Mailing List Archive

[nsp] Radius authentication
Hello,

I have a customer authenticating to a Cisco router then to a radius server from
the Cisco client software. On the router's config, I see something which I
am not sure of.

here it is;

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"

However, when I issue a show run, in the running-config I see that the key
has not been "hidden" and is in clear text. Would that cause a problem?

Also, when I change my authentication method locally to the router, the
remote users authenticate. However under radius authentication, I don't get
any response.

I know the username/passwords are there. Also, I have mirrored the config
of an existing client with the same scenario that is up and running
flawlessly.

Any help would be appreciated.
thanks
Hagop
Re: [nsp] Radius authentication [ In reply to ]
Hagop Karaoghlanian wrote:
>
> I have a customer authenticating to a Cisco router then to a radius server from
> the Cisco client software. On the router's config, I see something which I
> am not sure of.
>
> here it is;
>
> radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"
> radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"
>
> However, when I issue a show run, in the running-config I see that the key
> has not been "hidden" and is in clear text. Would that cause a problem?

Should not be a problem.
More recent IOSes hide it, older ones don't.

>
> Also, when I change my authentication method locally to the router, the
> remote users authenticate. However under radius authentication, I don't get
> any response.

Have you already tried
debug radius
debug aaa authen
debug aaa author

on the NAS and detailed debug on the radius server?
Are you sure the auth-port and acct-port are correct? More recent
radius daemons should listen on ports 1813 and 1812 IMHO.



--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
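
Added example, not part of the thread or of either poster's configuration: a small Python check that parses `radius-server host` lines like those quoted above and reports where the router's auth/acct ports differ from the ports the RADIUS daemon listens on (the 1645/1646 versus 1812/1813 question raised in the reply), and how each shared key is stored. The sample config, addresses and key strings are constructed placeholders; the `audit` function and its finding names are hypothetical.

```python
import re

# Constructed sample: documentation-range addresses, placeholder key strings.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 0000PLACEHOLDER
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key 0 PlaceholderSecret
radius-server host 192.0.2.12 auth-port 1812 acct-port 1646 key PlaceholderSecret
"""

LEGACY_PORTS = (1645, 1646)    # older pair, as in the config quoted in the thread
ASSIGNED_PORTS = (1812, 1813)  # auth, acct as assigned in RFC 2865 / RFC 2866

LINE_RE = re.compile(
    r"^radius-server host (?P<host>\S+)"
    r"(?: auth-port (?P<auth>\d+))?"
    r"(?: acct-port (?P<acct>\d+))?"
    r"(?: key (?:(?P<ktype>[067]) )?(?P<key>.+))?$"
)

def audit(config, server_ports=ASSIGNED_PORTS):
    """Return (host, finding) tuples; `audit` and the finding names are hypothetical."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = m["host"]
        # Assumption: ports omitted from the line fall back to the legacy pair.
        auth = int(m["auth"] or LEGACY_PORTS[0])
        acct = int(m["acct"] or LEGACY_PORTS[1])
        if auth != server_ports[0]:
            findings.append((host, "auth-port-mismatch"))
        if acct != server_ports[1]:
            findings.append((host, "acct-port-mismatch"))
        if m["key"] is not None:
            if m["ktype"] in (None, "0"):
                findings.append((host, "key-cleartext"))
            elif m["ktype"] == "7":
                # Type 7 is reversible obfuscation: treat the config as secret.
                findings.append((host, "key-type7-reversible"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_CONFIG):
        print(host, finding)
```

Pass the port pair the RADIUS server actually listens on as `server_ports`; a router/server port mismatch shows up on the NAS as requests that never get a response.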
RE: [nsp] Radius authentication [ In reply to ]
Hi Victor,



Thanks for the insight... Actually I turned on debug radius, and found that
the radius did not have the same username/password combination as the client
software.

Thanks for everyone's time
Hagop


-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Victor Sudakov
Sent: Thursday, October 03, 2002 10:19 PM
To: Hagop Karaoghlanian
Cc: 'cisco-nsp@puck.nether.net'
Subject: Re: [nsp] Radius authentication


Hagop Karaoghlanian wrote:
>
> I have a customer authenticating to a Cisco router then to a radius server from
> the Cisco client software. On the router's config, I see something which I
> am not sure of.
>
> here it is;
>
> radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"
> radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 "key string"
>
> However, when I issue a show run, in the running-config I see that the key
> has not been "hidden" and is in clear text. Would that cause a problem?

Should not be a problem.
More recent IOSes hide it, older ones don't.

>
> Also, when I change my authentication method locally to the router, the
> remote users authenticate. However under radius authentication, I don't get
> any response.

Have you already tried
debug radius
debug aaa authen
debug aaa author

on the NAS and detailed debug on the radius server?
Are you sure the auth-port and acct-port are correct? More recent
radius daemons should listen on ports 1813 and 1812 IMHO.



--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN