Hi all,
Having a question about 2-way ppp authentication using Radius:
For my dial-in/dial-out DDR setup I want to do all the authentication on Radius. Sofar we have
been using locally configured usernames/passwords but this should be moved to ACS.
Relavant config parts:
==============
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login dialup group radius
aaa authentication login no-auth none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group tacacs+
!
username not-ako password somepassword
!
virtual-profile if-needed
virtual-profile virtual-template 1
!
interface BRI3/0
description LDMCKLM; BRI no +31703011090
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
autodetect encapsulation ppp v120
isdn switch-type basic-net3
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap pap ms-chap
ppp multilink
!
interface Virtual-Template1
ip unnumbered Loopback0
ppp authentication chap
ppp multilink
multilink max-links 2
!
interface Dialer1
description ; ako - ako b.v.
ip address 172.16.30.1 255.255.255.0
encapsulation ppp
ip route-cache policy
load-interval 30
dialer pool 1
dialer idle-timeout 300
dialer enable-timeout 60
dialer string 0703206714
dialer caller 0703206714
dialer load-threshold 180 either
dialer-group 1
no peer default ip address
fair-queue
compress stac
no cdp enable
ppp authentication chap callin
ppp multilink
multilink max-links 2
===========
And then the debugging I logged. Note that the remote 'ako' is
authenticated ok (22:53:59.314) but then for SENDAUTH the router fails to find the password
(22:53:59.318) and has to fall back to the method=local (22:53:59.322).
*Mar 3 22:53:59.302: RADIUS: Initial Transmit BRI3/0:1 id 29 192.168.10.10:1645, Access-Request,
len 96
*Mar 3 22:53:59.302: Attribute 4 6 C0A80B01
*Mar 3 22:53:59.302: Attribute 5 6 00007531
*Mar 3 22:53:59.302: Attribute 61 6 00000002
*Mar 3 22:53:59.302: Attribute 1 5 616B6F1E
*Mar 3 22:53:59.302: Attribute 30 11 37303332
*Mar 3 22:53:59.302: Attribute 31 11 37303332
*Mar 3 22:53:59.306: Attribute 3 19 0DBCAE20
*Mar 3 22:53:59.306: Attribute 6 6 00000002
*Mar 3 22:53:59.306: Attribute 7 6 00000001
*Mar 3 22:53:59.314: RADIUS: Received from id 29 192.168.10.10:1645, Access-Accept, len 78
*Mar 3 22:53:59.314: Attribute 6 6 00000002
*Mar 3 22:53:59.314: Attribute 7 6 00000001
*Mar 3 22:53:59.314: Attribute 62 6 00000002
*Mar 3 22:53:59.314: Attribute 8 6 FFFFFFFF
*Mar 3 22:53:59.314: Attribute 25 34 43495343
*Mar 3 22:53:59.314: AAA/AUTHEN (1856435090): status = PASS
*Mar 3 22:53:59.318: BR3/0:1 CHAP: O SUCCESS id 13 len 4
*Mar 3 22:53:59.318: BR3/0:1 CHAP: Processing saved Challenge, id 12 *Mar 3 22:53:59.318: AAA:
parse name=BRI3/0:1 idb type=14 tty=-1
*Mar 3 22:53:59.318: AAA: name=BRI3/0:1 flags=0x55 type=2 shelf=0 slot=3 adapter=0 port=0 channel=1
*Mar 3 22:53:59.318: AAA: parse name=<no string> idb type=-1 tty=-1 *Mar 3 22:53:59.318:
AAA/MEMORY: create_user (0x62588A70) user='ako' ruser='NULL' ds0=0 port='BRI3/0:1'
rem_addr='703206714/703207588'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*Mar 3 22:53:59.318: AAA/AUTHEN/START (3299155666): port='BRI3/0:1' list='' action=SENDAUTH
service=PPP
*Mar 3 22:53:59.318: AAA/AUTHEN/START (3299155666): using "default" list *Mar 3 22:53:59.318:
AAA/AUTHEN/START (3299155666): Method=radius (radius) *Mar 3 22:53:59.318: AAA/AUTHEN/SENDAUTH
(3299155666): missing password for ako
*Mar 3 22:53:59.322: AAA/AUTHEN/SENDAUTH (3299155666): Failed sendauthen for ako
*Mar 3 22:53:59.322: AAA/AUTHEN (3299155666): status = FAIL
*Mar 3 22:53:59.322: AAA/AUTHEN/START (3299155666): Method=LOCAL
*Mar 3 22:53:59.322: AAA/AUTHEN (3299155666): status = PASS
Does anybody have any idears on how to configure the ACS and/or NAS to also succesfully use the
Radius method for SENDAUTH?
BTW I already tried the cisco av-pairs sendauth and send-secret. Not sure however if I used them
correctly because I can not find any precise documentation on this exact situation. Wen using
authen as the protocol (e.g. cisco-avpair=authen:send-secret=password) it does not pick it up on
my 3640 with IP plus vs. 12.2(19a).
