  1. Member (Join Date: Oct 2012, Location: Portugal, Posts: 46, Certifications: CCNA, CCNP)
    #1

    AAA with RADIUS server not working

    Hi,

    I'm trying to get one of my routers to authenticate the telnet connections with a machine with FreeRadius installed.

    R2#show run | inc aaa
    aaa new-model
    aaa authentication login CISCO group radius local
    aaa session-id common

    R2#show run | inc radius
    aaa authentication login CISCO group radius local
    radius-server host 192.168.10.1 auth-port 1645 acct-port 1646 key cisco

    R2#show run | section line vty
    line vty 0 4
    login authentication CISCO
    transport input telnet ssh

    I downloaded FreeRADIUS and, after a bit of searching online, it seems only the client and the user need to be added from a config point of view:

    clients.conf:
    client 172.23.0.1 {
    secret = cisco
    shortname = R2
    }

    users.conf:
    andre User-Password == "teste"

    Anyway, this is not working. I get "Authentication failed" when I telnet to R2.

    Sniffing the interface with Wireshark, I can actually see Access-Request packets arriving at the laptop, so I would say that something is missing on the RADIUS side.
    Does anyone have this working and can help here?

    Thanks.

  3. Member (Join Date: May 2011, Location: Pittsburgh, Pa, Posts: 75, Certifications: CCNA:R&S/S, CCNP:R&S, Security+, Palo Alto ACE v7.0)
    #2
    Did you verify if the FreeRadius server is listening on those ports?
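The check in post #2 (is the server actually listening on those ports?) is what FreeRADIUS's own radtest tool answers. The script below is an added example, not code from the thread or from the FreeRADIUS project: a minimal radtest-style probe in Python that builds an RFC 2865 Access-Request, hides User-Password the way the RFC specifies, and validates the Response Authenticator of whatever comes back with the shared secret from the router config (key cisco). The server address, user, password and secret are the ones the original poster gave; the NAS address 172.12.0.2 is assumed from the debug output later in the thread.

```python
import hashlib
import hmac
import os
import secrets
import socket
import struct

# RFC 2865 packet codes and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the 'previous block' of the first block is
    the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: what the server does before comparing the password.
    With the wrong secret this yields garbage, which is why a secret mismatch shows
    up as a reject rather than as a timeout."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, nas_ip, identifier=0, request_auth=None):
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply, request, secret):
    """Return the reply code if its Response Authenticator matches our request and secret, else None."""
    if len(reply) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, reply[20:length], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def probe(host, port, username, password, secret, nas_ip, timeout=3.0):
    """Send one Access-Request and classify the outcome."""
    request = build_access_request(username, password, secret, nas_ip, identifier=os.getpid() & 0xFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # nothing listening, traffic blocked, or this host is not a defined client
    code = verify_response(reply, request, secret)
    if code == ACCESS_ACCEPT:
        return "accept"
    if code == ACCESS_REJECT:
        return "reject"
    return "bad-authenticator"  # the server answered, but with a different shared secret


if __name__ == "__main__":
    # Values from the thread; the NAS address is the source IOS chose in the debug output (assumed)
    print(probe("192.168.10.1", 1812, "andre", "teste", b"cisco", "172.12.0.2"))
```

The three outcomes map directly onto the questions in this thread. "timeout" means no reply at all: the daemon is not listening on that port, a firewall or ACL drops the datagram, or the probing host is not defined in clients.conf (FreeRADIUS does not answer requests from unknown clients, it only logs them). "bad-authenticator" means the server did reply but with a different shared secret than the one given here. Running the probe on the FreeRADIUS host itself against 127.0.0.1 first separates server problems from network problems; the stock clients.conf ships with a localhost client whose secret is testing123.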

  4. Member (Join Date: Apr 2004, Location: Michigan, Posts: 63, Certifications: MCSE in Server 2012, VMware VCAP, CISSP, Security+, CCNA)
    #3
    To verify that this is a problem with RADIUS, all you'd need to change are the lines below; then try logging in using local authentication. If that works, then you know the problem is somehow RADIUS related.

    no aaa authentication login CISCO group radius local
    aaa authentication login CISCO group local

    You could also just run "debug radius" and see what is going on with authentication.

  5. DCD, Senior Member (Join Date: Jan 2013, Location: San Francisco, Ca, Posts: 437, Certifications: CCNA)
    #4
    Is your firewall on, or open to those port numbers?

  6. Member (Join Date: Oct 2012, Location: Portugal, Posts: 46, Certifications: CCNA, CCNP)
    #5
    According to the debug messages, it definitely seems to be a RADIUS problem. I've been trying but can't make it work:

    *Feb 19 00:14:35.066: AAA/AUTHEN/LOGIN (00000063): Pick method list 'RADIUSAUTH'
    *Feb 19 00:14:35.066: RADIUS/ENCODE(00000063): ask "Password: "
    *Feb 19 00:14:35.066: RADIUS/ENCODE(00000063): send packet; GET_PASSWORD
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063):Orig. component type = EXEC
    *Feb 19 00:14:51.126: RADIUS: AAA Unsupported Attr: interface [174] 6
    *Feb 19 00:14:51.126: RADIUS: 74 74 79 31 [tty1]
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Feb 19 00:14:51.126: RADIUS(00000063): Config NAS IP: 0.0.0.0
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063): acct_session_id: 99
    *Feb 19 00:14:51.126: RADIUS(00000063): sending
    *Feb 19 00:14:51.130: RADIUS/ENCODE: Best Local IP-Address 172.12.0.2 for Radius-Server 192.168.10.1
    *Feb 19 00:14:51.130: RADIUS(00000063): Send Access-Request to 192.168.10.1:1812 id 1645/16, len 87
    *Feb 19 00:14:51.130: RADIUS: authenticator CF E2 4B BE 68 13 FC 4B - 14 22 A2 B6 63 61 B2 AF
    *Feb 19 00:14:51.130: RADIUS: User-Name [1] 11 "aferreira"
    *Feb 19 00:14:51.130: RADIUS: User-Password [2] 18 *
    *Feb 19 00:14:51.130: RADIUS: NAS-Port [5] 6 194
    *Feb 19 00:14:51.130: RADIUS: NAS-Port-Id [87] 8 "tty194"
    *Feb 19 00:14:51.130: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    *Feb 19 00:14:51.130: RADIUS: Calling-Station-Id [31] 12 "172.13.0.2"
    *Feb 19 00:14:51.130: RADIUS: NAS-IP-Address [4] 6 172.12.0.2
    *Feb 19 00:14:55.398: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:14:59.974: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.10.1:1812,1812 is not responding.
    *Feb 19 00:14:59.974: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.10.1:1812,1812 is being marked alive.
    *Feb 19 00:14:59.974: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:04.390: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:09.254: RADIUS: No response from (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:09.254: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Feb 19 00:15:09.254: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

    *Feb 19 00:15:11.258: AAA/AUTHEN/LOGIN (00000063): Pick method list 'RADIUSAUTH'
    *Feb 19 00:15:11.262: RADIUS/ENCODE(00000063): ask "Password: "
    *Feb 19 00:15:11.262: RADIUS/ENCODE(00000063): send packet; GET_PASSWORD

  7. DCD, Senior Member (Join Date: Jan 2013, Location: San Francisco, Ca, Posts: 437, Certifications: CCNA)
    #6
    I don't know how you have this set up, but your radius-server is set to 192.168.10.1 while the client is at 172.23.0.1. Can both devices ping each other?
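DCD's point in post #6 (the server is at 192.168.10.1 but the client is defined as 172.23.0.1) and the debug output in post #5 can be checked mechanically. What follows is an added example, not code from the thread, from Cisco or from FreeRADIUS: a small Python script that pulls the destination, the source address IOS chose and the NAS-IP-Address out of "debug radius" lines and compares that source against the client definitions in clients.conf. The debug lines and the clients.conf text are constructed from what the thread quotes; the field names and regexes are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the lines of the 'debug radius' output quoted in post #5 that
# carry addressing and retransmit information (the other lines are omitted)
DEBUG_OUTPUT = """\
*Feb 19 00:14:51.126: RADIUS(00000063): Config NAS IP: 0.0.0.0
*Feb 19 00:14:51.130: RADIUS/ENCODE: Best Local IP-Address 172.12.0.2 for Radius-Server 192.168.10.1
*Feb 19 00:14:51.130: RADIUS(00000063): Send Access-Request to 192.168.10.1:1812 id 1645/16, len 87
*Feb 19 00:14:51.130: RADIUS: User-Name [1] 11 "aferreira"
*Feb 19 00:14:51.130: RADIUS: NAS-IP-Address [4] 6 172.12.0.2
*Feb 19 00:14:55.398: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
*Feb 19 00:14:59.974: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.10.1:1812,1812 is not responding.
*Feb 19 00:14:59.974: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
*Feb 19 00:15:04.390: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
*Feb 19 00:15:09.254: RADIUS: No response from (192.168.10.1:1812,1812) for id 1645/16
"""

# Constructed sample: the clients.conf entry from post #1
CLIENTS_CONF = """\
client 172.23.0.1 {
secret = cisco
shortname = R2
}
"""

SEND_RE = re.compile(r"Send Access-Request to (\d+\.\d+\.\d+\.\d+):(\d+)")
SRC_RE = re.compile(r"Best Local IP-Address (\d+\.\d+\.\d+\.\d+) for Radius-Server")
NAS_RE = re.compile(r"NAS-IP-Address \[4\] \d+ (\d+\.\d+\.\d+\.\d+)")
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.MULTILINE)


@dataclass
class RadiusDiagnosis:
    server: str = ""        # host:port the router sent the Access-Request to
    source_ip: str = ""     # local address IOS chose as the UDP source
    nas_ip: str = ""        # NAS-IP-Address attribute (4) carried inside the packet
    retransmits: int = 0
    no_response: bool = False
    findings: list = field(default_factory=list)


def parse_clients_conf(text):
    """Networks FreeRADIUS will accept requests from: 'client <ip-or-cidr> { ... }' blocks."""
    return [ipaddress.ip_network(m.group(1), strict=False) for m in CLIENT_RE.finditer(text)]


def diagnose(debug_text, clients):
    """Walk the debug lines, then cross-check what the router did against clients.conf."""
    d = RadiusDiagnosis()
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            d.server = f"{m.group(1)}:{m.group(2)}"
        elif m := SRC_RE.search(line):
            d.source_ip = m.group(1)
        elif m := NAS_RE.search(line):
            d.nas_ip = m.group(1)
        elif "RADIUS: Retransmit to" in line:
            d.retransmits += 1
        elif "RADIUS: No response from" in line:
            d.no_response = True

    if d.no_response:
        d.findings.append(f"server {d.server} never answered after {d.retransmits} retransmits")
    if d.source_ip:
        src = ipaddress.ip_address(d.source_ip)
        if not any(src in net for net in clients):
            defined = ", ".join(str(net) for net in clients)
            d.findings.append(f"router source {d.source_ip} matches no client in clients.conf "
                              f"({defined}); FreeRADIUS silently drops requests from unknown clients")
    if d.nas_ip and d.source_ip and d.nas_ip != d.source_ip:
        d.findings.append(f"NAS-IP-Address {d.nas_ip} differs from UDP source {d.source_ip}; "
                          f"clients.conf is matched on the UDP source, not on the attribute")
    return d


if __name__ == "__main__":
    result = diagnose(DEBUG_OUTPUT, parse_clients_conf(CLIENTS_CONF))
    for finding in result.findings:
        print("-", finding)
```

Run against the quoted output, it reports that 192.168.10.1:1812 never answered after three retransmits and that the router sources its requests from 172.12.0.2, which is covered by no client in clients.conf (only 172.23.0.1 is defined). FreeRADIUS does not answer requests from undefined clients; it logs and drops them, which from the router's side looks exactly like a dead server. Either add a client block for the address the router actually uses, or pin that address on the router with "ip radius source-interface <interface>"; the "Config NAS IP: 0.0.0.0" line shows no source interface is configured, so IOS picks the best local address from the routing table.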

  8. Member (Join Date: Apr 2004, Location: Michigan, Posts: 63, Certifications: MCSE in Server 2012, VMware VCAP, CISSP, Security+, CCNA)
    #7
    If you can't ping the RADIUS server from the router then check for routing issues. If you can't ping the router from the RADIUS server then make sure the gateway is configured properly on the RADIUS server and that an ACL isn't blocking traffic on the router. If both of those are working then I'd check to make sure the RADIUS server is configured to use port 1812 for RADIUS and again look to make sure no ACLs are negatively affecting this traffic.