New Member

Please help trouble shooting RADIUS

I could telnet in to my Cisco 2620 using RADIUS authentication

"telnet 192.168.4.10 2033" (provide username/pass)

and then type AT, to which my modem replies with OK.

I could also dial in to the NAS with a local user.

But I could not dial in using a RADIUS user.

Please help me troubleshoot the problem.

I enclose the debug information and also the configuration I used.

Thank you,

Nguyen Nhat Binh

Username: test

Password:

Cisco2620>ena

Password:

Cisco2620#

Cisco2620#

Cisco2620#

Cisco2620#terminal monitor

Cisco2620#

02:28:00: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:28:00: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:28:24: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:28:29: %LINK-3-UPDOWN: Interface Async33, changed state to down

02:28:35: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:28:35: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:28:46: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:28:51: %LINK-3-UPDOWN: Interface Async33, changed state to down

02:29:15: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:29:15: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:29:16: AAA: parse name=Async33 idb type=10 tty=33

02:29:16: AAA: name=Async33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 channel=0

02:29:16: AAA/MEMORY: create_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1

02:29:16: AAA/AUTHEN/START (327574709): port='Async33' list='' action=LOGIN service=PPP

02:29:16: AAA/AUTHEN/START (327574709): using "default" list

02:29:16: AAA/AUTHEN (327574709): status = UNKNOWN

02:29:16: AAA/AUTHEN/START (327574709): Method=radius (radius)

02:29:16: RADIUS: ustruct sharecount=1

02:29:16: RADIUS: Initial Transmit Async33 id 89 192.168.4.141:1645, Access-Request, len 75

02:29:16: Attribute 4 6 C0A8040A

02:29:16: Attribute 5 6 00000021

02:29:16: Attribute 61 6 00000000

02:29:16: Attribute 1 6 74657374

02:29:16: Attribute 3 19 27440611

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: RADIUS: Received from id 89 192.168.4.141:1645, Access-Accept, len 44

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: Attribute 27 6 0098967F

02:29:16: Attribute 28 6 0000000A

02:29:16: AAA/AUTHEN (327574709): status = PASS

02:29:16: As33 AAA/AUTHOR/LCP: Authorize LCP

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Port='Async33' list='' service=NET

02:29:16: AAA/AUTHOR/LCP: As33 (1939832978) user='test'

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV service=ppp

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV protocol=lcp

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): found list "default"

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Method=radius (radius)

02:29:16: As33 AAA/AUTHOR (1939832978): Post authorization status = PASS_REPL

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV service=ppp

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999

02:29:16: As33 AAA/AUTHOR/LCP: timeout failed

02:29:16: As33 AAA/AUTHOR/LCP: Denied

02:29:16: AAA/MEMORY: free_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1

02:29:18: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:29:20: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:29:25: %LINK-3-UPDOWN: Interface Async33, changed state to down

*************************************************************

! Cisco2620.cfg - Cisco router configuration file

! Automatically created by Cisco ConfigMaker v2.6 Build 6

! Wednesday, December 31, 2003, 01:58:10 PM

!

! Hostname: Cisco2620

! Model: 2620

! *************************************************************

!

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service tcp-small-servers

no service udp-small-servers

!

hostname Cisco2620

!

enable password xxxxx

username dong password xxxx

!

no ip name-server

!

ip subnet-zero

no ip domain-lookup

ip routing

!

interface FastEthernet 0/0

no shutdown

description connected to EthernetLAN

ip address 192.168.4.10 255.255.255.0

no keepalive

!

interface Async 33

no shutdown

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet 0/0

ip tcp header-compression passive

encapsulation ppp

async mode dedicated

! group-range 33 33

ppp authentication chap pap

no cdp enable

peer default ip address pool Cisco2620-Group-1

!

router rip

version 2

network 192.168.4.0

no auto-summary

!

!

ip local pool Cisco2620-Group-1 10.10.10.10 10.10.10.10

ip classless

no ip http server

snmp-server community public RO

no snmp-server location

no snmp-server contact

!

line console 0

exec-timeout 0 0

password a

login

!

line vty 0 4

password xxxx

login

!

line 33

exec

autoselect ppp

autoselect during-login

login local

modem InOut

transport input all

stopbits 1

speed 38400

flowcontrol hardware

!

aaa new-model

aaa authentication login default radius local

aaa authentication login no_radius enable

aaa authentication ppp default if-needed radius

aaa authorization network radius

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

radius-server host 192.168.4.11 auth-port 1645 acct-port 1646

radius-server key ubtq

2 REPLIES
Cisco Employee

Re: Please help trouble shooting RADIUS

This looks to be the problem:

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999

02:29:16: As33 AAA/AUTHOR/LCP: timeout failed

02:29:16: As33 AAA/AUTHOR/LCP: Denied

You're doing authorization (not just authentication) on your dialup users; I'm not sure if you really want that or not. If so, then you will have a session-timeout set in the RADIUS user's profile; you can see the RADIUS server replying with this:

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: Attribute 27 6 0098967F

02:29:16: Attribute 28 6 0000000A

which when decoded becomes:

02:29:16: Service-Type Framed

02:29:16: Framed-Protocol PPP

02:29:16: Session-Timeout 9999999

02:29:16: Idle-Timeout 10

I would say the NAS/router doesn't like the Session-Timeout being so high; try lowering it and see what happens.

Alternatively, if you don't really want to do authorization for your dialup users, then remove the line:

aaa authorization network radius

and the problem should also go away.
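
The decoding step in the reply above, as an added example that is not part of the original post and is not Cisco code: a small Python decoder for the "Attribute <type> <length> <hex>" debug lines, using the RFC 2865 attribute numbers. The function names are hypothetical and the enum tables list only a few values. It also shows why attribute 3 in the Access-Request reads oddly: the length field counts the 2-byte header, and the debug line prints only part of the CHAP value.

```python
import ipaddress
import re

# RFC 2865 attribute numbers that appear in this thread's debug output.
ATTRS = {
    1: ("User-Name", "text"), 3: ("CHAP-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"), 5: ("NAS-Port", "int"),
    6: ("Service-Type", "enum"), 7: ("Framed-Protocol", "enum"),
    27: ("Session-Timeout", "int"), 28: ("Idle-Timeout", "int"),
    61: ("NAS-Port-Type", "enum"),
}
ENUMS = {
    "Service-Type": {1: "Login", 2: "Framed"},
    "Framed-Protocol": {1: "PPP", 2: "SLIP"},
    "NAS-Port-Type": {0: "Async", 1: "Sync", 5: "Virtual"},
}
# "Attribute <type> <length> <hex value>", as printed in the debug output above.
LINE = re.compile(r"Attribute (\d+) (\d+) ((?:[0-9A-Fa-f]{2})+)")

def decode(line):
    """Return (name, value) for one debug line, or None if it is not an attribute."""
    m = LINE.search(line)
    if not m:
        return None
    atype, length, raw = int(m[1]), int(m[2]), bytes.fromhex(m[3])
    name, kind = ATTRS.get(atype, (f"Attribute-{atype}", "octets"))
    # The length field counts the 2-byte type/length header as well as the value.
    if len(raw) < length - 2:
        return name, f"{raw.hex()}... (only {len(raw)} of {length - 2} bytes shown)"
    if kind == "text":
        return name, raw.decode("utf-8", "replace")
    if kind == "ipaddr":
        return name, str(ipaddress.IPv4Address(raw))
    if kind == "octets":
        return name, raw.hex()
    number = int.from_bytes(raw, "big")
    if kind == "enum":
        return name, ENUMS[name].get(number, number)
    return name, number

def decode_all(text):
    """Decode every attribute line in a pasted debug capture, skipping other lines."""
    return [d for d in map(decode, text.splitlines()) if d]

# The Access-Accept attributes quoted in the thread.
ACCEPT = """02:29:16: Attribute 6 6 00000002
02:29:16: Attribute 7 6 00000001
02:29:16: Attribute 27 6 0098967F
02:29:16: Attribute 28 6 0000000A"""

if __name__ == "__main__":
    for name, value in decode_all(ACCEPT):
        print(f"{name:16} {value}")
```
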

New Member

Re: Please help trouble shooting RADIUS

Thank you a lot for your support. I resolved the problem. Actually, I do not need authorization.

Wish you all the best for a new year.
