RADIUS issues [resolved]

Answered Question
Jul 29th, 2010

Good afternoon fellow Cisco gods.  =]  I'm trying to configure RADIUS to work in my PacketTracer, and can't seem to get it to work.  I can telnet to it, but it keeps failing on me.  I just have the server (10.10.0.10), a switch with nothing special other than an IP address on VLAN1, and then the router (10.10.0.1), also nothing special, just a basic configuration.


The end goal is to set up RADIUS to work for telnet, console, and enable, yet still retain the local user database in case network issues prevent communication with the RADIUS server.


Thanks in advance.  My head is hurting from trying to get this working.  Take care!


telnet.png

radius server.png

Here is the running configuration on the router, and its version information:


Router#sho run
Building configuration...

Current configuration : 683 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
 login
line vty 0 4
 login
 login authentication default
!
!
!
end


Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.

System returned to ROM by power-on
System image file is "c2800nm-advipservicesk9-mz.124-15.T1.bin"

<--omitted-->

cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
239K bytes of NVRAM.
62720K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


Here is the debug AAA:

*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'
*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'
*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'

Correct Answer by pravm about 6 years 10 months ago

Shaun

The configuration on your router looks good. But I couldn't find the radius debugs captured from the router. Also, we have to make sure that your router is defined as a client on your AAA server. You can also use "ip radius source-interface <interface name>" to explicitly say that a particular IP address will be used to communicate with the AAA server. Until we confirm that these things are perfect, we will not be able to proceed.


Thanks,

Praveen Kumar , M.

Correct Answer by rowshi about 6 years 10 months ago

On the AAA server you need to add "10.10.0.1" (f0-0.router) as a "client."


If your Packet Tracer network is quite large, this can be a pain, as you may not always know which IP address the AAA server sees the traffic originating from.  That means you need to add every single interface's address as a radius/tacacs client on the AAA server.


It would be nice if they added wildcard support for the AAA server in Packet Tracer.


Other than that, your router config looks good.
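To make the server-side behaviour behind this answer concrete, here is an added Python example (not from the thread or from Packet Tracer) that builds an RFC 2865 Access-Request with a PAP-encoded User-Password and shows how a RADIUS server answers depending on whether the NAS source address is in its client table and whether the shared secret matches. The shared secret, client table and user database are constructed placeholders; the addresses mirror the thread's 10.10.0.1 router and 10.10.0.10 server.

```python
import hashlib
import os
import struct

# Constructed placeholder shared secret (the real key is not shown in the thread).
SECRET = b"constructed-shared-secret"

def pap_transform(data, secret, auth, decode=False):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + prev),
    # where prev is the Request Authenticator, then the previous cipher block.
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, digest))
        out += result
        prev = block if decode else result
    return out

def build_access_request(ident, username, password, secret):
    # Code 1 = Access-Request; attribute 1 = User-Name, 2 = User-Password.
    auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    enc = pap_transform(padded, secret, auth)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def server_handle(packet, src_ip, clients, users):
    # A NAS whose source address is not in the client table gets no reply at
    # all (silent discard): that is why defining the router as a client was the fix.
    if src_ip not in clients:
        return "drop"
    secret = clients[src_ip]
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    pw = pap_transform(attrs[2], secret, auth, decode=True).rstrip(b"\x00")
    return "accept" if users.get(attrs[1]) == pw else "reject"

def demo():
    # Constructed user database; the NAS is the thread's router 10.10.0.1.
    users = {b"me": b"password"}
    req = build_access_request(5, b"me", b"password", SECRET)
    return (server_handle(req, "10.10.0.1", {}, users),
            server_handle(req, "10.10.0.1", {"10.10.0.1": SECRET}, users),
            server_handle(req, "10.10.0.1", {"10.10.0.1": b"wrong"}, users))
```

A mismatched secret produces a garbled password and an Access-Reject, while an undefined client produces no reply at all, so from the router both look like a failed login unless "debug radius" is used to tell them apart.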

pravm Fri, 07/30/2010 - 03:03

Hi Shaun,

From the running configuration you have provided in the query, I don't find any radius-server configuration. I assume you missed pasting it. Apart from that, you can enable "debug radius" and find out why the authentication is failing.

You can use "radius-server host auth-port acct-port non-standard key " for configuring the radius-server, in case you haven't configured it.


Regards,

Praveen Kumar , M.

shaun-murray Fri, 07/30/2010 - 06:24

You're right.  It didn't show it.  Here is the "full" running-config, the enabling of the debug, and the results of trying to telnet to the router.  Thanks for your help!



Router#sho run
Building configuration...

Current configuration : 787 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
radius-server host 10.10.0.10 auth-port 1645 key [email protected]
!
!
!
line con 0
 login
line vty 0 4
 login
 login authentication default
!
!
!
end


Router#debug aaa auth
AAA Authentication debugging is on
Router#
*Jul 30 08:22:38.823: AAA/BIND(5): Bind i/f
*Jul 30 08:22:38.823: AAA/AUTHEN/LOGIN(5): Pick method list 'default'
*Jul 30 08:22:45.515: AAA/BIND(6): Bind i/f
*Jul 30 08:22:45.515: AAA/AUTHEN/LOGIN(6): Pick method list 'default'
*Jul 30 08:22:52.698: AAA/BIND(6): Bind i/f
*Jul 30 08:22:52.698: AAA/AUTHEN/LOGIN(6): Pick method list 'default'


Packet Tracer SERVER Command Line 1.0
SERVER>telnet 10.10.0.1
Trying 10.10.0.1 ...Open

User Access Verification

Username: user
Password:
% Login invalid

Username: user
Password:
% Login invalid

Username: user
Password:

[Connection to 10.10.0.1 closed by foreign host]
SERVER>


shaun-murray Mon, 08/02/2010 - 06:55

Michael/pravm -


Got it!  =]  It was a misconfiguration on the AAA server.  Thank you so much for helping me out.  Here is a SS of the "correct" configuration, along with the running configuration for the router.  Just wish that Packet Tracer was more "robust", in that I could load our company's IOSes into it and use our network equipment, rather than "guessing" that this will work on our production network.


Ah well, 'nother argument for another day.  Cheers!!!



Router#sho run
Building configuration...

Current configuration : 787 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
radius-server host 10.10.0.10 auth-port 1645 key [email protected]
!
!
!
line con 0
 login
line vty 0 4
 login
 login authentication default
!
!
!
end

Router#
*Aug 02 08:51:32.079: AAA/BIND(3): Bind i/f
*Aug 02 08:51:32.079: AAA/AUTHEN/LOGIN(3): Pick method list 'default'
*Aug 02 08:51:40.799: AAA/BIND(3): Bind i/f
*Aug 02 08:51:40.799: AAA/AUTHEN/LOGIN(3): Pick method list 'enable-default'



rowshi Mon, 08/02/2010 - 10:35

If you want to test using your company's actual IOS images and configuration files, you can use a program called GNS3.  It's much more complicated, but it runs the actual IOS files.  There are plenty of tutorials on the web for it.  The only really big downside I can see is that it does not support actual switches.  The switches it does emulate are very basic and don't run any kind of IOS.  Another good thing about GNS3 is that you can have your simulated network use the computer it's running on to interact with the real network, connecting it to real servers such as AAA or DNS.


You have to remember that Packet Tracer isn't a simulator as much as it's a training aid.  It's a great training aid, yes, but it doesn't work like the real deal.


Like I said, GNS3 is quite complicated.  Read the tutorials and the quick-start guide on the website.


GNS3 is available here: http://www.gns3.net/

shaun-murray Mon, 08/02/2010 - 11:19

Yeah, I've installed GNS3.  And you are right, it does use the IOSes.  The issue still remains that they don't support the Nexus architecture, and unfortunately we aren't a "Cisco only shop".  More's the pity; we have Juniper, some 3COM, F5 and AdTran technologies.  So that just complicates things.  If someone were able to come up with an independent network simulator that did REAL networking simulations, they'd make a killing.


Thanks again for all your help sir!

rowshi Mon, 08/02/2010 - 10:19

Unfortunately it doesn't look like Packet Tracer 5.3 supports the "ip radius source-interface" command.


Maybe in the next version.
