RADIUS authentication

RADIUS authentication rfield 02-28-2005
Posted by rfield on February 28, 2005, 1:29 pm

I have a reverse telnet session setup and working great with a 2611XM
router. I would like to add some authentication to the telnet session.
There is a RADIUS server (Microsoft IAS, Server 2003) on the network
that is in service, authenticating dial-in users. I added this router
in IAS as RADIUS Standard, entered the AAA and RADIUS commands I
thought were necessary, but no luck so far.

Posted below are the config and some debug output. I'm not as familiar
with RADIUS as I should be so it's very possible that debug output is
screaming the answer.

I've used "user1", "user1@domain.com" and "DOMAIN\user1" at the
"Username:" prompt, always with the same result.

One line that stands out is "RADIUS: AAA Unsupported [134] 5",
perhaps this is a clue?

Also this line, "RADIUS/ENCODE(0000001A): dropping service type,
"radius-server attribute 6 on-for-login-auth" is off", looked strange to
me, so I entered the command "radius-server attribute 6
on-for-login-auth", but authentication still failed, so I took that out.

If anyone can offer some guidance I would be most grateful.


------------------------------------------------
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
aaa new-model
!
aaa authentication login CONSOLE local
aaa authentication login AUX group radius
aaa authentication login AUX-NOAUTH none
aaa authorization reverse-access AUX none
aaa session-id common
enable password *******
!
username admin password *******
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
!
interface Loopback99
ip address 172.24.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 172.16.203.196 255.255.0.0
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
ip classless
ip alias 172.24.2.2 2065
ip http server
!
radius-server host 172.16.201.40 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key *******
radius-server authorization permit missing Service-Type
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
line aux 0
authorization reverse-access AUX
login authentication AUX
modem InOut
no exec
transport input all
escape-character BREAK
stopbits 1
line vty 0 4
password 7 130B1206060D0A
!
end

-----------------------------------------------------------
Router#term mon
Router#debug aaa authen
AAA Authentication debugging is on
Router#debug radius authen
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Router#
*Mar 5 01:13:07.523: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'AUX'
*Mar 5 01:13:07.523: RADIUS/ENCODE(0000001A): ask "Username: "
*Mar 5 01:13:07.523: RADIUS/ENCODE(0000001A): send packet; GET_USER
*Mar 5 01:13:13.743: RADIUS/ENCODE(0000001A): ask "Password: "
*Mar 5 01:13:13.743: RADIUS/ENCODE(0000001A): send packet; GET_PASSWORD
*Mar 5 01:13:17.535: RADIUS: AAA Unsupported [134] 5
*Mar 5 01:13:17.535: RADIUS: 74 74 79 [tty]
*Mar 5 01:13:17.535: RADIUS(0000001A): Storing nasport 65 in rad_db
*Mar 5 01:13:17.535: RADIUS/ENCODE(0000001A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 5 01:13:17.539: RADIUS/ENCODE(0000001A): acct_session_id: 21
*Mar 5 01:13:17.539: RADIUS(0000001A): sending
*Mar 5 01:13:17.539: RADIUS: Send to unknown id 18 172.16.201.40:1645, Access-Request, len 76
*Mar 5 01:13:17.539: RADIUS: authenticator C8 4C 2D 7B EB 54 A5 99 - C4 B1 98 D9 04 14 5B 03
*Mar 5 01:13:17.539: RADIUS: User-Name [1] 5 "user1"
*Mar 5 01:13:17.539: RADIUS: User-Password [2] 18 *
*Mar 5 01:13:17.539: RADIUS: NAS-Port [5] 6 65
*Mar 5 01:13:17.539: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 5 01:13:17.539: RADIUS: Calling-Station-Id [31] 15 "172.16.203.171"
*Mar 5 01:13:17.543: RADIUS: NAS-IP-Address [4] 6 172.16.203.196
*Mar 5 01:13:17.555: RADIUS: Received from id 18 190.9.201.40:1645, Access-Reject, len 20
*Mar 5 01:13:17.555: RADIUS: authenticator 86 B7 DF 9C 32 88 52 2B - DE CD D1 79 B8 9A 3E 44
*Mar 5 01:13:17.555: RADIUS: Received from id 1A
*Mar 5 01:13:19.559: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'AUX'
*Mar 5 01:13:19.559: RADIUS/ENCODE(0000001A): ask "Username: "
*Mar 5 01:13:19.559: RADIUS/ENCODE(0000001A): send packet; GET_USER
Router#
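As an added illustration (not code from this thread or from Cisco/Microsoft), here is a minimal RFC 2865 model of the exchange in the debug above: the NAS builds an Access-Request with the same attributes the router sent, the server unhides User-Password with its own shared secret and answers Accept or Reject, and the NAS then checks the Response Authenticator. Usernames, passwords and secrets are constructed values; the point it shows is that a mismatched radius-server key yields a bare 20-byte Access-Reject (as in the debug) whose Response Authenticator the NAS cannot verify, which is the first thing to check when the server gives no reason.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def xor_password(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block), first block chained to the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hiding else block  # the chain always uses the ciphertext block
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, secret, user, password, nas_ip, nas_port, caller):
    """NAS side: Access-Request with the attribute set the router's debug shows (constructed values)."""
    auth = os.urandom(16)  # Request Authenticator, fresh per request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = (attr(1, user) + attr(2, xor_password(padded, secret, auth, True))
             + attr(5, struct.pack("!I", nas_port)) + attr(61, struct.pack("!I", 5))  # Virtual
             + attr(31, caller) + attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(payload: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(payload):
        code, length = payload[i], payload[i + 1]
        attrs[code] = payload[i + 2:i + length]
        i += length
    return attrs

def server_respond(request: bytes, server_secret: bytes, users: dict) -> bytes:
    """Server side: unhide the password with *its* secret, decide, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = xor_password(attrs[2], server_secret, req_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(attrs[1]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # bare 20-byte reply, no attributes
    return header + hashlib.md5(header + req_auth + server_secret).digest()

def nas_check_reply(request: bytes, reply: bytes, nas_secret: bytes):
    """NAS side: reply code and whether the Response Authenticator verifies with the NAS key."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + nas_secret).digest()
    return reply[0], expected == reply[4:20]
```

With the wrong secret the server decodes the password to garbage and rejects, and the NAS's authenticator check fails too; with matching secrets only a genuinely wrong password (or a server policy rule) produces the Reject.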



Posted by jonathan on March 2, 2005, 12:48 am
Hi,

Your config lines in your IOS version should look similar to these:

aaa new-model
aaa authentication attempts login 5
aaa authentication password-prompt Password:
aaa authentication username-prompt Login:
aaa authentication login default group radius local-case
aaa authentication login VTY group radius local-case
aaa authentication login CONSOLE group radius local-case
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa session-id common

BR,

jonathan