Henk Blacquière
Network Consultant
Having a question about 2-way ppp authentication using Radius:
For my dial-in/dial-out DDR setup I want to do all the authentication on Radius. Sofar we have
been using locally configured usernames/passwords but this should be moved to ACS.
Relavant config parts:
==============
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login dialup group radius
aaa authentication login no-auth none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group radius local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group radius local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group tacacs+
!
username not-ako password somepassword
!
virtual-profile if-needed
virtual-profile virtual-template 1
!
interface BRI3/0
description LDMCKLM; BRI no +31703011090
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
autodetect encapsulation ppp v120
isdn switch-type basic-net3
isdn incoming-voice modem
no fair-queue
no cdp enable
ppp authentication chap pap ms-chap
ppp multilink
!
interface Virtual-Template1
ip unnumbered Loopback0
ppp authentication chap
ppp multilink
multilink max-links 2
!
interface Dialer1
description ; ako - ako b.v.
ip address 172.16.30.1 255.255.255.0
encapsulation ppp
ip route-cache policy
load-interval 30
dialer pool 1
dialer idle-timeout 300
dialer enable-timeout 60
dialer string 0703206714
dialer caller 0703206714
dialer load-threshold 180 either
dialer-group 1
no peer default ip address
fair-queue
compress stac
no cdp enable
ppp authentication chap callin
ppp multilink
multilink max-links 2
===========
And then the debugging I logged. Note that the remote 'ako' is
authenticated ok (22:53:59.314) but then for SENDAUTH the router fails to find the password
(22:53:59.318) and has to fall back to the method=local (22:53:59.322).
*Mar 3 22:53:59.302: RADIUS: Initial Transmit BRI3/0:1 id 29 192.168.10.10:1645, Access-Request,
len 96
*Mar 3 22:53:59.302: Attribute 4 6 C0A80B01
*Mar 3 22:53:59.302: Attribute 5 6 00007531
*Mar 3 22:53:59.302: Attribute 61 6 00000002
*Mar 3 22:53:59.302: Attribute 1 5 616B6F1E
*Mar 3 22:53:59.302: Attribute 30 11 37303332
*Mar 3 22:53:59.302: Attribute 31 11 37303332
*Mar 3 22:53:59.306: Attribute 3 19 0DBCAE20
*Mar 3 22:53:59.306: Attribute 6 6 00000002
*Mar 3 22:53:59.306: Attribute 7 6 00000001
*Mar 3 22:53:59.314: RADIUS: Received from id 29 192.168.10.10:1645, Access-Accept, len 78
*Mar 3 22:53:59.314: Attribute 6 6 00000002
*Mar 3 22:53:59.314: Attribute 7 6 00000001
*Mar 3 22:53:59.314: Attribute 62 6 00000002
*Mar 3 22:53:59.314: Attribute 8 6 FFFFFFFF
*Mar 3 22:53:59.314: Attribute 25 34 43495343
*Mar 3 22:53:59.314: AAA/AUTHEN (1856435090): status = PASS
*Mar 3 22:53:59.318: BR3/0:1 CHAP: O SUCCESS id 13 len 4
*Mar 3 22:53:59.318: BR3/0:1 CHAP: Processing saved Challenge, id 12 *Mar 3 22:53:59.318: AAA:
parse name=BRI3/0:1 idb type=14 tty=-1
*Mar 3 22:53:59.318: AAA: name=BRI3/0:1 flags=0x55 type=2 shelf=0 slot=3 adapter=0 port=0 channel=1
*Mar 3 22:53:59.318: AAA: parse name=<no string> idb type=-1 tty=-1 *Mar 3 22:53:59.318:
AAA/MEMORY: create_user (0x62588A70) user='ako' ruser='NULL' ds0=0 port='BRI3/0:1'
rem_addr='703206714/703207588'
authen_type=CHAP service=PPP priv=1 initial_task_id='0'
*Mar 3 22:53:59.318: AAA/AUTHEN/START (3299155666): port='BRI3/0:1' list='' action=SENDAUTH
service=PPP
*Mar 3 22:53:59.318: AAA/AUTHEN/START (3299155666): using "default" list *Mar 3 22:53:59.318:
AAA/AUTHEN/START (3299155666): Method=radius (radius) *Mar 3 22:53:59.318: AAA/AUTHEN/SENDAUTH
(3299155666): missing password for ako
*Mar 3 22:53:59.322: AAA/AUTHEN/SENDAUTH (3299155666): Failed sendauthen for ako
*Mar 3 22:53:59.322: AAA/AUTHEN (3299155666): status = FAIL
*Mar 3 22:53:59.322: AAA/AUTHEN/START (3299155666): Method=LOCAL
*Mar 3 22:53:59.322: AAA/AUTHEN (3299155666): status = PASS
Does anybody have any idears on how to configure the ACS and/or NAS to also succesfully use the
Radius method for SENDAUTH?
BTW I already tried the cisco av-pairs sendauth and send-secret. Not sure however if I used them
correctly because I can not find any precise documentation on this exact situation. Wen using
authen as the protocol (e.g. cisco-avpair=authen:send-secret=password) it does not pick it up on
my 3640 with IP plus vs. 12.2(19a).
Henk Blacquière
Network Consultant