AAA with RADIUS server not working

aocferreira Member Posts: 50
Hi,

I'm trying to get one of my routers to authenticate the telnet connections with a machine with FreeRadius installed.

R2#show run | inc aaa
aaa new-model
aaa authentication login CISCO group radius local
aaa session-id common

R2#show run | inc radius
aaa authentication login CISCO group radius local
radius-server host 192.168.10.1 auth-port 1645 acct-port 1646 key cisco

R2#show run | section line vty
line vty 0 4
login authentication CISCO
transport input telnet ssh

I downloaded FreeRadius and after a little bit of searching online it seems only the client and the user must be added from a config point of view:

clients.conf:
client 172.23.0.1 {
secret = cisco
shortname = R2
}

users.conf:
andre User-Password == "teste"

Anyway, this is not working. I get "Authentication failed" when I telnet to R2.

Sniffing the interface with Wireshark I can actually see Access-Request packets arriving at the laptop, so I would say that something is missing on the RADIUS side.
Does anyone have this working and can help here?

Thanks.

Comments

  • mackenzae Member Posts: 77
    Did you verify if the FreeRadius server is listening on those ports?
  • AMD4EVER Member Posts: 64
    To verify that this is a problem with Radius, all you'd need to change is the lines below and then try logging in using local authentication. If that works then you know the problem is somehow Radius related.

    no aaa authentication login CISCO group radius local
    aaa authentication login CISCO group local

    You could also just run a "debug radius" and see what is going on with authentication.
  • DCD Member Posts: 475
    Is your firewall on, or open to those port numbers?
  • aocferreira Member Posts: 50
    According to the debug messages, it definitely seems to be a RADIUS problem. I've been trying but can't make it work:

    *Feb 19 00:14:35.066: AAA/AUTHEN/LOGIN (00000063): Pick method list 'RADIUSAUTH'
    *Feb 19 00:14:35.066: RADIUS/ENCODE(00000063): ask "Password: "
    *Feb 19 00:14:35.066: RADIUS/ENCODE(00000063): send packet; GET_PASSWORD
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063):Orig. component type = EXEC
    *Feb 19 00:14:51.126: RADIUS: AAA Unsupported Attr: interface [174] 6
    *Feb 19 00:14:51.126: RADIUS: 74 74 79 31 [tty1]
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Feb 19 00:14:51.126: RADIUS(00000063): Config NAS IP: 0.0.0.0
    *Feb 19 00:14:51.126: RADIUS/ENCODE(00000063): acct_session_id: 99
    *Feb 19 00:14:51.126: RADIUS(00000063): sending
    *Feb 19 00:14:51.130: RADIUS/ENCODE: Best Local IP-Address 172.12.0.2 for Radius-Server 192.168.10.1
    *Feb 19 00:14:51.130: RADIUS(00000063): Send Access-Request to 192.168.10.1:1812 id 1645/16, len 87
    *Feb 19 00:14:51.130: RADIUS: authenticator CF E2 4B BE 68 13 FC 4B - 14 22 A2 B6 63 61 B2 AF
    *Feb 19 00:14:51.130: RADIUS: User-Name [1] 11 "aferreira"
    *Feb 19 00:14:51.130: RADIUS: User-Password [2] 18 *
    *Feb 19 00:14:51.130: RADIUS: NAS-Port [5] 6 194
    *Feb 19 00:14:51.130: RADIUS: NAS-Port-Id [87] 8 "tty194"
    *Feb 19 00:14:51.130: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    *Feb 19 00:14:51.130: RADIUS: Calling-Station-Id [31] 12 "172.13.0.2"
    *Feb 19 00:14:51.130: RADIUS: NAS-IP-Address [4] 6 172.12.0.2
    *Feb 19 00:14:55.398: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:14:59.974: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.10.1:1812,1812 is not responding.
    *Feb 19 00:14:59.974: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.10.1:1812,1812 is being marked alive.
    *Feb 19 00:14:59.974: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:04.390: RADIUS: Retransmit to (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:09.254: RADIUS: No response from (192.168.10.1:1812,1812) for id 1645/16
    *Feb 19 00:15:09.254: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Feb 19 00:15:09.254: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

    *Feb 19 00:15:11.258: AAA/AUTHEN/LOGIN (00000063): Pick method list 'RADIUSAUTH'
    *Feb 19 00:15:11.262: RADIUS/ENCODE(00000063): ask "Password: "
    *Feb 19 00:15:11.262: RADIUS/ENCODE(00000063): send packet; GET_PASSWORD
  • DCD Member Posts: 475
    I don't know how you have this set up, but you have your radius-server set to 192.168.10.1 while the client is at 172.23.0.1. Can both devices ping each other?
  • AMD4EVER Member Posts: 64
    If you can't ping the RADIUS server from the router then check for routing issues. If you can't ping the router from the RADIUS server then make sure the gateway is configured properly on the RADIUS server and that an ACL isn't blocking traffic on the router. If both of those are working then I'd check to make sure the RADIUS server is configured to use port 1812 for RADIUS and again look to make sure no ACLs are negatively affecting this traffic.
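The failure mode in the debug output above (Access-Request sent, retransmits, then "No response" and RADIUS_DEAD) is what a RADIUS server produces when it drops a request silently, and FreeRADIUS does exactly that for any source address that has no entry in clients.conf. The debug shows the router sourcing the request from NAS-IP-Address 172.12.0.2, while the clients.conf entry in the original post is for 172.23.0.1. The following Python script is an added example, not code from the thread or from FreeRADIUS, that models both sides of the exchange with a constructed client table and user table: the NAS builds an RFC 2865 Access-Request with User-Password hiding, the server either answers (Access-Accept/Access-Reject with a Response Authenticator) or drops the packet for an unknown client, and the NAS verifies the Response Authenticator against the shared secret. The IP addresses, user name, password and secret are taken from the thread as sample values; everything else is assumed for the example.

```python
import hashlib
import os
import socket
import struct

# Constructed tables for this example (what FreeRADIUS would read from
# clients.conf and the users file). Values mirror the thread's config.
CLIENTS = {"172.23.0.1": b"cisco"}   # NAS source IP -> shared secret
USERS = {"andre": "teste"}            # User-Name -> cleartext password

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break                      # malformed attribute, stop parsing
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret):
    """NAS side: the attributes from the router's debug that matter here."""
    authenticator = os.urandom(16)     # Request Authenticator, fresh per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def server_handle(packet: bytes, src_ip: str):
    """Server side. A request from an IP that is not in the client table is
    dropped with no reply, which the NAS reports as retransmits then 'No response'."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        return None
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = USERS.get(username)
    reply = ACCESS_ACCEPT if expected is not None and expected.encode() == password else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", reply, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: discard replies whose Response Authenticator does not match."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected


def simulate_login(nas_ip, username, password, secret=b"cisco", ident=16):
    """Run one exchange and return what the NAS would conclude."""
    request, request_auth = build_access_request(ident, username, password, nas_ip, secret)
    reply = server_handle(request, nas_ip)
    if reply is None:
        return "no response"           # NAS retransmits, then marks the server dead
    if not client_verify(reply, request_auth, secret):
        return "bad authenticator"     # shared secret mismatch between NAS and server
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[reply[0]]


if __name__ == "__main__":
    print(simulate_login("172.23.0.1", "andre", "teste"))   # Access-Accept
    print(simulate_login("172.23.0.1", "andre", "wrong"))   # Access-Reject
    print(simulate_login("172.12.0.2", "andre", "teste"))   # no response: NAS IP not a client
```

The three cases separate the symptoms a practitioner sees: a wrong password produces an Access-Reject, a wrong shared secret produces a reply the NAS cannot verify, and an unknown client address produces no reply at all. Only the last matches the retransmit/"No response" sequence in the debug, so the first thing to compare is the NAS-IP-Address in the request against the client definitions on the server (or, on the router, pin the source with `ip radius source-interface` so it matches the clients.conf entry).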