https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254721#M435013 <HTML><HEAD></HEAD><BODY><P>This looks to be the problem:</P><P><B></B></P><P>02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999</P><P>02:29:16: As33 AAA/AUTHOR/LCP: timeout failed</P><P>02:29:16: As33 AAA/AUTHOR/LCP: Denied </P><P></P><P>You're doing authorization (not just authentication) on your dialup users, not sure if you really want that or not. If so, then you will have a session-timeout set in the Radius users profile, you can see the radius server replying with this:</P><P><B></B></P><P>02:29:16: Attribute 6 6 00000002</P><P>02:29:16: Attribute 7 6 00000001</P><P>02:29:16: Attribute 27 6 0098967F</P><P>02:29:16: Attribute 28 6 0000000A </P><P></P><P>which when decoded becomes:</P><P><B></B></P><P>02:29:16: Service-Type Framed</P><P>02:29:16: Framed-Protocol PPP</P><P>02:29:16: Session-Timeout 9999999</P><P>02:29:16: Idle-Timeout 10 </P><P></P><P>I would say the NAS/router doesn't like the Session-Timeout being so high, try lowering it and see what happens. </P><P></P><P>Alternatively, if you don't really want to do authorization for your dialup users, then remove the line:</P><P><B></B></P><P>aaa authorization network radius </P><P></P><P>and the problem should also go away.</P></BODY></HTML> Tue, 06 Jan 2004 05:05:05 GMT gfullage 2004-01-06T05:05:05Z https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254720#M435012 <P>I could telnet in to my Cisco 2620 using RADIUS authentication </P><P>"telnet 192.168.4.10 2033" (provide username/pass)</P><P>and then type AT which My modem reply with OK.</P><P></P><P>I could also dial-in to the NAS with local user</P><P></P><P>But I could not dial-in using RADIUS user.</P><P>Please help me trouble shoot the problem. </P><P>I enclose the debug information and also the configuration I used.</P><P></P><P>Thank you,</P><P></P><P>Nguyen Nhat Binh</P><P></P><P></P><P>Username: test </P><P>Password: </P><P></P><P>Cisco2620&gt;ena </P><P>Password: </P><P>Cisco2620# </P><P>Cisco2620# </P><P>Cisco2620# </P><P>Cisco2620#terminal monitor </P><P>Cisco2620# </P><P>02:28:00: %LINK-3-UPDOWN: Interface Async33, changed state to up </P><P>02:28:00: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially </P><P>02:28:24: %LINK-5-CHANGED: Interface Async33, changed state to reset </P><P>02:28:29: %LINK-3-UPDOWN: Interface Async33, changed state to down </P><P>02:28:35: %LINK-3-UPDOWN: Interface Async33, changed state to up </P><P>02:28:35: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially </P><P>02:28:46: %LINK-5-CHANGED: Interface Async33, changed state to reset </P><P>02:28:51: %LINK-3-UPDOWN: Interface Async33, changed state to down </P><P>02:29:15: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially </P><P>02:29:15: %LINK-3-UPDOWN: Interface Async33, changed state to up </P><P>02:29:16: AAA: parse name=Async33 idb type=10 tty=33 </P><P>02:29:16: AAA: name=Async33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 c </P><P>hannel=0 </P><P>02:29:16: AAA/MEMORY: create_user (0x80CD711C) user='test' ruser='' port='Async3 </P><P>3' rem_addr='async' authen_type=CHAP service=PPP priv=1 </P><P>02:29:16: AAA/AUTHEN/START (327574709): port='Async33' list='' action=LOGIN serv </P><P>ice=PPP </P><P>02:29:16: AAA/AUTHEN/START (327574709): using "default" list </P><P>02:29:16: AAA/AUTHEN (327574709): status = UNKNOWN </P><P>02:29:16: AAA/AUTHEN/START (327574709): Method=radius (radius) </P><P>02:29:16: RADIUS: ustruct sharecount=1 </P><P>02:29:16: RADIUS: Initial Transmit Async33 id 89 192.168.4.141:1645, Access-Requ </P><P>est, len 75 </P><P>02:29:16: Attribute 4 6 C0A8040A </P><P>02:29:16: Attribute 5 6 00000021 </P><P>02:29:16: Attribute 61 6 00000000 </P><P>02:29:16: Attribute 1 6 74657374 </P><P>02:29:16: Attribute 3 19 27440611 </P><P>02:29:16: Attribute 6 6 00000002 </P><P>02:29:16: Attribute 7 6 00000001 </P><P>02:29:16: RADIUS: Received from id 89 192.168.4.141:1645, Access-Accept, len 44 </P><P>02:29:16: Attribute 6 6 00000002 </P><P>02:29:16: Attribute 7 6 00000001 </P><P>02:29:16: Attribute 27 6 0098967F </P><P>02:29:16: Attribute 28 6 0000000A </P><P>02:29:16: AAA/AUTHEN (327574709): status = PASS </P><P>02:29:16: As33 AAA/AUTHOR/LCP: Authorize LCP </P><P>02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Port='Async33' list='' service=NET </P><P>02:29:16: AAA/AUTHOR/LCP: As33 (1939832978) user='test' </P><P>02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV service=ppp </P><P>02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV protocol=lcp </P><P>02:29:16: As33 AAA/AUTHOR/LCP (1939832978): found list "default" </P><P>02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Method=radius (radius) </P><P>02:29:16: As33 AAA/AUTHOR (1939832978): Post authorization status = PASS_REPL </P><P>02:29:16: As33 AAA/AUTHOR/LCP: Processing AV service=ppp </P><P>02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999 </P><P>02:29:16: