RADIUS does not work on Cisco ACS SE v4.1(1)

Hello

I have a CiscoSecure ACS version 4.1 (1) build 23.

I can't configure the Cisco ACS for granular control of router access. I have a Netopia router that is configured to use RADIUS to authenticate remote telnet connections. The router sends the access request to the Cisco ACS SE RADIUS server, and a sniff on the ACS side shows the request, but I see no response from the ACS. RADIUS authentication works with a Windows 2003 server.

I configured an AAA client and a user on the ACS and use the default group. I use RADIUS (IETF). What attributes should I configure? In Windows, I use Service-Type Framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the logs. It shouldn't be so difficult, but for some reason I can't make it work.

Thanks for any help.

Jutta Kullmann

Jutta,

Good to know it works very well. Please mark this thread as solved so others can benefit from it.

Kind regards

~ JG

Tags: Cisco Security

Similar Questions

  • RADIUS does not populate attribute 4 (NAS-IP-Address)

    I'm trying to get a Cisco 3120G configured for RADIUS authentication.  I have a lot of other IOS devices working with identical configuration lines; however, this one gives me a hard time.  The RADIUS server's policy is configured by NAS-IP-Address.  The AAA and RADIUS configuration is as follows:

    aaa new-model
    aaa authentication login default local group radius
    aaa authorization exec default local group radius

    radius-server host 10.x.x.x auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 XXXXXXXXXXXXXX

    See the following debug output:

    indrc3120a #.
    000284: 8 Feb 14:05:15.447 PST: RADIUS: Pick NAS IP for you = 0x5992EF4 = 0 cfg_addr = 0.0.0.0 tableid
    000285: 8 Feb 14:05:15.447 PST: RADIUS: ustruct sharecount = 1
    000286: Feb 8 14:05:15.447 PST: RADIUS: success radius_port_info() = 1 radius_nas_port = 1
    000287: Feb 8 14:05:15.447 PST: RADIUS (00000000): send 10.x.x.x:1645 id 1645/8, len 84 access request
    000288: Feb 8 14:05:15.447 PST: RADIUS: authenticator 12 5th 7th DF 01 B5 F1 D8 - 40 07 09 76 88 C1 A4 C5
    000289: 8 Feb 14:05:15.447 PST: RADIUS: NAS-IP-Address [4] 6 0.0.0.0
    000290: 8 Feb 14:05:15.447 PST: RADIUS: NAS-Port [5] 6 2
    000291: Feb 8 14:05:15.447 PST: RADIUS: NAS-Port-Type [61] 6 virtual [5]
    000292: 8 Feb 14:05:15.447 PST: RADIUS: username [1] 13 "admin_user '.
    000293: 8 Feb 14:05:15.447 PST: RADIUS: Calling-Station-Id [31] 15 "10.y.y.y".
    000294: 8 Feb 14:05:15.447 PST: RADIUS: User-Password [2] 18 *.
    000295: 8 Feb 14:05:15.505 PST: RADIUS: receipt id 1645/8 10.x.x.x:1645, Access-Reject, len 20
    000296: 8 Feb 14:05:15.505 PST: RADIUS: authenticator 4th EC 8F AB BB 8th F9 BB - 13 67 56 A3 5F F9 99 94
    000297: Feb 8 14:05:15.505 PST: RADIUS: saved the data of permission for the user 5992EF4 to 0

    Note the NAS-IP-Address attribute populated as 0.0.0.0.

