12-08-2018 09:48 AM - edited 02-21-2020 11:02 AM
Hello Cisco Community :)
I have a simple LAN topology, and everything works great except my RADIUS server!
So, here is my topology:
My problem is that when I try to connect to the router R1 from Administrateur via SSH, the authentication between R1 and my RADIUS server doesn't work.
Here is my R1 config:
Router1#sh run
Building configuration...
Current configuration : 3219 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9i6a$F/bE9u0iqN3NhA.TTGRKs.
!
aaa new-model
!
!
aaa authentication login ACCES_SSH group radius
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
ip dhcp excluded-address 192.168.3.254
!
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
!
ip dhcp pool VLAN3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.254
!
!
no ip domain lookup
ip domain name MyDomaine.LAN
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 5
ip ssh time-out 60
ip ssh version 2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.99.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
ip address 223.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 223.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.0.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_INTERNET_VLAN2 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN3 interface FastEthernet0/1 overload
ip nat inside source list NAT_INTERNET_VLAN99 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 80 223.0.0.1 80 extendable
!
ip access-list standard NAT_INTERNET_VLAN2
permit 192.168.2.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN3
permit 192.168.3.0 0.0.0.255
ip access-list standard NAT_INTERNET_VLAN99
permit 192.168.99.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server key router
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login authentication ACCES_SSH
transport input ssh
!
ntp master 1
ntp server 192.168.99.254
!
end
------------------------------------------------
RADIUS config :
clients.conf :
users :
------------------------------------
Administrateur config :
And the problem is :
Authentication impossible with the password : bekhechi
Error message on R1
So, if anyone has an idea about this, please tell me what the problem is. Thank you for your help :)
12-08-2018 03:12 PM
Can you try testing from the switch whether your RADIUS is working or not, with the command below:
#test aaa server Radius RADIUS-SERVER-IP USERNAME PASSWORD
Also look at the logs on the RADIUS server.
12-09-2018 05:52 AM - edited 12-09-2018 05:53 AM
Hope you're good. I tested your issue but unfortunately it doesn't work anymore!
I didn't know how to access the RADIUS log via the Linux command line.
12-09-2018 08:30 AM
Basically, in a standard setup the RADIUS log will be stored in
logdir = "/var/log/radius"
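One way to read that log from the Linux command line, as an added example that is not part of the thread: the functions below pull `logdir` out of a radiusd.conf-style file and count the log lines that distinguish an unknown client from a rejected login. It assumes a FreeRADIUS server whose main log is `radius.log` under `logdir`; the function names, the user name `user1`, the client name `R1` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File contents below are constructed samples;
# real message wording varies between FreeRADIUS versions.

# Print the literal logdir value from a radiusd.conf-style file.
# Commented-out lines are skipped; a value such as ${localstatedir}/log/radius
# is printed unexpanded.
radius_logdir() {
    sed -n 's/^[[:space:]]*logdir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Count the log lines that separate the usual failure classes:
#   unknown client  -> the router's source IP has no entry in clients.conf
#   Login incorrect -> the client is known, but the credentials (or the shared
#                      secret used to encode the password) did not match
#   Login OK        -> the server accepted the credentials
# Login lines are written only when the log section of radiusd.conf has auth = yes.
radius_log_summary() {
    awk '
        /unknown client/  { unknown++ }
        /Login incorrect/ { bad++ }
        /Login OK/        { ok++ }
        END { printf "unknown_client=%d login_incorrect=%d login_ok=%d\n", unknown, bad, ok }
    ' "$1"
}

# Run both functions against constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'prefix = /usr\nlogdir = "/var/log/radius"\n' > "$d/radiusd.conf"
    cat > "$d/radius.log" <<'EOF'
Sat Dec  8 09:40:01 2018 : Error: Ignoring request to auth address * port 1812 from unknown client 192.168.1.254 port 1645 proto udp
Sat Dec  8 09:41:12 2018 : Auth: (0) Login incorrect (pap: Cleartext password does not match "known good" password): [user1/<via Auth-Type = PAP>] (from client R1 port 2)
Sat Dec  8 09:42:30 2018 : Auth: (1) Login OK: [user1/<via Auth-Type = PAP>] (from client R1 port 2)
EOF
    echo "logdir: $(radius_logdir "$d/radiusd.conf")"
    radius_log_summary "$d/radius.log"
    rm -rf "$d"
}
demo
```

On the server itself, point `radius_logdir` at the real radiusd.conf and `radius_log_summary` at `radius.log` in the directory it prints; reading that file usually requires root.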