Authentication problem between Router C3745 and Server RADIUS

YacineBEKHECHI91 — Fri, 21 Feb 2020 19:02:23 GMT

Hello Cisco Community 🙂

I have a simple topology of LAN network, everything works great excepted my Radius server !

So, here is my topology :

My problem is when I try to do connection attempt to the router R1 from Administrateur via SSH, the authentication between R1 and my server RADIUS doesn't work.

here is my R1 config :

Router1#sh run
Building configuration...

Current configuration : 3219 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9i6a$F/bE9u0iqN3NhA.TTGRKs.
!
aaa new-model
!
!
aaa authentication login ACCES_SSH group radius
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
ip dhcp excluded-address 192.168.3.254
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.254
!
!
no ip domain lookup
ip domain name MyDomaine.LAN
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh version 2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
ip address 223.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 223.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.0.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_INTERNET_VLAN2 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN3 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN99 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 80 223.0.0.1 80 extendable
!
ip access-list standard NAT_INTERNET_VLAN2
permit 192.168.2.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN3
permit 192.168.3.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN99
permit 192.168.99.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server key router
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login authentication ACCES_SSH
transport input ssh
!
ntp master 1
ntp server 192.168.99.254
!
end

------------------------------------------------

RADIUS config :

clients.conf :

users :

------------------------------------

Administrateur config :

And the problem is :

Authentication impossible with the password : bekhechiError message on R1

So, if someone have an idea about that, please if he can tell me what the problem and thank you for helpful 🙂

Re: Authentication problem between Router C3745 and Server RADIUS

balaji.bandi — Sat, 08 Dec 2018 23:12:31 GMT

Can you try testing from Switch your Radius is working or not with below command

#test aaa server Radius RADIUS-SERVER-IP  USERNAME PASSWORD

also look the logs in radius server.

Re: Authentication problem between Router C3745 and Server RADIUS

YacineBEKHECHI91 — Sun, 09 Dec 2018 13:53:34 GMT

Hi @balaji.bandi

hope you're good, I tested your issue but unfortunetly it doesn't work aymore !

I didn't know how to access to LOG RADIUS via command line linux

Re: Authentication problem between Router C3745 and Server RADIUS

balaji.bandi — Sun, 09 Dec 2018 16:30:30 GMT

basically standard setup of radius log will be store in

logdir = "/var/log/radius"

topic Re: Authentication problem between Router C3745 and Server RADIUS in Network Access Control

Authentication problem between Router C3745 and Server RADIUS

Re: Authentication problem between Router C3745 and Server RADIUS

Re: Authentication problem between Router C3745 and Server RADIUS

Re: Authentication problem between Router C3745 and Server RADIUS