    Another switch with an identical setup returns the following:

    tritc3120a #.
    350554: 8 Feb 14:11:00.916 PST: RADIUS / ENCODE (000155BC): ask "" user name: ".
    350555: 8 Feb 14:11:10.605 PST: RADIUS / ENCODE (000155BC): ask "" password: ".
    350556: 8 Feb 14:11:14.480 PST: RADIUS/ENCODE (000155BC): orig. component type = EXEC
    350557: 8 Feb 14:11:14.480 PST: RADIUS: AAA Attr not supported: interface [170] 4
    350558: 8 Feb 14:11:14.480 PST: RADIUS: 74 74 [tt]
    350559: 8 Feb 14:11:14.480 PST: RADIUS / ENCODE (000155BC): down the type of service, "radius attribute 6 sur-pour-login-auth server" is disabled
    350560: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): Config NAS IP: 0.0.0.0
    350561: 8 Feb 14:11:14.480 PST: RADIUS / ENCODE (000155BC): acct_session_id: 87482
    350562: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): send
    350563: 8 Feb 14:11:14.480 PST: RADIUS/ENCODE: Best 10.x.x.x address IP Local to the 10.y.y.y Radius Server
    350564: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): send 10.y.y.y:1645 id 1645/222, len 90 access request
    350565: 8 Feb 14:11:14.480 PST: RADIUS: authenticator 5F B1 17 DF 72 4B 3D - B6 D8 5 85 66 B9 8 d 7 c A6
    350566: 8 Feb 14:11:14.480 PST: RADIUS: username [1] 13 "admin_user '.
    350567: 8 Feb 14:11:14.480 PST: RADIUS: User-Password [2] 18 *.
    350568: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port [5] 6 2
    350569: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port-Id [87] 6 'tty2 '.
    350570: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port-Type [61] 6 virtual [5]
    350571: 8 Feb 14:11:14.480 PST: RADIUS: Calling-Station-Id [31] 15 "10.z.z.z".
    350572: 8 Feb 14:11:14.480 PST: RADIUS: NAS-IP-Address [4] 6 1.2.3.4
    350573: 8 Feb 14:11:14.556 PST: RADIUS: receipt id 1645/222 10.y.y.y:1645, Access-Accept, len 83
    350574: 8 Feb 14:11:14.556 PST: RADIUS: authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 5 42 8 A5 17 DA
    350575: 8 Feb 14:11:14.556 PST: RADIUS: Type of Service [6] 6 Administrative [6]
    350576: 8 Feb 14:11:14.556 PST: RADIUS: [25] in class 32
    350577: 8 Feb 14:11:14.556 PST: RADIUS: 59 B1 6 06 00 00 01 37 00 01 0a 1st DC 18 01 CB C7 B8 D7 82 CA E2 00 00 00 00 00 00 00 0b [Ym7]
    350578: 8 Feb 14:11:14.556 PST: RADIUS: seller, Cisco [26] 25
    350579: 8 Feb 14:11:14.556 PST: RADIUS: Cisco-AVpair [1] 19 "shell: priv-lvl = 15.
    350580: 8 Feb 14:11:14.556 PST: RADIUS (000155BC): receipt of id 1645/222

    Note that in the above example, the NAS-IP-Address is populated properly (I just changed it for security reasons).

    If anyone has any advice, it would be greatly appreciated.  Does the switch need a restart? Blow RADIUS server process?

    Thank you

    Seems to be a bug,

    CSCdx27019    Pkt sent by CSS access RADIUS request contains no information NAS

    The Cisco ACS NAR (Network Access Restriction) feature with RADIUS does not work with CSS. This is because the RADIUS NAS-IP-Address attribute is set to 0.0.0.0 in the RADIUS authentication request.

    Rgds, jousset

    Note the useful messages

  • System Administration > Operations > Scheduled Backups does not appear in ACS 5.0.0.21

    Hello!

    I want to schedule backups. According to the user's guide:

    You can create a backup scheduled for the primary instance. To create, reproduce or modify a regular
    backup:
    Step 1 Choose System Administration > operations > at the request of the backups.

    But System Administration > Operations > Scheduled Backups does not appear in ACS 5.0.0.21.

    How can I back up?

    Hi Alexander,

    Could you please confirm on which link you found these instructions?

    It seems that these are the instructions of the ACS 5.1 user's guide, but we do not have a similar option on ACS 5.0.

