09-22-2010 01:58 AM - edited 03-10-2019 05:25 PM
Hi Experts,
I face a problem when I try to log in to the router using AAA authentication. The router then gets the local password to log in.
I paste below the result after debugging AAA authentication:
*Sep 22 15:43:32.194: AAA/BIND(000115D0): Bind i/f
*Sep 22 15:43:32.198: AAA/AUTHEN/LOGIN (000115D0): Pick method list 'default'
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.3.251:1645,1646 is not responding.
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.3.251:1645,1646 is being marked alive.
*Sep 22 15:43:56.010: AAA/AUTHEN/LINE(000115D0): GET_PASSWORD ----> authentication failed then router find local password
*Sep 22 15:44:19.330: AAA/AUTHEN/LINE(000115D0): PASS
I need your expertise.
Thanks.
09-22-2010 03:15 AM
Hi,
Please paste the 'show run | in aaa' output and obtain the following debugs again.
debug aaa authentication
debug radius authentication
Also make sure the network path between router and AAA server is 'clean'. Do you see any drops while running a continuous ping (say repeat 1000) to AAA server from the router?
Thanks,
Paps
09-23-2010 02:11 AM
Below my AAA config:
aaa new-model
!
!
aaa authentication login default group radius local line
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
aaa session-id common
!
!
radius-server host 192.168.3.251 auth-port 1645 acct-port 1646 key *******
!
If I ping the RADIUS server, it does not have any drops. This means the router and the RADIUS server are reachable.
Thanks
09-24-2010 01:50 PM
Hi Muhammad,
From the debugs it seems that the router does not get any response from the radius server, marks it as dead and then falls back to the local authentication.
Also, is the radius server actually listening on ports 1645 and 1646 for authentication and accounting? You may try changing the ports to 1812 and 1813 respectively in the radius server command?
If it is a Windows server, please try disabling Windows Firewall and see if it helps.
If the issue still persists, please provide the following info:
What radius server do we have? Is it an ACS server or Microsoft IAS?
Is there any other device in between the router and the ACS server which could be blocking UDP traffic on 1645/1812,1646/1813?
Are we seeing any hits on the radius server when the user tries to authenticate?
Thanks,
Amitashwa
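The fallback described in the reply above can be found in collected debug output by correlating the AAA session ID with the RADIUS_DEAD message. The Python below is an added example, not part of the original thread: the function name and record fields are hypothetical, the sample is the first post's debug output with the poster's annotation removed, and the year 2000 is a placeholder because the log lines carry no year.

```python
import re
from datetime import datetime

# Debug output from the first post (poster's "---->" annotation removed).
SAMPLE = """\
*Sep 22 15:43:32.194: AAA/BIND(000115D0): Bind i/f
*Sep 22 15:43:32.198: AAA/AUTHEN/LOGIN (000115D0): Pick method list 'default'
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.3.251:1645,1646 is not responding.
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.3.251:1645,1646 is being marked alive.
*Sep 22 15:43:56.010: AAA/AUTHEN/LINE(000115D0): GET_PASSWORD
*Sep 22 15:44:19.330: AAA/AUTHEN/LINE(000115D0): PASS
"""

TS_RE = re.compile(r"^\*?(\w{3} +\d+ [\d:.]+): (.*)$")
AAA_RE = re.compile(r"^AAA/AUTHEN/(\w+) ?\((\w+)\): (.*)$")
DEAD_RE = re.compile(r"^%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+) is not responding")

def find_fallback_logins(text):
    """Logins that PASSed via the LINE method after RADIUS went dead mid-session."""
    started, dead, findings = {}, [], []
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; 2000 is a placeholder so strptime is unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        body = m.group(2)
        d = DEAD_RE.match(body)
        if d:
            dead.append((ts, d.group(1)))
            continue
        a = AAA_RE.match(body)
        if not a:
            continue
        method, sid, event = a.groups()
        if method == "LOGIN" and event.startswith("Pick method list"):
            started[sid] = ts  # session begins when the method list is picked
        elif method == "LINE" and event.startswith("PASS") and sid in started:
            begin = started.pop(sid)
            hits = [(t, srv) for t, srv in dead if begin <= t <= ts]
            if hits:  # RADIUS was declared dead while this login was in progress
                findings.append({"session": sid, "server": hits[0][1],
                                 "passed_via": method,
                                 "radius_wait_s": (hits[0][0] - begin).total_seconds()})
    return findings

if __name__ == "__main__":
    for f in find_fallback_logins(SAMPLE):
        print(f)
```

On the thread's output this reports session 000115D0 passing via LINE, with RADIUS declared dead about 23.8 seconds after the method list was picked.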