Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco and MS IAS?

Does anyone know how to configure a cisco 3524 to authenticate against Internet Authentication Service running on a Windows 2003 server? I have tried different combinations on the server but no luck. This is what I have in my switch (and in my routers)

aaa new-model

aaa authentication username-prompt Username:

aaa authentication login connect group radius line

aaa accounting exec default start-stop group radius

radius-server host 10.80.140.30 auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server key mykey

I set up the IAS server with a local user and allowed dial-in access.

Thanks,

Steve

4 REPLIES
Cisco Employee

Re: Cisco and MS IAS?

If you have:

aaa authentication login connect group radius line

do you also have:

line vty 0 4

    login authentication connect

If not then add that or change the aaa line to:

aaa authentication login default group radius line

and try again. Failing that, enable the following debugs, try a connection then send us the output:

debug radius

debug aaa authen

Community Member

Re: Cisco and MS IAS?

I did have in my vty login authentication connect. Here is the output from the debug.

Jan 5 08:39:24.797: AAA: parse name=tty2 idb type=-1 tty=-1

Jan 5 08:39:24.800: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 p

ort=2 channel=0

Jan 5 08:39:24.800: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='t

ty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1

Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): port='tty2' list='connect' a

ction=LOGIN service=LOGIN

Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): found list connect

Jan 5 08:39:24.800: AAA/AUTHEN/START (1984554745): Method=radius (radius)

Jan 5 08:39:24.802: AAA/AUTHEN (1984554745): status = GETUSER

Jan 5 08:39:32.530: AAA/AUTHEN/CONT (1984554745): continue_login (user='(undef)

')

Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETUSER

Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): Method=radius (radius)

Jan 5 08:39:32.530: AAA/AUTHEN (1984554745): status = GETPASS

Jan 5 08:39:36.596: AAA/AUTHEN/CONT (1984554745): continue_login (user='ts06938

')

Jan 5 08:39:36.596: AAA/AUTHEN (1984554745): status = GETPASS

Jan 5 08:39:36.599: AAA/AUTHEN (1984554745): Method=radius (radius)

Jan 5 08:39:36.599: RADIUS: ustruct sharecount=1

Jan 5 08:39:36.599: RADIUS: Initial Transmit tty2 id 3 172.26.78.176:1645, Acce

ss-Request, len 80

Jan 5 08:39:36.599: Attribute 4 6 0AA081A5

Jan 5 08:39:36.601: Attribute 5 6 00000002

Jan 5 08:39:36.601: Attribute 61 6 00000005

Jan 5 08:39:36.601: Attribute 1 9 74733036

Jan 5 08:39:36.601: Attribute 31 15 3137322E

Jan 5 08:39:36.601: Attribute 2 18 B78FD82A

Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Rejec

t, len 20

Jan 5 08:39:36.622: AAA/AUTHEN (1984554745): status = FAIL

Jan 5 08:39:38.625: AAA/MEMORY: free_user (0x736410) user='ts06938' ruser='' po

rt='tty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1

Jan 5 08:39:38.628: AAA: parse name=tty2 idb type=-1 tty=-1

Jan 5 08:39:38.628: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 p

ort=2 channel=0

Jan 5 08:39:38.628: AAA/MEMORY: create_user (0x736410) user='' ruser='' port='t

ty2' rem_addr='172.26.103.69' authen_type=ASCII service=LOGIN priv=1

Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): port='tty2' list='connect' a

ction=LOGIN service=LOGIN

Jan 5 08:39:38.628: AAA/AUTHEN/START (1749441203): found list connect

Jan 5 08:39:38.630: AAA/AUTHEN/START (1749441203): Method=radius (radius)

Jan 5 08:39:38.630: AAA/AUTHEN (1749441203): status = GETUSER

On the IAS Server I am using a policy that should fire if the NAS port is ethernet and the user name falls into a MS Domain group but the event log on the IAS serve says that not policy was matched.

Thanks,

Steve

Cisco Employee

Re: Cisco and MS IAS?

This line in the debug output:

Jan 5 08:39:36.622: RADIUS: Received from id 3 172.26.78.176:1645, Access-Reject, len 20

shows that the IAS server is saying that the username/password is invalid, therefore the NAS denies access. You need to look at why the IAS server is rejecting this user, probably around the "policy" you said you have set up. If the IAS server log is saying the user is rejected there's not much you can do about it on the router/switch.

Community Member

Re: Cisco and MS IAS?

I have found that for enable pass functionality to work when using IAS with Radius, you define a user account in Active Directory called $enab15$ and whatever password you give that account is the enable password used by Cisco devices (i.e. IOS) when authenticating for the enable pass.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7b1.html

All aaa authentication enable default requests sent by the router to a RADIUS server include the username "$enab15$." Requests sent to a TACACS+ server will include the username that is entered for login authentication.

309
Views
0
Helpful
4
Replies
CreatePlease to create content