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • CPL script does not work on Cisco Expressway-E

    Hello

    I am trying to upload the script to block all PSTN calls hitting the Expressway-E in order to avoid any misuse; however, the script does not take effect.

    The script is attached; please let me know if something is missing.

    It is uploaded manually to the Expressway-E.

    I checked several posts in CSC and it seems necessary to create and upload it manually rather than through the GUI.

    For me neither works, and the call passes through Expressway-C and CUCM.

    I want to block the call at the Expressway-E itself when an unauthenticated or unknown user sends a PSTN call starting with 9 and +.

    Kind regards

    RACLOT

    You need to have something in the origin field; leaving it empty will only match calls that actually have an empty source field.

    An alternative to using a source address which is supposed to be matched is to specify the zone that the call comes through; in this case, because it is an external call entering the Expressway-E, the call will come from the Default Zone.

    Replace:

    unauthenticated-origin=""

    With:

    originating-zone="DefaultZone"

  • 'Case' service does not start on ACS 4.2.1

    Hello

    I recently installed ACS 4.2.1 with patches 4.2.1.15.1 and 4.2.1.15.2 on a Win 2003 R2 Std SP2 edition.

    Can't start service case

    Whenever I have to restart, the following message is displayed in the Viewer window:

    (Note that I have the same problem on another edition of WIN 2003 Std SP1 machine)

    Could you please help me?

    Thank you

    Michel Misonne

    Event type: error
    Event source: ACECLIENT
    Event category: (1).
    Event ID: 1001
    Date: 11/04/2010
    Time: 18:10:38
    User: n/a
    Computer: FP9S00180048
    Description:
    The description for Event ID (1001) in Source (ACECLIENT) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: C:\WINNT\system32\sdconf.rec.
    Data:
    0000: 00 00 00 00...

    This is a known issue with 4.2.1; if you are not using the RSA feature, you can ignore this message.
    However, if CSLOG cannot be started, could you try restarting the ACS,
    and also see if a reboot of the Windows server helps.

  • Skinning: border-radius does not work in IE8 / IE7

    Hello

    Jdev Version: 11.1.1.5.

    I styled my command button with border-radius. The curved edges do not appear in Internet Explorer 7 / 8.

    IE9, Chrome and Firefox render them properly.

    my CSS code...

    af|commandButton.testButton
    {
        background-color: Black;
        color: White;    
        width: 85px;
        height: 30px;
        font-family: Calibri;
        font-size: larger;
        border-radius: 10px;
        behavior: url(PIE.htc);    
    }
    

    I had line num # 10 http://css3pie.com/about/

    But no luck. Can someone help me?

    Thank you

    SAIF.

    Question: have you installed PIE on IE?

    Or have you just copied line 10?

    You need to install the PIE extension and hope it works; see CSS3 PIE: CSS3 decorations for IE

    Timo.

  • Cisco suggested cable does not? (Cisco Air-Br1310g-a-k9-R and Ant24120)

    Hello

    But the antenna cable is very short (1 ft.), so I need an extra cable. I read the documents and they said AIR-CAB020LL-R is the suggested cable for ANT24120. But when I look at the pictures of this cable, I see that it has RP-TNC female on both sides.

    The access point has the male Ant. side and the next female ANT24120. So, how can I connect this side 2 (MF) with a wire from the female side 2 (FF)? I'm so confused.
    Please can you suggest me a cable to connect this access point to this antenna.
    Thank you very much.

    Hi Bulent,

    This cable has 1 female and 1 male connector

    AIR-CAB020LL-R: 20-ft low-loss interconnect cable, one RP-TNC plug, one RP-TNC jack

    http://www.Cisco.com/en/us/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.PDF

    AIR-CAB020LL-R / AIR-CAB050LL-R

    Here are the cables RMT 400 Style with TNC reverse polarity of the connectors at one end and TNC female connector reverse polarity on the other end.

    http://www.coaxplanet.com/CrossReferences/CiscoCrossReference/AIRCAB020LLRAIRCAB050LLR/tabid/265/default.aspx

    See you soon!

