05-10-2010 03:20 AM - edited 03-10-2019 05:07 PM
I have an AS5300 IOS (tm) 5300 Software (C5300-I-M), Version 12.2(16) using it as RAS.
I am using FreeRADIUS Version 2.1.8 for accounting purposes.
The problem I am facing is that when opening a ppp dial up connection to the as5300, it is not sending the username. I need the as5300 to send the username so that a realm can be matched.
Below is a snippet of debug output from FreeRADIUS
rad_recv: Accounting-Request packet from host 192.168.0.57 port 1646, id=211, length=97
NAS-IP-Address = 192.168.0.57
NAS-Port = 182
NAS-Port-Type = Async
Called-Station-Id = "02081131234"
Calling-Station-Id = "2075176623"
Acct-Status-Type = Start
Service-Type = Framed-User
Acct-Session-Id = "0000006E"
Framed-Protocol = PPP
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 182,Client-IP-Address = 192.168.0.57,NAS-IP-Address = 217.73.64.57,Acct-Session-Id = "0000006E",'
[acct_unique] Acct-Unique-Session-ID = "93340c227b9a5bca".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
++[files] returns noop
Below is my AAA config from my Cisco
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default none
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group radius
I have tested with radtest with username testing@secureroot and I get the following output, which does find the username and thus the realm. This indicates to me that there is nothing wrong with my FreeRADIUS config.
rad_recv: Access-Request packet from host 127.0.0.1 port 37443, id=212, length=67
User-Name = "testing@secureroot"
User-Password = "mypassword"
NAS-IP-Address = 217.73.64.75
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "secureroot" for User-Name = "testing@secureroot"
[suffix] Found realm "secureroot"
[suffix] Adding Stripped-User-Name = "testing"
[suffix] Adding Realm = "secureroot"
[suffix] Authentication realm is LOCAL.
I have done a tcpdump of my successful radtest and it looks like
15:12:42.183076 IP 87.102.106.147.43340 > 217.73.64.75.1812: RADIUS, Access Request (1), id: 0x64 length: 67
15:12:42.183079 IP 217.73.64.75.1812 > 87.102.106.147.43340: RADIUS, Access Accept (2), id: 0x64 length: 62
Below is the tcpdump of the Cisco communicating with the RADIUS
14:29:59.998964 IP 217.73.64.57.1646 > 217.73.64.75.1813: RADIUS, Accounting Request (4), id: 0xe3 length: 97
14:30:00.003907 IP 217.73.64.75.1813 > 217.73.64.57.1646: RADIUS, Accounting Response (5), id: 0xe3 length: 20
14:30:12.061861 IP 217.73.64.57.1646 > 217.73.64.75.1813: RADIUS, Accounting Request (4), id: 0xe4 length: 150
14:30:12.063124 IP 217.73.64.75.1813 > 217.73.64.57.1646: RADIUS, Accounting Response (5), id: 0xe4 length: 20
The tcpdump shows that when opening a PPP connection to the Cisco it is not sending any access requests to port 1812, only accounting packets. Something is definitely wrong with the config on the Cisco.
I am thinking I have missed something simple.
Thanks
05-16-2010 12:32 AM
Athiqur,
Consider, if you haven't received any solution on this.
If you are not seeing RADIUS access requests coming from the AS5300, that means it's not trying to communicate over UDP port 1812, which is what we have configured on the FreeRADIUS server.
Could you please issue the below listed command and see if that helps;
radius-server host
Command reference:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_r1gt.html#wp1173811
Also if that doesn't help, please provide me the o/p of the following debugs;
debug aaa authentication
debug radius
term mon
Also send me the "Sh Run" from the IOS.
Regds,
JK
Do rate helpful posts-
05-17-2010 01:14 AM
Thanks, but I have solved the problem. The Cisco was not sending requests to RADIUS because I was missing the line
ppp authentication chap pap
in the Dialer interface.
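The symptom in this thread, accounting Start records that carry no User-Name because the NAS never sent an Access-Request for the PPP session, can be checked for directly in FreeRADIUS debug output. The following is an added example, not code from any poster in the thread; the sample log is constructed in the format of the debug output shown above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the FreeRADIUS debug output quoted in the thread.
SAMPLE = """\
rad_recv: Accounting-Request packet from host 192.168.0.57 port 1646, id=211, length=97
\tNAS-Port = 182
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000006E"
+- entering group preacct {...}
rad_recv: Access-Request packet from host 127.0.0.1 port 37443, id=212, length=67
\tUser-Name = "testing@secureroot"
+- entering group authorize {...}
rad_recv: Accounting-Request packet from host 192.168.0.57 port 1646, id=213, length=120
\tUser-Name = "testing@secureroot"
\tNAS-Port = 183
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000006F"
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")

def parse_packets(text):
    """Split debug output into packets: dicts with code, host, id and attrs."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m.group(1), "host": m.group(2), "id": int(m.group(3)), "attrs": {}}
            packets.append(current)
            continue
        a = ATTR.match(line)
        if current is not None and a:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
        else:
            current = None  # module trace lines ("+- entering group ...") end the attribute list
    return packets

def anonymous_sessions(packets):
    """Accounting Start records with no User-Name: sessions opened without an identity."""
    return [(p["host"], p["attrs"].get("NAS-Port"), p["attrs"].get("Acct-Session-Id"))
            for p in packets
            if p["code"] == "Accounting-Request"
            and p["attrs"].get("Acct-Status-Type") == "Start"
            and "User-Name" not in p["attrs"]]

if __name__ == "__main__":
    for host, port, sid in anonymous_sessions(parse_packets(SAMPLE)):
        print(f"NAS {host} port {port} session {sid}: accounting Start without User-Name")
```

Any hit means the NAS brought up a session that the RADIUS server never authenticated, which is the condition the missing `ppp authentication chap pap` line produced here.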