Cisco router and 2008 Radius

jef_rat72
Level 1

I cannot seem to get this to work; can someone see an error on the Cisco side? My thought is that it's a Microsoft issue, but I would like to have my config reviewed anyway. Here is my config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1700
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$37j7$ctmkX1PFlJmmNnLv5mFK
!
aaa new-model
!
aaa authentication login test group radius local
aaa authorization exec test group radius local
!
aaa session-id common
tdm clock T1 1/0 both export line
!
voice-card 2
!
voice-card 3
!
ip cef
!
username cisco privilege 15 password 0 cisco
!
controller T1 1/0
 framing esf
 linecode b8zs
!
interface FastEthernet0/0
 ip address 192.168.1.140 255.255.255.0
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
no ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
!
radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
voice-port 2/0
!
voice-port 2/1
!
voice-port 3/0
!
voice-port 3/1
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication test
 transport input telnet

Here is the AAA debug:

1700#
*Jun 20 11:21:23.616: AAA/BIND(00000009): Bind i/f
*Jun 20 11:21:23.616: AAA/ACCT/EVENT/(00000009): CALL START
*Jun 20 11:21:23.616: Getting session id for NET(00000009) : db=8321E8A8
*Jun 20 11:21:23.616: AAA/ACCT(00000000): add node, session 7
*Jun 20 11:21:23.616: AAA/ACCT/NET(00000009): add, count 1
*Jun 20 11:21:23.616: Getting session id for NONE(00000009) : db=8321E8A8
*Jun 20 11:21:23.616: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:21:32.306: Getting session id for EXEC(00000009) : db=8321E8A8
*Jun 20 11:21:34.322: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:22:04.968: AAA/ACCT/EVENT/(00000009): EXEC DOWN
*Jun 20 11:22:06.971: AAA/ACCT/EVENT/(00000009): CALL STOP
*Jun 20 11:22:06.971: AAA/ACCT/CALL STOP(00000009): Sending stop requests
*Jun 20 11:22:06.975: AAA/ACCT(00000009): Send all stops
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): STOP
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): Method list not found
*Jun 20 11:22:06.975: AAA/ACCT(00000009): del node, session 7
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): free_rec, count 0
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009) reccnt 0, csr TRUE, osr 0
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): Last rec in db, intf not enqueued
*Jun 20 11:22:13.025: AAA/BIND(0000000A): Bind i/f
*Jun 20 11:22:13.025: AAA/ACCT/EVENT/(0000000A): CALL START
*Jun 20 11:22:13.025: Getting session id for NET(0000000A) : db=8321ED5C

On my Windows 2008 SP2 server (192.168.1.38), in the event log I see a "special logon" event, ID 4672.

2 Replies

Calvin Ryver
Level 1

You may want to turn on the following debugs:

debug radius
debug aaa authen

The message you got says the user is part of a special group. I do not really see a failure. There should be more of a message on the RADIUS server.

See the link:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672

Thanks for the link, Calvin.

I actually got it to work by just old-fashioned trial and error. It turned out to be two things:

Microsoft 2008 R2 NPS > Policies > Network Policies > "Wireless Policy I created" > Authentication Methods: CHAP had to be enabled.

Microsoft 2008 R2 NPS > Policies > Network Policies > "Wireless Policy I created" > Conditions: delete the friendly name I read I needed to create. This "various RADIUS clients" part was not so important to us (it will make sense if you follow the link).

I mainly used this link, for anyone interested:

http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html
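Below is an added Python example, not code from this thread or from Cisco or Microsoft, of the RADIUS exchange the 1700 and the NPS server are having. The NAS side builds an Access-Request carrying the login password as a PAP User-Password attribute, which is what an IOS exec login sends (a CHAP-Password variant is built alongside for comparison); the server side recovers or verifies the password and answers Access-Accept or Access-Reject; the NAS side then checks the Response Authenticator. The shared secret "cisco" and the NAS address 192.168.1.140 are taken from the posted config; the account jef / S3cretPw is a constructed sample, and server_decide is a stand-in for NPS policy evaluation, not NPS itself. The last two functions show why the secret matters: an Accept forged without it fails the authenticator check, and a dictionary-word secret is recovered from one captured request/response pair, after which every PAP password on the wire can be read.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept round trip between a NAS and a
RADIUS server. Added as a stand-alone illustration, not code from this thread; the
secret and NAS address are from the posted config, the account is a made-up sample."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60
SECRET = b"cisco"                # radius-server host 192.168.1.38 ... key cisco
NAS_IP = "192.168.1.140"         # ip radius source-interface FastEthernet0/0
USERS = {b"jef": b"S3cretPw"}    # constructed sample account on the server side


def attr(t, value):
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", t, len(value) + 2) + value


def pap_crypt(secret, authenticator, data, hide):
    """RFC 2865 5.2 User-Password hiding and its inverse: each 16-byte block is XORed
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    It is reversible by anyone who holds the shared secret."""
    if hide:
        data = data.ljust(-(-len(data) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\0")


def chap_response(chap_id, password, challenge):
    """RFC 2865 5.3: the CHAP-Password value is MD5(ID + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_access_request(secret, ident, username, password, method="pap", auth=None):
    """NAS side. An IOS exec login sends PAP; CHAP is built here for contrast."""
    auth = auth or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
    if method == "pap":
        attrs += attr(USER_PASSWORD, pap_crypt(secret, auth, password, hide=True))
    else:  # no CHAP-Challenge attribute, so the Request Authenticator is the challenge
        attrs += attr(CHAP_PASSWORD, b"\x01" + chap_response(1, password, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse(packet):
    """Split a packet into (code, id, authenticator, {attr type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, i = {}, 20
    while i < length:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return code, ident, packet[4:20], attrs


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_decide(secret, packet, allow_pap=True, allow_chap=True):
    """Server side. A correct password still gets Access-Reject when its method is
    not enabled in the matching policy, which is what an NPS method mismatch looks like."""
    _, ident, auth, a = parse(packet)
    pw, ok = USERS.get(a.get(USER_NAME)), False
    if pw and USER_PASSWORD in a and allow_pap:
        ok = hmac.compare_digest(pap_crypt(secret, auth, a[USER_PASSWORD], hide=False), pw)
    elif pw and CHAP_PASSWORD in a and allow_chap:
        cp = a[CHAP_PASSWORD]
        ok = hmac.compare_digest(cp[1:], chap_response(cp[0], pw, a.get(CHAP_CHALLENGE, auth)))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return code, build_response(secret, code, ident, auth)


def verify_response(secret, request, response):
    """NAS side: an Access-Accept forged without the secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(request, response, candidates):
    """Offline wordlist check of one captured request/response pair: one MD5 per
    guess, so a secret like "cisco" falls immediately and exposes every PAP password."""
    return next((s for s in candidates if verify_response(s, request, response)), None)


def demo():
    req = build_access_request(SECRET, 9, b"jef", b"S3cretPw")
    code, resp = server_decide(SECRET, req)
    nopap, _ = server_decide(SECRET, req, allow_pap=False)
    chap, _ = server_decide(SECRET, build_access_request(SECRET, 10, b"jef", b"S3cretPw", "chap"))
    forged = build_response(b"guess", ACCESS_ACCEPT, 9, req[4:20])
    return {"pap_accepted": code == ACCESS_ACCEPT and verify_response(SECRET, req, resp),
            "rejected_when_pap_disabled": nopap == ACCESS_REJECT,
            "chap_accepted": chap == ACCESS_ACCEPT,
            "forged_accept_detected": not verify_response(SECRET, req, forged),
            "secret_recovered": guess_secret(req, resp, [b"radius", b"secret", b"cisco"])}
```

Two things the debug output above cannot show are visible here: a request can be well-formed and carry the right password and still draw a Reject when the policy does not allow its authentication method, and the only thing between a capture of this exchange and the vty password is the strength of the shared secret. NPS matches the RADIUS client entry by the request's source address, so with `ip radius source-interface FastEthernet0/0` in the posted config the client registered on the server must be 192.168.1.140, and its secret must equal the `key` on the `radius-server host` line.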