[cisco-nas] cannot get radius aaa working with 2611 router

Milan Obuch milan.obuch at bluegrass.sk
Thu May 13 00:26:31 EDT 2004


On Thursday 13 May 2004 05:51, Souphonh wrote:
> Dear All,
>
> I am using cisco 2611 with IOS image file c2600-i-mz.122-16.bin, and the
> radius server is icradius-0.18.1. The following is my radius aaa
> configuration part:
>
>   aaa new-model
>   aaa authentication login default local
>   aaa authentication ppp default if-needed group radius local
>   aaa authorization network default group radius if-authenticated
>   aaa accounting network default start-stop group radius
>   ....
>
>   interface Group-Async1
>    ip unnumbered Loopback0
>    ip nat inside
>    encapsulation ppp
>    ip tcp header-compression
>    no ip mroute-cache
>    async mode interactive
>    peer default ip address pool dialin_pool
>    ppp authentication chap pap default
>    group-range 33 40
>   !
>
>   ......
>
>   radius-server host x.x.x.x auth-port 1812 acct-port 1813
>   radius-server key 7 0EDFTRHKIHGGFF
>   radius-server vsa send accounting
>   radius-server vsa send authentication

Try it without vsa's. I hit something similar some time ago. With vsa's 
failures, without vsa's everything OK.
Milan

> The above configuration works fine with cisco 3640 using IOS image file
> c3640-jk8o3s-mz.122-16a.bin, but no luck with the 2611 NAS. This is the
> radius debug log from when I tried to call in:
>
>   01:04:57: AAA/AUTHEN/START (1083241614): port='Async33' list='' action=LOGIN service=PPP
>   01:04:57: AAA/AUTHEN/START (1083241614): using "default" list
>   01:04:57: AAA/AUTHEN (1083241614): status = UNKNOWN
>   01:04:57: AAA/AUTHEN/START (1083241614): Method=radius (radius)
>   01:04:57: RADIUS: ustruct sharecount=2
>   01:04:57: Radius: radius_port_info() success=1 radius_nas_port=1
>   01:04:57: RADIUS: added cisco VSA 2 len 7 "Async33"
>   01:04:57: RADIUS: Initial Transmit Async33 id 0 202.47.226.10:1812, Access-Request, len 91
>   01:04:57:         Attribute 4 6 CA2FE285
>   01:04:57:         Attribute 5 6 00000021
>   01:04:57:         Attribute 26 15 0000000902094173
>   01:04:57:         Attribute 61 6 00000000
>   01:04:57:         Attribute 1 7 61646D69
>   01:04:57:         Attribute 3 19 016AF044
>   01:04:57:         Attribute 6 6 00000002
>   01:04:57:         Attribute 7 6 00000001
>   01:04:57: RADIUS: Received from id 0 202.47.226.10:1812, Access-Accept, len 56
>   01:04:57:         Attribute 13 6 00000001
>   01:04:57:         Attribute 7 6 00000001
>   01:04:57:         Attribute 28 6 00004650
>   01:04:57:         Attribute 62 6 00000001
>   01:04:57:         Attribute 6 6 00000002
>   01:04:57:         Attribute 27 6 00057E40
>   01:04:57: RADIUS: Response (0) failed decrypt
>   01:04:57: RADIUS: Reply for 0 fails decrypt
>   01:04:57: AAA/AUTHEN (1083241614): status = ERROR
>   01:04:57: AAA/AUTHEN/START (1083241614): Method=LOCAL
>   01:04:57: AAA/AUTHEN (1083241614): User not found, end of method list
>   01:04:57: AAA/AUTHEN (1083241614): status = FAIL
>   01:04:57: Async33 AAA/DISC: 17/"User Error"
>   01:04:57: Async33 AAA/DISC/EXT: 1043/"CHAP Auth Failed"
>   01:04:57: AAA/ACCT/PROG: Updating Connect Progress for ds0 -1 to 101
>   01:04:57: As33 AAA/DISC: 18/"Host Request"
>   01:04:57: As33 AAA/DISC/EXT: 1046/"Upper Layer Req Close"
>   01:04:57: As33 AAA/DISC: 1/"User Request"
>   01:04:57: As33 AAA/DISC/EXT: 1045/"Received Terminate"
>   01:04:57: AAA/MEMORY: free_user (0x811441D4) user='admin' ruser='NULL' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
>   01:04:57: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
>   01:04:57: As33 AAA/DISC: 2/"Lost Carrier"
>   01:04:57: As33 AAA/DISC/EXT: 1011/"Lost Carrier"
>   01:04:57: AAA/ACCT/PROG: Updating Connect Progress for ds0 -1 to 65
>   01:04:58: As33 AAA/DISC: 2/"Lost Carrier"
>
> Could you please suggest what is wrong with the settings?
>
> Thanks and Regards,
> Souphonh
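The lines "Response (0) failed decrypt" / "Reply for 0 fails decrypt" in the quoted debug are what IOS reports when the Response Authenticator on the server's reply does not verify: per RFC 2865 the NAS recomputes MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) over the received Access-Accept and compares it with the 16 bytes the server sent, and a shared secret that differs between NAS and server is one common way to get exactly this failure after the server has already said Accept. The following example is added here and is not code from the thread or from IOS or icradius; it rebuilds the Access-Accept attribute set from the debug above (the same six attributes, len 56), runs the authenticator check with a matching and a mismatched secret, and prints the attributes in the "Attribute type length hexvalue" form that `debug radius` uses. The request authenticator and both secrets are constructed placeholders.

```python
"""RFC 2865 Response Authenticator check, as a NAS performs it on an Access-Accept.
Sample packet values are constructed from the attribute list in the debug output
above; the shared secrets and request authenticator are made-up placeholders."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def encode_attributes(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs_bytes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret):
    """What the server sends back: header, authenticator, then the attributes."""
    body = encode_attributes(attrs)
    auth = response_authenticator(code, identifier, request_auth, body, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + auth + body


def verify_response(packet, request_auth, secret):
    """True if the reply's authenticator matches the one computed with `secret`
    against the outstanding request's authenticator. A mismatch here is the
    condition IOS logs as 'failed decrypt'."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(received, expected)


def debug_attribute_lines(packet):
    """Render attributes the way 'debug radius' prints them:
    type, length, and the first four value bytes in hex."""
    lines = []
    body = packet[20:]
    i = 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            break  # malformed TLV; stop rather than read past the buffer
        value = body[i + 2:i + l]
        lines.append(f"Attribute {t} {l} {value[:4].hex().upper()}")
        i += l
    return lines


# Constructed: the attribute set from the Access-Accept in the debug above (len 56).
ACCEPT_ATTRS = [
    (13, struct.pack("!I", 1)),        # Framed-Compression = VJ TCP/IP header compression
    (7, struct.pack("!I", 1)),         # Framed-Protocol = PPP
    (28, struct.pack("!I", 0x4650)),   # Idle-Timeout = 18000 s
    (62, struct.pack("!I", 1)),        # Port-Limit = 1
    (6, struct.pack("!I", 2)),         # Service-Type = Framed
    (27, struct.pack("!I", 0x57E40)),  # Session-Timeout = 360000 s
]
# Constructed: fixed 16-byte Request Authenticator standing in for the random one the
# NAS put in its Access-Request (a real NAS uses a fresh random value per request).
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"example-secret"       # placeholder: key configured on the RADIUS server
NAS_SECRET_WRONG = b"example-secret2"   # placeholder: a mismatched key on the NAS


def demo():
    """Build the server's Access-Accept and check it with a matching and a mismatched secret."""
    accept = build_response(ACCESS_ACCEPT, 0, REQUEST_AUTH, ACCEPT_ATTRS, SERVER_SECRET)
    return {
        "length": len(accept),
        "matching_secret": verify_response(accept, REQUEST_AUTH, SERVER_SECRET),
        "mismatched_secret": verify_response(accept, REQUEST_AUTH, NAS_SECRET_WRONG),
        "lines": debug_attribute_lines(accept),
    }


if __name__ == "__main__":
    r = demo()
    print(f"Access-Accept len {r['length']}")
    for line in r["lines"]:
        print("  ", line)
    print("verify with matching secret:", r["matching_secret"])
    print("verify with mismatched NAS key:", r["mismatched_secret"], "-> IOS would log 'fails decrypt'")
```

Because the server only checks the request side (and here it accepted the user), a key mismatch shows up solely on the NAS as this verification failure, after which IOS falls through to the next method in the list (LOCAL in the quoted config) and the login fails there. Comparing the `radius-server key` on the NAS against the server's client entry for that NAS, and trying the VSA change Milan suggests, are the two things to check against this log.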
