10-10-2007 12:16 AM
Hi
I'm trying to set up a 2811 with SSG as radius proxy.
I followed the instructions from http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hssg_c/ssg_rpxh.htm
but can't get it running.
I always get an error like "received unsolicited RADIUS packet".
Can anyone explain why?
Thanks
Stephan
10-16-2007 06:55 AM
Before you configure SSG, you have to verify the following:
SSD, SSG, and Authentication, Authorization, and Accounting (AAA) are all running, and all network entities can ping one another.
The remote user can ping any host in the default network (SSG, SSD, AAA) before logging on to the SSD server.
The remote client cannot ping the remote service destination network.
After all the SSG commands are configured, you must verify that the next hop table for the user's services has been successfully downloaded. Issue the show ssg binding command.
show ssg binding
show ssg next-hop
show ssg direction
12-14-2007 05:28 AM
Hi Stephan,
Were you able to get any updates on this?
I'm also in need of some information about the SSG functionality on a c2811 with c2800nm-adventerprisek9-mz.124-3f.bin.
Thanks,
Ranil
12-14-2007 06:06 AM
Hi Ranil
Yes, meanwhile it works. I found it out myself. The main problem is that I configured too much.
RADIUS Proxy is a very small configuration. If you configure one SSG option too many, it doesn't work any more.
The second problem I ran into was that I tried to work with "aaa group server" for the RADIUS servers. SSG RADIUS Proxy can't work with it. I don't know why, but you have to configure them as global RADIUS proxies on the router.
Here are my configuration snippets:
=============================
=== global configurations ===
=============================
aaa new-model
ip cef
ssg enable
ip radius source-interface FastEthernet0/1
radius-server host 172.20.10.10 auth-port 1812 acct-port 1813 key xyz
=============================
=== radius clients that send requests to the SSG, one "client-address..." entry for each ===
=============================
ssg radius-proxy
server-port auth 1812 acct 1813
client-address 10.10.10.10
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.11
key abcdefg
session-identifier username
no host-route insert
!
client-address 10.10.10.12
key abcdefg
session-identifier username
no host-route insert
.
.
.
=============================
=== interface configuration(s) ===
=============================
interface FastEthernet0/0
no ip address
shutdown
duplex full
speed 100
!
interface FastEthernet0/1
description *** Radius-Proxy ***
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
ssg direction downlink
Greetings
Stephan
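An added example, not part of Stephan's post or of Cisco's documentation: a small Python check that scans an IOS configuration for the pitfalls described above, namely RADIUS servers placed in an "aaa group server" while "ssg radius-proxy" is in use and no global "radius-server host" line. The function name, finding codes and the BAD sample are hypothetical, and treating a client-address block without a key as a problem is an assumption of this example.

```python
# Added example; BAD is a constructed config, GOOD is trimmed from the post.
GOOD = """\
radius-server host 172.20.10.10 auth-port 1812 acct-port 1813 key xyz
ssg radius-proxy
client-address 10.10.10.10
key abcdefg
session-identifier username
"""
BAD = """\
aaa group server radius SSG_PROXY
server 172.20.10.10 auth-port 1812 acct-port 1813
!
ssg radius-proxy
client-address 10.10.10.10
key abcdefg
!
client-address 10.10.10.11
session-identifier username
"""

def audit_ssg_radius_proxy(config_text):
    """Return (code, detail) findings; an empty list means none were found."""
    clients, groups, hosts = {}, [], []   # clients: address -> key or None
    proxy_seen = in_proxy = False
    current = None
    for raw in config_text.splitlines():
        ln = raw.strip()  # the post's config is unindented, so ignore indent
        if ln.startswith("aaa group server radius "):
            groups.append(ln.split()[-1])
        elif ln.startswith("radius-server host "):
            hosts.append(ln.split()[2])
        elif ln == "ssg radius-proxy":
            proxy_seen = in_proxy = True
        elif ln.startswith("interface "):
            in_proxy, current = False, None
        elif ln == "!":
            current = None                # end of one client-address block
        elif in_proxy and ln.startswith("client-address "):
            current = ln.split()[1]
            clients[current] = None
        elif in_proxy and current and ln.startswith("key "):
            clients[current] = ln.split(None, 1)[1]
    if not proxy_seen:
        return []                         # nothing to audit without the proxy
    findings = [("aaa-group-server", g) for g in groups]
    if not hosts:
        findings.append(("no-global-radius-server", ""))
    findings += [("client-missing-key", a) for a, k in clients.items() if k is None]
    return findings
```

Calling audit_ssg_radius_proxy() on a saved running-config returns one tuple per problem, so it can be used as a pre-change check before touching a working proxy.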