as5300 not sending username to radius

Athiqur Rahman — Mon, 11 Mar 2019 00:07:35 GMT

I have an AS5300 IOS (tm) 5300 Software (C5300-I-M), Version 12.2(16) using it as RAS.

I am using FreeRADIUS Version 2.1.8 for accounting puposes

The problem I am facing is that when opening a ppp dial up connection to the as5300, it is not sending the username. I need the as5300 to send the username so that a realm can be matched.

Below is snippet of debug output from FreeRadius

rad_recv: Accounting-Request packet from host 192.168.0.57 port 1646, id=211, length=97
        NAS-IP-Address = 192.168.0.57
        NAS-Port = 182
        NAS-Port-Type = Async
        Called-Station-Id = "02081131234"
        Calling-Station-Id = "2075176623"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Acct-Session-Id = "0000006E"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 182,Client-IP-Address = 192.168.0.57,NAS-IP-Address = 217.73.64.57,Acct-Session-Id = "0000006E",'
[acct_unique] Acct-Unique-Session-ID = "93340c227b9a5bca".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
++[files] returns noop

Below is my AAA config from my cisco

aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default none
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group radius

I have tested with radtest with username testing@secureroot and i get the following output which does ffind the username and thus the realm. this indicates to me that there is nothing wrong with my freeradius config

rad_recv: Access-Request packet from host 127.0.0.1 port 37443, id=212, length=67
        User-Name = "testing@secureroot"
        User-Password = "mypassword"
        NAS-IP-Address = 217.73.64.75
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "secureroot" for User-Name = "testing@secureroot"
[suffix] Found realm "secureroot"
[suffix] Adding Stripped-User-Name = "testing"
[suffix] Adding Realm = "secureroot"
[suffix] Authentication realm is LOCAL.

i have done tcpdump of my successful radtest and it looks like

15:12:42.183076 IP 87.102.106.147.43340 > 217.73.64.75.1812: RADIUS, Access Request (1), id: 0x64 length: 67
15:12:42.183079 IP 217.73.64.75.1812 > 87.102.106.147.43340: RADIUS, Access Accept (2), id: 0x64 length: 62

below is the tcpdump of the cisco communicating with the radius

14:29:59.998964 IP 217.73.64.57.1646 > 217.73.64.75.1813: RADIUS, Accounting Request (4), id: 0xe3 length: 97
14:30:00.003907 IP 217.73.64.75.1813 > 217.73.64.57.1646: RADIUS, Accounting Response (5), id: 0xe3 length: 20
14:30:12.061861 IP 217.73.64.57.1646 > 217.73.64.75.1813: RADIUS, Accounting Request (4), id: 0xe4 length: 150
14:30:12.063124 IP 217.73.64.75.1813 > 217.73.64.57.1646: RADIUS, Accounting Response (5), id: 0xe4 length: 20

The tcpdump shows that when opening ppp connection to the cisco it is not sending any access requests to port 1812, only accounting packets. Somethinge definitely wrong with the config on the cisco.

I am thinking i have missed something simple

Thanks

Re: as5300 not sending username to radius

Jatin Katyal — Sun, 16 May 2010 07:32:13 GMT

Athiqur,

Consider, if you haven't recievded any solution on this.

If you are not seeing radius access request coming from the AS5300 that means its not trying to communicate over UDP port 1812 that what we have configured on the free radius server.

Could you please issue the below listed command and see if that helps;

radius-server host auth-port 1812 acct-port 1813 key

Command refrence;

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_r1gt.html#wp1173811

Also if that doesn't help, please provide me the o/p of the following debugs;

debug aaa authentication

debug radius

term mon

Also send me the "Sh Run" from the IOS.

Regds,

Do rate helpul posts-

Re: as5300 not sending username to radius

Athiqur Rahman — Mon, 17 May 2010 08:14:49 GMT

Thanks, but I have solved the problem. The cisco was not sending requests to radius becuase I was missing the line

ppp authentication chap pap

in the Dialer interface.

topic Re: as5300 not sending username to radius in Network Access Control

as5300 not sending username to radius

Re: as5300 not sending username to radius

Re: as5300 not sending username to radius