05-28-2008 03:10 PM - edited 03-10-2019 03:52 PM
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
!
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Tester
!
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
!
username test password xxx
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
!
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
!
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
!
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
!
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
!
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
Thank you for any assistance you may be able to provide.
Solved! Go to Solution.
06-11-2008 07:51 PM
If you explore Authentication Proxy and it works, it might make you forget PPPoE pretty fast.
If you decide to pursue PPPoE further, the following link is probably where you would find most of Cisco's information on PPPoE:
http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html
Cisco's "Service Providers" forums might provide some guidance on whether PPPoE is achievable with your platform and environment?
06-17-2008 02:58 PM
Absolutely, you need to configure the downloadable ACL on the RADIUS server. If you don't configure it, it can not be passed to the router for installation in the interface ACL.
You need to use the vendor specific AV pair: [026/009/001] cisco-av-pair.
The syntax for the [009\001] cisco-av-pair would be:
auth-proxy:priv-lvl-15
auth-proxy:proxyacl#1-permit tcp any any eq 80
auth-proxy:proxyacl#2-permit tcp any any eq 25
auth-proxy:proxyacl#3-permit tcp any any eq 110
.
etc., depending on your specific desired security policy.
Please review the additional notes in my last post pertaining to the use of the keyword "any".
I have attached a Wireshark capture of the Auth Proxy Access-Accept frame so you can see an example of the AV pairs being passed to the AAA client (router).
Although you are not using Cisco Secure ACS, the following document may still provide some clarity:
http://www.cisco.com/application/pdf/paws/17778/auth_intro.pdf
Also, I've attached two other documents in my possession that I had difficulty finding the links for.
05-28-2008 03:37 PM
First i would suggest you to use IP radius source interface command , so that it use a specific interface for sending radius request to server. We should have same IP listed for router in radius server.
Also ensure that secret key is same, on both ends. We also have NAT , so you may need to change ip on radius server.
Check if you are able to ping radius server from your router ? need to rule out routing issue.
If still it is not working, then get the debugs,
debug aaa authentication
debug radius
Also if possible sniff the radius server and see if request from router is hitting radius.
Regards,
~JG
Do rate helpful posts
05-28-2008 03:56 PM
Thank you for your quick response. I have IP radius source-interface Ethernet0/1, which is my internal interface. It should be in the config file I included in my initial post.
And yes, the secret key is the same on both ends, and I can ping the RADIUS server. In fact, the RADIUS server can surf the Internet through the router, although other connected computers cannot.
I have turned on debug aaa authentication and radius, and I do not see any debug messages when a computer tries to authenticate. I do see debug messages when I try to log into the Cisco router using HyperTerm. I get Access-Reject messages (this is fine--I'm not worried about authenticating--as long as I can get an Access-Reject message, then I know the two devices are communicating) and also "Response failed decrypt", as well as "Marking server 172.26.0.2:1812,1813 dead, Tried all servers, No valid server found."
However, using Wireshark, I see PPPoED Active Discovery Initiation broadcasts from the test computer (not server), but nothing from the Cisco router. The RADIUS server does not respond because the test computer is not an authorized client. It appears as though the router is not forwarding the requests to the RADIUS server.
??
05-28-2008 06:30 PM
The few things that stood out for me were the absence of:
aaa authentication enable default group radius local
The redundancy of the key specification in:
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
Note: I would specify it one way, and not both. My preference is to specify it in the same command line as the IP.
... and, since I am not familiar with the "aaa processes" command, I am not sure whether "6" is an appropriate setting or not.
I do believe it would be beneficial for you to focus on the AAA Client (router) to AAA Server interaction first.
In Wireshark preferences | Protocols | Radius, there is a "Shared Secret" field where you can enter your RADIUS password. This will enable you to see the content of your RADIUS packets unencrypted. This may help you see what is going on.
The debug messages encountered when logging in to the router suggests to me that there is communication between the router (AAA client) and the RADIUS server.
The "Response failed decrypt" message suggests that there may be a shared password issue despite the fact that you don't believe it. The marking the server dead, and no valid server found "may" be an extension of the decryption failure, but I'm not 100% sure. Worth considering though.
It is not clear to me what the PPPoED in your post is all about. It appears that you are using a PPPoE client on the test computer; that you think the router is some how going to respond to it based on your configuration (but it doesn't).
I suspect there is a disconnect between the configuration of the router, and what you are expecting in interaction between the test computer and router.
I'm not sure what to make of the - "The RADIUS server does not respond because the test computer is not an authorized client." statement. The Radius server should respond to the AAA Client which is the router.
Contrary to your statements, you're not likely an idiot, you're just covering new ground. It's part of getting to where you want to go.
05-29-2008 03:25 PM
I've tried posting this several times today, but it has yet to show up. Please forgive me if this appears multiple times:
Thank you for your response; it was very helpful, and I believe I am making progress.
>> aaa authentication enable default group radius local
The "local" method is not accepted by my router; it will only accept enable, group, line, none, or
I removed the "aaa processes" command since it seemed to not be affecting anything. Not sure about it, but it was in a config I copied from a document I found on the Internet.
Thank you for the tip about Wireshark and RADIUS encryption. I took a look at the user password, and it is listed correctly in the Access-Request packets, except it is appended with a series of eight /000. Howerver, this is the USER password, not the shared secret. I was unable to locate the shared secret anywhere in the packet.
The PPPoED references concern the access authentication attempts from my test workstation. I wanted to see if the router, which is the RADIUS client, is passing the authentication requests to the RADIUS server. It is not, except for local authentication attempts using HyperTerm. I am trying to get it set up so it will pass all authentication requests to the RADIUS server. However, I may be doing this incorrectly as I have never set up network authentication before, other than Windows computers on a workgroup LAN or using ADS. For authentication testing, I set up Dial-Up Networking using Broadband Connection Settings. Should I be using or doing something different?
