Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need help for PPPoE server authenticating

Hi,

I set up my Cisco R-3745 as PPPoE access server, My radius requires clients to send MAC as Calling-Station-ID (attribute 31) to authenticate. But router had never sent Calling-Station-ID to radius. Do I have to change something in the router's config or update IOS ?

thanks.

Luan.

  • Other Network Infrastructure Subjects
2 REPLIES
Bronze

Re: Need help for PPPoE server authenticating

Have you enabled authorization and accounting on your router , because even though you are using it for authentication router usually uses for authorizing, try enable it . I have heard of some similar bug in version 12.x , so checking in the bug tool kit will also help you

New Member

Re: Need help for PPPoE server authenticating

Yes, I enabled auth & acct . But the problem here is that the router does not send Calling-Station-ID (attribute 31) to radius so clients cannot login (my radius server requires MAC address as Calling-Station-ID to authenticate)

Here below is my router configuration :

=============================

FHCM-C3745-1#sh run

Building configuration...

Current configuration : 5175 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname FHCM-C3745-1

!

enable secret xxxxxx

enable password xxxxx

!

aaa new-model

!

no aaa authentication login default group radius local

no aaa authentication login no_radius enable

no aaa authentication login dialins group radius

no aaa authentication ppp default local group radius

no aaa authorization exec default group radius

no aaa authorization exec console none

no aaa authorization network default local group radius

no aaa accounting exec default start-stop group radius

no aaa accounting network default start-stop group radius

no aaa session-id common

!

username luan password xxxxx

ip subnet-zero

ip wccp version 1

ip cef

!

!

ip name-server x.x.x.x

ip name-server x.x.x.x

!

vpdn-group pppoe-test

accept-dialin

protocol pppoe

virtual-template 1

pppoe limit per-vlan 10

pppoe limit max-sessions 1

!

subscriber access pppoe pre-authorize nas-port-id calling-station-id

subscriber authorization enable

!

interface FastEthernet0/0

ip address x.x.x.x x.x.255.224

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

ip address x.x.x.x x.255.255.248

ip access-group 112 in

no ip unreachables

no ip mroute-cache

no keepalive

shutdown

duplex auto

speed auto

no cdp enable

!

interface Virtual-Template1

mtu 1492

ip unnumbered FastEthernet0/1

no peer default ip address

ppp authentication pap

!

ip classless

ip route 0.0.0.0 0.0.0.0 210.245.31.1

no cdp run

!

snmp-server community FPTHCM123 RO 51

snmp-server enable traps tty

!

radius-server configure-nas

radius-server host x.x.x.142 auth-port 1645 acct-port 1646 key 7

xxxxx

radius-server authorization default Framed-Protocol ppp

radius-server vsa send accounting

radius-server vsa send authentication

!

line con 0

line aux 0

line vty 0 4

password xxxx

login authentication no_radius

login

line vty 5 15

password xxxxx

login

!

end

FHCM-C3745-1#

========================

FHCM-C3745-1#sh ver

Cisco Internetwork Operating System Software

IOS (tm) 3700 Software (C3745-IS-M), Version 12.2(11)T9, RELEASE SOFTWARE

(fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Mon 23-Jun-03 11:19 by cmong

Image text-base: 0x60008940, data-base: 0x617C0000

ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)

FHCM-C3745-1 uptime is 48 minutes

System returned to ROM by power-on

System image file is "flash:c3745-is-mz.122-11.T9.bin"

cisco 3745 (R7000) processor (revision 53.51) with 131072K/12288K bytes of

memor

y.

Processor board ID JPE072610FH

R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache

Channelized E1, Version 1.0.

Bridging software.

X.25 software, Version 3.0.0.

SuperLAT software (copyright 1990 by Meridian Technology Corp).

Primary Rate ISDN software, Version 1.1.

2 FastEthernet/IEEE 802.3 interface(s)

8 Low-speed serial(sync/async) network interface(s)

2 Channelized E1/PRI port(s)

2 Voice FXS interface(s)

DRAM configuration is 64 bits wide with parity disabled.

151K bytes of non-volatile configuration memory.

31744K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

FHCM-C3745-1#

==========================

debug radius

3w0d: RADIUS/ENCODE(00001371): acct_session_id: 4207

3w0d: RADIUS(00001371): sending

3w0d: RADIUS(00001371): Send Access-Request to 210.245.31.142:1645 id

21661/30, len 108

3w0d: RADIUS: authenticator 9E 81 2A C3 82 00 8A 4D - 5D EA 7B 88 CF 20 26

BF

3w0d: RADIUS: User-Name [1] 31 "nas-port:210.245.31.4:0/0/1/0"

3w0d: RADIUS: User-Password [2] 18 *

3w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

3w0d: RADIUS: Vendor, Cisco [26] 15

3w0d: RADIUS: cisco-nas-port [2] 9 "0/0/1/0"

3w0d: RADIUS: NAS-Port [5] 6 0

3w0d: RADIUS: Service-Type [6] 6 Outbound [5]

