Radius Authentication Problems

jfraasch · ‎04-14-2003

I am trying to set up my routers with Radius authentication to a Windows 2000 server running IAS and Routing and Remote Access. I thought I had everything set up but it is not working. Here is my router config:

sh run

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname radius-router

!

logging buffered 8000 debugging

no logging console

aaa new-model

aaa authentication login default group radius local

aaa authentication login no_radius none

enable secret xxxx

!

ip subnet-zero

ip domain-name infosys.monterey

ip name-server 172.25.4.8

!

interface FastEthernet0/0

ip address 172.30.17.205 255.255.255.0

no ip directed-broadcast

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.30.17.200

no ip http server

!

radius-server host 172.30.25.4 auth-port 1645 acct-port 1646

radius-server key chivo

!

line con 0

login authentication no_radius

transport input none

line aux 0

line vty 0 4

no scheduler allocate

end

radius-router#

Is it this simple? Obviously not since it is not working.

Any help will be appreciated.

tepatel · ‎04-14-2003

The router is not configured for remote-access yet. Also i don't see ports on the router other then AUX port (as per show run posted) which can be used for dialin remote-access. So only you can use aux port for exec dialin or PPP dialin and authentication via radius.

Pl. explain what exactly you want use this router for rempte-access. Also explain what is not working at this point so that we can help you to get it going.

jfraasch · ‎04-15-2003

All I want to do is have telnet sessions to my routers be authenticated by a Radius server. We have set up a Windows 2000 server with ISA and RAS with a NT user group that includes all the people that are allowed to access the routers. The NT user group is named Router-Admins.

We only want telnet sessions authenticated because most of our equipment is locked up so we are not worried about anyone gaining physical access. People are not actually 'dialing in' per se, we are just telnetting from workstations throughout the infrastructure.

My debug aaa authentication log looks like this:

Log Buffer (8000 bytes):

3d21h: AAA: parse name=tty66 idb type=-1 tty=-1

3d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channe

l=0

3d21h: AAA/MEMORY: create_user (0x80D6ADF0) user='' ruser='' port='tty66' rem_ad

dr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1

3d21h: AAA/AUTHEN/START (3015089804): port='tty66' list='' action=LOGIN service=

LOGIN

3d21h: AAA/AUTHEN/START (3015089804): using "default" list

3d21h: AAA/AUTHEN/START (3015089804): Method=radius (radius)

3d21h: AAA/AUTHEN (3015089804): status = GETUSER

3d21h: AAA/AUTHEN/CONT (3015089804): continue_login (user='(undef)')

3d21h: AAA/AUTHEN (3015089804): status = GETUSER

3d21h: AAA/AUTHEN (3015089804): Method=radius (radius)

3d21h: AAA/AUTHEN (3015089804): status = GETPASS

3d21h: AAA/AUTHEN/CONT (3015089804): continue_login (user='fraaschjm')

3d21h: AAA/AUTHEN (3015089804): status = GETPASS

3d21h: AAA/AUTHEN (3015089804): Method=radius (radius)

3d21h: AAA/AUTHEN (3015089804): status = FAIL

3d21h: AAA/MEMORY: free_user (0x80D6ADF0) user='fraaschjm' ruser='' port='tty66'

rem_addr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1

3d21h: AAA: parse name=tty66 idb type=-1 tty=-1

3d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channe

l=0

3d21h: AAA/MEMORY: create_user (0x80D6ADF0) user='' ruser='' port='tty66' rem_ad

dr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1

3d21h: AAA/AUTHEN/START (1232340484): port='tty66' list='' action=LOGIN service=

LOGIN

3d21h: AAA/AUTHEN/START (1232340484): using "default" list

3d21h: AAA/AUTHEN/START (1232340484): Method=radius (radius)

3d21h: AAA/AUTHEN (1232340484): status = GETUSER

Thanks again for the post. Hopefully this will help.

tepatel · ‎04-15-2003

For telnet access to the router authenticated by radius, router is configured correctly.

As per debug, you can see that the router is sending the authentication request to radius server for user "fraaschjm" but i think the radius server is rejecting a users authentication as we see status=FAIL. So i think the radius server is not configured to authenticate user "fraaschjm" OR the username or password is wrong. So i think you need to fix the radius server for that.

"Debug radius" with "debug aaa authentication" will show the exact cause of failure from radius.

Aaron D · ‎04-15-2003

I'm having the same problem and can't figure it out-

21:37:05: RADIUS(0000002E): Config NAS IP: 10.51.9.1

21:37:05: RADIUS/ENCODE(0000002E): acct_session_id: 39

21:37:05: RADIUS(0000002E): sending

21:37:05: RADIUS(0000002E): Send Access-Request to 10.51.9.82:1645 id 21645/35,

len 77

21:37:05: RADIUS: authenticator 16 59 10 A8 48 76 A4 08 - 98 7F AA D3 BE 5E F3

FE

21:37:05: RADIUS: User-Name [1] 8 "cworks"

21:37:05: RADIUS: User-Password [2] 18 *

21:37:05: RADIUS: NAS-Port [5] 6 227

21:37:05: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

21:37:05: RADIUS: Calling-Station-Id [31] 13 "10.51.9.157"

21:37:05: RADIUS: NAS-IP-Address [4] 6 10.51.9.1

21:37:05: RADIUS: Received from id 21645/35 10.51.9.82:1645, Access-Reject, len

20

21:37:05: RADIUS: authenticator 79 D6 A6 7D F7 48 22 0C - 55 FC FD 02 59 6B CC

D2

21:37:05: RADIUS(0000002E): Received from id 21645/35

21:37:05: RADIUS: not a valid author-type 0!!

jfraasch · ‎04-15-2003

Well, I finally got it to work and it was a Homer (DUH!).

My NT user dialin properties were not set. I finally went to the event viewer on my Radius NT server and saw that I did not have dial-in capabilities to the network. Needless to say, a few mouse clicks later I had configured myself to be a remote access user and things have gone smoothly ever since.

Thanks for all the input here.