    Rob

  • Why do some layers not give me blending mode options?

    As you can see, my Null and film layers have the ability to change the blending mode, but none of the other layers have it. What is the problem?

    You have duplicate posts, so I'll only answer this one. It is very likely that you are using the Ray-traced renderer in the composition settings. We would know if you had included a full screenshot. The Ray-traced renderer does not support blending modes on 3D layers.

  • Cisco ACS 4.1 - user profile changes

    There is no option in the Cisco ACS 4.1 Solution where we can specify that the "user must change password on the next logon", as there used to be in Cisco ACS 3.x.

    Is it possible to enable the same functionality on Cisco ACS 4.1?

    Regards

    Sohail Sarwar

    Hello

    That option does not exist in ACS 4.x.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • RADIUS authorization does not work for Nortel switches with ACS 5.3

    Hello

    RADIUS authorization does not work on the Nortel switches. I configured the relevant access policies for the RADIUS attributes (screenshot attached).

    The command does not get executed due to authorization failure:

    config cli password rwa

    I do not see a RADIUS authorization reports option; just checking whether someone has figured out how to set up these reports.

    I made a packet capture of the AAA packets from the Nortel switch and found that the accounting request contains the CLI command sent for authorization (pcap file attached).

    Kind regards

    Akhtar

    Akhtar,

    This isn't how RADIUS authorization works. The Access-Accept and the AV pairs that are sent in the response are the authorization for the user's session. This isn't like TACACS+, where each command is authorized with a separate authentication request containing the command that the client is running.

    When it comes to radius account management isn't too late in the process.

    Thank you

    Tarik admani

  • ACS database replication does not work after changing the IP of the secondary ACS

    Hello. I have 2 ACS 3.1 servers: ACS01 (primary) and ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we run database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS only supports database replication to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level of ACS.

    (2) The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, using port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

    (3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section. When a server is added to the AAA Servers table, it is displayed for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure Database Replication page.

    (4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) Replication to secondary servers takes place sequentially, in the order listed in the replication list under Replication Partners, on the Cisco Secure Database Replication page.

    (6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects the components.

    (8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.

  • ACS secondary server does not authenticate users through 3850 WLC

    Hi - I have a problem in that my secondary ACS server does not authenticate users when the primary is taken offline.  My configuration is:

    3850 WLC running code version 03.07.00E

    ACS Version 5.6 (primary/secondary)

    The two ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)) and defined in the server group (ACS_AUTH) and also the method list (ACS_AUTH).  The ACS_AUTH method list is then applied to the SSID.

    A 'test aaa group ACS_AUTH' command succeeds for both ACS servers.  IP/RADIUS communication is operational between the WLC and the two ACS servers.

    configuration of 3850 also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the commands listed below and test again when you can.

    radius-server deadtime $min$
    radius-server retransmit 1
    radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • ACS v4.1.1 build 23: password aging via SSH does not work

    Hello, my name is Elias and I have a problem with ACS: password aging via SSH does not work, and no password aging messages are sent by ACS to the console when I use SSH. I know that there are problems with this, but I can't find any workaround or documentation that says that there is no workaround. Can you help me with this?

    Greetings from the King.

    Hey Elias,

    SSHv1 does not support the password as you can do in telnet. You must be running a version of the IOS which supports SSHv2.

    The following site explains which versions support this:

    http://www.Cisco.com/en/us/partner/products/SW/iosswrel/ps5207/products_feature_guide09186a00802045dc.html

    Rgds,

    somishra

  • Cisco port forwarding does not work

    Dear experts, I have a production firewall (Cisco PIX 515E 6.3(1)) and I have set it up to allow access from the outside to a server (SSH only).

    The server is 10.0.5.200.

    External IP is a.b.c.d. (should I use the FW outside the IP address of the interface?)

