Help me with the problem of "radius server & access server"

jeff.lee
Level 1

I want to configure a 2501 (using the AUX port to connect a modem) as the access server with RADIUS server authentication (I use Win2K's IAS as the RADIUS server; I have added a client whose IP address is 192.168.1.102 and whose shared key is "cisco123"), but I failed. Why?

1. IOS is c2500-jos56i-l.121-20.bin

2. Config is:

cimic#sho run

Building configuration...

Current configuration : 1880 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname cimic

!

aaa new-model

aaa authentication login default local

aaa authentication ppp default if-needed group radius local

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius if-authenticated

enable secret xxxxxx

!

username xxx password xxxxx

!

!

!

!

ip subnet-zero

no ip domain-lookup

!

interface Ethernet0

ip address 192.168.1.102 255.255.255.0

!

interface Serial0

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

interface Async1

ip unnumbered Ethernet0

encapsulation ppp

async mode dedicated

peer default ip address pool async

ppp authentication pap

!

ip local pool async 192.168.1.70 192.168.1.80

ip classless

no ip http server

!

!

radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key cisco123

radius-server retransmit 3

radius-server key xxxx

!

line con 0

line aux 0

session-timeout 20

modem InOut

modem autoconfigure discovery

transport input all

autoselect during-login

autoselect ppp

speed 38400

password xxxx

!

end

* And I have tested ports 1645 & 1646 as the authen and acct ports, but that also failed.

3. debug aaa authen, debug radius, debug ppp neg, debug ppp auth:

cimic#ter mon

cimic#

00:17:21: As1 LCP: I CONFREQ [Closed] id 1 len 23

00:17:21: As1 LCP: ACCM 0x00000000 (0x020600000000)

00:17:21: As1 LCP: MagicNumber 0x374654AF (0x0506374654AF)

00:17:21: As1 LCP: PFC (0x0702)

00:17:21: As1 LCP: ACFC (0x0802)

00:17:21: As1 LCP: Callback 6 (0x0D0306)

00:17:21: As1 LCP: Lower layer not up, Fast Starting

00:17:21: As1 PPP: Treating connection as a dedicated line

00:17:21: As1 PPP: Phase is ESTABLISHING, Active Open

00:17:21: As1 LCP: O CONFREQ [Closed] id 14 len 24

00:17:21: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:17:21: As1 LCP: AuthProto PAP (0x0304C023)

00:17:21: As1 LCP: MagicNumber 0xE02E4D84 (0x0506E02E4D84)

00:17:21: As1 LCP: PFC (0x0702)

00:17:21: As1 LCP: ACFC (0x0802)

00:17:21: As1 LCP: O CONFREJ [REQsent] id 1 len 7

00:17:21: As1 LCP: Callback 6 (0x0D0306)

00:17:21: %LINK-3-UPDOWN: Interface Async1, changed state to up

00:17:21: As1 LCP: I CONFACK [REQsent] id 14 len 24

00:17:21: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:17:21: As1 LCP: AuthProto PAP (0x0304C023)

00:17:21: As1 LCP: MagicNumber 0xE02E4D84 (0x0506E02E4D84)

00:17:21: As1 LCP: PFC (0x0702)

00:17:21: As1 LCP: ACFC (0x0802)

00:17:21: As1 LCP: I CONFREQ [ACKrcvd] id 2 len 20

00:17:21: As1 LCP: ACCM 0x00000000 (0x020600000000)

00:17:21: As1 LCP: MagicNumber 0x374654AF (0x0506374654AF)

00:17:21: As1 LCP: PFC (0x0702)

00:17:21: As1 LCP: ACFC (0x0802)

00:17:21: As1 LCP: O CONFACK [ACKrcvd] id 2 len 20

00:17:21: As1 LCP: ACCM 0x00000000 (0x020600000000)

00:17:21: As1 LCP: MagicNumber 0x374654AF (0x0506374654AF)

00:17:22: As1 LCP: PFC (0x0702)

00:17:22: As1 LCP: ACFC (0x0802)

00:17:22: As1 LCP: State is Open

00:17:22: As1 PPP: Phase is AUTHENTICATING, by this end

00:17:22: As1 LCP: I IDENTIFY [Open] id 3 len 18 magic 0x374654AF MSRASV5.10

00:17:22: As1 LCP: I IDENTIFY [Open] id 4 len 25 magic 0x374654AF MSRAS-0-XIEGUOHUA

00:17:22: As1 PAP: I AUTH-REQ id 55 len 12 from "web"

00:17:22: As1 PAP: Authenticating peer web

00:17:22: AAA: parse name=Async1 idb type=10 tty=1

00:17:22: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=1 channel=0

00:17:22: AAA/MEMORY: create_user (0x3068D8) user='web' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1

00:17:22: AAA/AUTHEN/START (15642053): port='Async1' list='' action=LOGIN service=PPP

00:17:22: AAA/AUTHEN/START (15642053): using "default" list

00:17:22: AAA/AUTHEN (15642053): status = UNKNOWN

00:17:22: AAA/AUTHEN/START (15642053): Method=radius (radius)

00:17:22: RADIUS: ustruct sharecount=1

00:17:22: RADIUS: Initial Transmit Async1 id 3 192.168.1.2:1812, Access-Request, len 73

00:17:22: Attribute 4 6 C0A80166

00:17:22: Attribute 5 6 00000001

00:17:22: Attribute 61 6 00000000

00:17:22: Attribute 1 5 77656202

00:17:22: Attribute 2 18 1DADB70C

00:17:22: Attribute 6 6 00000002

00:17:22: Attribute 7 6 00000001

00:17:24: As1 PAP: I AUTH-REQ id 56 len 12 from "web"

00:17:24: As1 AUTH: Duplicate authentication request id=56 already in progress

00:17:27: RADIUS: Retransmit id 3

00:17:27: As1 PAP: I AUTH-REQ id 57 len 12 from "web"

00:17:27: As1 AUTH: Duplicate authentication request id=57 already in progress

00:17:30: As1 PAP: I AUTH-REQ id 58 len 12 from "web"

00:17:30: As1 AUTH: Duplicate authentication request id=58 already in progress

00:17:32: RADIUS: Retransmit id 3

00:17:33: As1 PAP: I AUTH-REQ id 59 len 12 from "web"

00:17:33: As1 AUTH: Duplicate authentication request id=59 already in progress

00:17:36: As1 PAP: I AUTH-REQ id 60 len 12 from "web"

00:17:36: As1 AUTH: Duplicate authentication request id=60 already in progress

00:17:37: RADIUS: Retransmit id 3

00:17:39: As1 PAP: I AUTH-REQ id 61 len 12 from "web"

00:17:39: As1 AUTH: Duplicate authentication request id=61 already in progress

00:17:42: RADIUS: Marking server 192.168.1.2:1812,1813 dead

00:17:42: RADIUS: Tried all servers.

00:17:42: RADIUS: No valid server found. Trying any viable server

00:17:42: RADIUS: Tried all servers.

00:17:42: RADIUS: No response for id 3

00:17:42: RADIUS: No response from server

00:17:42: AAA/AUTHEN (15642053): status = ERROR

00:17:42: AAA/AUTHEN/START (15642053): Method=LOCAL

00:17:42: AAA/AUTHEN (15642053): User not found, end of method list

00:17:42: AAA/AUTHEN (15642053): status = FAIL

00:17:42: As1 PAP: O AUTH-NAK id 61 len 32 msg is "Password validation failure"

00:17:42: As1 PPP: Phase is TERMINATING

00:17:42: As1 LCP: O TERMREQ [Open] id 15 len 4

00:17:42: AAA/MEMORY: free_user (0x3068D8) user='web' ruser='' port='Async1' rem_addr='async' authen_type=PAP service=PPP priv=1

00:17:42: As1 LCP: I TERMACK [TERMsent] id 15 len 4

00:17:42: As1 LCP: State is Closed

00:17:42: As1 PPP: Phase is DOWN

00:17:42: As1 PPP: Phase is ESTABLISHING, Passive Open

00:17:42: As1 LCP: State is Listen

00:17:44: %LINK-5-CHANGED: Interface Async1, changed state to reset

00:17:44: As1 LCP: State is Closed

00:17:44: As1 PPP: Phase is DOWN

00:17:49: %LINK-3-UPDOWN: Interface Async1, changed state to down

00:17:49: As1 LCP: State is Closed

"web" is the username.

Help me ASAP, thanks.

3 Replies

hbaerten
Level 4

Hi,

it seems clear that the router is configured well and everything works ok up to the point where we should get a reply from the radius server, but we never get one:

RADIUS: No response from server

So the questions to ask are:

- is the network connectivity OK between the router and the IAS?

- is there a firewall or other filtering device in between? If so, does it permit radius packets in both directions?

- is the IAS properly configured? Personally I don't know IAS but here's a link that might be helpful:

http://www.cisco.com/warp/public/471/vpn5k-msias.shtml#topic2

(It describes configuration of IAS for a VPN concentrator, but at least some parts should apply to your case as well).

hth

Herbert
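
Added example, not part of the original thread or of Cisco's tooling: a Python decoder for the Access-Request attributes in the `debug radius` output from the question, which also summarizes whether any reply arrived. Attribute names follow RFC 2865; the pattern used to detect a server reply is an assumption about how a response would appear in this debug format.

```python
import re

# Attribute names and enumerated values per RFC 2865, limited to those in the debug.
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 61: "NAS-Port-Type"}
ENUMS = {6: {2: "Framed"}, 7: {1: "PPP"}, 61: {0: "Async"}}

# Constructed sample: RADIUS lines from the debug in the question, wrapped line rejoined.
SAMPLE = """\
00:17:22: RADIUS: Initial Transmit Async1 id 3 192.168.1.2:1812, Access-Request, len 73
00:17:22: Attribute 4 6 C0A80166
00:17:22: Attribute 5 6 00000001
00:17:22: Attribute 61 6 00000000
00:17:22: Attribute 1 5 77656202
00:17:22: Attribute 2 18 1DADB70C
00:17:22: Attribute 6 6 00000002
00:17:22: Attribute 7 6 00000001
00:17:27: RADIUS: Retransmit id 3
00:17:32: RADIUS: Retransmit id 3
00:17:37: RADIUS: Retransmit id 3
00:17:42: RADIUS: Marking server 192.168.1.2:1812,1813 dead
00:17:42: RADIUS: No response from server
"""

def decode_attr(atype, alen, hexval):
    # alen includes the 2 header bytes; this debug prints 4 value bytes, so trim to alen - 2.
    raw = bytes.fromhex(hexval)[:alen - 2]
    if atype == 2:
        return "<hidden, %d bytes>" % (alen - 2)  # obfuscated with the shared secret
    if atype == 1:
        return raw.decode("ascii", "replace")
    if atype == 4:
        return ".".join(str(b) for b in raw)
    n = int.from_bytes(raw, "big")
    return ENUMS.get(atype, {}).get(n, str(n))

def summarize(log):
    s = {"server": None, "attrs": {}, "retransmits": 0, "answered": False, "dead": False}
    for line in log.splitlines():
        if m := re.search(r"Initial Transmit \S+ id \d+ (\S+?), Access-Request", line):
            s["server"] = m.group(1)
        elif m := re.search(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)$", line):
            t, n = int(m.group(1)), int(m.group(2))
            s["attrs"][ATTRS.get(t, "Attribute-%d" % t)] = decode_attr(t, n, m.group(3))
        # Assumption: a reply line from the server would name its packet type.
        s["answered"] |= bool(re.search(r"Access-(Accept|Reject|Challenge)", line))
        s["retransmits"] += "RADIUS: Retransmit" in line
        s["dead"] |= "Marking server" in line and line.endswith("dead")
    return s
```

Running `summarize(SAMPLE)` on the question's debug gives NAS-IP-Address 192.168.1.102, the same address registered as the client in IAS, followed by three retransmits and no reply. The request therefore left the router well formed, which leaves the path to 192.168.1.2 and the IAS side (listening ports, client entry, event log) as the places to check.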

Thanks for your friendly answer. The IAS server and the router are in the same LAN, so there is no problem with the connection between them. Maybe it is because of the configuration of the IAS; I will check it later. Thanks.

dbellazetin
Level 4

I would agree with verifying IP connectivity to the IAS. We can see that we aren't getting a response from the IAS. Are you seeing the requests in the IAS logs?

Make sure the IAS is reachable via pings, for example, to ensure a good IP path with good response time. You can also reference this link on troubleshooting RADIUS connections.

If it gets too hectic and you're sure everything is set up right, I would suggest opening a case.

http://www.cisco.com/en/US/tech/tk583/tk547/technologies_tech_note09186a0080093f4b.shtml

Daniel
