01-02-2004 05:58 AM - edited 03-10-2019 07:37 AM
Does anyone know how to configure a cisco 3524 to authenticate against Internet Authentication Service running on a Windows 2003 server? I have tried different combinations on the server but no luck. This is what I have in my switch (and in my routers)
aaa new-model
aaa authentication username-prompt Username:
aaa authentication login connect group radius line
aaa accounting exec default start-stop group radius
radius-server host 10.80.140.30 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key mykey
I set up the IAS server with a local user and allowed dial-in access.
Thanks,
Steve
01-02-2004 09:58 PM
If you have:
aaa authentication login connect group radius line
do you also have:
line vty 0 4
login authentication connect
If not then add that or change the aaa line to:
aaa authentication login default group radius line
and try again. Failing that, enable the following debugs, try a connection then send us the output:
debug radius
debug aaa authen
01-05-2004 06:42 AM
I did have login authentication connect on my vty. Here is the output from the debug.
Jan 5 08:39:24.797: AAA: parse name=tty2 idb type=-1 tty=-1
Jan 5 08:39:24.800: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 5 08:39:24.800: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): port='tty2' list='connect' action=LOGIN service=LOGIN
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): found list connect
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): Method=radius (radius)
Jan 5 08:39:24.802: AAA/AUTHEN (1984554745): status = GETUSER
Jan 5 08:39:32.530: AAA/AUTHEN/CONT (1984554745): continue_login (user='(undef)')
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETUSER
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): Method=radius (radius)
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETPASS
Jan 5 08:39:36.596: AAA/AUTHEN/CONT (1984554745): continue_login (user='ts06938')
Jan 5 08:39:36.596: AAA/AUTHEN (1984554745): status = GETPASS
Jan 5 08:39:36.599: AAA/AUTHEN (1984554745): Method=radius (radius)
Jan 5 08:39:36.599: RADIUS: ustruct sharecount=1
Jan 5 08:39:36.599: RADIUS: Initial Transmit tty2 id 3 172.26.78.176:1645, Access-Request, len 80
Jan 5 08:39:36.599: Attribute 4 6 0AA081A5
Jan 5 08:39:36.601: Attribute 5 6 00000002
Jan 5 08:39:36.601: Attribute 61 6 00000005
Jan 5 08:39:36.601: Attribute 1 9 74733036
Jan 5 08:39:36.601: Attribute 31 15 3137322E
Jan 5 08:39:36.601: Attribute 2 18 B78FD82A
Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Reject, len 20
Jan 5 08:39:36.622: AAA/AUTHEN (1984554745): status = FAIL
Jan 5 08:39:38.625: AAA/MEMORY: free_user (0x736410) user='ts06938' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:38.628: AAA: parse name=tty2 idb type=-1 tty=-1
Jan 5 08:39:38.628: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 5 08:39:38.628: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): port='tty2' list='connect' action=LOGIN service=LOGIN
Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): found list connect
Jan 5 08:39:38.630: AAA/AUTHEN/START (1749441203): Method=radius (radius)
Jan 5 08:39:38.630: AAA/AUTHEN (1749441203): status = GETUSER
On the IAS server I am using a policy that should fire if the NAS port is Ethernet and the user name falls into an MS domain group, but the event log on the IAS server says that no policy was matched.
Thanks,
Steve
01-05-2004 03:41 PM
This line in the debug output:
Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Reject, len 20
shows that the IAS server is saying that the username/password is invalid, therefore the NAS denies access. You need to look at why the IAS server is rejecting this user, probably around the "policy" you said you have set up. If the IAS server log is saying the user is rejected there's not much you can do about it on the router/switch.
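As an added example (not code from anyone in this thread), the script below decodes the attribute lines of the Access-Request in the debug posted above using the RFC 2865 attribute numbers and encodings, so the values the IAS policy actually evaluates can be read off the switch side. It assumes the old IOS "debug radius" format shown above, which prints only the first four value bytes of each attribute in hex; the sample lines are copied from the posted debug. One thing it makes visible is that the request carries NAS-Port-Type 5, which RFC 2865 defines as Virtual (a vty login), rather than Ethernet.

```python
import re
from ipaddress import IPv4Address

# RFC 2865 attribute numbers and NAS-Port-Type values seen in the debug above.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
NAS_PORT_TYPES = {0: "Async", 1: "Sync", 2: "ISDN Sync", 5: "Virtual", 15: "Ethernet"}

# Assumption: this IOS debug format prints "Attribute <type> <length> <first 4 value bytes>".
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-F]{8})")

def decode_attribute(atype, length, first4_hex):
    """Decode one 'Attribute type length hex' debug line using RFC 2865 encodings."""
    raw = bytes.fromhex(first4_hex)
    value_len = length - 2          # length includes the 2-byte type/length header
    if atype == 4:                  # NAS-IP-Address: 4-byte IPv4 address
        value = str(IPv4Address(raw))
    elif atype in (5, 61):          # NAS-Port / NAS-Port-Type: 32-bit integers
        value = int.from_bytes(raw, "big")
        if atype == 61:
            value = NAS_PORT_TYPES.get(value, f"unknown({value})")
    elif atype == 2:                # User-Password is obfuscated; the debug never reveals it
        value = f"<{value_len} encrypted bytes>"
    else:                           # text attributes: only 4 characters are visible here
        value = raw.decode("ascii", "replace") + ("..." if value_len > 4 else "")
    return {"type": atype, "name": ATTR_NAMES.get(atype, f"attr{atype}"), "value": value}

def parse_debug(text):
    return [decode_attribute(int(t), int(l), h) for t, l, h in ATTR_RE.findall(text)]

def nas_port_type(attrs):
    # The value an IAS policy condition on NAS-Port-Type would be matched against.
    for a in attrs:
        if a["type"] == 61:
            return a["value"]
    return None

# Constructed sample: the Access-Request attribute lines from the debug posted above.
SAMPLE = """\
Jan 5 08:39:36.599: Attribute 4 6 0AA081A5
Jan 5 08:39:36.601: Attribute 5 6 00000002
Jan 5 08:39:36.601: Attribute 61 6 00000005
Jan 5 08:39:36.601: Attribute 1 9 74733036
Jan 5 08:39:36.601: Attribute 31 15 3137322E
Jan 5 08:39:36.601: Attribute 2 18 B78FD82A
"""

if __name__ == "__main__":
    for a in parse_debug(SAMPLE):
        print(f"{a['name']:20} {a['value']}")
```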
03-03-2004 09:54 AM
I have found that for enable pass functionality to work when using IAS with Radius, you define a user account in Active Directory called $enab15$ and whatever password you give that account is the enable password used by Cisco devices (i.e. IOS) when authenticating for the enable pass.
All aaa authentication enable default requests sent by the router to a RADIUS server include the username "$enab15$." Requests sent to a TACACS+ server will include the username that is entered for login authentication.