09-03-2002 06:30 AM - edited 03-02-2019 01:05 AM
Question for those more savvy on the CCO site than myself. I have a Cisco 1750 running 12.1(5) T10 as an L2TP LNS. I am pointing all AAA requests to various RADIUS servers via Virtual IP's on the AAA boxes themselves.
Using 12.0(5), I had no problem with auth-requests sent to the Virtual Interface IP as the destination address and the auth-accepts coming back from the actual IP of the server as source IP.
Using 12.1(5), I am failing authentication because the router is not seeing the auth-accept. Instead of listening by port, it seems to be listening for the auth-accept coming from the IP address the router sent the request to.
I'm not sure if this is correct or a bug. I haven't seen anything about it listed in the release notes for 12.1(5) but then, as I stated before, I'm not real savvy with searching the CCO. I wanted to see if anyone out there had any feedback before opening a case.
Thanks
09-03-2002 03:27 PM
Router will always listen for the access accept/reject packets from the source IP address to which the request was sent.
So if router has a command
radius-server host 1.1.1.1
It will listen to the radius response from the radius server with the same ip address 1.1.1.1
Please post "debug radius" and "debug aaa authentication" with 12.1(5) on the router.
09-04-2002 05:39 AM
Here is the debug. I replaced the IP addresses with what they are; either Actual AAA IP or Virtual AAA IP. Thanks for the assist.
Call to LNS with Actual AAA IP in configs:
AAA/MEMORY: free_user (0x811864E0) user='' ruser='' port='tty7' rem_addr='199.0.238.2' authen_type=ASCII service=ENABLE priv=15
Vi3 VPDN: Virtual interface created for 01test@franks.l2tp
Vi3 VPDN: Set to Async interface
Vi3 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Vi3 VPDN: Bind interface direction=2
Vi3 VPDN: PPP LCP accepted rcv CONFACK
Vi3 VPDN: PPP LCP accepted sent CONFACK
AAA: parse name=Virtual-Access3 idb type=21 tty=-1
AAA: name=Virtual-Access3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
AAA/MEMORY: create_user (0x811FBB04) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
AAA/AUTHEN/START (1740812103): port='Virtual-Access3' list='' action=LOGIN service=PPP
AAA/AUTHEN/START (1740812103): using "default" list
AAA/AUTHEN/START (1740812103): Method=LOCAL
AAA/AUTHEN (1740812103): status = ERROR
AAA/AUTHEN/START (1740812103): Method=radius (radius)
RADIUS: ustruct sharecount=1
RADIUS: Initial Transmit Virtual-Access3 id 30 {Actual AAA IP}:1812, Access-Request, len 101
Attribute 4 6 CF8F7EB2
Attribute 5 6 00000003
Attribute 61 6 00000000
Attribute 1 20 30317465
Attribute 30 12 35303937
Attribute 3 19 016A2DF2
Attribute 6 6 00000002
Attribute 7 6 00000001
RADIUS: Received from id 30 {Actual AAA IP}:1812, Access-Accept, len 40
Attribute 11 8 3130322E
Attribute 27 6 00008CA0
Attribute 28 6 00000E10
AAA/AUTHEN (1740812103): status = PASS
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
StoreVPN#
%SYS-5-CONFIG_I: Configured from console by sprint on vty1 (199.0.238.2)
Vi3 VPDN: Cleanup
Vi3 VPDN: Reset
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
Vi3 VPDN: Unbind interface
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
AAA/MEMORY: free_user (0x811FBB04) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Call to LNS with Virtual AAA IP in configs:
Vi3 VPDN: Virtual interface created for 01test@franks.l2tp
Vi3 VPDN: Set to Async interface
Vi3 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Vi3 VPDN: Bind interface direction=2
Vi3 VPDN: PPP LCP accepted rcv CONFACK
Vi3 VPDN: PPP LCP accepted sent CONFACK
AAA: parse name=Virtual-Access3 idb type=21 tty=-1
AAA: name=Virtual-Access3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
AAA/MEMORY: create_user (0x811F8CD8) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
AAA/AUTHEN/START (514094351): port='Virtual-Access3' list='' action=LOGIN service=PPP
AAA/AUTHEN/START (514094351): using "default" list
AAA/AUTHEN/START (514094351): Method=LOCAL
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): Method=radius (radius)
RADIUS: ustruct sharecount=1
RADIUS: Initial Transmit Virtual-Access3 id 31 {Virtual AAA IP}:1812, Access-Request, len 101
Attribute 4 6 CF8F7EB2
Attribute 5 6 00000003
Attribute 61 6 00000000
Attribute 1 20 30317465
Attribute 30 12 35303937
Attribute 3 19 017BD98B
Attribute 6 6 00000002
Attribute 7 6 00000001
RADIUS: Received from id 31 {Actual AAA IP}:1812, Access-Accept, len 40
Attribute 11 8 3130322E
Attribute 27 6 00008CA0
Attribute 28 6 00000E10
RADIUS: Response for non-existent request ident
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Trying next server ({Secondary Virtual AAA IP}:1812,1813) for id31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Retransmit id 31
RADIUS: Tried all servers.
RADIUS: No valid server found. Trying any viable server
RADIUS: Tried all servers.
RADIUS: No response for id 31
RADIUS: No response from server
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): no methods left to try
AAA/AUTHEN (514094351): status = ERROR
AAA/AUTHEN/START (514094351): failed to authenticate
AAA/MEMORY: free_user (0x811F8CD8) user='01test@franks.l2tp' ruser='' port='Virtual-Access3' rem_addr='/5097140030' authen_type=CHAP service=PPP priv=1
Vi3 VPDN: Cleanup
Vi3 VPDN: Reset
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
Vi3 VPDN: Unbind interface
Vi3 VPDN: Reset
Vi3 VPDN: Unbind interface
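The behaviour described in the reply above and visible in the second debug (request sent to the Virtual AAA IP, accept arriving from the Actual AAA IP, then "Response for non-existent request ident" and retransmits) can be modelled with a small RFC 2865 client. This is an added example, not code from the thread or from Cisco IOS; the shared secret and the addresses are constructed, and the attribute values mirror the debug (User-Name, Service-Type 2, Idle-Timeout 3600). It also shows the Response Authenticator check, which is what actually binds a reply to its request.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"constructed-shared-secret"  # assumed shared secret, not from the thread

def encode_attrs(attrs):
    # RFC 2865 attribute format: Type (1 byte), Length (1 byte, includes header), Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def header(code, ident, body):
    return struct.pack("!BBH", code, ident, 20 + len(body))

class RadiusClient:
    """NAS side: outstanding requests keyed by (server IP the request went to, identifier)."""
    def __init__(self):
        self.pending = {}

    def send(self, server_ip, ident, attrs):
        req_auth = os.urandom(16)                  # Request Authenticator, random per request
        body = encode_attrs(attrs)
        self.pending[(server_ip, ident)] = req_auth
        return header(ACCESS_REQUEST, ident, body) + req_auth + body

    def receive(self, src_ip, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        key = (src_ip, ident)                      # match on source address AND identifier
        if key not in self.pending:
            return "Response for non-existent request ident"
        body = pkt[20:length]
        expected = hashlib.md5(header(code, ident, body) + self.pending[key] + body + SECRET).digest()
        if not hmac.compare_digest(pkt[4:20], expected):
            return "Bad response authenticator"   # forged or corrupted reply is dropped
        del self.pending[key]
        return "PASS" if code == ACCESS_ACCEPT else "FAIL"

def server_reply(request_pkt, attrs):
    """Server side: Access-Accept whose Response Authenticator is bound to the request."""
    ident, req_auth = request_pkt[1], request_pkt[4:20]
    body = encode_attrs(attrs)
    resp_auth = hashlib.md5(header(ACCESS_ACCEPT, ident, body) + req_auth + body + SECRET).digest()
    return header(ACCESS_ACCEPT, ident, body) + resp_auth + body

def simulate(configured_ip, replying_ip):
    """One exchange: request sent to configured_ip, Access-Accept arriving from replying_ip."""
    nas = RadiusClient()
    req = nas.send(configured_ip, 31, [(1, b"01test@franks.l2tp"), (6, struct.pack("!I", 2))])
    return nas.receive(replying_ip, server_reply(req, [(28, struct.pack("!I", 3600))]))
```

With the actual server IP configured the exchange returns PASS; with a virtual IP configured and the real address answering, the reply is discarded exactly as the debug shows, and the NAS keeps retransmitting until it gives up.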
09-18-2002 03:08 PM
Interesting. It looks like CSCdm77323 added code to check the address fields for the RADIUS packets; this came in 12.0(6.3)T. However, we then saw that this was not the right thing to do, and so removed that portion of code with CSCdp17083 in 12.0(7.2). I see no indication that this "dance" affected 12.1 at all, so 12.1 should be fine. You may want to open a case with the TAC to have this problem pursued further.