RADIUS-error on 3640 using MS IAS

Unanswered Question

Hi everyone,


I'm having trouble with MS IAS and a 3640 for dial-in. The user is

authenticated fine - but authorization fails with:


"RADIUS: unrecognized Microsoft VSA type 10"

"RADIUS: no appropriate authorization type for user"


From what I've found these would be the case when the attributes

Service-Type=Framed and Framed-Protocol=PPP are missing from the

RADIUS-server. These settings are however there in the default dial-in

profile in MS IAS.



Any thoughts??


Config and debug below.


Thanks !


Johan


3w6d: %ISDN-6-CONNECT: Interface Serial1/0:2 is now connected to 858714800

3w6d: %LINK-3-UPDOWN: Interface Async30, changed state to up

3w6d: As30 PPP: Treating connection as a dedicated line

3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218

3w6d: As30 MS-CHAP: O CHALLENGE id 6 len 22 from "Cisco-RAS"

3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218

3w6d: As30 MS-CHAP: O CHALLENGE id 7 len 22 from "Cisco-RAS"

3w6d: As30 MS-CHAP: I RESPONSE id 7 len 70 from "INSIDE\rasdialin"

3w6d: AAA: parse name=Async30 idb type=10 tty=30

3w6d: AAA: name=Async30 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=30 channel=0

3w6d: AAA: parse name=Serial1/0:2 idb type=13 tty=-1

3w6d: AAA: name=Serial1/0:2 flags=0x55 type=1 shelf=0 slot=1 adapter=0 port=0 channel=2

3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218

3w6d: AAA/MEMORY: create_user (0x615B78A0) user='INSIDE\rasdialin' ruser='NULL' port='Async30' rem_addr='858714800/0858765920' authen_type=MSCHAP service=PPP priv=1 initial_task_id='0'

3w6d: RADIUS: ustruct sharecount=0

3w6d: Radius: radius_port_info() success=1 radius_nas_port=1

3w6d: RADIUS: Initial Transmit Async30 id 43 172.16.16.252:1645, Access-Request, len 165

3w6d: Attribute 4 6 AC1010FB

3w6d: Attribute 5 6 0000001E

3w6d: Attribute 61 6 00000000

3w6d: Attribute 1 18 494E5349

3w6d: Attribute 30 12 30383538

3w6d: Attribute 31 11 38353837

3w6d: Attribute 26 16 000001370B0A64BA

3w6d: Attribute 26 58 0000013701340701

3w6d: Attribute 6 6 00000002

3w6d: Attribute 7 6 00000001

3w6d: RADIUS: Received from id 43 172.16.16.252:1645, Access-Accept, len 119

3w6d: Attribute 7 6 00000001

3w6d: Attribute 6 6 00000004

3w6d: Attribute 25 32 5F1B06C0

3w6d: Attribute 26 40 000001370C224097

3w6d: Attribute 26 15 000001370A090749

3w6d: As30 AAA/AUTHOR/LCP: Authorize LCP

3w6d: As30 AAA/AUTHOR/LCP (548968306): Port='Async30' list='' service=NET

3w6d: AAA/AUTHOR/LCP: As30 (548968306) user='INSIDE\rasdialin'

3w6d: As30 AAA/AUTHOR/LCP (548968306): send AV service=ppp

3w6d: As30 AAA/AUTHOR/LCP (548968306): send AV protocol=lcp

3w6d: As30 AAA/AUTHOR/LCP (548968306): found list "default"

3w6d: As30 AAA/AUTHOR/LCP (548968306): Method=radius (radius)

3w6d: RADIUS: unrecognized Microsoft VSA type 10

3w6d: RADIUS: no appropriate authorization type for user.

3w6d: As30 AAA/AUTHOR (548968306): Post authorization status = FAIL

3w6d: As30 AAA/AUTHOR/LCP: Denied

3w6d: As30 MS-CHAP: O FAILURE id 7 len 24 msg is "Authorization failed"

3w6d: AAA/MEMORY: free_user (0x615B78A0) user='INSIDE\rasdialin' ruser='NULL' port='Async30' rem_addr='858714800/0858765920' authen_type=MSCHAP service=PPP priv=1

3w6d: As30 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

3w6d: AAA/ACCT/DS0: channel=2, ds1=0, t3=0, slot=1, ds0=16777218

3w6d: %ISDN-6-DISCONNECT: Interface Serial1/0:2 disconnected from 858714800, call lasted 25 seconds


version 12.2

no parser cache

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Cisco-RAS

!

no logging rate-limit

aaa new-model

aaa authentication login default group radius local

aaa authentication login NO_AUTHEN none

aaa authentication ppp default if-needed group radius local

aaa authorization network default group radius

enable secret xxxxxxxxxxxxxxxxxxxxx

enable password xxxxxxxxxxxxxxxxx

!

modem country mica sweden

ip subnet-zero

!

!

no ip domain-lookup

!

no ip dhcp-client network-discovery

isdn switch-type primary-net5


!

controller E1 1/0

framing NO-CRC4

pri-group timeslots 1-31

!

controller E1 1/1

!

!

interface FastEthernet1/0

ip address 172.16.16.251 255.255.240.0

duplex auto

speed auto

!

interface Serial1/0:15

ip unnumbered FastEthernet1/0

encapsulation ppp

dialer pool-member 1

isdn switch-type primary-net5

isdn incoming-voice modem

no fair-queue

ppp callback accept

ppp authentication pap

ppp multilink

!

interface Group-Async1

ip unnumbered FastEthernet1/0

encapsulation ppp

async mode interactive

peer default ip address dhcp

ppp callback accept

ppp authentication ms-chap chap

group-range 1 30

!

interface Dialer1

ip unnumbered FastEthernet1/0

encapsulation ppp

dialer pool 1

dialer-group 1

peer default ip address dhcp

ppp callback accept

ppp authentication ms-chap chap

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.16.16.254

no ip http server

!

dialer-list 1 protocol ip permit

radius-server host 172.16.16.252 auth-port 1645 acct-port 1646 key 7 121A0C04110402013E3C2B3A383C2C14

radius-server retransmit 3

!

line con 0

exec-timeout 0 0

password xxxxxxxxxx

logging synchronous

login authentication NO_AUTHEN

line 1 30

no exec

modem InOut

modem autoconfigure type mica

rotary 1

transport preferred telnet

transport input all

autoselect ppp

line aux 0

password xxxxxx

line vty 0 4

exec-timeout 0 0

password xxxxxxxx

!

!

end



Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3620-I-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Sat 02-Jun-01 14:56 by ccai

Image text-base: 0x600089A8, data-base: 0x60AA0000


ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

ROM: 3600 Software (C3620-I-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1)


Cisco-RAS uptime is 3 weeks, 6 days, 17 minutes

System returned to ROM by reload

System image file is "flash:c3620-i-mz.122-2.t.bin"


cisco 3620 (R4700) processor (revision 0x81) with 26624K/6144K bytes of memory.

Processor board ID 26387501

R4700 CPU at 80Mhz, Implementation 33, Rev 1.0

MICA-6DM Firmware: CP ver 2720 - 5/30/2000, SP ver 2720 - 5/30/2000.

Channelized E1, Version 1.0.

Bridging software.

X.25 software, Version 3.0.0.

Primary Rate ISDN software, Version 1.1.

1 FastEthernet/IEEE 802.3 interface(s)

31 Serial network interface(s)

30 terminal line(s)

2 Channelized E1/PRI port(s)

DRAM configuration is 32 bits wide with parity disabled.

29K bytes of non-volatile configuration memory.

8192K bytes of processor board System flash (Read/Write)


Configuration register is 0x2102






tepatel Fri, 04/19/2002 - 16:02
User Badges: Cisco Employee

Looks like the service-type configured for this user is "callback" (service-type=4). Now the router didn't like the attribute number 25 and 28.


Do you want to do callback for this user?


So you need to investigate in the RADIUS server (under the user/group profile) about attribute 25 (Class) and the Vendor Specific Attribute (VSA) which may have been configured for this user. You need to configure the VSA for Cisco.

Try to gather the profile for this user from radius server.


Here is the link which may be helpful for callback using a Cisco router, through RADIUS:

http://cco/warp/public/480/pppcallback_rad.html
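To make the "Attribute &lt;type&gt; &lt;len&gt; &lt;hex&gt;" lines in the debug above readable, here is a small decoder written for this thread (an added example, not Cisco, Microsoft or IAS code). It applies the standard RADIUS attribute numbers from RFC 2865 and the Microsoft vendor (311) sub-attribute numbers from RFC 2548 to the Access-Accept lines copied from the debug. Run against those lines it shows that the server returned Service-Type 4 (Callback-Framed), a Class attribute (25) and two Microsoft VSAs: vendor type 12 (MS-CHAP-MPPE-Keys) and vendor type 10 (MS-CHAP-Domain), the latter being the "unrecognized Microsoft VSA type 10" the router logged before failing authorization. IOS prints at most the first 8 bytes of each value, so the decoder flags values that are longer than what the debug shows. The attribute and vendor name tables are assumptions only in the sense that they cover just the numbers appearing in this debug.

```python
"""Decode 'Attribute <type> <len> <hex>' lines from IOS 'debug radius' output.

Added example for this thread, not Cisco/Microsoft code.  The debug prints
only the first few bytes of each value, so long values are flagged as
truncated rather than decoded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard RADIUS attribute names (RFC 2865) for the types seen in the debug.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 25: "Class", 26: "Vendor-Specific",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
}
SERVICE_TYPES = {1: "Login", 2: "Framed", 3: "Callback-Login",
                 4: "Callback-Framed", 5: "Outbound", 6: "Administrative",
                 7: "NAS-Prompt"}
FRAMED_PROTOCOLS = {1: "PPP", 2: "SLIP"}
NAS_PORT_TYPES = {0: "Async", 1: "Sync", 2: "ISDN-Sync"}
# Microsoft (vendor id 311) sub-attribute types from RFC 2548.
MS_VSA_TYPES = {1: "MS-CHAP-Response", 10: "MS-CHAP-Domain",
                11: "MS-CHAP-Challenge", 12: "MS-CHAP-MPPE-Keys",
                16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key",
                25: "MS-CHAP2-Response", 26: "MS-CHAP2-Success"}
VENDORS = {9: "Cisco", 311: "Microsoft"}

ATTR_RE = re.compile(r"Attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")


@dataclass
class DecodedAttr:
    type: int
    name: str
    length: int       # RADIUS attribute length, including the 2-byte header
    value: str        # human-readable decode of the bytes the debug showed
    truncated: bool   # True when the debug showed fewer bytes than length-2


def decode_vsa(data: bytes) -> str:
    """Vendor-Specific value: 4-byte vendor id, then vendor type, vendor length, data."""
    vendor_id = int.from_bytes(data[:4], "big")
    vendor = VENDORS.get(vendor_id, f"vendor {vendor_id}")
    if len(data) < 6:
        return f"{vendor}, sub-attribute header not shown"
    vtype, vlen = data[4], data[5]
    if vendor_id == 311:
        vname = MS_VSA_TYPES.get(vtype, f"type {vtype}")
    else:
        vname = f"type {vtype}"
    return f"{vendor} {vname} (vendor-length {vlen})"


def decode_line(line: str) -> Optional[DecodedAttr]:
    """Decode one debug line; returns None for lines that carry no attribute."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    atype, alen, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
    data = bytes.fromhex(hexval)
    truncated = len(data) < alen - 2
    name = ATTR_NAMES.get(atype, f"Attribute-{atype}")
    if atype == 4 and len(data) == 4:
        value = ".".join(str(b) for b in data)
    elif atype == 5:
        value = str(int.from_bytes(data, "big"))
    elif atype == 6:
        value = SERVICE_TYPES.get(int.from_bytes(data, "big"), hexval)
    elif atype == 7:
        value = FRAMED_PROTOCOLS.get(int.from_bytes(data, "big"), hexval)
    elif atype == 61:
        value = NAS_PORT_TYPES.get(int.from_bytes(data, "big"), hexval)
    elif atype == 26:
        value = decode_vsa(data)
    elif atype in (1, 30, 31):
        value = data.decode("ascii", "replace")
    else:
        value = data.hex()
    return DecodedAttr(atype, name, alen, value, truncated)


def decode_debug(text: str) -> List[DecodedAttr]:
    """Decode every attribute line in a block of debug output, in order."""
    return [d for d in (decode_line(ln) for ln in text.splitlines()) if d]


# Access-Accept attribute lines copied from the debug output in this thread.
ACCESS_ACCEPT = """
3w6d: Attribute 7 6 00000001
3w6d: Attribute 6 6 00000004
3w6d: Attribute 25 32 5F1B06C0
3w6d: Attribute 26 40 000001370C224097
3w6d: Attribute 26 15 000001370A090749
"""

if __name__ == "__main__":
    for a in decode_debug(ACCESS_ACCEPT):
        flag = " [value truncated in debug]" if a.truncated else ""
        print(f"{a.name} (type {a.type}, len {a.length}): {a.value}{flag}")
```

The same decoder works on the Access-Request lines: Attribute 4 decodes to 172.16.16.251, the FastEthernet1/0 address in the config, and the two request VSAs are Microsoft type 11 (MS-CHAP-Challenge) and type 1 (MS-CHAP-Response). Comparing the decoded request and reply side by side is a quick way to confirm what the RADIUS server actually sent before changing the IAS profile.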