Lastly, as for my idiot reference, that was an abbreviation of the half-page grovel I usually include in all listserv posts to avoid people flaming me for wasting electrons. Thank you for your kindness and patience.
05-29-2008 05:01 PM
I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
The command I shared:
aaa authentication enable default group radius local
... was erroneous. The keyword should have been "enable", as you have discovered.
Therefore use:
aaa authentication enable default group radius enable
When I view a Wireshark trace I see the following:
AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
Like you, I see the user password appended with the group of \000 grouping's.
Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
However, there are other mainstream authentication methods that I think you should investigate as well.
You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
I think you should:
1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
2. Investigate whether PPPoE support exists on your router's interfaces.
3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
4. Decide which methods appeals to you.
5. Dive in.
I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
Good luck.
06-03-2008 03:01 PM
> I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
This is exactly what I was doing. Thank you.
> 1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
Done. This was a Doh! moment--I'd forgotten to add the IP address of the router to the RADIUS server's client list. A few hours of sleep helped. Once I added the router to the client list, I was able to immediately authenticate against the RADIUS database and log in using HyperTerm. However, the router still does not pass the test workstation's network authentication request packets to the RADIUS server.
> 2. Investigate whether PPPoE support exists on your router's interfaces.
ppp is an unrecognized router Interface command. However, the 'aaa authentication ppp default if-needed group radius local'command is supposed to apply the command to all interfaces.
I've worked through most of the issues. My RADIUS server and router are communicating as far as logging into the router itself, but the router is still not passing network authentication requests (Broadband Connection using the Dial-up and VPN settings) to the RADIUS server. And, I can access the Internet even though my test workstation has not authenticated. These seem to be the last issues I have to resolve.
06-03-2008 03:45 PM
The "ppp authentication" interface configuration mode command is used to enable PPP authentication on an interface. The fact that this command is not available on the interfaces (Ethernet?) that you wish to establish PPP authentication on, suggests that you will not succeed.
With respect to the "aaa authentication ppp default if-needed group radius local" global command, the "if-needed" keyword means the user is not authenticated (if) they have already authenticated on a TTY line.
I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?
06-04-2008 11:40 AM
OK, I upgraded my router to a 2621 running a newer OS and was able to add 'pppoe enable' to the interface to turn on pppoe authentication. I also removed the 'if-needed' method. However, the PPPoE authentication packets are still not being forwarded to the router, and I can still access the Internet without authenticating.
> I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?
I do not know whether this is the appropriate tool to use or not. We offer FTTH Internet service--no DSL, dial-up, or cable--which has been strictly plug and play until recently. All customers had to do was get the fiber box activated at their premises, plug their equipment into the Ethernet ports, and they were on the Internet. However, I now have to find a cost-effective way of enforcing authentication so we can track bandwidth usage. I have never done this before. If this is not the appropriate tool, then what is?
Thank you.
06-04-2008 12:20 PM
Tenacious.
Found the following URL that may have some information worthy of your attention:
http://www.carricksolutions.com/windowsxp.php
I have not read it, but it suggests that there is some native PPPoE support on XP, and provides some info on how to configure/troubleshoot it.
If the native functionality doesn't suit you, perhaps you should identify a freeware PPPoE client for testing purposes.
If you have not done so, I still think you should take a quick look at 802.1x and Authentication Proxy, for comparative purposes, if nothing else.
Authentication Proxy would only require a browser, and would not add additional encapsulation, or complexity (e.g.: software installation).
06-11-2008 02:07 PM
Ignore this...I think I just answered my own question. This document is about PORT based authentication--I'm looking for user authentication.
Just a quick question about this...I've been reading up on 802.1x, and I have a 2950 switch that should be capable of performing this. However, I am not clear on whether the two supported topologies (Point-to-Point or Wireless LAN) would work for my environment. All of my customers come into the switch on a single trunk port. How would either of these topologies work in this situation? According to document 78-11380-02 (Configuring 802.1x Port-Based Authentication), P2P allows only one client to be connected to an 802.1x-enabled switch port. Wireless LAN (which we're not) allows multiple hosts, but the first host enables the port for everyone.
Or am I completely missing this? Unfortunately, I have only one 2950 switch, and it is in production. My test switches are 2912s, which are completely different animals. I have not been able to get the 2912s to accept the commands used to configure a 2950 for authentication to test it.
06-11-2008 02:31 PM
We've used 802.1x on the access ports of our 2950, and you are correct, if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.
If all of your users connect through a single trunk port, this is not a solution for you.
How have things progressed with your PPPoE exploration?
06-11-2008 02:57 PM
Re: This document is about PORT based authentication--I'm looking for user authentication.
The port is moved into an "authorized" state as a result of "user authentication".
I.E.: The user uses an 802.1x supplicant on the host to facilitate the exchange of credentials (username and password) with the Authenticator (802.1x enabled switch).
06-11-2008 03:52 PM
As you may have guessed, I'm pretty confused at this point.
If the port is moved into an authorized state as a result of user authentication and all of my users come into the switch on a single trunk port, then am I correct in assuming this will not work for my situation?
06-11-2008 04:11 PM
Correct.
Per my post at 3:31pm PST:
"... if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.
If all of your users connect through a single trunk port, this is not a solution for you."
Today's post was the first indication that all your users came through the same trunk port. Had I known previously, I wouldn't have suggested that you read up on 802.1x.
Authentication Proxy would facilitate downloadable per-user ACLs on the same interface for multiple user's. It would be worth investigation.
Presumably, you saw the links I posted earlier with config/troubleshooting guidance for PPPoE. How has that investigation progressed?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide