Authentication not work between Router and RADIUS Server

YacineBEKHECHI91 — Fri, 21 Feb 2020 19:02:25 GMT

Hello Cisco Community 🙂

I have a simple topology of LAN network, everything works great excepted my Radius server !

So, here is my topology :

My problem is when I try to do connection attempt to the router R1 from Administrateur via SSH, the authentication between R1 and my server RADIUS doesn't work.

here is my R1 config :

Router1#sh run
Building configuration...

Current configuration : 3219 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9i6a$F/bE9u0iqN3NhA.TTGRKs.
!
aaa new-model
!
!
aaa authentication login ACCES_SSH group radius
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
ip dhcp excluded-address 192.168.3.254
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.254
!
!
no ip domain lookup
ip domain name MyDomaine.LAN
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh version 2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
ip address 223.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 223.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.0.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_INTERNET_VLAN2 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN3 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN99 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 80 223.0.0.1 80 extendable
!
ip access-list standard NAT_INTERNET_VLAN2
permit 192.168.2.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN3
permit 192.168.3.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN99
permit 192.168.99.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server key router
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login authentication ACCES_SSH
transport input ssh
!
ntp master 1
ntp server 192.168.99.254
!
end

------------------------------------------------

RADIUS config :

clients.conf :

users :

------------------------------------

Administrateur config :

And the problem is :

So, if someone has an idea about that, please if he can tell me what the problem and thank you for helpful 🙂

Re: Authentication not work between Router and RADIUS Server

Seb Rupik — Wed, 02 Jan 2019 10:59:22 GMT

HI there,

I assume you are using freeraidus on the server? From the server console can you stop the radius service and manually run it with the command:

radiusd -X

...this will dump the debug output to the terminal and you will see what is going on when you attempt to SSH onto R1. Please share this.

If when you attempt to SSH onto R1, the radius debug shows no new output, can you confirm that the firewall running on the radius server is permitting traffic to TCP/1812 and TCP/1813 ?

cheers,

Seb.

topic Re: Authentication not work between Router and RADIUS Server in Network Access Control

Authentication not work between Router and RADIUS Server

Re: Authentication not work between Router and RADIUS Server