RADIUS password "cisco"

Answered Question
Dec 30th, 2007

I authenticate users establishing a ppp connection into a 12.4(17a) 2811 router. They have a password, however the router always sends "cisco" as password string to the freeradius server. Any ideas?

Richard Burts Sun, 12/30/2007 - 18:35

MATTHIAS

The 2811 will communicate with the Radius server to establish a connection using a shared key and then will send the authentication request to the Radius server which will include the user password. I am not clear from your post whether it is the first communication to establish the connection or the user authentication request which is sending the "cisco" password. Can you clarify?

Also how are you determining what password the 2811 is sending?

It might be helpful if you would post the config of the 2811.

HTH

Rick

MATTHIAS SCHAERER Mon, 12/31/2007 - 03:32

Hi Rick,

it is the password in the authentication request that I am referring to. We can see it on the freeradius server and, although it is set to something different in the clients, the 2811 transfers "cisco". The clients are non-Cisco devices, so it is very likely that they are not the source of this string.

Here's the RADIUS part of my config:

aaa new-model
!
aaa group server radius AAA-CLIENT-VPN2-GROUP
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local
aaa authorization network default group AAA-CLIENT-VPN2-GROUP local
aaa accounting update periodic 2
aaa accounting network default start-stop group AAA-CLIENT-VPN2-GROUP
!
aaa pod server auth-type any server-key
aaa session-id common
!
interface FastEthernet0/0
 ip address 10.10.10.254 255.255.255.0
!
interface FastEthernet0/1
 ip address x.x.x.114 255.255.255.248
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address dhcp-pool DHCP-POOL-CLIENT-VPN2
 ppp authentication pap chap ms-chap
!
ip radius source-interface FastEthernet0/0
!
radius-server attribute 44 include-in-access-req
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key
radius-server unique-ident 2

Thanks,

Mat

Correct Answer
Richard Burts Tue, 01/01/2008 - 17:43

Mat

I see an issue and am not sure if it is really an issue in the config or just an issue with getting data into the posting. In the authentication statement for ppp:

aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local

the group name AAA-CLIENT-VPN2-GROUP appears as the method name and not as the radius group. I wonder what would happen if you replace it with this:

aaa authentication ppp group AAA-CLIENT-VPN2-GROUP local

HTH

Rick

MATTHIAS SCHAERER Wed, 01/02/2008 - 01:43

Hi Rick,

Thanks for your reply. You are right, I sort of mixed up the two lists. As soon as I can contact my peer on the RADIUS server side I'll check if this changes the behavior.

Regards,

Mat

vpn-03(config)#aaa authentication ppp ?
  WORD     Named authentication list.
  default  The default authentication list.

vpn-03(config)#aaa authentication ppp AAA-CLIENT-VPN2-GROUP group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

MATTHIAS SCHAERER Wed, 01/02/2008 - 03:47

Rick,

I tested it now with the syntax you proposed and it was successful. Thanks for your idea. I previously thought that not entering the list would default to any configured RADIUS server (which partly is the case). But for the password sending apparently there is a different mechanism with or without the right group name.

Thanks again. That's a good start for this year!

Regards,

Mat

Richard Burts Wed, 01/02/2008 - 04:26

Mat

I am glad that my suggestion was able to resolve your issue. I believe that the issue has less to do with whether you supply the group name or not and more to do with the fact that you had created a named method list. So ppp authentication had no default method configured, had a named method configured, but had nothing to tell ppp to use the named method.

Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can read what was successful in resolving the issue.

I encourage you to continue your participation in the forum.

HTH

Rick
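The mix-up Rick describes (a named ppp method list that nothing applies, and no default list) is easy to miss by eye. The following Python config audit is an added example, not part of the thread or of any Cisco tool: it parses the AAA lines as posted above, flags a ppp method list whose name collides with a RADIUS server group, a named list that no interface references, and a missing default list when an interface relies on it. The keyword set for `ppp authentication` is my assumption about the common IOS forms.

```python
import re

# Constructed sample: the AAA section as posted in the thread, where the
# ppp method list carries the name of the RADIUS server group (the mix-up).
BROKEN = """\
aaa new-model
aaa group server radius AAA-CLIENT-VPN2-GROUP
 server 10.10.10.1 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp authentication pap chap ms-chap
"""
# Same config with the line Rick proposed: a default list that uses the group.
FIXED = BROKEN.replace(
    "aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local",
    "aaa authentication ppp default group AAA-CLIENT-VPN2-GROUP local")

# Tokens that may follow "ppp authentication" without being a list name
# (assumed set of protocols and options; anything else is read as a list).
PPP_KEYWORDS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap",
                "if-needed", "callin", "one-time", "optional"}

def audit_aaa_ppp(config):
    """Return (code, detail) findings about ppp authentication method lists."""
    groups, lists, used = set(), {}, set()
    for line in config.splitlines():
        if m := re.match(r"^aaa group server radius (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"^aaa authentication ppp (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).split()   # list name -> methods
        elif m := re.match(r"^\s+ppp authentication (.+)", line):
            names = [t for t in m.group(1).split() if t not in PPP_KEYWORDS]
            used.add(names[0] if names else "default")  # no name = default
    findings = []
    for name, methods in lists.items():
        if name in groups:          # list named like a server group: the mix-up
            findings.append(("LIST_NAMED_LIKE_GROUP", name))
        if name != "default" and name not in used:
            findings.append(("LIST_NEVER_APPLIED", name))
        for i, tok in enumerate(methods[:-1]):   # "group X" must name a group
            if tok == "group" and methods[i + 1] not in groups | {"radius", "tacacs+"}:
                findings.append(("UNKNOWN_GROUP", methods[i + 1]))
    if "default" in used and "default" not in lists:
        findings.append(("NO_DEFAULT_LIST", "default"))
    return findings
```

Run against the two constructed configs, the broken one yields three findings and the fixed one none.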
