
AAA authorization - request never sent

n.oneill
Level 1

Hi

I am having a problem with AAA Authorization and Microsoft IAS. I want to pass off authorization for network (PPP) access to MS IAS (RADIUS). At present it fails, but it never makes a request to the IAS server. I am running a packet sniffer and never see any packets from the router.

Debug as follows:

Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP: Authorize LCP
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): Port='Async65' list='IAS' service=NET
Jun 17 12:20:30.388: AAA/AUTHOR/LCP: As65 (3152618189) user='testuser'
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): send AV service=ppp
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): send AV protocol=lcp
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): found list "IAS"
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): Method=radius (radius)
Jun 17 12:20:30.392: As65 AAA/AUTHOR (3152618189): Post authorization status = ERROR
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): Method=NOT_SET
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): no methods left to try
Jun 17 12:20:30.392: As65 AAA/AUTHOR (3152618189): Post authorization status = ERROR
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP: Denied

Relevant config:

aaa new-model
aaa group server radius default
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius IAS
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa authentication login default group radius
aaa authentication login NONE none
aaa authentication login LINE line
aaa authentication login RADIUS group radius
aaa authentication ppp default local
aaa authorization network default group radius
aaa authorization network IAS group radius
aaa authorization network NO_AUTH none
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key xxxxx
interface Ethernet0/0
 ip address x.x.x.x 255.255.0.0
!
interface Serial1/0:15
 description Connected to xxxxx
 no ip address
 encapsulation ppp
 dialer pool-member 1
 dialer pool-member 5
 dialer pool-member 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 ppp authentication pap
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 ip tcp header-compression passive
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 1800
 dialer-group 2
 async mode interactive
 peer default ip address pool sales
 no fair-queue
 ppp authentication pap
 ppp authorization IAS
 ppp multilink
 group-range 65 70

6 Replies

Richard Burts
Hall of Fame

I believe there is an inconsistency in the way that you have configured authorization. The Group-async interface defines an authorization method using: "ppp authorization IAS". And you define a matching group for a particular server using:

"aaa group server radius IAS

server x.x.x.x auth-port 1645 acct-port 1646"

However the authorization you define in the aaa section for ppp is: "aaa authorization network IAS group radius" which does not point to a recognizable group.

I suggest that you change your configuration to be: aaa authorization network IAS group IAS

HTH

Rick
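The point raised above is a dangling reference in the AAA chain: an interface names a method list, the list names a server group, and the group names servers; if any link is missing the router never builds a request. The following checker is an added example (not code from the thread or from Cisco) that walks that chain over an IOS-style config and reports broken links. It treats `group radius` and `group tacacs+` as built-in groups meaning "all configured hosts of that protocol", which is how IOS documents them, so the original poster's list would pass; the sample config below is constructed and contains two deliberate defects (list `BROKEN` and interface `Async99`) so there is something to report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the thread's config (addresses masked like the post).
# Two deliberate defects are included so the checker has something to report:
# list BROKEN points at a server group that is never defined, and Async99 points
# at an authorization list that is never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius IAS
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa authentication ppp default local
aaa authorization network default group radius
aaa authorization network IAS group radius
aaa authorization network NO_AUTH none
aaa authorization network BROKEN group NPS
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key xxxxx
interface Group-Async1
 encapsulation ppp
 ppp authentication pap
 ppp authorization IAS
 group-range 65 70
!
interface Async99
 ppp authorization MISSING
!
"""

# 'group radius' / 'group tacacs+' mean "every configured host of that protocol",
# so they are valid without an 'aaa group server' definition.
BUILTIN_GROUPS = {"radius", "tacacs+"}


def parse_config(text: str) -> dict:
    """Collect the AAA facts the checks need; indentation is not relied on."""
    server_groups: Dict[str, List[str]] = {}
    auth_lists: Dict[str, List[str]] = {}      # network authz list -> method tokens
    radius_hosts: List[str] = []
    iface_refs: List[Tuple[str, str]] = []     # (interface, list named by 'ppp authorization')
    new_model = False
    cur_group = cur_iface = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s == "!":                            # '!' closes any block
            cur_group = cur_iface = None
        elif s == "aaa new-model":
            new_model = True
        elif m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", s):
            cur_group, cur_iface = m.group(1), None
            server_groups.setdefault(cur_group, [])
        elif m := re.match(r"aaa authorization network (\S+) (.+)$", s):
            auth_lists[m.group(1)] = m.group(2).split()
            cur_group = cur_iface = None
        elif m := re.match(r"radius-server host (\S+)", s):
            radius_hosts.append(m.group(1))
            cur_group = cur_iface = None
        elif m := re.match(r"interface (\S+)$", s):
            cur_iface, cur_group = m.group(1), None
        elif cur_group and s.startswith("server "):
            server_groups[cur_group].append(s.split()[1])
        elif cur_iface and (m := re.match(r"ppp authorization (\S+)$", s)):
            iface_refs.append((cur_iface, m.group(1)))
        elif s.startswith(("aaa ", "radius-server ")):
            cur_group = cur_iface = None        # other global AAA commands end a block too
    return {"new_model": new_model, "server_groups": server_groups,
            "auth_lists": auth_lists, "radius_hosts": radius_hosts,
            "iface_refs": iface_refs}


def lint_aaa(text: str) -> List[str]:
    """Return one finding per dangling reference in the AAA authorization chain."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg["new_model"]:
        findings.append("aaa new-model is missing; named method lists are not in effect")
    any_radius_host = bool(cfg["radius_hosts"]) or any(cfg["server_groups"].values())
    for name, methods in cfg["auth_lists"].items():
        toks = iter(methods)
        for tok in toks:
            if tok != "group":
                continue                        # none / local / if-authenticated need no group
            grp = next(toks, None)
            if grp in BUILTIN_GROUPS:
                if grp == "radius" and not any_radius_host:
                    findings.append(f"list {name}: 'group radius' but no RADIUS host is configured")
            elif grp not in cfg["server_groups"]:
                findings.append(f"list {name}: server group '{grp}' is not defined")
            elif not cfg["server_groups"][grp]:
                findings.append(f"list {name}: server group '{grp}' contains no servers")
    for iface, lst in cfg["iface_refs"]:
        if lst != "default" and lst not in cfg["auth_lists"]:
            findings.append(f"{iface}: 'ppp authorization {lst}' names an undefined network authorization list")
    return findings


if __name__ == "__main__":
    for f in lint_aaa(SAMPLE_CONFIG):
        print("WARN", f)
```

Run it against a saved `show running-config`; a clean chain produces no output. It only checks that names resolve, not that the shared secret or the server address is right, which is the next thing to verify when the chain is intact and the debug still shows no request.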

Thanks for the reply and I take your point.

I don't think I needed the aaa server groups configured at all:

gw1(config)#aaa authorization network IAS group ?

WORD Server-group name

radius Use list of all Radius hosts.

tacacs+ Use list of all Tacacs+ hosts.

So to my mind it should try all radius hosts.

I added the line you suggested to use the aaa server group IAS but it still does exactly the same and never queries the aaa server.

So any further suggestions would be gratefully received!

Have you made progress on this?

If it is still not working, am I correct in understanding that authentication works correctly and that the problem is in authorization?

If it is still not working, would you post the current contents of the config and a fresh debug output?

HTH

Rick

Unfortunately, still not working.

Config and debug attached.

Nick

I have looked at the additional information that you sent and have these responses.

The debug shows pretty clearly that it recognizes that it should try radius for authorization, it does not show any communication with a radius server (even though debug radius is turned on), there is "Post authorization status = ERROR", and it says no more methods and authorization fails.

My best guess at this point is that there is a problem communicating with the radius server. The part of configuration that you posted did not include the server definition. I suggest that you look closely at that, and perhaps post it.

Do you have any data about communication with the radius server? What is the output of show radius statistics? If it were me, I might try debug ip packet with an access list which identifies any ip packet with the radius server address as the source or destination as a way to determine whether there is any communication:

debug ip packet 199

access-list 199 permit ip host any

access-list 199 permit ip any host

I am not sure why you are doing authentication locally but authorization via radius. I would have expected if the user is defined in radius that you would use radius for both. But I am not sure that this necessarily is related to the problem that you are having.

HTH

Rick
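The reading of the debug above rests on three observations: the method chosen was radius, no RADIUS exchange appeared even with debug radius on, and the status went straight to ERROR. The script below is an added example (not from the thread or from Cisco) that automates that triage over a saved debug capture: it correlates `debug aaa authorization` lines by the session id in parentheses and counts the `debug radius` send/receive lines that occur while a session is waiting on a server. The sample input is constructed: the first session is the thread's own output, the second is a made-up session with a completed exchange, using the `RADIUS: Send Access-Request` / `RADIUS: Received from` line shapes. Because `debug radius` lines carry no AAA session id, the script attributes them to the newest session still waiting on a server, which is an assumption that holds for one call at a time, not for a busy access server.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the thread's failing session, followed by a second session
# made up for this example to show what a completed RADIUS exchange looks like.
SAMPLE_DEBUG = """\
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP: Authorize LCP
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): Port='Async65' list='IAS' service=NET
Jun 17 12:20:30.388: AAA/AUTHOR/LCP: As65 (3152618189) user='testuser'
Jun 17 12:20:30.388: As65 AAA/AUTHOR/LCP (3152618189): found list "IAS"
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): Method=radius (radius)
Jun 17 12:20:30.392: As65 AAA/AUTHOR (3152618189): Post authorization status = ERROR
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): Method=NOT_SET
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP (3152618189): no methods left to try
Jun 17 12:20:30.392: As65 AAA/AUTHOR (3152618189): Post authorization status = ERROR
Jun 17 12:20:30.392: As65 AAA/AUTHOR/LCP: Denied
Jun 17 12:25:01.100: As66 AAA/AUTHOR/LCP (3152618200): Port='Async66' list='IAS' service=NET
Jun 17 12:25:01.100: As66 AAA/AUTHOR/LCP (3152618200): found list "IAS"
Jun 17 12:25:01.100: As66 AAA/AUTHOR/LCP (3152618200): Method=radius (radius)
Jun 17 12:25:01.104: RADIUS: Send Access-Request to 192.0.2.10:1645 id 1645/7, len 88
Jun 17 12:25:01.140: RADIUS: Received from id 1645/7 192.0.2.10:1645, Access-Accept, len 44
Jun 17 12:25:01.140: As66 AAA/AUTHOR (3152618200): Post authorization status = PASS_ADD
"""

SERVER_METHODS = {"radius", "tacacs+"}
AUTHOR_LINE = re.compile(r"AAA/AUTHOR(?:/\w+)? \((\d+)\): (.*)$")

# What each verdict means for the person holding the console.
HINTS = {
    "authorized": "server accepted; authorization passed",
    "no_request_sent": "RADIUS method chosen but no Access-Request left the router: "
                       "check server group membership, radius-server host/key and source interface",
    "no_reply": "Access-Request sent but nothing came back: check reachability, UDP port and shared secret",
    "failed_after_reply": "server answered but authorization still failed: check server policy and reply attributes",
    "no_server_method": "method list never reached a server (local/none only)",
    "incomplete": "no final status seen for this session",
}


def analyze_author_debug(text: str) -> Dict[str, dict]:
    """Correlate 'debug aaa authorization' and 'debug radius' lines per AAA session id."""
    sessions: Dict[str, dict] = defaultdict(
        lambda: {"list": None, "methods": [], "sent": 0, "received": 0, "status": None})
    awaiting: List[str] = []   # sessions that picked a server method and have no status yet
    for line in text.splitlines():
        if m := AUTHOR_LINE.search(line):
            sid, msg = m.group(1), m.group(2)
            s = sessions[sid]
            if lm := re.search(r"list='([^']*)'", msg):
                s["list"] = lm.group(1)
            elif mm := re.match(r"Method=(\S+)", msg):
                s["methods"].append(mm.group(1))
                if mm.group(1) in SERVER_METHODS and sid not in awaiting:
                    awaiting.append(sid)
            elif sm := re.match(r"Post authorization status = (\S+)", msg):
                s["status"] = sm.group(1)
                if sid in awaiting:
                    awaiting.remove(sid)
        elif "RADIUS" in line and awaiting:
            # debug radius lines carry no AAA session id (assumption of this example:
            # attribute them to the newest session still waiting on a server).
            if "Send Access-Request" in line:
                sessions[awaiting[-1]]["sent"] += 1
            elif "Received from" in line:
                sessions[awaiting[-1]]["received"] += 1
    return {sid: {**s, "verdict": _verdict(s)} for sid, s in sessions.items()}


def _verdict(s: dict) -> str:
    """Classify one session from its final status and the exchange counts."""
    if s["status"] == "PASS_ADD":
        return "authorized"
    if s["status"] is None:
        return "incomplete"
    if not any(m in SERVER_METHODS for m in s["methods"]):
        return "no_server_method"
    if s["sent"] == 0:
        return "no_request_sent"
    if s["received"] == 0:
        return "no_reply"
    return "failed_after_reply"


if __name__ == "__main__":
    for sid, s in analyze_author_debug(SAMPLE_DEBUG).items():
        print(f"{sid} list={s['list']} methods={s['methods']} "
              f"sent={s['sent']} rcvd={s['received']} -> {s['verdict']}: {HINTS[s['verdict']]}")
```

The thread's session comes out as `no_request_sent`, which is the case where a sniffer on the server side is expected to stay silent and the fix lives on the router; `no_reply` is the case where the packet-capture and access-list checks suggested in the post earn their keep.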

It's working now!

See the following post:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd5e6c3/39#selected_message

I managed to work it out before Zulfi posted but what he is saying is correct of course.

Nick