09-06-2011 11:30 AM - edited 03-10-2019 06:22 PM
I cannot seem to get this to work. Can someone see an error on the Cisco side? My thought is it's a Microsoft issue, but I would like to have my config reviewed anyway. Here is my config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1700
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$37j7$ctmkX1PFlJmmNnLv5mFK
!
aaa new-model
!
aaa authentication login test group radius local
aaa authorization exec test group radius local
!
aaa session-id common
tdm clock T1 1/0 both export line
!
voice-card 2
!
voice-card 3
!
ip cef
!
username cisco privilege 15 password 0 cisco
!
controller T1 1/0
 framing esf
 linecode b8zs
!
interface FastEthernet0/0
 ip address 192.168.1.140 255.255.255.0
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
no ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0
!
radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
voice-port 2/0
!
voice-port 2/1
!
voice-port 3/0
!
voice-port 3/1
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication test
 transport input telnet
Here is AAA debug:
1700#
*Jun 20 11:21:23.616: AAA/BIND(00000009): Bind i/f
*Jun 20 11:21:23.616: AAA/ACCT/EVENT/(00000009): CALL START
*Jun 20 11:21:23.616: Getting session id for NET(00000009) : db=8321E8A8
*Jun 20 11:21:23.616: AAA/ACCT(00000000): add node, session 7
*Jun 20 11:21:23.616: AAA/ACCT/NET(00000009): add, count 1
*Jun 20 11:21:23.616: Getting session id for NONE(00000009) : db=8321E8A8
*Jun 20 11:21:23.616: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:21:32.306: Getting session id for EXEC(00000009) : db=8321E8A8
*Jun 20 11:21:34.322: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:22:04.968: AAA/ACCT/EVENT/(00000009): EXEC DOWN
*Jun 20 11:22:06.971: AAA/ACCT/EVENT/(00000009): CALL STOP
*Jun 20 11:22:06.971: AAA/ACCT/CALL STOP(00000009): Sending stop requests
*Jun 20 11:22:06.975: AAA/ACCT(00000009): Send all stops
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): STOP
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): Method list not found
*Jun 20 11:22:06.975: AAA/ACCT(00000009): del node, session 7
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): free_rec, count 0
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009) reccnt 0, csr TRUE, osr 0
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): Last rec in db, intf not enqueued
*Jun 20 11:22:13.025: AAA/BIND(0000000A): Bind i/f
*Jun 20 11:22:13.025: AAA/ACCT/EVENT/(0000000A): CALL START
*Jun 20 11:22:13.025: Getting session id for NET(0000000A) : db=8321ED5C
On my Windows 2008 SP2 server (192.168.1.38), in the event log I see a "special logon" event ID 4672.
09-10-2011 06:55 AM
You may want to turn on the following debugs:
debug radius
debug aaa authen
The message you got says the user is part of a special group. I do not really see a failure. There should be more of a message in the RADIUS server.
See the link:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
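An added example, not part of the thread: a small Python script that groups the AAA debug lines from the first post by session id and notes what the capture does and does not show. The function names are hypothetical, the sample is a subset of the posted debug, and the check for lines starting with "RADIUS" assumes that is how `debug radius` output is prefixed.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the AAA debug lines quoted in the first post.
SAMPLE = """\
*Jun 20 11:21:23.616: AAA/BIND(00000009): Bind i/f
*Jun 20 11:21:23.616: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:21:34.322: AAA/AUTHEN/LOGIN (00000009): Pick method list 'test'
*Jun 20 11:22:04.968: AAA/ACCT/EVENT/(00000009): EXEC DOWN
*Jun 20 11:22:06.975: AAA/ACCT/NET(00000009): Method list not found
*Jun 20 11:22:13.025: AAA/BIND(0000000A): Bind i/f
"""

LINE = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): (.*)$")
SESSION = re.compile(r"\(([0-9A-F]{8})\)")
PICK = re.compile(r"AAA/AUTHEN/LOGIN .*Pick method list '([^']+)'")

def summarize(text):
    """Group IOS AAA debug lines by the 8-hex-digit session id."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        sid = SESSION.search(m.group(2)) if m else None
        if not sid:
            continue
        # The debug carries no year; 2000 is a placeholder to give strptime a full date.
        stamp = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        s = sessions.setdefault(sid.group(1), {"first": stamp, "method_lists": [],
            "exec_down": False, "acct_no_list": False, "radius_lines": 0})
        s["last"] = stamp
        body = m.group(2)
        pick = PICK.search(body)
        if pick:
            s["method_lists"].append(pick.group(1))
        s["exec_down"] |= "EXEC DOWN" in body
        s["acct_no_list"] |= "AAA/ACCT" in body and "Method list not found" in body
        # Assumption: lines produced by 'debug radius' start with "RADIUS".
        s["radius_lines"] += body.startswith("RADIUS")
    return sessions

def findings(s):
    """Turn one session summary into notes for whoever reads the debug."""
    notes = []
    if len(s["method_lists"]) > 1:
        notes.append("login method list picked %d times" % len(s["method_lists"]))
    if s["method_lists"] and s["radius_lines"] == 0:
        notes.append("no RADIUS lines captured: add 'debug radius' to see the server reply")
    if s["acct_no_list"]:
        notes.append("accounting stop found no method list (no 'aaa accounting' configured)")
    return notes
```

Running `findings()` on each entry returned by `summarize(SAMPLE)` shows that session 00000009 picked method list 'test' twice and ended without any RADIUS exchange in the capture, which is why the AAA debug alone cannot say whether the server accepted or rejected the login.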
09-10-2011 10:48 AM
Thanks for the link Calvin.
I actually got it to work by just old-fashioned trial and error. Turned out to be two things:
Microsoft 2008 R2 NPS>Policies>Network Policies>"Wireless Policy I created">Authentication Methods.... CHAP had to be enabled.
Microsoft 2008 R2 NPS>Policies>Network Policies>"Wireless Policy I created">Conditions..... delete the friendly name I read I needed to create. This "various RADIUS Clients was not so important to us" (will make sense if you follow link)
I mainly used this link for anyone interested:
http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html