04-14-2003 02:28 PM - edited 03-02-2019 06:39 AM
I am trying to set up my routers with Radius authentication to a Windows 2000 server running IAS and Routing and Remote Access. I thought I had everything set up but it is not working. Here is my router config:
sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname radius-router
!
logging buffered 8000 debugging
no logging console
aaa new-model
aaa authentication login default group radius local
aaa authentication login no_radius none
enable secret xxxx
!
!
!
!
!
ip subnet-zero
ip domain-name infosys.monterey
ip name-server 172.25.4.8
!
!
!
!
interface FastEthernet0/0
ip address 172.30.17.205 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.17.200
no ip http server
!
radius-server host 172.30.25.4 auth-port 1645 acct-port 1646
radius-server key chivo
!
line con 0
login authentication no_radius
transport input none
line aux 0
line vty 0 4
no scheduler allocate
end
radius-router#
Is it this simple? Obviously not since it is not working.
Any help will be appreciated.
04-14-2003 04:42 PM
The router is not configured for remote access yet. Also, I don't see any ports on the router other than the AUX port (as per the show run posted) which can be used for dial-in remote access. So you can only use the aux port for exec dial-in or PPP dial-in and authentication via radius.
Please explain what exactly you want to use this router for in terms of remote access. Also explain what is not working at this point so that we can help you get it going.
04-15-2003 07:08 AM
All I want to do is have telnet sessions to my routers be authenticated by a Radius server. We have set up a Windows 2000 server with ISA and RAS with a NT user group that includes all the people that are allowed to access the routers. The NT user group is named Router-Admins.
We only want telnet sessions authenticated because most of our equipment is locked up so we are not worried about anyone gaining physical access. People are not actually 'dialing in' per se, we are just telnetting from workstations throughout the infrastructure.
My debug aaa authentication log looks like this:
Log Buffer (8000 bytes):
3d21h: AAA: parse name=tty66 idb type=-1 tty=-1
3d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
3d21h: AAA/MEMORY: create_user (0x80D6ADF0) user='' ruser='' port='tty66' rem_addr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1
3d21h: AAA/AUTHEN/START (3015089804): port='tty66' list='' action=LOGIN service=LOGIN
3d21h: AAA/AUTHEN/START (3015089804): using "default" list
3d21h: AAA/AUTHEN/START (3015089804): Method=radius (radius)
3d21h: AAA/AUTHEN (3015089804): status = GETUSER
3d21h: AAA/AUTHEN/CONT (3015089804): continue_login (user='(undef)')
3d21h: AAA/AUTHEN (3015089804): status = GETUSER
3d21h: AAA/AUTHEN (3015089804): Method=radius (radius)
3d21h: AAA/AUTHEN (3015089804): status = GETPASS
3d21h: AAA/AUTHEN/CONT (3015089804): continue_login (user='fraaschjm')
3d21h: AAA/AUTHEN (3015089804): status = GETPASS
3d21h: AAA/AUTHEN (3015089804): Method=radius (radius)
3d21h: AAA/AUTHEN (3015089804): status = FAIL
3d21h: AAA/MEMORY: free_user (0x80D6ADF0) user='fraaschjm' ruser='' port='tty66' rem_addr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1
3d21h: AAA: parse name=tty66 idb type=-1 tty=-1
3d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
3d21h: AAA/MEMORY: create_user (0x80D6ADF0) user='' ruser='' port='tty66' rem_addr='172.30.17.93' authen_type=ASCII service=LOGIN priv=1
3d21h: AAA/AUTHEN/START (1232340484): port='tty66' list='' action=LOGIN service=LOGIN
3d21h: AAA/AUTHEN/START (1232340484): using "default" list
3d21h: AAA/AUTHEN/START (1232340484): Method=radius (radius)
3d21h: AAA/AUTHEN (1232340484): status = GETUSER
Thanks again for the post. Hopefully this will help.
04-15-2003 08:15 AM
For telnet access to the router authenticated by radius, the router is configured correctly.
As per the debug, you can see that the router is sending the authentication request to the radius server for user "fraaschjm", but I think the radius server is rejecting the user's authentication, as we see status=FAIL. So I think the radius server is not configured to authenticate user "fraaschjm" OR the username or password is wrong. So I think you need to fix the radius server for that.
"debug radius" together with "debug aaa authentication" will show the exact cause of the failure from radius.
04-15-2003 08:34 AM
I'm having the same problem and can't figure it out.
21:37:05: RADIUS(0000002E): Config NAS IP: 10.51.9.1
21:37:05: RADIUS/ENCODE(0000002E): acct_session_id: 39
21:37:05: RADIUS(0000002E): sending
21:37:05: RADIUS(0000002E): Send Access-Request to 10.51.9.82:1645 id 21645/35, len 77
21:37:05: RADIUS: authenticator 16 59 10 A8 48 76 A4 08 - 98 7F AA D3 BE 5E F3 FE
21:37:05: RADIUS: User-Name [1] 8 "cworks"
21:37:05: RADIUS: User-Password [2] 18 *
21:37:05: RADIUS: NAS-Port [5] 6 227
21:37:05: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
21:37:05: RADIUS: Calling-Station-Id [31] 13 "10.51.9.157"
21:37:05: RADIUS: NAS-IP-Address [4] 6 10.51.9.1
21:37:05: RADIUS: Received from id 21645/35 10.51.9.82:1645, Access-Reject, len 20
21:37:05: RADIUS: authenticator 79 D6 A6 7D F7 48 22 0C - 55 FC FD 02 59 6B CC D2
21:37:05: RADIUS(0000002E): Received from id 21645/35
21:37:05: RADIUS: not a valid author-type 0!!
04-15-2003 01:40 PM
Well, I finally got it to work, and it was a Homer (DUH!).
My NT user dial-in properties were not set. I finally went to the event viewer on my Radius NT server and saw that I did not have dial-in capabilities to the network. Needless to say, a few mouse clicks later I had configured myself to be a remote access user, and things have gone smoothly ever since.
Thanks for all the input here.
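The exchange in the "debug radius" output above, and the reason the final fix was on the IAS side rather than on the router, can be seen by building the packets yourself. The following is an added example, not code from the thread or from Cisco; it implements the RFC 2865 Access-Request / Access-Accept / Access-Reject exchange with the same attribute set the debug shows (User-Name, User-Password, NAS-Port, NAS-Port-Type, Calling-Station-Id, NAS-IP-Address). The shared secret, the user database and the "dial-in allowed" set that stands in for the IAS remote-access permission are constructed for the example. It shows three outcomes: a valid user gets Access-Accept; a user whose password is wrong or who lacks the dial-in permission gets Access-Reject (what the debug above shows, and what the NT event viewer explained in the last post); and when the router's key and the server's key differ, the server's reply fails the Response Authenticator check and the client discards it, which on the router looks like a timeout rather than a reject.

```python
"""RFC 2865 Access-Request / Access-Reject exchange as seen from an IOS vty login.

Added example, not from the thread. The secret, users and dial-in set are
constructed. Attribute layout mirrors the 'debug radius' output in the thread.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 4, 5, 31, 61
NAS_PORT_TYPE_VIRTUAL = 5  # "Virtual [5]" in the debug: a telnet/vty session, not a dial-in port


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2-byte header), Value: the '[1] 8 "cworks"' form in the debug."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, nas_port, caller):
    """NAS side. Returns (packet, request_authenticator); the authenticator is random per request."""
    req_auth = os.urandom(16)
    body = (avp(USER_NAME, username)
            + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
            + avp(NAS_PORT, struct.pack("!I", nas_port))
            + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
            + avp(CALLING_STATION_ID, caller)
            + avp(NAS_IP, ipaddress.IPv4Address(nas_ip).packed))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return packet, req_auth


def build_response(code, ident, req_auth, secret, body=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + req_auth + body + secret).digest()
    return head + resp_auth + body


def server_handle(packet, secret, users, dialin_allowed):
    """Minimal policy: password must match AND the account must have the dial-in permission."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_avps(packet[20:length])
    user = attrs[USER_NAME]
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = users.get(user) == password and user in dialin_allowed
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def nas_verify(response, ident, req_auth, secret):
    """NAS side. Returns the response code, or None if the reply must be silently discarded."""
    if len(response) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def login_attempt(username, password, nas_secret, server_secret, users, dialin_allowed):
    """One vty login as the debug shows it: NAS 10.51.9.1, tty 227, client 10.51.9.157, id 35."""
    req, req_auth = build_access_request(35, nas_secret, username, password,
                                         "10.51.9.1", 227, b"10.51.9.157")
    resp = server_handle(req, server_secret, users, dialin_allowed)
    return nas_verify(resp, 35, req_auth, nas_secret)


if __name__ == "__main__":
    users = {b"cworks": b"Secret1!"}  # constructed
    key = b"example-secret"            # constructed; the thread's router uses its own key
    print("ok user      ->", login_attempt(b"cworks", b"Secret1!", key, key, users, {b"cworks"}))
    print("no dial-in   ->", login_attempt(b"cworks", b"Secret1!", key, key, users, set()))
    print("key mismatch ->", login_attempt(b"cworks", b"Secret1!", key, b"other", users, {b"cworks"}))
```

The Access-Reject in the debug above has a Response Authenticator the router accepted and a length of 20 (no attributes), so the shared key matched and the server deliberately rejected the user; that is a server-side policy or credential problem, exactly what the dial-in permission turned out to be. An Access-Request with the six attributes shown comes to 77 bytes for an 8-byte-or-shorter password padded to 16, matching "len 77" in the debug.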