I have a problem that I think some people probably have run into. I am running Windows 2000 server and am configuring all my routers as clients to authenticate to my Radius server. From trial and error I found out that the client IP address needs to be the source address of the packet. This is typically the WAN interface of most of our routers.
However, we have many routers that have multiple links back to the site that houses the Radius server. This means that packets can go out through any of three interfaces of the router to get to the Radius server. Since the server is looking for only the address of one of the interfaces, my authentication fails.
This is a problem because we are running OSPF and we have equal cost paths to our Radius server location. Some of the lines are failover lines as well. I guess my question is how can I get around adding every IP address from every router that has multiple connections back to the server to my client list in IAS? Or is there a way around it at all?
Solved! Go to Solution.
The problem you've described is one of the reasons loopback interfaces exist. Loopback interfaces won't go down and give you reachability to the router at all time (well, this depends on the correct working of the routing protocol in question).
Combine the "ip radius source-interface
You are exactly right. I didn't realize that Cisco would not send the interface IP address if that interface was down. The only way to solve this is to create loopback addresses on all my router. It will be a lot of administrative hassle but well worth the time.
Thanks for all the responses!
This is a total pain with Windows IAS. What I did as a work-around was add all of the IP addresses a router could use to the IAS server's local hosts file. Each IP has the same name (allcisco in my case). IAS is happy with it.
i m planning to configure IAS and point my routers to that server.can i hve any case study or link so that i can go thru before i start that ??
thks in advace
Please be sure to read the posts in this forum about this issue.
I found out the hard way that Cisco will not send the IP address of an interface to your Radius server if that interface is down. That is a big deal in an environment like mine where we have a good deal of redundancy. The best way to implement Radius is to use loopback interfaces.
Here is a sample config (note that some routers need the word 'group' in the command, and others do not. I ALWAYS have to do a question mark where I would have to put group in as a command to see if it is available, if it is, you need to add it):
From global config:
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authentication login no_radius none
radius-server host 172.30.x.x (address of radius server)
radius-server key xxxxx
line console 0
ip radius source interface loopback0
login authentication no_radius
I have my routers configured to use radius when telnetting in but have configured a no-radius group that doesnt use authentication for the console port. This was just because if I have to troubleshoot a down router I will not be able to authenticate to Radius when my serial link is down. If I am on site, I need to get access to the router so I didnt add the console port to the Radius mix. Our routers are locked up pretty well anyway.
If you have any questions about setting up IAS and RAS on 2000 server, let me know. I was the guinea pig over here and figured it all out with trial and error!
Best of luck!
I have a question about Win2k IAS.
Can IAS implement different authentication policy based on radius client's IP address ? For example, I have defined user-a and user-b in IAS and I have router-a and router-b with aaa-enabled. Can I configure IAS in such way that only user-a can login to router-a and only user-b can login to router-b.
Try using NAR and putting each device into a NDG, restrict each user to only login to devices within a particular NDG. Good luck.
I noticed that you had a lot of experience getting IAS and aaa to be nice to each other using Windows 2000. I don't suppose you've had much experience getting it going in Windows 2003 IAS. Currently, I have a very simple project that I'm working on. I have a PIX firewall that is serving as a VPN termination point, it's using RADIUS for authentication. this exact configuration works great using Windows 2000 IAS, but making the same modifications to Windows 2003 IAS doesn't help. I keep getting rejected. Don't suppose you have any ideas why that might be happening?