Where to declare Telnet password in ACS 3.1 or 3.2 ?

Hello,

I need to authenticate telnet access to a Cisco 3600 Router with radius on an ACS, but I do not find the field to declare the telnet password in ACS... If I use the field for PAP password, I see a failed attempt, reason : CS password invalid.

Extract of the 3640 config :

line vty 0 4

exec-timeout 6 0

login authentication admin

I thank you in advance,

Patrice


Re: Where to declare Telnet password in ACS 3.1 or 3.2 ?

Hello Patrice,

Telnet password is defined as the PAP password on ACS. If it's not working then I would run the following debug on the router to see what's happening -

debug aaa authen

debug aaa autho

debug radius

Thanks,

Mynul


Re: Where to declare Telnet password in ACS 3.1 or 3.2 ?

Hello Mynul,

I have entered as the PAP password, but ACS says : CS password invalid in the failed attempts log. Here are the trace and the config.

I thank you

Patrice

router#sh deb

General OS:

AAA Authentication debugging is on

AAA Authorization debugging is on

Radius protocol debugging is on

router#172.28.1.240

Trying 172.28.1.240 ... Open

User Access Verification

entrez votre nom : test

1d15h: AAA: parse name=tty66 idb type=-1 tty=-1

1d15h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0

1d15h: AAA/MEMORY: create_user (0x80ED9D20) user='' ruser='' port='tty66' rem_addr='172.28.1.240' authen_type=ASCII service=LOGIN priv=1

1d15h: AAA/AUTHEN/START (1188287811): port='tty66' list='admin' action=LOGIN service=LOGIN

1d15h: AAA/AUTHEN/START (1188287811): found list admin

1d15h: AAA/AUTHEN/START (1188287811): Method=radius (radius)

1d15h: AAA/AUTHEN (1188287811): status = GETUSER

entrez le password :

1d15h: AAA/AUTHEN/CONT (1188287811): continue_login (user='(undef)')

1d15h: AAA/AUTHEN (1188287811): status = GETUSER

1d15h: AAA/AUTHEN (1188287811): Method=radius (radius)

1d15h: AAA/AUTHEN (1188287811): status = GETPASS

1d15h: AAA/AUTHEN/CONT (1188287811): continue_login (user='test')

1d15h: AAA/AUTHEN (1188287811): status = GETPASS

1d15h: AAA/AUTHEN (1188287811): Method=radius (radius)

1d15h: RADIUS: ustruct sharecount=1

1d15h: RADIUS: Initial Transmit tty66 id 37 172.28.33.33:1645, Access-Request, len 76

1d15h: Attribute 4 6 AC1C01F0

1d15h: Attribute 5 6 00000042

1d15h: Attribute 61 6 00000005

1d15h: Attribute 1 6 74657374

1d15h: Attribute 31 14 3137322E

1d15h: Attribute 2 18 2C79B578

1d15h: RADIUS: Received from id 37 172.28.33.33:1645, Access-Reject, len 20

1d15h: RADIUS: Response (37) failed decrypt

1d15h: AAA/AUTHEN (1188287811): status = ERROR

1d15h: AAA/AUTHEN/START (3182806992): port='tty66' list='' action=LOGIN service=LOGIN

1d15h: AAA/AUTHEN/START (3182806992): Restart

1d15h: AAA/AUTHEN/START (3182806992): Method=LOCAL

1d15h: AAA/AUTHEN (3182806992): status = GETPASS

1d15h: AAA/AUTHEN/CONT (3182806992): continue_login (user='test')

1d15h: AAA/AUTHEN (3182806992): status = GETPASS

1d15h: AAA/AUTHEN/CONT (3182806992): Method=LOCAL

1d15h: AAA/AUTHEN (3182806992): password incorrect

1d15h: AAA/AUTHEN (3182806992): status = FAIL

% Authentication failed.

router#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-D-M), Version 12.1(14), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2002 by cisco Systems, Inc.

Compiled Mon 25-Mar-02 20:51 by kellythw

Image text-base: 0x80008088, data-base: 0x80953560

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

router uptime is 1 day, 15 hours, 45 minutes

System returned to ROM by power-on

System image file is "flash:c2600-d-mz.121-14.bin"

cisco 2612 (MPC860) processor (revision 0x101) with 22528K/2048K bytes of memory.

Processor board ID JAB030303TN (2379696465)

M860 processor: part number 0, mask 49

Bridging software.

X.25 software, Version 3.0.0.

Basic Rate ISDN software, Version 1.1.

1 Ethernet/IEEE 802.3 interface(s)

1 Token Ring/IEEE 802.5 interface(s)

1 Serial network interface(s)

4 Low-speed serial(sync/async) network interface(s)

1 ISDN Basic Rate interface(s)

32K bytes of non-volatile configuration memory.

8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

router#sh run

Building configuration...

Current configuration : 1658 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname router

!

aaa new-model

aaa authentication password-prompt "entrez le password : "

aaa authentication username-prompt "entrez votre nom : "

aaa authentication login admin group radius local

aaa authentication ppp default group radius local

aaa accounting network default start-stop group radius

!

username test password 0 test

username franck password 0 cisco

!

!

!

!

memory-size iomem 10

ip subnet-zero

!

isdn switch-type basic-net3

isdn tei-negotiation first-call

!

!

!

interface Ethernet0/0

ip address 172.28.1.240 255.255.0.0

no cdp enable

!

interface Serial0/0

no ip address

shutdown

no cdp enable

!

interface TokenRing0/0

no ip address

shutdown

ring-speed 16

no cdp enable

!

interface BRI0/0

ip unnumbered Ethernet0/0

encapsulation ppp

no ip mroute-cache

dialer-group 1

isdn switch-type basic-net3

peer default ip address pool test

compress mppc

no cdp enable

ppp authentication pap

!

interface Serial1/0

no ip address

shutdown

no cdp enable

!

interface Serial1/1

no ip address

shutdown

no cdp enable

!

interface Serial1/2

no ip address

shutdown

no cdp enable

!

interface Serial1/3

no ip address

shutdown

no cdp enable

!

ip local pool test 172.28.50.100 172.28.50.110

ip classless

ip http server

!

logging 172.28.50.200

dialer-list 1 protocol ip permit

no cdp run

radius-server host 172.28.33.33 auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server key cisco

!

line con 0

line aux 0

line vty 0 4

exec-timeout 6 0

login authentication admin

!

end

router#
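
Added example, not part of either poster's message: the debug line "RADIUS: Response (37) failed decrypt" is printed when the reply's Response Authenticator does not verify on the router, and a shared-secret mismatch between router and server is a common cause. This Python sketch of the RFC 2865 User-Password hiding and Response Authenticator check shows how one mismatched key yields both a rejected PAP password on the server and a reply the router cannot verify; the server-side key and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

def _pad(secret, prev):
    return hashlib.md5(secret + prev).digest()

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR the NUL-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _pad(secret, prev)))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """What the server does with attribute 2, using its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _pad(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """The check the NAS runs on every reply before trusting its code."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def simulate(nas_secret, server_secret, password=b"test", ident=37):
    request_auth = bytes(range(16))  # constructed, fixed so the run is repeatable
    hidden = hide_password(password, nas_secret, request_auth)
    recovered = unhide_password(hidden, server_secret, request_auth)
    code = 2 if recovered == password else 3  # Access-Accept / Access-Reject
    reply = struct.pack("!BBH", code, ident, 20) + response_authenticator(
        code, ident, b"", request_auth, server_secret)
    return {"password_ok_on_server": recovered == password, "code": code,
            "reply_len": len(reply),
            "reply_verifies_on_nas": verify_response(reply, request_auth, nas_secret)}

if __name__ == "__main__":
    print(simulate(b"cisco", b"cisco"))
    print(simulate(b"cisco", b"server-side-key"))  # constructed mismatch
```

The 16-byte hidden password plus its 2-byte attribute header matches the "Attribute 2 18" line in the trace, and the 20-byte reply matches "Access-Reject, len 20".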
