topic Re: RADIUS and Cisco 2611 router in Network Access Control

RADIUS and Cisco 2611 router

bindikitty — Sun, 10 Mar 2019 22:52:31 GMT

Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.

Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:

Using 2297 out of 29688 bytes

! Last configuration change at 17:20:27 PDT Tue May 20 2008

! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008

version 12.1

no service single-slot-reload-enable

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

hostname Tester

logging buffered 10000 debugging

aaa new-model

aaa group server radius RadiusServers

server 172.26.0.2 auth-port 1812 acct-port 1813

aaa authentication login default group RadiusServers local

aaa authentication login localauth local

aaa authentication ppp default if-needed group radius local

aaa authorization exec default group radius local

aaa authorization network default group radius local

aaa accounting delay-start

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa processes 6

enable secret xxx

username test password xxx

clock timezone PST -8

clock summer-time PDT recurring

ip subnet-zero

no ip domain-lookup

no ip bootp server

interface Loopback0

ip address 192.168.0.1 255.255.255.0

interface Ethernet0/0

description To Main Network

ip address X.X.X.X 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

full-duplex

no cdp enable

interface Ethernet0/1

description To Internal Network

ip address 172.26.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

load-interval 30

full-duplex

no cdp enable

ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128

ip nat inside source list 3 pool test overload

ip nat inside destination list 3 pool test

ip classless

ip route 0.0.0.0 0.0.0.0 X.X.X.X

no ip http server

ip radius source-interface Ethernet0/1

access-list 3 permit 172.26.0.0 0.0.0.255

no cdp run

snmp-server community public RO 15

radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret

radius-server retransmit 3

radius-server key secret

line con 0

password xxx

logging synchronous

line aux 0

line vty 0 4

access-class 10 in

password 7 1234567890

logging synchronous

ntp clock-period 17208108

ntp server 192.43.244.18

end

My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.

I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.

Thank you for any assistance you may be able to provide.

Re: RADIUS and Cisco 2611 router

Jagdeep Gambhir — Wed, 28 May 2008 22:37:24 GMT

First i would suggest you to use IP radius source interface command , so that it use a specific interface for sending radius request to server. We should have same IP listed for router in radius server.

Also ensure that secret key is same, on both ends. We also have NAT , so you may need to change ip on radius server.

Check if you are able to ping radius server from your router ? need to rule out routing issue.

If still it is not working, then get the debugs,

debug aaa authentication

debug radius

Also if possible sniff the radius server and see if request from router is hitting radius.

Regards,

~JG

Do rate helpful posts

Re: RADIUS and Cisco 2611 router

bindikitty — Wed, 28 May 2008 22:56:58 GMT

Thank you for your quick response. I have IP radius source-interface Ethernet0/1, which is my internal interface. It should be in the config file I included in my initial post.

And yes, the secret key is the same on both ends, and I can ping the RADIUS server. In fact, the RADIUS server can surf the Internet through the router, although other connected computers cannot.

I have turned on debug aaa authentication and radius, and I do not see any debug messages when a computer tries to authenticate. I do see debug messages when I try to log into the Cisco router using HyperTerm. I get Access-Reject messages (this is fine--I'm not worried about authenticating--as long as I can get an Access-Reject message, then I know the two devices are communicating) and also "Response failed decrypt", as well as "Marking server 172.26.0.2:1812,1813 dead, Tried all servers, No valid server found."

However, using Wireshark, I see PPPoED Active Discovery Initiation broadcasts from the test computer (not server), but nothing from the Cisco router. The RADIUS server does not respond because the test computer is not an authorized client. It appears as though the router is not forwarding the requests to the RADIUS server.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Thu, 29 May 2008 01:30:59 GMT

The few things that stood out for me were the absence of:

aaa authentication enable default group radius local

The redundancy of the key specification in:

radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret

radius-server retransmit 3

radius-server key secret

Note: I would specify it one way, and not both. My preference is to specify it in the same command line as the IP.

... and, since I am not familiar with the "aaa processes" command, I am not sure whether "6" is an appropriate setting or not.

I do believe it would be beneficial for you to focus on the AAA Client (router) to AAA Server interaction first.

In Wireshark preferences | Protocols | Radius, there is a "Shared Secret" field where you can enter your RADIUS password. This will enable you to see the content of your RADIUS packets unencrypted. This may help you see what is going on.

The debug messages encountered when logging in to the router suggests to me that there is communication between the router (AAA client) and the RADIUS server.

