[cisco-nas] Radius and SENDAUTH

Henk Blacquière henk.blacquiere at sscplus.nl
Tue May 31 05:07:17 EDT 2005


Hi all,

Having a question about 2-way ppp authentication using Radius:
For my dial-in/dial-out DDR setup I want to do all the authentication on Radius. So far we have
been using locally configured usernames/passwords but this should be moved to ACS.

Relevant config parts:
==============
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login dialup group radius
aaa authentication login no-auth none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group tacacs+
!
username not-ako password somepassword
!
virtual-profile if-needed
virtual-profile virtual-template 1
!
interface BRI3/0
 description LDMCKLM; BRI no +31703011090
 no ip address
 encapsulation ppp
 shutdown
 dialer pool-member 1
 autodetect encapsulation ppp v120
 isdn switch-type basic-net3
 isdn incoming-voice modem
 no fair-queue
 no cdp enable
 ppp authentication chap pap ms-chap
 ppp multilink
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap
 ppp multilink
 multilink max-links 2
!
interface Dialer1
 description ; ako - ako b.v.
 ip address 172.16.30.1 255.255.255.0
 encapsulation ppp
 ip route-cache policy
 load-interval 30
 dialer pool 1
 dialer idle-timeout 300
 dialer enable-timeout 60
 dialer string 0703206714
 dialer caller 0703206714
 dialer load-threshold 180 either
 dialer-group 1
 no peer default ip address
 fair-queue
 compress stac
 no cdp enable
 ppp authentication chap callin
 ppp multilink
 multilink max-links 2
===========

And then the debugging I logged. Note that the remote 'ako' is
authenticated ok (22:53:59.314) but then for SENDAUTH the router fails to find the password
(22:53:59.318) and has to fall back to the method=local (22:53:59.322).

*Mar  3 22:53:59.302: RADIUS: Initial Transmit BRI3/0:1 id 29 192.168.10.10:1645, Access-Request, len 96
*Mar  3 22:53:59.302:         Attribute 4 6 C0A80B01
*Mar  3 22:53:59.302:         Attribute 5 6 00007531
*Mar  3 22:53:59.302:         Attribute 61 6 00000002
*Mar  3 22:53:59.302:         Attribute 1 5 616B6F1E
*Mar  3 22:53:59.302:         Attribute 30 11 37303332
*Mar  3 22:53:59.302:         Attribute 31 11 37303332
*Mar  3 22:53:59.306:         Attribute 3 19 0DBCAE20
*Mar  3 22:53:59.306:         Attribute 6 6 00000002
*Mar  3 22:53:59.306:         Attribute 7 6 00000001
*Mar  3 22:53:59.314: RADIUS: Received from id 29 192.168.10.10:1645, Access-Accept, len 78
*Mar  3 22:53:59.314:         Attribute 6 6 00000002
*Mar  3 22:53:59.314:         Attribute 7 6 00000001
*Mar  3 22:53:59.314:         Attribute 62 6 00000002
*Mar  3 22:53:59.314:         Attribute 8 6 FFFFFFFF
*Mar  3 22:53:59.314:         Attribute 25 34 43495343
*Mar  3 22:53:59.314: AAA/AUTHEN (1856435090): status = PASS
*Mar  3 22:53:59.318: BR3/0:1 CHAP: O SUCCESS id 13 len 4
*Mar  3 22:53:59.318: BR3/0:1 CHAP: Processing saved Challenge, id 12
*Mar  3 22:53:59.318: AAA: parse name=BRI3/0:1 idb type=14 tty=-1
*Mar  3 22:53:59.318: AAA: name=BRI3/0:1 flags=0x55 type=2 shelf=0 slot=3 adapter=0 port=0 channel=1
*Mar  3 22:53:59.318: AAA: parse name=<no string> idb type=-1 tty=-1
*Mar  3 22:53:59.318: AAA/MEMORY: create_user (0x62588A70) user='ako' ruser='NULL' ds0=0 port='BRI3/0:1' rem_addr='703206714/703207588' authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*Mar  3 22:53:59.318: AAA/AUTHEN/START (3299155666): port='BRI3/0:1' list='' action=SENDAUTH service=PPP
*Mar  3 22:53:59.318: AAA/AUTHEN/START (3299155666): using "default" list
*Mar  3 22:53:59.318: AAA/AUTHEN/START (3299155666): Method=radius (radius)
*Mar  3 22:53:59.318: AAA/AUTHEN/SENDAUTH (3299155666): missing password for ako
*Mar  3 22:53:59.322: AAA/AUTHEN/SENDAUTH (3299155666): Failed sendauthen for ako
*Mar  3 22:53:59.322: AAA/AUTHEN (3299155666): status = FAIL
*Mar  3 22:53:59.322: AAA/AUTHEN/START (3299155666): Method=LOCAL
*Mar  3 22:53:59.322: AAA/AUTHEN (3299155666): status = PASS

Does anybody have any ideas on how to configure the ACS and/or NAS to also successfully use the
Radius method for SENDAUTH?

BTW I already tried the cisco av-pairs sendauth and send-secret. Not sure however if I used them
correctly because I can not find any precise documentation on this exact situation. When using
authen as the protocol (e.g. cisco-avpair=authen:send-secret=password) it does not pick it up on
my 3640 with IP plus vs. 12.2(19a).

Henk Blacquière
Network Consultant
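The `debug radius` lines above only show each attribute as type, length and the first four value bytes in hex, which makes it hard to see at a glance what the Access-Accept actually carried back. Below is an added example (not from the original post, the cisco-nas list, or Cisco) that decodes that debug format and then applies the one check a troubleshooter wants here: whether the Access-Accept contains any Vendor-Specific (attribute 26) data at all, since a cisco-avpair returned by ACS would travel inside that attribute. The sample input is the post's own debug output re-typed as a constructed string (the Access-Request header joined onto one line); attribute names follow RFC 2865, and the function names and the `types` bookkeeping are this example's own assumptions.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the "debug radius" lines quoted in the post. Cisco prints
# "Attribute <type> <length> <first-4-value-bytes-hex>"; the length includes
# the 2-byte type/length header, so the value is (length - 2) bytes long.
SAMPLE_DEBUG = """\
*Mar  3 22:53:59.302: RADIUS: Initial Transmit BRI3/0:1 id 29 192.168.10.10:1645, Access-Request, len 96
*Mar  3 22:53:59.302:         Attribute 4 6 C0A80B01
*Mar  3 22:53:59.302:         Attribute 5 6 00007531
*Mar  3 22:53:59.302:         Attribute 61 6 00000002
*Mar  3 22:53:59.302:         Attribute 1 5 616B6F1E
*Mar  3 22:53:59.302:         Attribute 30 11 37303332
*Mar  3 22:53:59.302:         Attribute 31 11 37303332
*Mar  3 22:53:59.306:         Attribute 3 19 0DBCAE20
*Mar  3 22:53:59.306:         Attribute 6 6 00000002
*Mar  3 22:53:59.306:         Attribute 7 6 00000001
*Mar  3 22:53:59.314: RADIUS: Received from id 29 192.168.10.10:1645, Access-Accept, len 78
*Mar  3 22:53:59.314:         Attribute 6 6 00000002
*Mar  3 22:53:59.314:         Attribute 7 6 00000001
*Mar  3 22:53:59.314:         Attribute 62 6 00000002
*Mar  3 22:53:59.314:         Attribute 8 6 FFFFFFFF
*Mar  3 22:53:59.314:         Attribute 25 34 43495343
"""

# RFC 2865 attribute types that appear in the post, with their value encoding.
ATTR = {
    1: ("User-Name", "text"),           3: ("CHAP-Password", "bytes"),
    4: ("NAS-IP-Address", "ipv4"),      5: ("NAS-Port", "int"),
    6: ("Service-Type", "int"),         7: ("Framed-Protocol", "int"),
    8: ("Framed-IP-Address", "ipv4"),   25: ("Class", "text"),
    26: ("Vendor-Specific", "bytes"),   30: ("Called-Station-Id", "text"),
    31: ("Calling-Station-Id", "text"), 61: ("NAS-Port-Type", "int"),
    62: ("Port-Limit", "int"),
}

PKT_RE = re.compile(r"RADIUS: (Initial Transmit|Received from) .*?id (\d+) (\S+), (Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def decode_value(kind, hex_prefix, length):
    """Decode the (at most 4) value bytes Cisco prints; mark longer values as truncated."""
    value_len = length - 2
    raw = bytes.fromhex(hex_prefix)[:value_len]   # drop padding bytes past the real length
    truncated = value_len > len(raw)
    if kind == "ipv4":
        return str(IPv4Address(raw))
    if kind == "int":
        return int.from_bytes(raw, "big")
    if kind == "text":
        return raw.decode("ascii", "replace") + ("..." if truncated else "")
    return raw.hex() + ("..." if truncated else "")


def parse_debug(text):
    """Turn 'debug radius' output into a list of packets with decoded attributes."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            direction, pid, server, code, plen = m.groups()
            packets.append({"direction": "tx" if direction.startswith("Initial") else "rx",
                            "id": int(pid), "server": server, "code": code,
                            "len": int(plen), "attrs": {}, "types": set()})
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            atype, alen, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
            name, kind = ATTR.get(atype, (f"Attribute-{atype}", "bytes"))
            packets[-1]["attrs"][name] = decode_value(kind, hexval, alen)
            packets[-1]["types"].add(atype)
    return packets


def sendauth_findings(packets):
    """Troubleshooting check: a cisco-avpair from ACS rides in Vendor-Specific (26),
    so an Access-Accept without that attribute returned nothing SENDAUTH could use."""
    findings = []
    for p in packets:
        if p["code"] == "Access-Accept" and 26 not in p["types"]:
            findings.append(f"id {p['id']}: Access-Accept carries no Vendor-Specific (26) attribute; "
                            "no cisco-avpair came back, so the SENDAUTH leg has no password from RADIUS")
    return findings


if __name__ == "__main__":
    pkts = parse_debug(SAMPLE_DEBUG)
    for p in pkts:
        print(p["code"], "id", p["id"], p["attrs"])
    for f in sendauth_findings(pkts):
        print("FINDING:", f)
```

Run against the post's log, the decoder shows the Access-Request carrying NAS-IP-Address 192.168.11.1, NAS-Port 30001, User-Name `ako` (length 5, so only three real bytes; the trailing `1E` is print padding) and a 17-byte CHAP-Password, and the Access-Accept carrying Service-Type 2, Framed-Protocol 1, Port-Limit 2, Framed-IP-Address 255.255.255.255 and a Class attribute starting `CISC`, but no attribute 26. That matches the `missing password for ako` line that follows: the radius method had nothing to hand to SENDAUTH.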


