Cisco Support Community
Community Member

RADIUS IAS windows 2003 AD and Cisco Login

I need to put my 3550 switch under RADIUS server login authentication.

The Radius is a Windows 2003 Server with Active Directory.

Can you post documentation, a tutorial, or a link about this topic?

Thanks

FCostalunga

21 REPLIES
Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

hi,

I tried to follow the procedure in the link, but it does not work.

On the switch, what configuration did you enter?

I entered:

aaa new-model

aaa group server radius switch

server 10.3.1.x auth-port 1812 acct-port 1813

!

aaa authentication login default group switch

aaa authentication login Console line

aaa authorization exec default group switch

radius-server host 10.3.1.x auth-port 1812 acct-port 1813 key cisco

line con 0

password xxx

login authentication Console

Is it all OK?

Thanks for your help.

The user created in Windows is fcostalunga.

The IAS log is:

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 538

Date: 7/26/2007

Time: 3:31:40 PM

User: MIRW2003FRA\fcostalunga

Computer: MIRAW2K3004

Description:

User Logoff:

User Name: fcostalunga

Domain: MIRW2003FRA

Logon ID: (0x0,0x10DF5F4)

Logon Type: 3

The next message is:

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 540

Date: 7/26/2007

Time: 3:31:40 PM

User: MIRW2003FRA\fcostalunga

Computer: MIRAW2K3004

Description:

Successful Network Logon:

User Name: fcostalunga

Domain: MIRW2003FRA

Logon ID: (0x0,0x10DF5F4)

Logon Type: 3

Logon Process: IAS

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name:

Logon GUID: -

Caller User Name: MIRAW2K3004$

Caller Domain: MIRW2003FRA

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 844

Transited Services: -

Source Network Address: -

Source Port: -

And the next message is:

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 538

Date: 7/26/2007

Time: 3:31:40 PM

User: MIRW2003FRA\fcostalunga

Computer: MIRAW2K3004

Description:

User Logoff:

User Name: fcostalunga

Domain: MIRW2003FRA

Logon ID: (0x0,0x10DF5F4)

Logon Type: 3

I tried using debug aaa authen on the switch:

02:29:44: AAA/AUTHEN/START (2924527030): port='tty1' list='' action=LOGIN service=LOGIN

02:29:44: AAA/AUTHEN/START (2924527030): using "default" list

02:29:44: AAA/AUTHEN/START (2924527030): Method=switch (radius)

02:29:44: AAA/AUTHEN (2924527030): status = GETUSER

02:29:50: AAA/AUTHEN/CONT (2924527030): continue_login (user='(undef)')

02:29:50: AAA/AUTHEN (2924527030): status = GETUSER

02:29:50: AAA/AUTHEN (2924527030): Method=switch (radius)

02:29:50: AAA/AUTHEN (2924527030): status = GETPASS

02:29:55: AAA/AUTHEN/CONT (2924527030): continue_login (user='fcostalunga')

02:29:55: AAA/AUTHEN (2924527030): status = GETPASS

02:29:55: AAA/AUTHEN (2924527030): Method=switch (radius)

02:29:55: AAA/AUTHEN (2924527030): status = FAIL

02:29:57: AAA/MEMORY: free_user (0x80E1EF04) user='fcostalunga' ruser='' port='tty1' rem_addr='10.1.76.175' authen_type=ASCII service=LOGIN priv=1

02:29:57: AAA: parse name=tty1 idb type=-1 tty=-1

02:29:57: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0

02:29:57: AAA/MEMORY: create_user (0x80D3E00C) user='' ruser='' port='tty1' rem_addr='10.1.76.175' authen_type=ASCII service=LOGIN priv=1

02:29:57: AAA/AUTHEN/START (3870046595): port='tty1' list='' action=LOGIN service=LOGIN

02:29:57: AAA/AUTHEN/START (3870046595): using "default" list

02:29:57: AAA/AUTHEN/START (3870046595): Method=switch (radius)

02:29:57: AAA/AUTHEN (3870046595): status = GETUSER

Can you help me?

Thanks

fcostalunga

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

2 things... 1) I believe you need to send the VSA. 2) Edit your IAS Remote Access policy, go to "edit profile", check the "Advanced" tab, make sure that your "service-type" is Login and that your Vendor-Specific code is correct: "shell:priv-lvl=15". ~Dwann

aaa new-model

aaa authentication login default group radius local

!

aaa session-id common

radius-server host x.x.x.x auth-port 1612 acct-port 1646

radius-server host x.x.x.x auth-port 1645 acct-port 1618

radius-server source-ports 1645-1646

radius-server deadtime 1

radius-server key xxx

radius-server vsa send accounting

radius-server vsa send authentication
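To make the two settings in the reply above concrete (Service-Type = Login and the Cisco vendor-specific "shell:priv-lvl=15"), here is an added example that builds the Access-Request and Access-Accept by hand and performs the Response Authenticator check a NAS does on every reply. It is not code from the thread, from Cisco or from Microsoft; it follows RFC 2865 framing and password hiding, and the Cisco VSA layout (vendor id 9, sub-type 1, cisco-avpair). The shared secret, user name and password are constructed values.

```python
"""RADIUS Access-Request / Access-Accept with the attributes the IAS profile needs.

Added example (not from the thread, Cisco, or Microsoft). Implements RFC 2865
framing, User-Password hiding, the Response Authenticator check a NAS performs
on every reply, and the Cisco vendor-specific attribute (vendor id 9, sub-type 1,
cisco-avpair) that carries "shell:priv-lvl=15". Secret, user and password below
are constructed values.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_LOGIN = 1      # the "Login" service type chosen in the IAS profile
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype: int, value: bytes) -> bytes:
    """One TLV attribute; the length byte counts the type and length bytes too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 9 and one cisco-avpair sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def build_access_request(user: str, password: str, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """NAS side: User-Name, hidden User-Password and Service-Type=Login behind a random authenticator."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, priv_lvl: int) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def parse_attrs(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV list, rejecting lengths that run past the packet."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not match the shared secret is dropped."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def priv_lvl_from_accept(resp: bytes) -> int | None:
    """Privilege level from the Cisco VSA, or None when the server sent no such pair."""
    for atype, value in parse_attrs(resp[20:]):
        if atype != VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for subtype, sub in parse_attrs(value[4:]):
            text = sub.decode(errors="replace")
            if subtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)
    request = build_access_request("fcostalunga", "constructed-password", secret, 37, req_auth)
    accept = build_access_accept(37, req_auth, secret, 15)
    print("valid reply:", verify_response(accept, req_auth, secret), "priv-lvl:", priv_lvl_from_accept(accept))
    print("reply checked with wrong secret:", verify_response(accept, req_auth, b"other-secret"))
```

Two things worth taking from this: a mistyped shared secret (the first thing JG asks Atif to check further down) shows up as a reply that fails verify_response and is silently dropped by the NAS, and the privilege level only reaches the switch if the VSA is actually sent and the switch is told to accept it (radius-server vsa send authentication in the configuration above).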

Re: RADIUS IAS windows 2003 AD and Cisco Login

Please remove authorization and see if authentication works fine or not.

Also do you get authentication failed or authorization failed message ?

Cisco Employee

Re: RADIUS IAS windows 2003 AD and Cisco Login

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

Thanks.

Now it works very well.

If I power down the RADIUS server, I can't connect to the switch.

The switch asks me for a username and password. But if the RADIUS server is down, how can I authenticate on my switch, if I can only reach it remotely via its IP address and can't connect to it via the console?

thanks

FCostalunga

Re: RADIUS IAS windows 2003 AD and Cisco Login

Hi ,

You need to set up a fallback method: create one local user on the switch and issue the commands

aaa authentication login default group switch local

aaa authorization exec default group switch if-authenticated

It will let you in using the local username in case RADIUS is down.

Regards,

~JG

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

I tried, but it does not work.

I attach my config:

username RADIUS password xxx

aaa new-model

aaa group server radius switch

server 10.3.1.203 auth-port 1812 acct-port 1813

!

aaa authentication login default group switch local

aaa authentication login Console line

aaa authorization exec default group switch if-authenticated

radius-server host 10.3.1.203 auth-port 1812 acct-port 1813 key cisco

radius-server retransmit 3

Do you see any error in the config?

Thanks for your help

FCostalunga

Re: RADIUS IAS windows 2003 AD and Cisco Login

Config looks OK to me. Also add this command:

radius-server dead-criteria time 2

If the issue is still there, get me the debugs:

debug radius

debug aaa authentication

Regards,
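The two replies above (a local fallback method for when the RADIUS server is down, and a dead-criteria so the switch stops waiting on a dead server) are the kind of thing worth checking mechanically before a device goes into production. The following is an added example, not Cisco code and not from the thread: a small linter for IOS AAA lines that encodes that advice, plus JG's later point that command authorization and accounting cannot be pointed at a RADIUS group. SAMPLE_CONFIG is constructed from the switch configuration posted above.

```python
"""Lint an IOS AAA configuration for the RADIUS fallback settings recommended above.

Added example, not Cisco code. The rules come from the replies in this thread:
a 'local' method in the default login list (with a local username to back it),
'if-authenticated' or 'local' on exec authorization, a dead-criteria or deadtime
so an unreachable RADIUS server is skipped quickly, and no command authorization
or accounting pointed at a RADIUS group. SAMPLE_CONFIG is constructed from the
switch configuration posted earlier in the thread.
"""
from __future__ import annotations

SAMPLE_CONFIG = """\
username RADIUS password xxx
aaa new-model
aaa group server radius switch
 server 10.3.1.203 auth-port 1812 acct-port 1813
!
aaa authentication login default group switch local
aaa authentication login Console line
aaa authorization exec default group switch if-authenticated
radius-server host 10.3.1.203 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
"""


def _lines(config: str) -> list[str]:
    return [line.strip() for line in config.splitlines() if line.strip()]


def method_list(config: str, prefix: str) -> list[str] | None:
    """Methods of the first 'aaa ... <prefix>' line, keeping 'group NAME' as one method."""
    for line in _lines(config):
        if line.startswith(prefix + " "):
            tokens, methods = line[len(prefix):].split(), []
            while tokens:
                tok = tokens.pop(0)
                methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
            return methods
    return None


def radius_groups(config: str) -> set[str]:
    """Named RADIUS server groups plus the implicit 'radius' group."""
    groups = {"radius"}
    for line in _lines(config):
        parts = line.split()
        if parts[:4] == ["aaa", "group", "server", "radius"] and len(parts) > 4:
            groups.add(parts[4])
    return groups


def lint_aaa(config: str) -> list[str]:
    """Return one human-readable finding per missing or unsupported setting."""
    lines, findings = _lines(config), []
    if "aaa new-model" not in lines:
        findings.append("'aaa new-model' missing: the method lists below are not in effect")
    login = method_list(config, "aaa authentication login default")
    if login is None:
        findings.append("no default login method list: logins use the legacy line password only")
    elif "local" not in login:
        findings.append("default login list has no 'local' method: a RADIUS outage locks you out")
    elif not any(l.startswith("username ") for l in lines):
        findings.append("'local' fallback configured but no local 'username' exists to fall back to")
    exec_methods = method_list(config, "aaa authorization exec default")
    if exec_methods and not {"if-authenticated", "local"} & set(exec_methods):
        findings.append("exec authorization has neither 'if-authenticated' nor 'local': fallback logins get no shell")
    if not any(l.startswith(("radius-server dead-criteria", "radius-server deadtime", "deadtime")) for l in lines):
        findings.append("no dead-criteria/deadtime: every fallback login first waits out all RADIUS retransmits")
    groups = radius_groups(config)
    for l in lines:
        if l.startswith(("aaa authorization commands", "aaa accounting commands")):
            used = {b for a, b in zip(l.split(), l.split()[1:]) if a == "group"}
            if used & groups:
                findings.append(f"'{l}': command authorization/accounting needs a TACACS+ group; RADIUS cannot do it")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

On the posted configuration the only finding is the missing dead-criteria, which matches JG's suggestion. One caveat the linter cannot see: IOS only moves on to the next method when the RADIUS server does not answer; an Access-Reject from a reachable server ends the attempt and does not fall through to the local user, so "local" protects against an outage, not against a policy mismatch on the IAS side.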

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

To what extent does command authorization work with RADIUS? Can we do it or not?

I can only execute:

aaa authorization exec default group TESTR if-authenticated

but this command causes a problem:

aaa authorization commands 15 default if-authenticated

It shows "command authorization failed" once I implement it.

Do I have to define the commands on the RADIUS server?

I am using MS IAS as Radius server.

Re: RADIUS IAS windows 2003 AD and Cisco Login

Hi Atif,

In RADIUS, command authorization is not supported; this is a limitation of the RADIUS protocol. In order to do command authorization, the authorization packet has to be sent separately from the authentication packet, which is not done in RADIUS. Authentication and authorization requests are sent in one packet. In TACACS+, you have the flexibility of sending each AAA (Authentication, Authorization, Accounting) request in separate packets. This is why command authorization is possible in TACACS+.

You need to take out this command:

aaa authorization commands 15 default if-authenticated

Regards,

~JG

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

ok I see.

What about accounting for RADIUS? I get this message when I want to enable accounting for commands:

PE2(config)#aaa accounting commands 15 default start-stop group TESTR

PE2(config)#

10w5d: %AAAA-4-SERVNOTACPLUS: The server-group "TESTR" is not a tacacs+ server group. Please define "TESTR" as a tacacs+ server group.

Is accounting only going to work for TACACS+, not RADIUS?

I have tried the 'archive' feature and it does send the command/config changes to syslog. Is it a good enough replacement for AAA accounting?

Thanks

Re: RADIUS IAS windows 2003 AD and Cisco Login

Atif,

Command accounting can only be done via a TACACS+ server. A RADIUS server does not support command accounting.

Regards,

~JG

Please rate if this helps.

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

I am seeing the following problem:

Configuration:

username cisco password xxx

aaa new-model

!

!

aaa group server radius TESTR

server-private 138.218.140.50 auth-port 1812 acct-port 1813 key cisco

server 138.x.x.50 auth-port 1812 acct-port 1813

ip vrf forwarding CORE-MGMT

ip radius source-interface Loopback50

deadtime 2

!

aaa authentication login default group TESTR local

aaa authorization exec default group TESTR if-authenticated

aaa accounting exec default start-stop group TESTR

ERROR:

PE3#test aaa group TESTR atifro nrp2007! new-code

17:27:42: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'

17:27:42: RADIUS/ENCODE(00000000):Orig. component type = INVALID

17:27:42: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

17:27:42: RADIUS(00000000): Config NAS IP: 138.218.138.130

17:27:42: RADIUS(00000000): sending

17:27:42: RADIUS(00000000): Send Access-Request to 138.218.140.50:1812 id 1645/37, len 52

17:27:42: RADIUS: authenticator 11 BE 4B 9B 0C C0 FF 09 - CE 1F AA 17 1E 66 6F A5

17:27:42: RADIUS: User-Password [2] 18 *

17:27:42: RADIUS: User-Name [1] 8 "atifro"

17:27:42: RADIUS: NAS-IP-Address [4] 6 138.218.138.130

17:27:42: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83

17:27:42: RADIUS: Response for non-existent request ident

17:27:48: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37

17:27:48: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83

17:27:48: RADIUS: Response for non-existent request ident

17:27:53: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37

17:27:53: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83

17:27:53: RADIUS: Response for non-existent request ident

17:27:59: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37

17:27:59: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83

17:27:59: RADIUS: Response for non-existent request identUser rejected

PE3#

17:28:04: RADIUS: No response from (138.218.140.50:1812,1813) for id 1645/37

17:28:04: RADIUS/DECODE: parse response no app start; FAIL

17:28:04: RADIUS/DECODE: parse response; FAIL

I see on the RADIUS server that it receives the request, but when it sends back.

Help!

Re: RADIUS IAS windows 2003 AD and Cisco Login

Atif,

Please make sure that the shared secret is OK; please change it, and do not copy-paste.

Also issue this command on the radius group:

no server 138.218.140.50 auth-port 1812 acct-port 1813

Followed by

server 138.218.140.50 (Don't define any port)

Then issue the command

ip radius source port 1645

Do you see any hits on the ACS/RADIUS server?

Regards,

~JG

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

I am using server-private. I removed it and issued the commands; it does not take ip radius source port 1645 under the group, I think:

PE3(config)#aaa group server radius TESTR

PE3(config-sg-radius)#$.218.140.50 auth-port 1812 acct-port 1813 key cisco

PE3(config-sg-radius)#server

PE3(config-sg-radius)#server ?

Hostname or A.B.C.D IP address of RADIUS server

PE3(config-sg-radius)#server 138.x.x.50 ?

acct-port UDP port for RADIUS accounting server (default is 1646)

auth-port UDP port for RADIUS authentication server (default is 1645)

PE3(config-sg-radius)#server 138.x.x.50

PE3(config-sg-radius)#

22:12:26: %RADIUS-4-NOSERV: Warning: Server 138.x.x.50:1645,1646 is not defined.

PE3(config-sg-radius)#end

PE3#

22:12:53: %SYS-5-CONFIG_I: Configured from console by cisco on console

PE3#ip radius source port 1645

^

% Invalid input detected at '^' marker.

PE3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

PE3(config)#aaa group server radius TESTR

PE3(config-sg-radius)#ip radius source-interface ?

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

I have changed the config:

aaa group server radius TESTR

server 138.218.140.50 auth-port 1645 acct-port 1646

ip vrf forwarding CORE-MGMT

ip radius source-interface GigabitEthernet1/45

deadtime 2

Now a different result. I think we need to specify server-private; only then do I see some response from the RADIUS server:

Config:

aaa group server radius TESTR

server 138.218.140.50 auth-port 1645 acct-port 1646

ip vrf forwarding CORE-MGMT

ip radius source-interface GigabitEthernet1/45

deadtime 2

aaa authentication login default group TESTR local

aaa authorization exec default group TESTR if-authenticated

aaa accounting exec default start-stop group TESTR

aaa accounting system default vrf CORE-MGMT start-stop group TESTR

Test:

PE3#test aaa group TESTR atifro nrp2007! new-code

User rejected

PE3#

22:25:17: RADIUS/ENCODE(00000000):Orig. component type = INVALID

22:25:17: RADIUS(00000000): Config NAS IP: 138.218.138.121

22:25:17: %RADIUS-3-NOSERVERS: No Radius hosts configured or no valid server present in the server group TESTR

PE3#

22:25:17: RADIUS/DECODE: parse response no app start; FAIL

22:25:17: RADIUS/DECODE: parse response; FAIL

Re: RADIUS IAS windows 2003 AD and Cisco Login

Atif,

Which device and IOS is it? Can you disable system accounting,

no aaa accounting system default vrf CORE-MGMT start-stop group TESTR

and see if that makes any change.

Regards,

~JG

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

The problem is fixed. It was the wrong IP replying back to the router; there were two interfaces on the RADIUS server. So I put both IPs in as servers, and it worked.

Thanks for the help!

It is a 7606, 12.2(33)SRB.

I guess I don't need the accounting system command; I have disabled it.
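The root cause reported here (replies arriving from a second interface of the RADIUS server) is exactly what the earlier debug shows: each Access-Request goes to 138.218.140.50, each Access-Accept comes back from 138.218.140.58, and the router logs "Response for non-existent request ident" because it only matches replies against the address it sent to. The following is an added example, not Cisco code, that correlates those debug radius lines and names the mismatch; SAMPLE_DEBUG is constructed from the debug posted above, and the message formats are the ones visible there (the "port/ident" key is what the router prints on each line).

```python
"""Correlate 'debug radius' output: where each request went, where each reply came
from, and whether the NAS accepted it.

Added example, not Cisco code. SAMPLE_DEBUG is constructed from the debug posted
in this thread; the line formats are the ones visible there.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
17:27:42: RADIUS(00000000): Send Access-Request to 138.218.140.50:1812 id 1645/37, len 52
17:27:42: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83
17:27:42: RADIUS: Response for non-existent request ident
17:27:48: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37
17:27:48: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83
17:27:48: RADIUS: Response for non-existent request ident
17:27:53: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37
17:27:53: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83
17:27:53: RADIUS: Response for non-existent request ident
17:27:59: RADIUS: Retransmit to (138.218.140.50:1812,1813) for id 1645/37
17:27:59: RADIUS: Received from id 1645/37 138.218.140.58:1812, Access-Accept, len 83
17:27:59: RADIUS: Response for non-existent request ident
17:28:04: RADIUS: No response from (138.218.140.50:1812,1813) for id 1645/37
"""

SEND_RE = re.compile(r"Send (Access-\w+) to ([\d.]+):\d+ id (\d+/\d+)")
RECV_RE = re.compile(r"Received from id (\d+/\d+) ([\d.]+):\d+, (Access-\w+)")
RETX_RE = re.compile(r"Retransmit to \(([\d.]+):\d+,\d+\) for id (\d+/\d+)")
NORESP_RE = re.compile(r"No response from \(([\d.]+):\d+,\d+\) for id (\d+/\d+)")


@dataclass
class Exchange:
    ident: str
    sent_to: str
    retransmits: int = 0
    replies: list[tuple[str, str]] = field(default_factory=list)  # (source ip, code)
    gave_up: bool = False


def correlate(debug_text: str) -> dict[str, Exchange]:
    """Group debug lines by the 'port/ident' key the NAS prints on every line."""
    exchanges: dict[str, Exchange] = {}
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            exchanges[m.group(3)] = Exchange(m.group(3), m.group(2))
        elif m := RETX_RE.search(line):
            if ex := exchanges.get(m.group(2)):
                ex.retransmits += 1
        elif m := RECV_RE.search(line):
            if ex := exchanges.get(m.group(1)):
                ex.replies.append((m.group(2), m.group(3)))
        elif m := NORESP_RE.search(line):
            if ex := exchanges.get(m.group(2)):
                ex.gave_up = True
    return exchanges


def diagnose(exchanges: dict[str, Exchange]) -> list[str]:
    """Explain each failed exchange; a reply from an unexpected address is the case in this thread."""
    notes = []
    for ex in exchanges.values():
        strays = sorted({ip for ip, _ in ex.replies if ip != ex.sent_to})
        if strays:
            notes.append(f"id {ex.ident}: sent to {ex.sent_to} but replies came from {', '.join(strays)}; "
                         "the NAS drops them as 'non-existent request ident'. Typical cause: a multi-homed "
                         "server answering from another interface; any reply from an address that is not "
                         "the configured server is ignored the same way.")
        if ex.gave_up:
            usable = [code for ip, code in ex.replies if ip == ex.sent_to]
            notes.append(f"id {ex.ident}: gave up after {ex.retransmits} retransmit(s), "
                         f"{len(usable)} usable reply(ies); user rejected")
    return notes


if __name__ == "__main__":
    for note in diagnose(correlate(SAMPLE_DEBUG)):
        print(note)
```

Listing both addresses as servers, as done here, works because the router then has a matching outstanding request for whichever address answers; the tidier fix is to make the RADIUS service answer from the address the NAS is configured with, so the address check keeps doing its job of discarding replies from anything that is not the configured server.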

Re: RADIUS IAS windows 2003 AD and Cisco Login

Atif,

Nice to know that. Please mark this thread resolved, so others can benefit from it.

Regards,

~JG

Community Member

Re: RADIUS IAS windows 2003 AD and Cisco Login

How do I mark it resolved? I did not start this thread; does it make a difference?
