeal

MIS
Jul 27, 2006
I have aaa set up on a 1720 and an 837. I was authenticating using Cisco ACS, and had the 1720 as the NAS. AAA authorization kept failing when I would telnet to the NAS. Going through the console, it was fine. So I moved the config to my adsl 837, and pointed the ACS to it. Same deal. When I look at the logs in the ACS, it just says that service is denied, service=shell cmd*. I'm using ACS ver. 3.2 on Windows 2000 Advanced Server, authenticating from the CiscoSecure Database. I matched the secret console password in the router config as the ACS config. Here's the router config, followed by sh ver...


Building configuration...

Current configuration : 6386 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Hudson
boot-start-marker
boot-end-marker
memory-size iomem 5
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 64000 debugging
logging rate-limit console 5
logging console warnings
enable secret 5 $1$QBhE$7ESljYkbolpAYlTHYXdgC/
enable password 7 15065A010933
username XXXXX privilege 15 password 7 1049591811310708070138
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
clock save interval 8
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.10.10.10
ip dhcp pool Hudson
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 68.94.156.1
lease 7
ip tcp synwait-time 10
ip cef
no ip domain lookup
ip domain name local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
no ip bootp server
ip inspect udp idle-time 3600
ip inspect dns-timeout 60
ip inspect tcp synwait-time 60
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name ipv4-FireWall tcp
ip inspect name ipv4-FireWall udp
ip inspect name ipv4-FireWall ftp
ip inspect name ipv4-FireWall h323
ip inspect name ipv4-FireWall skinny
ip inspect name ipv4-FireWall icmp
ip inspect name ipv4-FireWall fragment maximum 256 timeout 1
ip inspect name ipv4-FireWall realaudio
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 300 attempts 1 within 300
login delay 1
login quiet-mode access-class ssh-clients
login on-failure log
login on-success log
no ftp-server write-enable
interface Null0
no ip unreachables
interface Ethernet0
description Connected to Local Network
ip address 10.0.0.1 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect ipv4-FireWall in
ip inspect ipv4-FireWall out
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
priority-group 1
no cdp enable
interface Ethernet0.2
no cdp enable
interface ATM0
no ip address
ip access-group 118 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
interface FastEthernet1
no ip address
duplex auto
speed auto
priority-group 1
interface FastEthernet2
no ip address
duplex auto
speed auto
interface FastEthernet3
no ip address
duplex auto
speed auto
interface FastEthernet4
no ip address
duplex auto
speed auto
interface Dialer0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect ipv4-FireWall in
ip inspect ipv4-FireWall out
ip route-cache flow
no cdp enable
interface Dialer1
ip address negotiated
ip access-group ipv4-inet-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname tim_liz@sbcglobal.net
ppp chap password 7 105F1C18161600
ppp pap sent-username tim_liz@sbcglobal.net password 7 01021305480A14
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
router eigrp 1
network 10.0.0.0
no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip access-list extended ipv4
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any any eq 22 log
permit tcp any any eq smtp
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit 41 any any
deny ip any any log
ip access-list extended ssh-clients
remark -- Only local net remains after login failure ---------
permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
remark -- Drop and log all other SSH attempts ----------------
deny tcp any any eq 22 log
remark -- DONE -----------------------------------------------
remark -- Only local net remains after login failure ---------
permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
remark -- Drop and log all other SSH attempts ----------------
remark -- DONE -----------------------------------------------
logging trap debugging
access-list 10 remark Telnet Access
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any eq www
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 118 deny tcp any 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high list 101
priority-list 1 protocol ip medium list 102
snmp-server trap link ietf
snmp-server contact Tim from Router <XXXXXXXXXXXXXX.com>
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server host 10.0.0.1 public
no cdp run
tacacs-server host 172.16.0.1 single-connection
tacacs-server directed-request
tacacs-server key 7 121B091610070D06262A656972
control-plane
banner login ^Go Away.^

line con 0
exec-timeout 300 0
password 7 010757095612
no modem enable
transport output telnet
stopbits 1
line aux 0
transport output telnet
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 10 in
exec-timeout 300 0
password 7 08351D430400
transport input telnet ssh
no scheduler max-task-time
scheduler interval 500
end

Hudson#sh ve
Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
Technical Support: Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Sat 02-Apr-05 13:38 by yiyan

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

Hudson uptime is 56 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3sy6-mz.123-11.T5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco C837 (MPC857DSL) processor (revision 0x500) with 46695K/2457K bytes of memory.
Processor board ID AMB082800Z3 (4065712450), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

Hudson#

Sorry for the long post. Any ideas? Thanks.
 
Hi,

I would edit your post to remove your passwords etc.

Just a thought.....

MCP,CCA,CCNA, Net+, Half CCNP...
 
NoBigDeal,

It looks as if your commands are correct for AAA authorization via ACS using TACACS+. I think the issue is probably with your ACS configuration itself.

Take a look at the user/group settings for the account you are using within ACS to authenticate to the network device. In there you should examine the fields for TACACS+ settings and make sure that shell(exec) is checked and the privilege level field is checked and set to level 15. These are required for proper AAA authorization for executive access.

One other thing, you may want to consider employing a backdoor username and password combination in case AAA access authentication/authorization fails due to a device's inability to communicate with the ACS box. The commands for this are:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

I can see that you already have a local username and password configured so that would be used in such a circumstance.


Belushi, CCNP
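To make Belushi's two points concrete (an ACS user/group without shell(exec) and a privilege level fails the exec-start authorization that ACS logs as "service=shell cmd*", and the "local" fallback is only reached when the TACACS+ server errors, not when it denies), here is an added Python model. It is not code from the thread or from Cisco; the profile fields, the username and the privilege values are constructed sample data, and the status names follow RFC 8907.

```python
# Added example, not from the thread: models the ACS-side decision for the
# router's exec-start authorization request ("service=shell cmd*") and the
# IOS method-list behaviour of "group tacacs+ local". All profile data, the
# username and privilege values are constructed; statuses follow RFC 8907.
from dataclasses import dataclass

PASS_ADD, FAIL, ERROR = "PASS_ADD", "FAIL", "ERROR"  # TACACS+ authorization statuses
LOCAL_USERS = {"XXXXX": 15}   # the router's local username/privilege (constructed)

@dataclass
class AcsProfile:              # stand-in for the ACS "TACACS+ Settings" section
    shell_exec: bool = False   # the "Shell (exec)" checkbox
    priv_lvl: int = None       # the "Privilege level" field; None = not checked

def tacacs_authorize(profile, args, reachable=True):
    """Server-side decision for one authorization request (dict of AV pairs)."""
    if not reachable:
        return ERROR, {}        # no reply at all; IOS counts this as a method ERROR
    exec_start = args.get("service") == "shell" and args.get("cmd") == ""
    if exec_start and profile.shell_exec and profile.priv_lvl is not None:
        return PASS_ADD, {"priv-lvl": str(profile.priv_lvl)}
    return FAIL, {}             # what ACS logs as "service denied"

def local_authorize(user, local_users):
    """The 'local' method: pass if the username exists, returning its privilege."""
    if user in local_users:
        return PASS_ADD, {"priv-lvl": str(local_users[user])}
    return FAIL, {}

def aaa_authorization_exec(user, methods):
    """Walk the method list like IOS: only ERROR moves on to the next method;
    a FAIL from the first method that answers is final (no fallback)."""
    for name, method in methods:
        status, attrs = method(user)
        if status != ERROR:
            return name, status, attrs
    return "none", ERROR, {}    # every method errored

def run(profile, reachable, user="XXXXX"):
    """Exec authorization with 'group tacacs+ local' for the given ACS profile."""
    exec_request = {"service": "shell", "cmd": ""}  # "cmd*": optional, empty value
    methods = [
        ("tacacs+", lambda u: tacacs_authorize(profile, exec_request, reachable)),
        ("local", lambda u: local_authorize(u, LOCAL_USERS)),
    ]
    return aaa_authorization_exec(user, methods)

if __name__ == "__main__":
    print("ACS profile unchecked :", run(AcsProfile(), True))          # the poster's symptom
    print("shell(exec) + priv 15 :", run(AcsProfile(True, 15), True))
    print("ACS unreachable       :", run(AcsProfile(True, 15), False)) # local fallback used
```

The third case is the only one in which the local username is consulted; a profile that ACS rejects is rejected on the router too, which is why fixing the ACS user/group settings comes first.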


 