Thank you for your quick response. I have IP radius source-interface Ethernet0/1, which is my internal interface. It should be in the config file I included in my initial post.

And yes, the secret key is the same on both ends, and I can ping the RADIUS server. In fact, the RADIUS server can surf the Internet through the router, although other connected computers cannot.

I have turned on debug aaa authentication and radius, and I do not see any debug messages when a computer tries to authenticate. I do see debug messages when I try to log into the Cisco router using HyperTerm. I get Access-Reject messages (this is fine--I'm not worried about authenticating--as long as I can get an Access-Reject message, then I know the two devices are communicating) and also "Response failed decrypt", as well as "Marking server 172.26.0.2:1812,1813 dead, Tried all servers, No valid server found."

However, using Wireshark, I see PPPoED Active Discovery Initiation broadcasts from the test computer (not server), but nothing from the Cisco router. The RADIUS server does not respond because the test computer is not an authorized client. It appears as though the router is not forwarding the requests to the RADIUS server.

??

The few things that stood out for me were the absence of:

aaa authentication enable default group radius local

The redundancy of the key specification in:

radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret

radius-server retransmit 3

radius-server key secret

Note: I would specify it one way, and not both. My preference is to specify it in the same command line as the IP.

... and, since I am not familiar with the "aaa processes" command, I am not sure whether "6" is an appropriate setting or not.

I do believe it would be beneficial for you to focus on the AAA Client (router) to AAA Server interaction first.

In Wireshark preferences | Protocols | Radius, there is a "Shared Secret" field where you can enter your RADIUS password. This will enable you to see the content of your RADIUS packets unencrypted. This may help you see what is going on.

The debug messages encountered when logging in to the router suggests to me that there is communication between the router (AAA client) and the RADIUS server.

The "Response failed decrypt" message suggests that there may be a shared password issue despite the fact that you don't believe it. The marking the server dead, and no valid server found "may" be an extension of the decryption failure, but I'm not 100% sure. Worth considering though.

It is not clear to me what the PPPoED in your post is all about. It appears that you are using a PPPoE client on the test computer; that you think the router is some how going to respond to it based on your configuration (but it doesn't).

I suspect there is a disconnect between the configuration of the router, and what you are expecting in interaction between the test computer and router.

I'm not sure what to make of the - "The RADIUS server does not respond because the test computer is not an authorized client." statement. The Radius server should respond to the AAA Client which is the router.

Contrary to your statements, you're not likely an idiot, you're just covering new ground. It's part of getting to where you want to go.

I've tried posting this several times today, but it has yet to show up. Please forgive me if this appears multiple times:

Thank you for your response; it was very helpful, and I believe I am making progress.

>> aaa authentication enable default group radius local

The "local" method is not accepted by my router; it will only accept enable, group, line, none, or .

I removed the "aaa processes" command since it seemed to not be affecting anything. Not sure about it, but it was in a config I copied from a document I found on the Internet.

Thank you for the tip about Wireshark and RADIUS encryption. I took a look at the user password, and it is listed correctly in the Access-Request packets, except it is appended with a series of eight /000. Howerver, this is the USER password, not the shared secret. I was unable to locate the shared secret anywhere in the packet.

The PPPoED references concern the access authentication attempts from my test workstation. I wanted to see if the router, which is the RADIUS client, is passing the authentication requests to the RADIUS server. It is not, except for local authentication attempts using HyperTerm. I am trying to get it set up so it will pass all authentication requests to the RADIUS server. However, I may be doing this incorrectly as I have never set up network authentication before, other than Windows computers on a workgroup LAN or using ADS. For authentication testing, I set up Dial-Up Networking using Broadband Connection Settings. Should I be using or doing something different?

Lastly, as for my idiot reference, that was an abbreviation of the half-page grovel I usually include in all listserv posts to avoid people flaming me for wasting electrons. Thank you for your kindness and patience.

I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.

The command I shared:

aaa authentication enable default group radius local

... was erroneous. The keyword should have been "enable", as you have discovered.

Therefore use:

aaa authentication enable default group radius enable

When I view a Wireshark trace I see the following:

AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"

Like you, I see the user password appended with the group of \000 grouping's.

Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).

I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.

The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.

My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.

However, there are other mainstream authentication methods that I think you should investigate as well.

You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.

I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.

The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.

I think you should:

1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.

2. Investigate whether PPPoE support exists on your router's interfaces.

3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).

4. Decide which methods appeals to you.

5. Dive in.

I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.

I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.

Good luck.

> I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.

