
AAA Authentication Failed

CSCO11702470
Level 1

Hi Experts,

I face a problem when I try to log in to the router using AAA authentication. The router then uses the local password for the login.

I paste below the result after debugging AAA authentication:

*Sep 22 15:43:32.194: AAA/BIND(000115D0): Bind i/f 
*Sep 22 15:43:32.198: AAA/AUTHEN/LOGIN (000115D0): Pick method list 'default'
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.3.251:1645,1646 is not responding.
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.3.251:1645,1646 is being marked alive.
*Sep 22 15:43:56.010: AAA/AUTHEN/LINE(000115D0): GET_PASSWORD   ----> authentication failed then router find local password
*Sep 22 15:44:19.330: AAA/AUTHEN/LINE(000115D0): PASS

I need your expertise.

Thanks.

3 Replies

padatta
Level 1

Hi,

  Please paste the 'show run | in aaa' output and obtain the following debugs again.

debug aaa authentication

debug radius authentication

  Also make sure the network path between router and AAA server is 'clean'. Do you see any drops while running a continuous ping (say repeat 1000) to AAA server from the router?

Thanks,

Paps

Below is my AAA config:

aaa new-model
!
!
aaa authentication login default group radius local line
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
aaa session-id common

!

!

radius-server host 192.168.3.251 auth-port 1645 acct-port 1646 key *******

!

If I ping the RADIUS server, there are no drops. That means the router and the RADIUS server are reachable.

Thanks

Hi Muhammad,

From the debugs it seems that the router does not get any response from the radius server, marks it as dead and then falls back to the local authentication.

Also, is the radius server actually listening on ports 1645 and 1646 for authentication and accounting? You may try changing the ports to 1812 and 1813 respectively in the radius server command.

If it is a Windows server, please try disabling Windows Firewall and see if it helps.

If the issue still persists, please provide the following info:

What radius server do we have? Is it an ACS server or Microsoft IAS?

Is there any other device in between the router and the ACS server which could be blocking UDP traffic on 1645/1812,1646/1813?

Are we seeing any hits on the radius server when the user tries to authenticate?

Thanks,

Amitashwa
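
An added example, not posted by anyone in this thread: a small Python parser for `debug aaa authentication` output that flags logins decided by a fallback method after a RADIUS timeout, which is the sequence the debugs in the first post show. The function names and the fixed year are assumptions of the example; the sample input is the debug output from the first post.

```python
import re
from datetime import datetime

# Debug lines copied from the first post (the poster's inline "---->" note removed).
SAMPLE = """\
*Sep 22 15:43:32.194: AAA/BIND(000115D0): Bind i/f
*Sep 22 15:43:32.198: AAA/AUTHEN/LOGIN (000115D0): Pick method list 'default'
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.3.251:1645,1646 is not responding.
*Sep 22 15:43:56.010: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.3.251:1645,1646 is being marked alive.
*Sep 22 15:43:56.010: AAA/AUTHEN/LINE(000115D0): GET_PASSWORD
*Sep 22 15:44:19.330: AAA/AUTHEN/LINE(000115D0): PASS
"""

STAMP = re.compile(r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
AAA = re.compile(r"AAA/AUTHEN/(\w+)\s*\(([0-9A-Fa-f]+)\): (.*)")
DEAD = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server ([\d.]+):(\d+),(\d+)")

def ts(text):
    # These timestamps carry no year; a fixed one is assumed so deltas can be computed.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def find_fallback_logins(log):
    """Return logins whose result was logged by another method after a RADIUS timeout."""
    open_sessions, findings = {}, []
    for raw in log.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue
        when, msg = ts(m.group(1)), m.group(2)
        dead = DEAD.search(msg)
        if dead:
            # A timeout affects every login that is still waiting on the server.
            for s in open_sessions.values():
                s.update(server=dead.group(1), auth_port=int(dead.group(2)),
                         waited=round((when - s["start"]).total_seconds(), 3))
            continue
        aaa = AAA.search(msg)
        if not aaa:
            continue
        stage, sid, detail = aaa.group(1), aaa.group(2), aaa.group(3).strip()
        if detail.startswith("Pick method list"):
            open_sessions[sid] = {"session": sid, "start": when, "server": None}
        elif sid in open_sessions and detail in ("PASS", "FAIL"):
            s = open_sessions.pop(sid)
            if s["server"]:  # a RADIUS timeout preceded this result
                s.update(method=stage, result=detail)
                findings.append(s)
    return findings
```

On the sample it returns one finding: session 000115D0 waited 23.812 seconds on 192.168.3.251 port 1645 and was then passed by the LINE method.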