AAA authentication in Cisco router

I want to create user names and passwords with a privilege level for each user on a Cisco 3640 router. I don't have an authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest how I should proceed?

Thanks in advance

Hello

If you want to create users in the local database of the router, you must use the following commands:

username cisco privilege 5 password test

aaa new-model

aaa authentication login default local

aaa authorization exec default local

http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#12277

Thank you

Sujit
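As an added illustration (not code from this thread or from Cisco), the following Python script parses an IOS running-config and reports the local-AAA and management-plane weaknesses that recur in the configurations posted further down this page: no `aaa new-model`, `username ... password` instead of `secret`, `enable password`, telnet on the vty lines, read-write SNMP communities and cleartext HTTP. Both embedded configs are constructed: the weak one mirrors settings seen on this page, the hardened one applies the local AAA of the answer above.

```python
import re

# Constructed sample config (not a real device): it mirrors the kinds of
# settings seen in the configs posted further down this page.
WEAK_CONFIG = """\
no service password-encryption
enable secret 4 tnhtc92DsfdXBhelxjLWJy3243i4ntXrpb4RdfFmfqY
no aaa new-model
username admin privilege 15 secret 4 lUgFIkgcrt4SYXMq7jZtxq52lwdfgkj238
username cisco privilege 5 password test
ip http server
snmp-server community public RW
line vty 0 4
 password cisco
 login local
 transport input telnet
"""

# Same device with local AAA configured as the answer describes, plus the
# hardening a reviewer would ask for. The second hash is a constructed value.
HARDENED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret 4 tnhtc92DsfdXBhelxjLWJy3243i4ntXrpb4RdfFmfqY
username admin privilege 15 secret 4 lUgFIkgcrt4SYXMq7jZtxq52lwdfgkj238
username cisco privilege 5 secret 4 CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxx
ip http secure-server
line vty 0 4
 exec-timeout 10 0
 login authentication default
 transport input ssh
"""

USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d+))? \S+$")


def parse_config(text):
    """Return (global_lines, {section_header: [sub_commands]}); IOS marks
    sub-commands with a leading space and uses '!' lines as separators."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections.setdefault(current, [])
    return global_lines, sections


def audit_local_aaa(text):
    """Return [(severity, message)] for local-AAA and management pitfalls."""
    global_lines, sections = parse_config(text)
    findings = []
    aaa_on = "aaa new-model" in global_lines
    if not aaa_on:
        findings.append(("high", "'aaa new-model' is off: only per-line "
                         "login/password applies, no method lists or accounting"))
    elif not any(g.startswith("aaa authentication login ") for g in global_lines):
        findings.append(("medium", "'aaa new-model' set but no "
                         "'aaa authentication login' method list defined"))
    for g in global_lines:
        m = USERNAME_RE.match(g)
        if m:
            name, priv, kind, ptype = m.groups()
            if kind == "password":  # type 0 (clear) or type 7 (reversible)
                findings.append(("high", f"username {name}: 'password' (type "
                                 f"{ptype or '0'}) is reversible, use 'secret'"))
            if priv == "15":
                findings.append(("info", f"username {name}: privilege 15 (full enable)"))
        if g.startswith("enable password"):
            findings.append(("high", "'enable password' is reversible, use 'enable secret'"))
        if g == "no service password-encryption":
            findings.append(("medium", "type-0 passwords are stored and shown in clear"))
        if g.startswith("snmp-server community "):
            community, *rest = g.split()[2:]
            if "RW" in rest:
                findings.append(("high", f"SNMP community '{community}' is read-write"))
            if community.lower() in ("public", "private"):
                findings.append(("medium", f"SNMP community '{community}' is a default name"))
        if g == "ip http server":
            findings.append(("medium", "cleartext HTTP management is enabled"))
    for header, subs in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [s for s in subs if s.startswith("transport input")]
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(("high", f"{header}: transport input is not restricted to ssh"))
        if not aaa_on and "login local" not in subs:
            findings.append(("high", f"{header}: line password only, no per-user accounts"))
        if not any(s.startswith("exec-timeout") for s in subs):
            findings.append(("low", f"{header}: no exec-timeout, idle sessions never expire"))
    return findings
```

Running `audit_local_aaa(WEAK_CONFIG)` lists nine findings, four of them high; the hardened config yields only the informational note about the privilege-15 account.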

Tags: Cisco Security

Similar Questions

  • AAA authentication for external router through PIX 515

    I have been trying, in vain, to get AAA authentication working to my external router through the PIX.

    When I connect the router directly to that network (bypassing the PIX), AAA works fine, so I know the AAA configuration works between the router and the ACS server.

    Initially, I had the PIX configured with a static mapping between a global external address 192.x.x.12 and the ACS server's local address 10.200.1.187, but that didn't work either. So, currently I am using NAT exemption for the ACS server, but it does not work either.

    If I enable packet debugging on the PIX, I see the ACS authentication request and response between the router and the ACS when I try to log in to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS sends an RST.

    The attached diagram shows the simple connection that I'm trying to create.

    The PIX configuration is also attached (the message would otherwise be too large):

    Thanks in advance for your help. I have searched for two days and have not found a solution that looks like this.

    Ron Buchalski

    What you need to do is:

    1. PIX:

    - static map the ACS/TACACS+ server to a public IP address

    static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

    - otherwise, if you don't have enough public IPs, use port forwarding to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, for TCP 49 only:

    static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255

    * allow the ACS to talk to the external router via the public IP

    Create/add an entry in the ACL applied to the outside interface to allow the TACACS+ protocol from the external router to the ACS:

    access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (TACACS+ uses TCP 49)

    access-group outside in interface outside

    * x.x.x.1 = the outside router

    2. ACS

    - Add the outside router IP (the FastEthernet interface facing the PIX outside interface) as an AAA client

    - Make sure, of course, that the secret key is identical on the ACS and the router

    3. The outside router

    - Add the ACS as radius-server using its public IP, as mapped in the PIX, which is x.x.x.10.

    - Check that the key in the AAA statement is accurate.

    Test without saving the config on the outside router. Save once confirmed OK.

    I have set up a similar facility before, and it worked very well.

    Please rate all useful message(s).

    AK

  • Windows NPS for AAA authentication on a Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of tutorials online for setting up RADIUS authentication on a Cisco router against a Windows NPS server. Now I can ssh into the router with my AD account.

    Now that I got it working, I am going through the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)
     login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:


    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:


    How is my password being encrypted and how strong is the encryption?

    Another thing: how can I configure aaa authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using PPP, I'm using AAA with a RADIUS server.


    Hello

    RADIUS encrypts the password, but sends the username in clear. TACACS+ encrypts the username and password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAPv2 is used for user authentication such as remote access and VPN, not switch management.

    Thank you

    John
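To show concretely what the RFC reference in the reply above covers, here is an added Python example (not from this thread) that implements the RFC 2865 section 5.2 User-Password hiding a RADIUS client applies before sending an Access-Request, and beside it the TACACS+ body obfuscation from RFC 8907 section 4.5, so the difference the reply draws (user name in clear versus the whole body hidden) can be checked on constructed packets. The shared secret, Request Authenticator, session id and packet bodies are constructed values.

```python
import hashlib
import os


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes and XORed block by
    block with an MD5 keystream: b1 = MD5(S + RA), c1 = p1 ^ b1, then
    b(i) = MD5(S + c(i-1)), c(i) = p(i) ^ b(i).  S is the shared secret and
    RA the 16-byte Request Authenticator sent in clear in the same packet,
    so the keystream depends only on S and RA and RA must never repeat.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; the server only needs S and RA.

    Trailing NULs are stripped as padding, so a password that itself ends in
    NUL bytes cannot be carried in this attribute.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def radius_request_attributes(user_name: bytes, hidden_password: bytes) -> bytes:
    """Attributes of an Access-Request as type/length/value: User-Name (1)
    travels in clear, User-Password (2) carries the hidden value."""
    def tlv(attr_type, value):
        return bytes([attr_type, len(value) + 2]) + value
    return tlv(1, user_name) + tlv(2, hidden_password)


def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1)); the digests
    are concatenated and truncated to the body length.  session_id is the
    4-byte big-endian header field, version and seq_no single header bytes."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the whole packet body (user name included) with the pseudo-pad.
    The operation is its own inverse."""
    pad = tacacs_pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    """Hide one constructed credential both ways and report what stays visible."""
    secret, authenticator = b"mykey", os.urandom(16)  # fresh RA per request
    hidden = radius_hide_password(secret, authenticator, b"Secr3t!pass")
    radius_attrs = radius_request_attributes(b"alice", hidden)
    body = b"\x00alice\x00Secr3t!pass"  # constructed stand-in for a TACACS+ body
    tacacs_body = tacacs_obfuscate(b"mykey", 0x1234ABCD, 0xC0, 1, body)
    return {
        "radius_user_in_clear": b"alice" in radius_attrs,
        "radius_password_in_clear": b"Secr3t!pass" in radius_attrs,
        "tacacs_user_in_clear": b"alice" in tacacs_body,
        "radius_roundtrip": radius_reveal_password(secret, authenticator, hidden),
    }
```

Both schemes are MD5-keystream XOR with no integrity protection, which is why a distinct Request Authenticator per RADIUS request and a strong, unique shared secret per client matter more than the "encryption" label suggests.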

  • No network on computer - 2 routers, 1 non-Cisco router.

    Hi guys!

    I hope someone can help me with that.
    First some information about what material I got.
    I got a Cisco 860VAE router; I didn't get a console cable (so I'm connected via telnet), and I also have a home router (from my ISP).

    I have to use the router from my TV service provider, so I can't just remove it... annoying...
    I got the Cisco router because I am a Cisco CCNA student at my school (first year) and I thought it might be cool to try NetFlow.

    The router I got from my ISP is quite advanced, so there are not a lot of options there. In any case, it uses the 10.0.0.0/8 IP range.
    My Cisco router uses the IP range 192.168.1.0/24.

    The problem is that I can't connect to the internet from my computer (I know...)

    Let me show you my running config (remember I'm NEW):

    Current configuration : 2500 bytes
    !
    ! Last configuration change at 18:04:48 UTC Wed Jan 15 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no logging buffered
    enable secret 4 tnhtc92DsfdXBhelxjLWJy3243i4ntXrpb4RdfFmfqY
    !
    no aaa new-model
    wan mode ethernet
    !
    !
    !
    ip dhcp pool ccp_pool
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
    !
    !
    !
    !
    ip flow-cache timeout active 1
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    no ipv6 cef
    !
    !
    !
    !
    !
    username admin privilege 15 secret 4 lUgFIkgcrt4SYXMq7jZtxq52lwdfgkj238
    !
    !
    controller VDSL 0
     shutdown
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 11.0.0.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Loopback1
     no ip address
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    interface Ethernet0
     no ip address
     ip flow ingress
     ip flow egress
     shutdown
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 2
     no ip address
     spanning-tree portfast
    !
    interface GigabitEthernet0
     description $ETH-WAN$
     ip address 10.0.0.1 255.0.0.0
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Vlan2
     no ip address
     ip flow ingress
     ip flow egress
    !
    interface Dialer0
     no ip address
     ip flow ingress
     ip flow egress
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
     no auto-summary
    !
    ip default-gateway 10.0.0.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip flow-capture vlan-id
    ip flow-export source Vlan1
    ip flow-export version 9
    ip flow-export destination 192.168.1.3 9991
    !
    ip route 0.0.0.0 0.0.0.0 10.0.0.100
    ip route 10.0.0.0 255.0.0.0 GigabitEthernet0
    ip route 192.168.1.0 255.255.255.0 Vlan1
    !
    mac-address-table aging-time 15
    !
    snmp-server community public RW
    snmp-server community public RO
    snmp-server ifindex persist
    snmp-server enable traps config
    snmp-server host 10.0.0.3 version 2c public
    !
    control-plane
    !
    banner login ^C*CISCO*^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 60 0
     password cisco
     logging synchronous
     login local
     transport input telnet
    !
    scheduler allocate 60000 1000
    !
    end

    I haven't CHANGED anything!
    Some of it was just conjecture...

    When I try to PING Google's DNS (IP 8.8.8.8) from the router I get
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

    When I try to PING Google's DNS from my own computer, I get
    Request timed out.
    Request timed out.
    Request timed out.

    My Cisco router IPs: 192.168.1.1 (Vlan1), 10.0.0.1 (GigabitEthernet0/WAN)
    My IP from the ISP router: 10.0.0.100
    My computer IP: 192.168.1.3, gateway: 192.168.1.1

    To try to draw a topology in text: ISP -> ISP router -> switch -> Cisco router -> workstation

    It's not like I can configure RIP on my ISP router, is it...? And BTW, my Cisco router only supports RIP as the routing protocol.
    So what should I do?

    You need to configure NAT on the Cisco. I'm assuming that the ISP router connects to G0 on the Cisco. The ISP router probably does not know about your 192.168.1.0/24 subnet, and you can't NAT several subnets on their router anyway. You need to NAT to a 10.0.0.0/8 address on the Cisco.

    access-list 100 permit ip 192.168.1.0 0.0.0.255 any

    ip nat inside source list 100 interface g0 overload

    int g0

     ip nat outside

    int vlan 1

     ip nat inside

    Get rid of these:

    ip route 10.0.0.0 255.0.0.0 GigabitEthernet0

    ip route 192.168.1.0 255.255.255.0 Vlan1

    You don't need them, because these two subnets will be seen as connected routes.


    You will also need to add a default router to your DHCP pool:

    ip dhcp pool ccp_pool

     default-router 192.168.1.1

    And you can get rid of this line as well:

    ip default-gateway 10.0.0.100


    HTH,
    John

    Please rate all useful messages.

  • L2TP/IPsec passthrough on a Cisco router firewall

    Hello! I have the following problem.

    External users want to connect to the internal Windows 2012 network and share resources (start software, files, etc.)

    So it's time to deploy a VPN server, and as I did not have a free license to run one on my Windows 2012, I decided to use my QNAP for it (because it has this built-in feature). So I chose L2TP/IPsec and tested it in the lab at home with a simple TP-Link router with UPnP, and it worked like a charm.

    However, in the real production environment, I need to use the Cisco router, and this is how the story begins ;)

    So clients with their machines (Win 7, 8.1, 10) must pass through the Cisco router (with NAT) firewall and access the VPN server and the internal network on the QNAP.

    I googled for a sample configuration, but most of them relate to configuring the router as a VPN server, and what I want to achieve is to make my router pass VPN traffic through. I found a sample PPTP config, which I have modified a bit, but I don't know if it works because I have not tested it yet.

    In any case, could you check my config and see if it's OK? Am I right to do a static NAT for the VPN server 192.168.5.253 to the external address?

    Also, here is a short diagram:

    VPN client (Win 7, 8, 10) --- cloud --- Cisco 1921 router --- VPN server (QNAP)

                              xxx.194      5.254                 5.253 (internal network)

    test#show run
    Building configuration...

    Current configuration : 3611 bytes
    !
    ! Last configuration change at 19:31:01 UTC Wed May 4 2016
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname test
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret $5
    !
    no aaa new-model
    !
    !
    !
    ip dhcp excluded-address 192.168.5.200 192.168.5.254
    ip dhcp excluded-address 192.168.5.1 192.168.5.189
    !
    ip dhcp pool network
     network 192.168.5.0 255.255.255.0
     default-router 192.168.5.254
     domain-name network
     dns-server xxx.x.xxx.244
    !
    !
    !
    ip domain name temp
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    !
    license udi pid CISCO1921/K9 sn xxxxxx
    license boot module c1900 technology-package securityk9
    !
    !
    username abc secret 5
    username cisco privilege 15 password 7
    !
    redundancy
    !
    !
    !
    ip ssh version 2
    !
    class-map type inspect match-all cm_helpdek_protocols
     match protocol http
     match protocol https
     match protocol ssh
    class-map type inspect match-all cm_gre_protocols
     match access-group name GRE
    class-map type inspect match-all cm_icmp
     match access-group name icmp
    class-map type inspect match-any cm_helpdesk
     match access-group name helpdesk
    class-map type inspect match-all inside_to_outside
     match protocol h323
     match protocol pptp
     match protocol ftp
     match protocol tcp
     match protocol udp
     match protocol icmp
    !
    policy-map type inspect pm_outside_to_inside
     class type inspect cm_gre_protocols
      pass
     class type inspect cm_icmp
      inspect
     class type inspect cm_helpdesk
      inspect
     class class-default
      drop log
    policy-map type inspect pm_inside_to_outside
     class type inspect inside_to_outside
      inspect
     class type inspect cm_gre_protocols
      pass
     class class-default
      drop log
    !
    zone security inside
     description inside trusted zone
    zone security outside
     description outside untrusted zone
    zone-pair security zonep_insiede_to_outside source inside destination outside
     service-policy type inspect pm_inside_to_outside
    zone-pair security zonep_outside_to_inside source outside destination inside
     service-policy type inspect pm_outside_to_inside
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description LAN
     ip address 192.168.5.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security inside
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description WAN CID: xxxxx
     ip address xxx.xxx.xxx.194 255.255.255.252
     ip nat outside
     ip virtual-reassembly in
     zone-member security outside
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
    ip nat inside source list 1 pool network overload
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
    !
    ip access-list extended GRE
     remark ACL to permit PPTP GRE outbound
     permit gre any any
     permit udp any any eq 1701
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
    ip access-list extended helpdesk
     permit ip any host 192.168.5.253
    ip access-list extended icmp
     permit icmp any host 192.168.5.253
    !
    !
    !
    access-list 1 permit 192.168.5.0 0.0.0.255
    !
    control-plane
    !
    !
    !
    line con 0
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin xxxxx
     stopbits 1
    line vty 0 4
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    Kind regards

    Andrew

    Once the client has connected to the VPN, you want the return traffic to flow to the client. That can easily be achieved with "inspect".

    And from the firewall's point of view, you do not have ESP traffic (which would be IP/50). You only have UDP traffic (initially UDP/500, which then moves to UDP/4500).

    And you are right about your last ACE. That one is a lot too permissive and not necessary for this function.

  • Cisco router: some computers are unable to access the internet.

    I'm having a weird problem recently where some computers are unable to browse some sites. I even tried putting in a different Cisco router (Cisco 2811) with IOS version 15.0 and the same configuration, but still no luck. I tried rebooting all devices, and I also tried connecting the computer that has the problem directly to the router, but the result is the same. FYI, the router had been working well for a few months without this problem. I tried using an inexpensive router like a D-Link / TP-Link and there is no problem. Another piece of information: the computers that could not browse some sites were able to ping the website, but fail to load it in the web browser. Out of 10 computers, 3 have this problem, and new devices such as my customers'/guests' computers are also unable to browse some sites. There is no firewall or any other security on our side. It's driving me crazy!

    My circuit diagram is as below:

    WAN -> router (Cisco 2821) -> switch -> computer

    - show version -

    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 23-Aug-11 01:30 by prod_rel_team

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    Linear_Router uptime is 2 weeks, 3 days, 21 hours, 56 minutes
    System returned to ROM by reload at 12:49:51 MAS Thu Sep 1 2016
    System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T6.bin"

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    [email protected].

    Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.
    Processor board ID FHK1235F3T0
    2 Gigabit Ethernet interfaces
    2 Serial(sync/async) interfaces
    1 ATM interface
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity capable.
    239K bytes of non-volatile configuration memory.
    1000944K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102

    - show running-config -

    Building configuration...

    Current configuration : 8378 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname Linear_Router
    !
    boot-start-marker
    boot system flash:c2800nm-adventerprisek9-mz.124-24.T6.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16000
    enable password 7
    !
    aaa new-model
    !
    !
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    clock timezone MAS 8
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp binding cleanup interval 30
    ip dhcp excluded-address 192.168.88.1 192.168.88.141
    ip dhcp excluded-address 192.168.88.180 192.168.88.254
    !
    ip dhcp pool LAN
     network 192.168.88.0 255.255.255.0
     default-router 192.168.88.254
     domain-name losb.local
     dns-server 8.8.8.8 8.8.4.4
     lease 0 0 15
    !
    !
    ip domain name losb.local
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    !
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    voice-card 0
    !
    !
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
     subject-name e=[email protected]
     revocation-check crl
    !
    crypto pki trustpoint TP-self-signed-3132623275
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3132623275
     revocation-check none
     rsakeypair TP-self-signed-3132623275
    !
    !
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain TP-self-signed-3132623275
     certificate self-signed 01
      quit
    !
    !
    username kent privilege 15 password 7
    archive
     log config
      hidekeys
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 11
     key 11
     dns 8.8.8.8 8.8.4.4
     domain losb.local
     pool SDM_POOL_1
     acl 100
     max-users 11
    crypto isakmp profile sdm-ike-profile-1
     match identity group 11
     client authentication list sdm_vpn_xauth_ml_1
     isakmp authorization list sdm_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    !
    !
    crypto ctcp port 10000
    !
    !
    !
    interface GigabitEthernet0/0
     description WAN connection to Unifi BTU
     no ip address
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no mop enabled
    !
    interface GigabitEthernet0/0.500
     encapsulation dot1Q 500
     no ip route-cache
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface GigabitEthernet0/1
     description LAN internal network
     ip address 192.168.88.254 255.255.255.0
     ip access-group UDP/TCP in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     shutdown
     atm restart-timer 300
     no atm ilmi-keepalive
    !
    interface Serial0/1/0
     no ip address
     shutdown
     clock rate 2000000
    !
    interface Serial0/1/1
     no ip address
     shutdown
     clock rate 2000000
    !
    interface Virtual-Template1 type tunnel
     description 11
     ip unnumbered Dialer1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    !
    interface Dialer1
     ip address negotiated
     ip mtu 1480
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer persistent
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 15381
     ppp pap sent-username [email protected] password 7 132F0
    !
    ip local pool SDM_POOL_1 192.168.88.130 192.168.88.141
    ip default-gateway 192.168.88.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip nat inside source list Internet_List interface Dialer1 overload
    ip nat inside source static tcp 192.168.88.89 8001 interface Dialer1 3389
    ip nat inside source static udp 192.168.88.89 8001 interface Dialer1 3389
    ip nat inside source static udp 192.168.88.102 80 interface Dialer1 5555
    ip nat inside source static tcp 192.168.88.102 80 interface Dialer1 5555
    ip nat inside source static tcp 192.168.88.90 80 interface Dialer1 8080
    ip nat inside source static udp 192.168.88.90 80 interface Dialer1 8080
    ip nat inside source static tcp 192.168.88.101 8888 interface Dialer1 8888
    ip nat inside source static udp 192.168.88.101 8888 interface Dialer1 8888
    ip nat inside source static tcp 192.168.88.101 80 interface Dialer1 7777
    ip nat inside source static udp 192.168.88.101 80 interface Dialer1 7777
    !
    ip access-list extended Internet_List
     permit ip 192.168.88.0 0.0.0.255 any
    !
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip 192.168.88.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    !
    !
    control-plane
    !
    !
    !
    banner motd ^C
    #####################################################################
    #                            WARNING!!!                             #
    # This system is for the use of authorized customers only.          #
    # Individuals using this computer network system without            #
    # authorization, or in excess of their authorization, are           #
    # subject to having their activities on this computer network       #
    # monitored and recorded by system personnel. To protect the        #
    # computer network system from unauthorized use and to ensure       #
    # that computer network systems are functioning properly,           #
    # system administrators monitor this system. Anyone using this      #
    # computer system consents to such monitoring and is expressly      #
    # informed that if this monitoring reveals possible criminal        #
    # activity, the system can provide evidence of this activity        #
    # to law enforcement officers.                                      #
    #                                                                   #
    # Access is limited to authorized users only.                       #
    # Unauthorized access is a violation of state and federal           #
    # civil and criminal law.                                           #
    #####################################################################
    ^C
    !
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     password 7
     transport input telnet ssh
     transport output telnet ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    end

    Hello

    try changing the "ip mtu" on your Dialer interface to 1492, and/or set "ip tcp adjust-mss" on your GigabitEthernet interfaces to 1452, and see if that makes a difference.

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client I will apply aaa authentication / authorization under vty. The issue is: if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a user name and password?

    Here is my configuration

    aaa new-model

    aaa authentication login authvty group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    aaa authorization commands 15 authvty group tacacs+ local

    radius-server host IP

    radius-server key

    ip tacacs source-interface Vlan3

    aaa accounting send stop-record authentication failure

    aaa accounting delay-start

    aaa accounting exec authvty start-stop group tacacs+

    aaa accounting commands 15 authvty start-stop group tacacs+

    aaa accounting connection authvty start-stop group tacacs+

    line vty 0 15

     login authentication authvty

     authorization commands 15 authvty

     accounting connection authvty

     accounting commands 15 authvty

     accounting exec authvty

    Any suggestion will be appreciated!

    It should work, because it is a global banner/prompt shown whenever you try to log in (console/vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:

    ************************************************************

    Username: cisco, password: cisco (priv 15 - local)

    ************************************************************

    Unauthorized use is prohibited.

    Enter your name here: User1

    Enter your password now:

    Router#

    The configuration more or less looks like this:

    aaa new-model

    aaa authentication banner ^CUnauthorized use is prohibited.^C

    aaa authentication password-prompt "Enter your password now:"

    aaa authentication username-prompt "Enter your name here:"

    aaa authentication login default group radius

    aaa authentication login CONSOLE local

    HTH

    AK

  • Excluding Terminal Server lines from AAA authentication

    Hi all

    Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction to solve it?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location XXXXXX XXXXXX BT decoder
     no motd-banner
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a question of disabling the command line or using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another method list for authentication on the aux line and amend your AAA configuration:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You can also configure a local username/password and map it to the group here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • LDAP authentication for router vty login

    I'm trying to deploy LDAP (MS AD) authentication for router vty login. I used the manual here - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html

    But my scenario was unlucky.

    My config is...

    _____

    aaa new-model
    !
    !
    aaa group server ldap ad1
     server test
    !
    aaa authentication login default group ad1 local
    aaa authorization exec default if-authenticated
    !
    skip...
    !
    ldap attribute-map map1
     map type sAMAccountName username
    !
    ldap server test
     ipv4 172.16.107.145
     attribute map map1
     timeout retransmit 20
     bind authenticate root-dn CN=Administrator,CN=users,DC=fabrikam,DC=com password 7 02050D480809
     base-dn CN=users,DC=fabrikam,DC=com

    _____

    Instead of "ldap attribute-map map1" I tried to use "search-filter user-object-type". No effect.

    I used Wireshark to sniff packets from the Cisco to the AD. No packets to the AD ports (389 or 3268) were captured.

    I used "debug ldap all".

    This is the output:

    * Jun 9 19:38:45.414: LDAP: LDAP: AAA Queuing 117 of treatment application

    * Jun 9 19:38:45.414: LDAP: received the queue event, new demand for AAA

    * Jun 9 19:38:45.414: LDAP: LDAP authentication request

    * Jun 9 19:38:45.414: LDAP: no attributes to check username mental health

    * Jun 9 19:38:45.414: LDAP: name of user/password validation test failed!

    * Jun 9 19:38:45.414: LDAP: LDAP not suport interactive logon

    Note the last line. Does it mean I can't use LDAP for this?

    What have I done wrong?

    Grateful for any help!

    LDAP support on IOS is limited to VPN authentication and unfortunately cannot be used for admin (exec) authentication.

    CSCug65194    Document non-support of LDAP for login authentication

    AAA does not support using an LDAP method for interactive login authentication. Customers can configure 'aaa authentication login default group ldap', but when an interactive (terminal) session attempts to authenticate via the LDAP protocol, the following message is syslogged:

    "LDAP: LDAP does not support interactive logon [sic]."

    This is due to the following code in ldap_authen_req() in aaa/ldap/src/ldap_main.c:

    if (intf && intf->ATS) {
        LDAP_EVENT("LDAP don't suport interactive logon");
        ldap_method_failover(proto_req);
        ...
    }

    Jatin
    - Do rate helpful posts -

  • Multiple RADIUS servers on a Cisco router

    I have a Cisco router that works as a PPPoE NAS server. I need to configure multiple RADIUS servers, each one dedicated to an interface, so that each of my clients authenticates via the correct RADIUS server.

    Thanks in advance

    Hello

    A brief overview of the config steps:

    aaa new-model

    Create 2 separate radius servers, using the modern syntax with host and key on the same line:

    radius-server host 10.1.1.1 key XXXXXXXXX
    radius-server host 10.1.1.2 key XXXXXXXXX

    Create 2 separate aaa server groups, radgroup1 and radgroup2, and add each of the servers to its aaa server group:

    aaa group server radius radgroup1
     server 10.1.1.1
    aaa group server radius radgroup2
     server 10.1.1.2

    Create 2 different method lists for authentication with the aaa groups:

    aaa authentication ppp login1 group radgroup1
    aaa authentication ppp login2 group radgroup2

    Use the two authentication lists on the appropriate interfaces:

    Router(config)#interface {name-of-interface-1}
    Router(config-if)#ppp authentication chap login1
    Router(config)#interface {name-of-interface-2}
    Router(config-if)#ppp authentication chap login2

    Rgds,

    MiKa

  • Two RADIUS servers in one Cisco router

    Hello

    Just need to know if it is possible to use two RADIUS servers in one Cisco router. The first RADIUS server will authenticate remote users accessing our internal LAN, while the other RADIUS server will authenticate users who will have access to the routers. The reason we cannot use the same RADIUS server to authenticate remote users and router users is our contract with our supplier (long story!).

    Anyway, if it's possible, could someone help me with how to do it, or give me the link to the documentation.

    Thank you

    Yes, this is the way to do it.  This gives you two different methods for users.

    radius-server host 1.1.1.1 key login
    radius-server host 2.2.2.2 key login
    radius-server host 3.3.3.3 key remote
    radius-server host 4.4.4.4 key remote

    aaa group server radius telnet
     server 1.1.1.1
     server 2.2.2.2

    aaa group server radius remoteaccess
     server 3.3.3.3
     server 4.4.4.4

    aaa authentication login default group remoteaccess
    aaa authentication login TEL group telnet

    line vty 0 4
     login authentication TEL

    line con 0
     login authentication TEL

    This is an example which will allow your telnet access to the router to use one server group while allowing your remote access users to use the other radius servers.

    -Jesse
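A practical check that follows from the two answers above (the aux-line method list and the two RADIUS groups) is to see which method list, and therefore which servers, each terminal line really ends up using. The following Python audit is an added example, not code from the thread; the config text is constructed to mirror those answers, plus a terminal-server line without any `login authentication` (which silently inherits `default`) and one that references a list that was never defined.

```python
"""Audit which AAA login method list (and which RADIUS servers) every
'line ...' block of an IOS config actually uses.  Added example, not from
the original thread; SAMPLE_CONFIG is constructed for illustration."""


SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius telnet
 server 1.1.1.1
 server 2.2.2.2
aaa group server radius remoteaccess
 server 3.3.3.3
 server 4.4.4.4
aaa authentication login default group remoteaccess
aaa authentication login TEL group telnet
aaa authentication login aux_auth line
line con 0
 login authentication TEL
line aux 0
 login authentication aux_auth
line vty 0 4
 login authentication TEL
line vty 5 15
 login authentication SSHONLY
line 41
 no exec
"""


def parse_blocks(cfg):
    """Yield (top-level command, [its indented sub-commands]) in order."""
    header, children = None, []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_methods(tokens):
    """'group telnet local' -> ['group telnet', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_login_lists(cfg):
    """Return {line_spec: {list, methods, servers, problem}} for each line."""
    lists, groups, lines = {}, {}, []
    for header, children in parse_blocks(cfg):
        t = header.split()
        if t[:3] == ["aaa", "authentication", "login"]:
            lists[t[3]] = parse_methods(t[4:])
        elif t[:3] == ["aaa", "group", "server"]:
            groups[t[4]] = [c.split()[1] for c in children
                            if c.startswith("server ")]
        elif t[0] == "line":
            explicit = next((c.split()[2] for c in children
                             if c.startswith("login authentication ")), None)
            lines.append((" ".join(t[1:]), explicit))
    report = {}
    for spec, explicit in lines:
        name = explicit or "default"        # no explicit list -> 'default'
        methods = lists.get(name)
        problem = None if methods is not None else \
            f"method list '{name}' is not defined"
        servers = []
        for m in methods or []:
            if m.startswith("group "):
                g = m.split()[1]
                if g in groups:
                    servers += groups[g]
                elif g not in ("radius", "tacacs+"):   # built-in groups
                    problem = problem or f"server group '{g}' is not defined"
        report[spec] = {"list": name, "methods": methods or [],
                        "servers": servers, "problem": problem}
    return report


if __name__ == "__main__":
    for spec, r in audit_login_lists(SAMPLE_CONFIG).items():
        flag = f"  !! {r['problem']}" if r["problem"] else ""
        print(f"line {spec:8} -> {r['list']:9} {r['methods']} "
              f"servers={r['servers']}{flag}")
```

The report makes the point of Jim's question visible: `line 41` has no `login authentication`, so it is handled by the `default` list and its servers, exactly like the vty lines that were never given a list of their own.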

  • Cisco VPN Client, Cisco router, MSW CA + certificates

    Dear Sirs,
    Let me approach you with the following problem.

    I wanted to use a secure connection between the Cisco VPN Client
    (Windows XP) and a Cisco 2821 with certificate-based authentication.
    I used the Microsoft certification authority (Windows 2003 server).
    The Cisco VPN Client used an Aladdin eToken PRO as the certificate store.

    Certificate enrollment from the MSW CA and installation on the eToken ran OK.
    The Cisco VPN Client has no problem working with the eToken.
    Certificate enrollment of the Cisco 2821 with the MSW CA ran okay too.

    The Cisco 2821 configuration is standard. IOS version 12.4(6).

    Attempting to connect with the Cisco VPN Client to the Cisco 2821
    produced the following error messages:

    ISAKMP: (1020): cannot get router cert or routerdoes do not have a cert: had to find DN!
    ISAKMP: (1020): ITS been RSA signature authentication more XAUTH using id ID_FQDN type
    ISAKMP (1020): payload ID
    next payload: 6
    type: 2
    FULL domain name: cisco - ca.firm.com
    Protocol: 17
    Port: 500
    Length: 25
    ISAKMP: (1020): the total payload length: 25
    ISAKMP (1020): no cert string to send to peers
    ISAKMP (1020): peer not specified not issuing and none found appropriate profile
    ISAKMP (1020): Action of WSF returned the error: 2
    ISAKMP: (1020): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    ISAKMP: (1020): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

    Is there some reference where it is possible to find information on
    this problem? Does someone know how to interpret these errors?
    Thank you very much for your help.

    Best regards
    P.Sonenberk

    PS Some useful information for people who are interested in the above problem.

    The IP address of the Cisco 2821 is 10.1.1.220, the VPN client IP address is 10.1.1.133.
    The MSW CA's IP is 10.1.1.50.
    Important parts of the Cisco 2821 configuration:

    !
    hostname cisco-ca
    !
    ................
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    ...............
    ip domain name firm.com
    ip host company-cu 10.1.1.50
    ip host cisco-vpn1 10.1.1.133
    ip name-server 10.1.1.33
    !
    multilink bundle-name authenticated
    !
    crypto pki trustpoint TP-self-signed-4097309259
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4097309259
     revocation-check none
     rsakeypair TP-self-signed-4097309259
    !
    crypto pki trustpoint company-cu
     enrollment mode ra
     enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
     usage ike
     serial-number none
     ip-address none
     password 7 005C31272503535729701A1B5E40523647
     revocation-check none
    !
    crypto pki certificate chain TP-self-signed-4097309259
     certificate self-signed 01
      30820249 308201B 2 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
      .............
      FEDDCCEA 8FD14836 24CDD736 34
      quit
    crypto pki certificate chain company-cu
     certificate 1150A66F000100000013
      30820509 308203F1 A0030201 02020 HAS 11 092A 8648 01000000 13300 06 50A66F00
      ...............
      9E417C44 2062BFD5 F4FB9C0B AA
      quit
     certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
      30820489 30820371 A0030201 BAC7C822 02021051 D1F6A346 9D1ADC32 D0EB8C30
      ...............
      C379F382 36E0A54E 0A6278A7 46
      quit
    !
    ...................
    crypto isakmp policy 30
     encr 3des
     hash md5
     authentication rsa-encr
     group 2
    crypto isakmp identity hostname
    !
    crypto isakmp client configuration group Group159
     key Key159Key
     pool SDM_POOL_1
     acl 100
    !
    crypto isakmp client configuration group them
     domain firm.com
     pool SDM_POOL_1
     acl 100
    !
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set 3DES-MD5
     reverse-route
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    ................
    !
    end

    cisco-ca#show crypto pki trustpoints company-cu status
    Trustpoint company-cu:
      Issuing CA certificate configured:
        Subject Name:
        cn=firm-cu,dc=company,dc=local
        Fingerprint MD5: 5026582F 8CF455F8 56151047 2FFAC0D6
        Fingerprint SHA1: 47B74974 7C85EA48 760516DE AAC84C5D 4427E829
      Router General Purpose certificate configured:
        Subject Name:
        hostname=cisco-ca.firm.com
        Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
        Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FCDC6F3 B7E00138
      State:
        Keys generated ............. Yes (General Purpose, non-exportable)
        Issuing CA authenticated ....... Yes
        Certificate request(s) ..... Yes

    cisco-ca#sh crypto key pubkey-chain rsa
    Codes: M - Manually configured, C - Extracted from certificate

    Code Usage      IP-Address/VRF  Keyring    Name
    C    Signing                    default    X.500 DN name:
                                                 cn=firm-cu
                                                 dc=company
                                                 dc=local

    C    Signing                    default    cisco-vpn1

    IMPORTANT: Do not use Cisco IOS Software 12.4(5), 12.3(11)T08, 12.4(4.7)PI03c,
    12.4(4.7)T - there is an error in the crypto module.

    Hey guys, it's weird that the router does not find the cert after IKE gets the cert and validates it. It is certainly not the reason, but I would go ahead and set up certificate mapping on this router to force the client to associate with the IKE group. For that matter, you need to change your config a bit to use isakmp profiles:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_isakp.html

  • AAA authentication and VRF-Lite

    Hello!

    I encountered a strange problem when using AAA RADIUS authentication and VRF-Lite.

    The setup is as follows. A /31 linknet is configured between the PE and the CE (7206/g1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used).

    Access to the CE, via telnet, console etc., will be authenticated by our RADIUS servers, based on the following configuration:

    --> Config start <--

    aaa new-model
    !
    !
    aaa group server radius RADIUS-auth
     server x.x.4.23 auth-port 1645 acct-port 1646
     server x.x.7.139 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group RADIUS-auth local
    aaa authentication enable default group RADIUS-auth
    ...
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key ...
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key ...
    ...
    ip radius source-interface <interface> vrf 10

    --> Config end <--

    The VRF-Lite instance is configured like this:

    --> Config start <--

    ip vrf 10
     rd 65001:10

    --> Config end <--

    Now - if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a single-VPN setup), AAA/RADIUS authentication works very well. When I activate "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.

    I compared the routing tables when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, the AAA/RADIUS part is the only service not working.

    It may be necessary to include the vrf forwarding command in the server group config, as follows:

    aaa group server radius RADIUS-auth
     server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
     ip vrf forwarding 10

    See the document below for more details:

    http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html

  • Incomplete Cisco 1941W router configuration

    Good day all.

    I have been running a small ecommerce business for the last 5 years on a Linksys wireless router. Now that I have more than 14 workstations and 6 networked printers, it was time to step up.

    I bought a CISCO 1941W ISR to take us to Gigabit speed for the next decade, together with a CISCO switch. I assumed that the 1941W, although robust and scalable, would provide an installation as simple as the Linksys (Cisco) product, or at least a simple 1-2-3 how-to for getting basic connections made. I was wrong, and now I find that I have some difficulty getting Internet through the router.

    Included below is my NVRAM config. I hope someone could tell me where I may have a few gaps in my config.

    Please note: this config is derived from an example on the net that seemed simple enough, so if you find yourself asking, "why did you do that?", I hope this provides the perspective.

    TEST router configuration
    28/07/2010

    Objective: Complete the basic configuration to connect (and ping) to the internet
    Problem: Cannot connect to the internet; incomplete configuration suspected; maybe bad NAT config or DNS issue
    Comments: In progress.

    TEXT OF HYPERTERMINAL CONNECTION TO THE CONSOLE:

    User Access Verification

    Username: admin
    Password:

    TESTROUTER>enable
    Password:
    TESTROUTER#ping 8.8.8.8

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    TESTROUTER#show config
    Using 2615 out of 262136 bytes
    !
    ! Last configuration change at 01:33:34 CST Thu Jul 29 2010 by admin
    !
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec show-timezone
    service timestamps log datetime msec show-timezone
    service password-encryption
    !
    hostname TESTROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16000
    logging console critical
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
    enable password 7 XXXXXXXXXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default enable
    !
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6
    service-module wlan-ap 0 bootimage autonomous
    !
    no ipv6 cef
    no ip source-route
    ip icmp rate-limit unreachable 2000
    ip icmp rate-limit unreachable DF 2000
    ip cef
    !
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 209.18.47.61
    ip name-server 209.18.47.62
    multilink bundle-name authenticated
    !
    !
    !
    license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
    hw-module ism 0
    !
    !
    !
    username admin password 7 XXXXXXXXXXXX
    !
    !
    !
    !
    !
    !
    interface Wlan-GigabitEthernet0/0
     description Internal switch interface connecting to the embedded AP
     shutdown
    !
    interface GigabitEthernet0/0
     description Connection to the internet over TWC (ISP) Ethernet/fiber
     ip address AA.BB.CC.149 255.255.255.0
     ip access-group 115 in
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
    !
    interface wlan-ap0
     description Service module interface to manage the embedded AP
     no ip address
     arp timeout 0
     no mop enabled
     no mop sysid
    !
    interface GigabitEthernet0/1
     description Internal connection to the LAN
     ip address 10.10.10.1 255.255.255.0
     ip access-group 116 in
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 AA.BB.CC.1
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    access-list 1 permit 0.0.0.0 255.255.255.0
    access-list 115 deny ip 127.0.0.0 0.255.255.255 any
    !
    no cdp run

    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     password 7 XXXXXXXXXXXXXX
    !
    scheduler allocate 20000 1000
    end

    TESTROUTER#

    END OF HYPERTERMINAL TEXT FROM THE CONSOLE

    Thanks in advance to those who consider a response.

    Daniel

    Daniel

    You have ACL 115 on the external interface, and there is just one line in this acl, which is a deny. Be aware that an acl has an implicit deny all at the end anyway, so basically this acl is blocking all incoming traffic, which includes the returning icmp (ping) responses. Because you ran the ping from the router using an IP address, not a DNS name, neither NAT nor DNS is the problem at present.

    I suggest that you rewrite acl 115 as

    access-list 115 permit icmp host 8.8.8.8 any echo-reply

    and test again with your ping. If it works, then it's the acl that is the problem, and you need to write your acl so that what you want to allow comes before what you want to deny.

    Jon
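To make the reasoning in Jon's reply concrete, here is a small Python evaluator (an added example, not from the thread) that applies a numbered extended ACL the way the router does: first match wins, and whatever matches nothing hits the implicit deny at the end. The ACL entries are the ones quoted above; the router's masked WAN address AA.BB.CC.149 is stood in for by the documentation address 203.0.113.149, and a third ACL is constructed to show the "permit before deny" ordering point.

```python
"""First-match evaluation of an IOS numbered extended ACL, with the implicit
'deny ip any any' at the end.  Added example, not from the original thread."""
import ipaddress

# The original single-line ACL from the post, and Jon's suggested rewrite.
ORIGINAL_ACL = ["access-list 115 deny ip 127.0.0.0 0.255.255.255 any"]
FIXED_ACL = ["access-list 115 permit icmp host 8.8.8.8 any echo-reply",
             "access-list 115 deny ip 127.0.0.0 0.255.255.255 any"]
# Constructed to show the ordering point: a broad deny before the permit
# shadows it, so the permit never matches.
SHADOWED_ACL = ["access-list 115 deny ip any any",
                "access-list 115 permit icmp host 8.8.8.8 any echo-reply"]

# Constructed stand-in for the masked WAN address AA.BB.CC.149 in the post.
ROUTER_WAN = "203.0.113.149"


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i].
    Returns ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Turn 'access-list N action proto src dst [icmp-type]' lines into
    entry dicts, keeping their configured order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        qualifier = t[i] if i < len(t) else None   # e.g. 'echo-reply'
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "qualifier": qualifier, "text": line})
    return entries


def _wild_match(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) & mask) == \
           (int(ipaddress.IPv4Address(net)) & mask)


def evaluate(entries, packet):
    """packet = {'proto': 'icmp'|'tcp'|..., 'src': ip, 'dst': ip,
    'icmp_type': optional name}.  Returns (action, matching entry text)."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not (_wild_match(packet["src"], e["src"])
                and _wild_match(packet["dst"], e["dst"])):
            continue
        if e["qualifier"] and e["qualifier"] != packet.get("icmp_type"):
            continue
        return e["action"], e["text"]
    return "deny", "(implicit deny at end of ACL)"


if __name__ == "__main__":
    # The echo-reply that the router's ping to 8.8.8.8 is waiting for.
    reply = {"proto": "icmp", "src": "8.8.8.8", "dst": ROUTER_WAN,
             "icmp_type": "echo-reply"}
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("shadowed", SHADOWED_ACL)):
        print(f"{name:9}: {evaluate(parse_acl(acl), reply)}")
```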

  • Domain controller and DNS behind RRAS without VPN, connected directly to the internet with a Cisco router

    I have a Cisco ME 3400 with a single physical port available for a cable connection.

    The ISP gave me an interface IP address = 89.120.29.89 to act as a gateway for the host IP address, which is 89.120.29.90.

    The host computer is a dual Xeon computer with two NICs, for LAN and WAN.

    Scope: to install a Windows 2008 R2 server between the public and private network.

    Even though I know it's not recommended, I have the DNS role and the Active Directory roles installed on the same computer, the computer above (I do not have enough computers to place the different roles on different computers).

    The desired configuration:

    a. To have WS2008R2 installed with its roles behind RRAS, without a VPN.

    b. with VPN

    and WAN access for the client computers of the private LAN with Windows 7 OS. (The LAN address pool is 192.168.0.1 - 255).

    First step : to have internet access in the browser (I use Google chrome) (without taking into account the DNS and AD)

    Network configuration:

    Map NETWORK WAN, at the top of the stack of liaison in the Control Panel/network connections and sharing:

    Host IP: 89.120.29.90

    Mask: 255.255.255.252

    Gateway: 89.120.29.89

    DNS: 193.231.100.130 my ISP name server address.

    OK, I can browse the internet.

    Second stage. (Consider DNS and Active Directories)

    DNS role installed for this computer.

    AD installed as a global catalog.

    WAN NIC of the server, directly connected to the Cisco router:

    Local Area Connection 3

    Properties:

    Client for Microsoft Networks: not checked

    Network Load Balancing: not checked

    File and Printer Sharing: not checked

    QoS Packet Scheduler: not checked;

    Microsoft Network Monitor 3 Driver: not checked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    Host IP: 89.120.29.90

    Mask: 255.255.255.252

    Gateway: 89.120.29.89

    DNS: 193.231.100.130 (my ISP name server address).

    under the Advanced tab

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: not checked

    Append parent suffixes of the primary DNS suffix: not checked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: not checked;

    Use this connection's DNS suffix in DNS registration: not checked;

    WINS tab: enable LMHOSTS lookup: not checked

    Enable NetBIOS over TCP/IP: not checked;

    Disable NetBIOS over TCP/IP: checked;

    Local Area Connection 2

    Properties:

    Client for Microsoft Networks: checked

    Network Load Balancing: no

    File and Printer Sharing: checked

    QoS Packet Scheduler: not checked;

    Microsoft Network Monitor 3 Driver: not checked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    LAN NIC: 192.168.0.101

    Mask: 255.255.255.0

    Gateway: 192.168.0.1

    under the Advanced tab:

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: checked

    Append parent suffixes of the primary DNS suffix: not checked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: checked;

    Use this connection's DNS suffix in DNS registration: checked;

    WINS tab: enable LMHOSTS lookup: not checked

    Enable NetBIOS over TCP/IP: checked;

    Disable NetBIOS over TCP/IP: not checked;

    Install RRAS as NAT, with no dependency on DHCP (not installed), on the idea that RRAS will hand out the private IP addresses with its DHCP allocator.

    In any case, for the beginning, I have a fixed IP; I do not get an IP automatically.

    At this point, it gets the simplest possible configuration for RRAS, as follows:

    Local Area Connection 3, which corresponds to the WAN interface IP:

    "NAT configured for the following Internet interface: Local Area Connection 3.
    Clients on the local network will be assigned IP addresses from the following range:

    network address: 192.168.0.0, netmask 255.255.0.0."

    After Windows RRAS is open:

    The Network Interfaces tab:

    NICs are enabled and connected;

    Remote Access Logging & Policies:

    Launch NPS,

    on the NPS server tab:

    Allow access to successful Active Directory directories:

    Properties: authentication: port 1812,1645

    kept port 1813,1646;

    on the accounting tab: nothing;

    under NPS policies:

    Grant permission for the RRAS server under the builtin\Administrator accounts;

    On policy and server type: unspecified (NAT does not exist as an entry in the server drop-down list)

    under the static road: nothing;

    under the IPv4 tab or both are there(there IP) and are up

    under NAT

    Connection to the local network 3: public interface connected to the internet

    enable NAT on this interface:

    under the address pool: ISP addresses public;(two addresses)

    under the terms of service and the ports: Web server: http 80.

    (I have a static IP address for the client computer in mind; I set up a single client).

    At the client computer:

    configured as a domain client and added to AD Users and AD Computers

    logon to the domain:

    Local Area Connection

    Properties:

    Client for Microsoft Networks: checked

    Network Load Balancing: not checked

    File and Printer Sharing: checked

    QoS Packet Scheduler: checked;

    Microsoft Network Monitor 3 Driver: not checked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    Host IP: 192.168.0.101

    Mask: 255.255.0.0

    Gateway: 192.168.0.1

    DNS: (auto-added, the same as on the local machine).

    under the Advanced tab

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: checked

    Append parent suffixes of the primary DNS suffix: not checked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: checked;

    Use this connection's DNS suffix in DNS registration: checked;

    WINS tab: enable LMHOSTS lookup: not checked

    Enable NetBIOS over TCP/IP: checked;

    Disable NetBIOS over TCP/IP: not checked;

    Right now the 192.168.0.101 client cannot connect to the internet through RRAS.

    This issue is beyond the scope of this site and should be posted on Technet or MSDN:

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home