This is exactly what I was doing. Thank you.

> 1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.

Done. This was a Doh! moment--I'd forgotten to add the IP address of the router to the RADIUS server's client list. A few hours of sleep helped. Once I added the router to the client list, I was able to immediately authenticate against the RADIUS database and log in using HyperTerm. However, the router still does not pass the test workstation's network authentication request packets to the RADIUS server.

> 2. Investigate whether PPPoE support exists on your router's interfaces.

ppp is an unrecognized router Interface command. However, the 'aaa authentication ppp default if-needed group radius local'command is supposed to apply the command to all interfaces.

I've worked through most of the issues. My RADIUS server and router are communicating as far as logging into the router itself, but the router is still not passing network authentication requests (Broadband Connection using the Dial-up and VPN settings) to the RADIUS server. And, I can access the Internet even though my test workstation has not authenticated. These seem to be the last issues I have to resolve.

The "ppp authentication" interface configuration mode command is used to enable PPP authentication on an interface. The fact that this command is not available on the interfaces (Ethernet?) that you wish to establish PPP authentication on, suggests that you will not succeed.

With respect to the "aaa authentication ppp default if-needed group radius local" global command, the "if-needed" keyword means the user is not authenticated (if) they have already authenticated on a TTY line.

I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?

OK, I upgraded my router to a 2621 running a newer OS and was able to add 'pppoe enable' to the interface to turn on pppoe authentication. I also removed the 'if-needed' method. However, the PPPoE authentication packets are still not being forwarded to the router, and I can still access the Internet without authenticating.

> I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?

I do not know whether this is the appropriate tool to use or not. We offer FTTH Internet service--no DSL, dial-up, or cable--which has been strictly plug and play until recently. All customers had to do was get the fiber box activated at their premises, plug their equipment into the Ethernet ports, and they were on the Internet. However, I now have to find a cost-effective way of enforcing authentication so we can track bandwidth usage. I have never done this before. If this is not the appropriate tool, then what is?

Thank you.

Tenacious.

Found the following URL that may have some information worthy of your attention:

http://www.carricksolutions.com/windowsxp.php

I have not read it, but it suggests that there is some native PPPoE support on XP, and provides some info on how to configure/troubleshoot it.

If the native functionality doesn't suit you, perhaps you should identify a freeware PPPoE client for testing purposes.

If you have not done so, I still think you should take a quick look at 802.1x and Authentication Proxy, for comparative purposes, if nothing else.

Authentication Proxy would only require a browser, and would not add additional encapsulation, or complexity (e.g.: software installation).

Ignore this...I think I just answered my own question. This document is about PORT based authentication--I'm looking for user authentication.

Just a quick question about this...I've been reading up on 802.1x, and I have a 2950 switch that should be capable of performing this. However, I am not clear on whether the two supported topologies (Point-to-Point or Wireless LAN) would work for my environment. All of my customers come into the switch on a single trunk port. How would either of these topologies work in this situation? According to document 78-11380-02 (Configuring 802.1x Port-Based Authentication), P2P allows only one client to be connected to an 802.1x-enabled switch port. Wireless LAN (which we're not) allows multiple hosts, but the first host enables the port for everyone.

Or am I completely missing this? Unfortunately, I have only one 2950 switch, and it is in production. My test switches are 2912s, which are completely different animals. I have not been able to get the 2912s to accept the commands used to configure a 2950 for authentication to test it.

We've used 802.1x on the access ports of our 2950, and you are correct, if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.

If all of your users connect through a single trunk port, this is not a solution for you.

How have things progressed with your PPPoE exploration?

Re: This document is about PORT based authentication--I'm looking for user authentication.

The port is moved into an "authorized" state as a result of "user authentication".

I.E.: The user uses an 802.1x supplicant on the host to facilitate the exchange of credentials (username and password) with the Authenticator (802.1x enabled switch).

As you may have guessed, I'm pretty confused at this point.

If the port is moved into an authorized state as a result of user authentication and all of my users come into the switch on a single trunk port, then am I correct in assuming this will not work for my situation?

Correct.

Per my post at 3:31pm PST:

"... if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.

If all of your users connect through a single trunk port, this is not a solution for you."

Today's post was the first indication that all your users came through the same trunk port. Had I known previously, I wouldn't have suggested that you read up on 802.1x.

Authentication Proxy would facilitate downloadable per-user ACLs on the same interface for multiple user's. It would be worth investigation.

Presumably, you saw the links I posted earlier with config/troubleshooting guidance for PPPoE. How has that investigation progressed?