AAA authentication difference in 12.0 and 12.1

wmollyhorn
Level 1

Question for those more savvy on the CCO site than myself. I have a Cisco 1750 running 12.1(5)T10 as an L2TP LNS. I am pointing all AAA requests to various RADIUS servers via Virtual IPs on the AAA boxes themselves.

Using 12.0(5), I had no problem with auth-requests sent to the Virtual Interface IP as the destination address and the auth-accepts coming back from the actual IP of the server as the source IP.

Using 12.1(5), I am failing authentication because the router is not seeing the auth-accept. Instead of listening by port, it seems to be listening for the auth-accept coming from the IP address the router sent the request to.

I'm not sure if this is correct or a bug. I haven't seen anything about it listed in the release notes for 12.1(5), but then, as I stated before, I'm not really savvy with searching the CCO. I wanted to see if anyone out there had any feedback before opening a case.

Thanks

3 Replies

tepatel
Cisco Employee

The router will always listen for the access accept/reject packets from the source IP address to which the request was sent.

So if the router has the command

radius-server host 1.1.1.1

it will listen for the RADIUS response from the RADIUS server with the same IP address, 1.1.1.1.

Please post "debug radius" and "debug aaa authentication" with 12.1(5) on the router.

Here is the debug. I replaced the IP addresses with what they are: either Actual AAA IP or Virtual AAA IP. Thanks for the assist.

Call to LNS with Actual AAA IP in configs:

AAA/MEMORY: free_user (0x811864E0) user='' ruser='' port='tty7' rem_addr='199.0.238.2' authen_type=ASCII service=ENABLE priv=15
Vi3 VPDN: Virtual interface created for 01test@franks.l2tp
Vi3 VPDN: Set to Async interface
Vi3 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Vi3 VPDN: Bind interface direction=2
Vi3 VPDN: PPP LCP accepted rcv CONFACK
Vi3 VPDN: PPP LCP accepted sent CONFACK
AAA: parse name=Virtual-Access3 idb type=21 tty=-1
AAA: name=Virtual-Access3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
AAA/MEMORY: create_user (0x811FBB04) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
AAA/AUTHEN/START (1740812103): port='Virtual-Access3' list='' action=LOGIN service=PPP
AAA/AUTHEN/START (1740812103): using "default" list
AAA/AUTHEN/START (1740812103): Method=LOCAL
AAA/AUTHEN (1740812103): status = ERROR
AAA/AUTHEN/START (1740812103): Method=radius (radius)
RADIUS: ustruct sharecount=1
RADIUS: Initial Transmit Virtual-Access3 id 30 {Actual AAA IP}:1812, Access-Request, len 101
Attribute 4 6 CF8F7EB2
Attribute 5 6 00000003
Attribute 61 6 00000000
Attribute 1 20 30317465
Attribute 30 12 35303937
Attribute 3 19 016A2DF2
Attribute 6 6 00000002
Attribute 7 6 00000001
RADIUS: Received from id 30 {Actual AAA IP}:1812, Access-Accept, len 40
Attribute 11 8 3130322E
Attribute 27 6 00008CA0
Attribute 28 6 00000E10
AAA/AUTHEN (1740812103): status = PASS
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
StoreVPN#
%SYS-5-CONFIG_I: Configured from console by sprint on vty1 (199.0.238.2)
Vi3 VPDN: Cleanup
Vi3 VPDN: Reset
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
Vi3 VPDN: Unbind interface
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
AAA/MEMORY: free_user (0x811FBB04) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down

Call to LNS with Virtual AAA IP in configs:

Vi3 VPDN: Virtual interface created for 01test@franks.l2tp
Vi3 VPDN: Set to Async interface
Vi3 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Vi3 VPDN: Bind interface direction=2
Vi3 VPDN: PPP LCP accepted rcv CONFACK
Vi3 VPDN: PPP LCP accepted sent CONFACK
AAA: parse name=Virtual-Access3 idb type=21 tty=-1
AAA: name=Virtual-Access3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
AAA/MEMORY: create_user (0x811F8CD8) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
AAA/AUTHEN/START (514094351): port='Virtual-Access3' list='' action=LOGIN service=PPP
AAA/AUTHEN/START (514094351): using "default" list
AAA/AUTHEN/START (514094351): Method=LOCAL
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): Method=radius (radius)
RADIUS: ustruct sharecount=1
RADIUS: Initial Transmit Virtual-Access3 id 31 {Virtual AAA IP}:1812, Access-Request, len 101
Attribute 4 6 CF8F7EB2
Attribute 5 6 00000003
Attribute 61 6 00000000
Attribute 1 20 30317465
Attribute 30 12 35303937
Attribute 3 19 017BD98B
Attribute 6 6 00000002
Attribute 7 6 00000001
RADIUS: Received from id 31 {Actual AAA IP}:1812, Access-Accept, len 40
Attribute 11 8 3130322E
Attribute 27 6 00008CA0
Attribute 28 6 00000E10
RADIUS: Response for non-existent request ident
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Trying next server ({Secondary Virtual AAA IP}:1812,1813) for id31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Tried all servers.
RADIUS: No valid server found. Trying any viable server
RADIUS: Tried all servers.
RADIUS: No response for id 31
RADIUS: No response from server
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): no methods left to try
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): failed to authenticate
AAA/MEMORY: free_user (0x811F8CD8) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
Vi3 VPDN: Cleanup
Vi3 VPDN: Reset
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
Vi3 VPDN: Unbind interface
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface

Interesting. It looks like CSCdm77323 added code to check the address fields for the RADIUS packets; this came in 12.0(6.3)T. However, we then saw that this was not the right thing to do, and so removed that portion of code with CSCdp17083 in 12.0(7.2). I see no indication that this "dance" affected 12.1 at all, so 12.1 should be fine. You may want to open a case with the TAC to have this problem pursued further.
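To make the matching rule tepatel describes concrete, and to show where the "Response for non-existent request ident" line in the second debug comes from, here is an added Python sketch of a RADIUS client's outstanding-request table. It is not Cisco code and not from this thread; the IP addresses, identifier and shared secret are constructed, strict_source=True models a client that only pairs a reply with the address it sent the request to, and the Response Authenticator check is the one defined in RFC 2865.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # packet codes from RFC 2865

def build_packet(code, ident, authenticator, attrs=b""):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

class RadiusClient:
    def __init__(self, secret, strict_source=True):
        self.secret = secret
        self.strict_source = strict_source  # True models the 12.1 behaviour seen in the debug
        self.pending = {}  # (address the request was sent to, identifier) -> Request Authenticator

    def send(self, server_ip, ident):
        req_auth = os.urandom(16)  # a real client would now transmit the packet to server_ip:1812
        self.pending[(server_ip, ident)] = req_auth
        return build_packet(ACCESS_REQUEST, ident, req_auth)

    def receive(self, src_ip, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        resp_auth, attrs = packet[4:20], packet[20:length]
        if self.strict_source:  # only a reply from the address we sent to is paired up
            key = (src_ip, ident) if (src_ip, ident) in self.pending else None
        else:  # lenient: pair on identifier alone, so a reply from behind a VIP still matches
            key = next((k for k in self.pending if k[1] == ident), None)
        if key is None:
            return "Response for non-existent request ident"
        # In either mode the Response Authenticator, keyed with the shared secret, is what
        # binds the reply to our request; a reply computed with the wrong secret fails here.
        if response_authenticator(code, ident, self.pending[key], attrs, self.secret) != resp_auth:
            return "Response Authenticator mismatch, discarded"
        del self.pending[key]
        return "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject or other"

def demo(strict_source, wrong_secret=False):
    """Constructed exchange: request sent to the VIP, Access-Accept answered from the real IP."""
    vip, real_ip, secret = "10.0.0.100", "10.0.0.1", b"constructed-shared-secret"
    client = RadiusClient(secret, strict_source)
    client.send(vip, 31)
    reply_secret = b"some-other-secret" if wrong_secret else secret
    auth = response_authenticator(ACCESS_ACCEPT, 31, client.pending[(vip, 31)], b"", reply_secret)
    return client.receive(real_ip, build_packet(ACCESS_ACCEPT, 31, auth))
```

demo(True) reproduces the failure in the thread (reply from the real IP does not match a request sent to the VIP), while demo(False) accepts it and demo(False, wrong_secret=True) shows the authenticator check still rejecting a reply built with a mismatched secret.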