The "Response failed decrypt" message suggests that there may be a shared password issue despite the fact that you don't believe it. The marking the server dead, and no valid server found "may" be an extension of the decryption failure, but I'm not 100% sure. Worth considering though.

It is not clear to me what the PPPoED in your post is all about. It appears that you are using a PPPoE client on the test computer; that you think the router is some how going to respond to it based on your configuration (but it doesn't).

I suspect there is a disconnect between the configuration of the router, and what you are expecting in interaction between the test computer and router.

I'm not sure what to make of the - "The RADIUS server does not respond because the test computer is not an authorized client." statement. The Radius server should respond to the AAA Client which is the router.

Contrary to your statements, you're not likely an idiot, you're just covering new ground. It's part of getting to where you want to go.

Re: RADIUS and Cisco 2611 router

bindikitty — Thu, 29 May 2008 22:25:47 GMT

I've tried posting this several times today, but it has yet to show up. Please forgive me if this appears multiple times:

Thank you for your response; it was very helpful, and I believe I am making progress.

>> aaa authentication enable default group radius local

The "local" method is not accepted by my router; it will only accept enable, group, line, none, or .

I removed the "aaa processes" command since it seemed to not be affecting anything. Not sure about it, but it was in a config I copied from a document I found on the Internet.

Thank you for the tip about Wireshark and RADIUS encryption. I took a look at the user password, and it is listed correctly in the Access-Request packets, except it is appended with a series of eight /000. Howerver, this is the USER password, not the shared secret. I was unable to locate the shared secret anywhere in the packet.

The PPPoED references concern the access authentication attempts from my test workstation. I wanted to see if the router, which is the RADIUS client, is passing the authentication requests to the RADIUS server. It is not, except for local authentication attempts using HyperTerm. I am trying to get it set up so it will pass all authentication requests to the RADIUS server. However, I may be doing this incorrectly as I have never set up network authentication before, other than Windows computers on a workgroup LAN or using ADS. For authentication testing, I set up Dial-Up Networking using Broadband Connection Settings. Should I be using or doing something different?

Lastly, as for my idiot reference, that was an abbreviation of the half-page grovel I usually include in all listserv posts to avoid people flaming me for wasting electrons. Thank you for your kindness and patience.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Fri, 30 May 2008 00:01:00 GMT

I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.

The command I shared:

aaa authentication enable default group radius local

... was erroneous. The keyword should have been "enable", as you have discovered.

Therefore use:

aaa authentication enable default group radius enable

When I view a Wireshark trace I see the following:

AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"

Like you, I see the user password appended with the group of \000 grouping's.

Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).

I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.

The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.

My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.

However, there are other mainstream authentication methods that I think you should investigate as well.

You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.

I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.

The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.

I think you should:

1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.

2. Investigate whether PPPoE support exists on your router's interfaces.

3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).

4. Decide which methods appeals to you.

5. Dive in.

I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.

I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.

Good luck.

Re: RADIUS and Cisco 2611 router

bindikitty — Tue, 03 Jun 2008 22:01:43 GMT

> I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.

This is exactly what I was doing. Thank you.

> 1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.

Done. This was a Doh! moment--I'd forgotten to add the IP address of the router to the RADIUS server's client list. A few hours of sleep helped. Once I added the router to the client list, I was able to immediately authenticate against the RADIUS database and log in using HyperTerm. However, the router still does not pass the test workstation's network authentication request packets to the RADIUS server.

> 2. Investigate whether PPPoE support exists on your router's interfaces.

ppp is an unrecognized router Interface command. However, the 'aaa authentication ppp default if-needed group radius local'command is supposed to apply the command to all interfaces.

I've worked through most of the issues. My RADIUS server and router are communicating as far as logging into the router itself, but the router is still not passing network authentication requests (Broadband Connection using the Dial-up and VPN settings) to the RADIUS server. And, I can access the Internet even though my test workstation has not authenticated. These seem to be the last issues I have to resolve.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Tue, 03 Jun 2008 22:45:22 GMT

The "ppp authentication" interface configuration mode command is used to enable PPP authentication on an interface. The fact that this command is not available on the interfaces (Ethernet?) that you wish to establish PPP authentication on, suggests that you will not succeed.

With respect to the "aaa authentication ppp default if-needed group radius local" global command, the "if-needed" keyword means the user is not authenticated (if) they have already authenticated on a TTY line.

I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?