3w0d: RADIUS: NAS-IP-Address [4] 6 210.245.31.4

3w0d: RADIUS: Received from id 21661/30 210.245.31.142:1645, Access-Reject,

len 20

3w0d: RADIUS: authenticator 74 C4 F9 43 DC 4C B6 2F - FA B2 BD A9 03 80 08

0E

3w0d: RADIUS: response-authenticator decrypt fail, pak len 20

3w0d: RADIUS: packet dump: 031E001474C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: expected digest: C1BF9EDA99B52F0ABD68F4F972FC8F48

3w0d: RADIUS: response authen: 74C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: request authen: 9E812AC382008A4D5DEA7B88CF2026BF

3w0d: RADIUS: Response (30) failed decrypt

3w0d: RADIUS: Retransmit to (210.245.31.142:1645,1646) for id 21661/30

3w0d: RADIUS(00001371): Retransmit id 21661/30

3w0d: RADIUS: Received from id 21661/30 210.245.31.142:1645, Access-Reject,

len 20

3w0d: RADIUS: authenticator 74 C4 F9 43 DC 4C B6 2F - FA B2 BD A9 03 80 08

0E

3w0d: RADIUS: response-authenticator decrypt fail, pak len 20

3w0d: RADIUS: packet dump: 031E001474C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: expected digest: C1BF9EDA99B52F0ABD68F4F972FC8F48

3w0d: RADIUS: response authen: 74C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: request authen: 9E812AC382008A4D5DEA7B88CF2026BF

3w0d: RADIUS: Response (30) failed decrypt

3w0d: RADIUS: Retransmit to (210.245.31.142:1645,1646) for id 21661/30

3w0d: RADIUS(00001371): Retransmit id 21661/30

3w0d: RADIUS: Received from id 21661/30 210.245.31.142:1645, Access-Reject,

len 20

3w0d: RADIUS: authenticator 74 C4 F9 43 DC 4C B6 2F - FA B2 BD A9 03 80 08

0E

3w0d: RADIUS: response-authenticator decrypt fail, pak len 20

3w0d: RADIUS: packet dump: 031E001474C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: expected digest: C1BF9EDA99B52F0ABD68F4F972FC8F48

3w0d: RADIUS: response authen: 74C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: request authen: 9E812AC382008A4D5DEA7B88CF2026BF

3w0d: RADIUS: Response (30) failed decrypt

3w0d: RADIUS: Retransmit to (210.245.31.142:1645,1646) for id 21661/30

3w0d: RADIUS(00001371): Retransmit id 21661/30

3w0d: RADIUS: Received from id 21661/30 210.245.31.142:1645, Access-Reject,

len 20

3w0d: RADIUS: authenticator 74 C4 F9 43 DC 4C B6 2F - FA B2 BD A9 03 80 08

0E

3w0d: RADIUS: response-authenticator decrypt fail, pak len 20

3w0d: RADIUS: packet dump: 031E001474C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: expected digest: C1BF9EDA99B52F0ABD68F4F972FC8F48

3w0d: RADIUS: response authen: 74C4F943DC4CB62FFAB2BDA90380080E

3w0d: RADIUS: request authen: 9E812AC382008A4D5DEA7B88CF2026BF

3w0d: RADIUS: Response (30) failed decrypt

3w0d: RADIUS: Tried all servers.

3w0d: RADIUS: No valid server found. Trying any viable server

3w0d: RADIUS: Tried all servers.

3w0d: RADIUS: No response from (210.245.31.142:1645,1646) for id 21661/30

3w0d: RADIUS/DECODE: parse response no app start; FAIL

3w0d: RADIUS/DECODE: parse response; FAIL

3w0d: RADIUS(00001371): Using existing nas_port 0

3w0d: RADIUS: Pick NAS IP for uid=4977 tableid=0 cfg_addr=0.0.0.0

best_addr=210.245.31.4

3w0d: RADIUS/ENCODE(00001371): acct_session_id: 4207

3w0d: RADIUS(00001371): sending

3w0d: RADIUS(00001371): Send Access-Request to 210.245.31.142:1645 id

21661/31, len 95

3w0d: RADIUS: authenticator 45 44 E6 CD 63 E2 61 54 - 65 31 25 37 21 9D 61

22

3w0d: RADIUS: Framed-Protocol [7] 6 PPP [1]

3w0d: RADIUS: User-Name [1] 12 "dsl-liempc"

3w0d: RADIUS: User-Password [2] 18 *

3w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

3w0d: RADIUS: Vendor, Cisco [26] 15

3w0d: RADIUS: cisco-nas-port [2] 9 "0/0/1/0"

3w0d: RADIUS: NAS-Port [5] 6 0

3w0d: RADIUS: Service-Type [6] 6 Framed [2]

3w0d: RADIUS: NAS-IP-Address [4] 6 210.245.31.4

3w0d: RADIUS: Received from id 21661/31 210.245.31.142:1645, Access-Reject,

len 20

3w0d: RADIUS: authenticator A7 6A 6E 13 AB 77 A4 2D - 78 B9 19 AA AB 36 22

2A

3w0d: RADIUS(00001371): Received from id 21661/31

=================================

regards

258
Views
0
Helpful
2
Replies
This widget could not be displayed.