As33 AAA/AUTHOR/LCP: timeout failed </P><P>02:29:16: As33 AAA/AUTHOR/LCP: Denied </P><P>02:29:16: AAA/MEMORY: free_user (0x80CD711C) user='test' ruser='' port='Async33' </P><P>rem_addr='async' authen_type=CHAP service=PPP priv=1 </P><P>02:29:18: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially </P><P>02:29:20: %LINK-5-CHANGED: Interface Async33, changed state to reset </P><P>02:29:25: %LINK-3-UPDOWN: Interface Async33, changed state to down </P><P></P><P></P><P></P><P></P><P>************************************************************* </P><P>! Cisco2620.cfg - Cisco router configuration file </P><P>! Automatically created by Cisco ConfigMaker v2.6 Build 6 </P><P>! Wednesday, December 31, 2003, 01:58:10 PM </P><P>! </P><P>! Hostname: Cisco2620 </P><P>! Model: 2620 </P><P>! ************************************************************* </P><P>! </P><P>service timestamps debug uptime </P><P>service timestamps log uptime </P><P>service password-encryption </P><P>no service tcp-small-servers </P><P>no service udp-small-servers </P><P>! </P><P>hostname Cisco2620 </P><P>! </P><P>enable password xxxxx </P><P>username dong password xxxx </P><P>! </P><P>no ip name-server </P><P>! </P><P>ip subnet-zero </P><P>no ip domain-lookup </P><P>ip routing </P><P>! </P><P>interface FastEthernet 0/0 </P><P>no shutdown </P><P>description connected to EthernetLAN </P><P>ip address 192.168.4.10 255.255.255.0 </P><P>no keepalive </P><P>! </P><P>interface Async 33 </P><P>no shutdown </P><P>description connected to Dial-inPCs(modem) </P><P>ip unnumbered FastEthernet 0/0 </P><P>ip tcp header-compression passive </P><P>encapsulation ppp </P><P>async mode dedicated </P><P>! group-range 33 33 </P><P>ppp authentication chap pap </P><P>no cdp enable </P><P>peer default ip address pool Cisco2620-Group-1 </P><P>! </P><P>router rip </P><P>version 2 </P><P>network 192.168.4.0 </P><P>no auto-summary </P><P>! </P><P>! </P><P>ip local pool Cisco2620-Group-1 10.10.10.10 10.10.10.10 </P><P>ip classless </P><P>no ip http server </P><P>snmp-server community public RO </P><P>no snmp-server location </P><P>no snmp-server contact </P><P>! </P><P>line console 0 </P><P>exec-timeout 0 0 </P><P>password a </P><P>login </P><P>! </P><P>line vty 0 4 </P><P>password xxxx </P><P>login </P><P>! </P><P>line 33 </P><P>exec </P><P>autoselect ppp </P><P>autoselect during-login </P><P>login local </P><P>modem InOut </P><P>transport input all </P><P>stopbits 1 </P><P>speed 38400 </P><P>flowcontrol hardware </P><P>! </P><P></P><P>aaa new-model </P><P>aaa authentication login default radius local </P><P>aaa authentication login no_radius enable </P><P>aaa authentication ppp default if-needed radius </P><P>aaa authorization network radius </P><P>aaa accounting exec start-stop radius </P><P>aaa accounting network start-stop radius </P><P></P><P>radius-server host 192.168.4.11 auth-port 1645 acct-port 1646 </P><P></P><P></P><P>radius-server key ubtq</P> Sun, 10 Mar 2019 14:37:10 GMT https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254720#M435012 nguyenbinh 2019-03-10T14:37:10Z https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254721#M435013 <HTML><HEAD></HEAD><BODY><P>This looks to be the problem:</P><P><B></B></P><P>02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999</P><P>02:29:16: As33 AAA/AUTHOR/LCP: timeout failed</P><P>02:29:16: As33 AAA/AUTHOR/LCP: Denied </P><P></P><P>You're doing authorization (not just authentication) on your dialup users, not sure if you really want that or not. If so, then you will have a session-timeout set in the Radius users profile, you can see the radius server replying with this:</P><P><B></B></P><P>02:29:16: Attribute 6 6 00000002</P><P>02:29:16: Attribute 7 6 00000001</P><P>02:29:16: Attribute 27 6 0098967F</P><P>02:29:16: Attribute 28 6 0000000A </P><P></P><P>which when decoded becomes:</P><P><B></B></P><P>02:29:16: Service-Type Framed</P><P>02:29:16: Framed-Protocol PPP</P><P>02:29:16: Session-Timeout 9999999</P><P>02:29:16: Idle-Timeout 10 </P><P></P><P>I would say the NAS/router doesn't like the Session-Timeout being so high, try lowering it and see what happens. </P><P></P><P>Alternatively, if you don't really want to do authorization for your dialup users, then remove the line:</P><P><B></B></P><P>aaa authorization network radius </P><P></P><P>and the problem should also go away.</P></BODY></HTML> Tue, 06 Jan 2004 05:05:05 GMT https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254721#M435013 gfullage 2004-01-06T05:05:05Z https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254722#M435014 <HTML><HEAD></HEAD><BODY><P>Thank you alot for your support, I resolved the problem. Actually, I do not need authorization.</P><P></P><P>Wish you all the best for a new year.</P></BODY></HTML> Tue, 06 Jan 2004 07:14:45 GMT https://community.cisco.com/t5/network-access-control/please-help-trouble-shooting-radius/m-p/254722#M435014 nguyenbinh 2004-01-06T07:14:45Z