Re: RADIUS and Cisco 2611 router

bindikitty — Wed, 04 Jun 2008 18:40:20 GMT

OK, I upgraded my router to a 2621 running a newer OS and was able to add 'pppoe enable' to the interface to turn on pppoe authentication. I also removed the 'if-needed' method. However, the PPPoE authentication packets are still not being forwarded to the router, and I can still access the Internet without authenticating.

> I'm not sure the client functionality you are using is really a true PPPoE client anyway. Is it not intended for serial interfaces?

I do not know whether this is the appropriate tool to use or not. We offer FTTH Internet service--no DSL, dial-up, or cable--which has been strictly plug and play until recently. All customers had to do was get the fiber box activated at their premises, plug their equipment into the Ethernet ports, and they were on the Internet. However, I now have to find a cost-effective way of enforcing authentication so we can track bandwidth usage. I have never done this before. If this is not the appropriate tool, then what is?

Thank you.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Wed, 04 Jun 2008 19:20:13 GMT

Tenacious.

Found the following URL that may have some information worthy of your attention:

http://www.carricksolutions.com/windowsxp.php

I have not read it, but it suggests that there is some native PPPoE support on XP, and provides some info on how to configure/troubleshoot it.

If the native functionality doesn't suit you, perhaps you should identify a freeware PPPoE client for testing purposes.

If you have not done so, I still think you should take a quick look at 802.1x and Authentication Proxy, for comparative purposes, if nothing else.

Authentication Proxy would only require a browser, and would not add additional encapsulation, or complexity (e.g.: software installation).

Re: RADIUS and Cisco 2611 router

bindikitty — Wed, 11 Jun 2008 21:07:00 GMT

Ignore this...I think I just answered my own question. This document is about PORT based authentication--I'm looking for user authentication.

Just a quick question about this...I've been reading up on 802.1x, and I have a 2950 switch that should be capable of performing this. However, I am not clear on whether the two supported topologies (Point-to-Point or Wireless LAN) would work for my environment. All of my customers come into the switch on a single trunk port. How would either of these topologies work in this situation? According to document 78-11380-02 (Configuring 802.1x Port-Based Authentication), P2P allows only one client to be connected to an 802.1x-enabled switch port. Wireless LAN (which we're not) allows multiple hosts, but the first host enables the port for everyone.

Or am I completely missing this? Unfortunately, I have only one 2950 switch, and it is in production. My test switches are 2912s, which are completely different animals. I have not been able to get the 2912s to accept the commands used to configure a 2950 for authentication to test it.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Wed, 11 Jun 2008 21:31:37 GMT

We've used 802.1x on the access ports of our 2950, and you are correct, if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.

If all of your users connect through a single trunk port, this is not a solution for you.

How have things progressed with your PPPoE exploration?

Re: RADIUS and Cisco 2611 router

michael.leblanc — Wed, 11 Jun 2008 21:57:07 GMT

Re: This document is about PORT based authentication--I'm looking for user authentication.

The port is moved into an "authorized" state as a result of "user authentication".

I.E.: The user uses an 802.1x supplicant on the host to facilitate the exchange of credentials (username and password) with the Authenticator (802.1x enabled switch).

Re: RADIUS and Cisco 2611 router

bindikitty — Wed, 11 Jun 2008 22:52:54 GMT

As you may have guessed, I'm pretty confused at this point.

If the port is moved into an authorized state as a result of user authentication and all of my users come into the switch on a single trunk port, then am I correct in assuming this will not work for my situation?

Re: RADIUS and Cisco 2611 router

michael.leblanc — Wed, 11 Jun 2008 23:11:21 GMT

Correct.

Per my post at 3:31pm PST:

"... if one device/user authenticates, the port enters the authorized state which permits access to all devices/users connected through that port.

If all of your users connect through a single trunk port, this is not a solution for you."

Today's post was the first indication that all your users came through the same trunk port. Had I known previously, I wouldn't have suggested that you read up on 802.1x.

Authentication Proxy would facilitate downloadable per-user ACLs on the same interface for multiple user's. It would be worth investigation.

Presumably, you saw the links I posted earlier with config/troubleshooting guidance for PPPoE. How has that investigation progressed?

Re: RADIUS and Cisco 2611 router

bindikitty — Wed, 11 Jun 2008 23:28:26 GMT

I have not made any progress troubleshooting PPPoE. I configured a connection as described on the Carrick Solutions web site (thank you for that link), but my router is still not forwarding the authentication requests to my RADIUS server.