    Here's the sanitized output:

    PIX Version 6.3(1)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 auto
    interface ethernet3 100full
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 provider interieure4
    nameif ethernet3 dmz security99
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password XXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    ip address outside a.b.c.d 255.255.255.240
    ip address inside 10.0.1.254 255.255.255.0
    ip address provider X.X.X.X 255.255.255.0
    ip address dmz X.X.X.X 255.255.255.0
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.0.1.0 255.255.255.0 0 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    ntp server 192.43.244.18 source outside prefer
    ntp server 128.102.16.2 source outside
    http server enable

    access-list outside_access_in permit ip any any
    access-list outside-access permit icmp any any
    access-list DMZ_access_in permit icmp any any

    Those in bold are the commands that I added:

    static (inside,outside) tcp a.b.c.d 2022 10.0.5.200 ssh netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host a.b.c.d eq 2022
    access-list 101 permit tcp host 10.0.5.200 eq 22 any
    access-group 100 in interface outside
    access-group 101 in interface inside

    When accessing from the WAN, I used PuTTY to SSH to IP a.b.c.d on port 2022 and it timed out. I used:

    capture capo access-list 100 interface outside

    The results were (that I can remember that I am not on site):

    My WAN IP-> a.b.c.d (R)

    My WAN IP-> a.b.c.d (S)

    My WAN IP-> a.b.c.d (S)

    My WAN IP-> a.b.c.d (S)

    Access to the server from the internal LAN is fine, and I can access port 22 on the server from the local network. (Note: there is an L3 switch in the environment, and the inside IP segments are 10.0.1.0/24 and 10.0.5.0/24, both routable.)

    This is what I have done so far, and I would like more ideas on the problem I am currently facing. Thanks!

    Hello

    Configuring static PAT (Port Forward) seemed correct to me.

    If you use the IP address of the 'outside' interface, you would generally configure the parameter "interface" and not the IP address.

    static (inside,outside) tcp interface 2022 10.0.5.200 22 netmask 255.255.255.255

    Of course, if you can/want to spare a public IP address for this server only, you could configure static NAT:

    static (inside,outside) <public-ip> 10.0.5.200 netmask 255.255.255.255

    That would essentially bind those 2 IP addresses, and you can allow the services that are needed for the server in question. Naturally, you will also need to allow traffic in the external ACL to the new public IP address.

    But it should also work with your configuration. Whether you want to use the interface IP address or a separate public IP is up to you.

    If you are missing the 'route' to the 10.0.5.0/24 subnet in your PIX configuration, then that is an obvious reason why the server is inaccessible from the Internet. So I would start by adding the necessary "route" and retest. If it still does not work, then it would be good to verify that the routing between the server and the PIX is fine. For example, that the PIX has a route to the server, and that the server has a default route that takes traffic to the PIX.

    Hope this helps

    -Jouni

  • ACS 5.1 - command line filters do not work in config mode

    Hello

    I am trying to set up command line filters to deny sniffer commands being entered. I have set up a command set and applied it to an authorization policy. The command filter works great for commands in privileged mode. However, the filter does not work for any command that is entered in configuration mode.

    I have a set of commands to deny for a test setup:

    show clock
    terminal length
    show monitor
    remote-span
    monitor session

    The first three commands are entered from privileged mode and they are denied by the ACS. The last two commands can be entered in config mode and the ACS does not stop their entry.

    I have attached two screenshots that show the command set configuration on the ACS and a terminal session showing which commands are filtered and which are let through.

    Has anyone encountered this problem? Is there something else I should be adding to the command Set? Is this a bug?

    There is a bug on the Cisco site that relates to the command filters:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf08567

    I don't know if this bug applies to this question because there is so little information on this subject. In addition, if it does not I don't understand workaround to apply it to this situation.

    Any advice would be greatly appreciated. -(ACS Version 5.1.0.44.2)

    Dave was soon

    Do you have authorization for configuration mode enabled on the router?

    If this isn't the case, add:

    aaa authorization config-commands
