Cisco and MS IAS?

steve.carlson
Level 1

Does anyone know how to configure a cisco 3524 to authenticate against Internet Authentication Service running on a Windows 2003 server? I have tried different combinations on the server but no luck. This is what I have in my switch (and in my routers)

aaa new-model
aaa authentication username-prompt Username:
aaa authentication login connect group radius line
aaa accounting exec default start-stop group radius
radius-server host 10.80.140.30 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key mykey

I set up the IAS server with a local user and allowed dial-in access.

Thanks,

Steve

4 Replies

gfullage
Cisco Employee

If you have:

aaa authentication login connect group radius line

do you also have:

line vty 0 4
    login authentication connect

If not then add that or change the aaa line to:

aaa authentication login default group radius line

and try again. Failing that, enable the following debugs, try a connection then send us the output:

debug radius
debug aaa authen

I did have in my vty login authentication connect. Here is the output from the debug.

Jan 5 08:39:24.797: AAA: parse name=tty2 idb type=-1 tty=-1
Jan 5 08:39:24.800: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 5 08:39:24.800: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): port='tty2' list='connect' action=LOGIN service=LOGIN
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): found list connect
Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): Method=radius (radius)
Jan 5 08:39:24.802: AAA/AUTHEN (1984554745): status = GETUSER
Jan 5 08:39:32.530: AAA/AUTHEN/CONT (1984554745): continue_login (user='(undef)')
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETUSER
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): Method=radius (radius)
Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETPASS
Jan 5 08:39:36.596: AAA/AUTHEN/CONT (1984554745): continue_login (user='ts06938')
Jan 5 08:39:36.596: AAA/AUTHEN (1984554745): status = GETPASS
Jan 5 08:39:36.599: AAA/AUTHEN (1984554745): Method=radius (radius)
Jan 5 08:39:36.599: RADIUS: ustruct sharecount=1
Jan 5 08:39:36.599: RADIUS: Initial Transmit tty2 id 3 172.26.78.176:1645, Access-Request, len 80
Jan 5 08:39:36.599: Attribute 4 6 0AA081A5
Jan 5 08:39:36.601: Attribute 5 6 00000002
Jan 5 08:39:36.601: Attribute 61 6 00000005
Jan 5 08:39:36.601: Attribute 1 9 74733036
Jan 5 08:39:36.601: Attribute 31 15 3137322E
Jan 5 08:39:36.601: Attribute 2 18 B78FD82A
Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Reject, len 20
Jan 5 08:39:36.622: AAA/AUTHEN (1984554745): status = FAIL
Jan 5 08:39:38.625: AAA/MEMORY: free_user (0x736410) user='ts06938' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:38.628: AAA: parse name=tty2 idb type=-1 tty=-1
Jan 5 08:39:38.628: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 5 08:39:38.628: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1
Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): port='tty2' list='connect' action=LOGIN service=LOGIN
Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): found list connect
Jan 5 08:39:38.630: AAA/AUTHEN/START (1749441203): Method=radius (radius)
Jan 5 08:39:38.630: AAA/AUTHEN (1749441203): status = GETUSER

On the IAS server I am using a policy that should fire if the NAS port is Ethernet and the user name falls into an MS domain group, but the event log on the IAS server says that no policy was matched.

Thanks,

Steve
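As an added example (not from the thread), the Python script below decodes the `Attribute <type> <length> <hex>` lines of the Access-Request in the debug output above using the RFC 2865 attribute numbers; IOS prints only the first four bytes of each value, so longer strings show up truncated. It also checks the NAS-Port-Type: this request carries value 5 (Virtual), which is what a vty/telnet login sends, so an IAS policy condition on an Ethernet port type (15) would not match it.

```python
import re

# Attribute numbers from RFC 2865 for the types that appear in the debug above.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
# RFC 2865 NAS-Port-Type codes; a telnet/vty login is reported as Virtual (5).
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet"}
# IOS prints "Attribute <type> <len> <hex>": len includes the 2-byte header, hex is the first 4 value bytes.
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")


def decode_attr(atype, alen, hex4):
    """Turn one debug attribute line into a (name, readable value) pair."""
    raw = bytes.fromhex(hex4)
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    vlen = alen - 2  # value bytes actually carried on the wire
    if atype == 4:  # NAS-IP-Address: four bytes, dotted quad
        value = ".".join(str(b) for b in raw)
    elif atype in (5, 61):  # NAS-Port / NAS-Port-Type: 32-bit integers
        code = int.from_bytes(raw, "big")
        value = f"{NAS_PORT_TYPES.get(code, 'Unknown')} ({code})" if atype == 61 else str(code)
    elif atype == 2:  # User-Password is obfuscated on the wire; never try to recover or log it
        value = f"<encrypted, {vlen} bytes>"
    else:  # text attributes: only a 4-byte prefix is visible in the debug
        text = raw.decode("ascii", "replace")
        value = text if vlen <= 4 else f"{text} (first 4 of {vlen} bytes)"
    return name, value


def decode_debug(lines):
    """Collect every 'Attribute' line of a debug radius capture into a dict."""
    out = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            name, value = decode_attr(int(m.group(1)), int(m.group(2)), m.group(3))
            out[name] = value
    return out


def port_type_is_ethernet(decoded):
    # An IAS condition "NAS-Port-Type matches Ethernet" needs code 15 in the request.
    return decoded.get("NAS-Port-Type", "").startswith("Ethernet")


# The six attribute lines of the Access-Request from the debug output above.
DEBUG_LINES = [
    "Jan 5 08:39:36.599: Attribute 4 6 0AA081A5",
    "Jan 5 08:39:36.601: Attribute 5 6 00000002",
    "Jan 5 08:39:36.601: Attribute 61 6 00000005",
    "Jan 5 08:39:36.601: Attribute 1 9 74733036",
    "Jan 5 08:39:36.601: Attribute 31 15 3137322E",
    "Jan 5 08:39:36.601: Attribute 2 18 B78FD82A",
]
```

Running `decode_debug(DEBUG_LINES)` yields NAS-IP-Address 10.160.129.165, NAS-Port 2, NAS-Port-Type "Virtual (5)" and the truncated User-Name prefix "ts06", which is exactly the data IAS has available when it evaluates its remote access policy conditions.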

This line in the debug output:

Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Reject, len 20

shows that the IAS server is saying that the username/password is invalid, therefore the NAS denies access. You need to look at why the IAS server is rejecting this user, probably around the "policy" you said you have set up. If the IAS server log is saying the user is rejected there's not much you can do about it on the router/switch.

I have found that for enable pass functionality to work when using IAS with Radius, you define a user account in Active Directory called $enab15$ and whatever password you give that account is the enable password used by Cisco devices (i.e. IOS) when authenticating for the enable pass.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7b1.html

All aaa authentication enable default requests sent by the router to a RADIUS server include the username "$enab15$." Requests sent to a TACACS+ server will include the username that is entered for login authentication.