I have also used NTRadPing to test authentication. When I set it to test the RADIUS server directly, the RADIUS server sends an Access-Accept response. If I set NTRadPing to send a broadcast authentication request, the RADIUS sever itself responds, but the Cisco router does not forward the requests to the RADIUS server. And, if I set NTRadPing to send the requests directly to the Cisco router, the router does not forward the requests. The Cisco router is just ignoring the requests, unless I'm logging directly onto the router using HyperTerminal. And, it does not block unauthorized access to the network.

At this point, I'm completely stumped and spend my days searching the Internet for solutions and trying every configuration I can find.

Re: RADIUS and Cisco 2611 router

michael.leblanc — Wed, 11 Jun 2008 23:46:56 GMT

Perhaps you can post the Cisco AAA configuration you are/were using during the PPPoE testing, with some topology info (i.e.: which physical ports the devices interconnect on).

Have you placed a sniffer between the host and switch to verify whether the host is sending PPPoE packets, and determined whether the switch responds on the wire?

Re: RADIUS and Cisco 2611 router

michael.leblanc — Thu, 12 Jun 2008 02:51:54 GMT

If you explore Authentication Proxy and it works, it might make you forget PPPoE pretty fast.

If you decide to pursue PPPoE further, the following link is probably where you would find most of Cisco's information on PPPoE:

http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html

Cisco's "Service Providers" forums might provide some guidance on whether PPPoE is achievable with your platform and environment?

Re: RADIUS and Cisco 2611 router

bindikitty — Thu, 12 Jun 2008 23:04:33 GMT

You were absolutely right about the Authentication Proxy. I finally found what I was looking for in the Cisco Field Manual: Router Configuration book, Chapter 13 (on safari.oreilly.com).

Here is my config, for anyone else who has the same struggle:

hostname Tester

logging buffered 10000 debugging

enable secret 5 **************************

aaa new-model

aaa authentication login default group radius

aaa authorization auth-proxy default group radius

aaa accounting auth-proxy default start-stop group radius

aaa session-id common

ip subnet-zero

ip cef

no ip domain lookup

no ip bootp server

ip auth-proxy inactivity-timer 120

ip auth-proxy name Customers http

ip audit po max-events 100

username test password 7 **************

username admin password 7 *************

interface FastEthernet0/0

description To Internet

ip address x.x.x.x 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

speed auto

full-duplex

no cdp enable

interface FastEthernet0/1

description To Internal Network Dumb Switch

ip address 172.26.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip auth-proxy Customers

load-interval 30

speed auto

full-duplex

no cdp enable

ip nat pool test x.x.x.x x.x.x.x netmask 255.255.255.128

ip nat inside source list 3 pool test overload

ip nat inside destination list 3 pool test

ip http server

ip http access-class 40

ip http authentication aaa

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip radius source-interface FastEthernet0/1

access-list 3 permit 172.26.0.0 0.0.0.255

access-list 40 deny any

no cdp run

radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret

line con 0

exec-timeout 0 0

password 7 *********

logging synchronous

line aux 0

line vty 0 4

access-class 10 in

password 7 ************

logging synchronous

The router IS forwarding the packets to my RADIUS server now, and when I try to access the Internet using my web browser, an authentication screen pops up in the browser. No additional setup on users' computers is necessary.

I am not able to authenticate, but my RADIUS server IS sending Access-Reject messages, which means the two are communicating, and the router is blocking unauthenticated access. I can see the packets being passed from my test workstation to the router, and then the router forwarding them on to the RADIUS server. Authentication issues I can resolve; I'm sure it just has something to do with the encryption.

Thank you so much for all your help, Michael. I really appreciate it!

Re: RADIUS and Cisco 2611 router

michael.leblanc — Fri, 13 Jun 2008 14:56:58 GMT

When you have everything working to your satisfaction, consider exploring "ip http secure-server" to protect the Auth Proxy credential exchange between the host and router.

Unless my memory is failing me, when "ip http secure-server" was used in addition to "ip http server", I think the Auth Proxy credential exchange was secure.

I don't think you can use "ip http secure-server" by itself, so make sure you retain "ip http server".

If you want syslog messages for Authentication Proxy, consider:

ip auth-proxy auth-proxy-audit

Downloadable ACL observations:

1. Must use the keyword "any" as the source in auth-proxy ACEs configured on the RADIUS server. Tried using host , but although the ACE was passed to the AAA Client, it was not added to the interface ACL on the router.

2. When the RADIUS server passes the proxyacl AV pair to the router it contains the "any" keyword as the source. However, the router will translate the "any" keyword to the "authenticated IP address" before installing the temporary ACEs in the interface ACL.

Keep us posted on your progress until complete.