Please help troubleshooting RADIUS

nguyenbinh
Level 1

I could telnet in to my Cisco 2620 using RADIUS authentication

"telnet 192.168.4.10 2033" (provide username/pass)

and then type AT, to which my modem replies with OK.

I could also dial in to the NAS with a local user.

But I could not dial in using a RADIUS user.

Please help me troubleshoot the problem.

I enclose the debug information and also the configuration I used.

Thank you,

Nguyen Nhat Binh

Username: test

Password:

Cisco2620>ena

Password:

Cisco2620#

Cisco2620#

Cisco2620#

Cisco2620#terminal monitor

Cisco2620#

02:28:00: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:28:00: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:28:24: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:28:29: %LINK-3-UPDOWN: Interface Async33, changed state to down

02:28:35: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:28:35: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:28:46: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:28:51: %LINK-3-UPDOWN: Interface Async33, changed state to down

02:29:15: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:29:15: %LINK-3-UPDOWN: Interface Async33, changed state to up

02:29:16: AAA: parse name=Async33 idb type=10 tty=33

02:29:16: AAA: name=Async33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 channel=0

02:29:16: AAA/MEMORY: create_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1

02:29:16: AAA/AUTHEN/START (327574709): port='Async33' list='' action=LOGIN service=PPP

02:29:16: AAA/AUTHEN/START (327574709): using "default" list

02:29:16: AAA/AUTHEN (327574709): status = UNKNOWN

02:29:16: AAA/AUTHEN/START (327574709): Method=radius (radius)

02:29:16: RADIUS: ustruct sharecount=1

02:29:16: RADIUS: Initial Transmit Async33 id 89 192.168.4.141:1645, Access-Request, len 75

02:29:16: Attribute 4 6 C0A8040A

02:29:16: Attribute 5 6 00000021

02:29:16: Attribute 61 6 00000000

02:29:16: Attribute 1 6 74657374

02:29:16: Attribute 3 19 27440611

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: RADIUS: Received from id 89 192.168.4.141:1645, Access-Accept, len 44

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: Attribute 27 6 0098967F

02:29:16: Attribute 28 6 0000000A

02:29:16: AAA/AUTHEN (327574709): status = PASS

02:29:16: As33 AAA/AUTHOR/LCP: Authorize LCP

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Port='Async33' list='' service=NET

02:29:16: AAA/AUTHOR/LCP: As33 (1939832978) user='test'

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV service=ppp

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV protocol=lcp

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): found list "default"

02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Method=radius (radius)

02:29:16: As33 AAA/AUTHOR (1939832978): Post authorization status = PASS_REPL

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV service=ppp

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999

02:29:16: As33 AAA/AUTHOR/LCP: timeout failed

02:29:16: As33 AAA/AUTHOR/LCP: Denied

02:29:16: AAA/MEMORY: free_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1

02:29:18: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

02:29:20: %LINK-5-CHANGED: Interface Async33, changed state to reset

02:29:25: %LINK-3-UPDOWN: Interface Async33, changed state to down

*************************************************************

! Cisco2620.cfg - Cisco router configuration file

! Automatically created by Cisco ConfigMaker v2.6 Build 6

! Wednesday, December 31, 2003, 01:58:10 PM

!

! Hostname: Cisco2620

! Model: 2620

! *************************************************************

!

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service tcp-small-servers

no service udp-small-servers

!

hostname Cisco2620

!

enable password xxxxx

username dong password xxxx

!

no ip name-server

!

ip subnet-zero

no ip domain-lookup

ip routing

!

interface FastEthernet 0/0

no shutdown

description connected to EthernetLAN

ip address 192.168.4.10 255.255.255.0

no keepalive

!

interface Async 33

no shutdown

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet 0/0

ip tcp header-compression passive

encapsulation ppp

async mode dedicated

! group-range 33 33

ppp authentication chap pap

no cdp enable

peer default ip address pool Cisco2620-Group-1

!

router rip

version 2

network 192.168.4.0

no auto-summary

!

!

ip local pool Cisco2620-Group-1 10.10.10.10 10.10.10.10

ip classless

no ip http server

snmp-server community public RO

no snmp-server location

no snmp-server contact

!

line console 0

exec-timeout 0 0

password a

login

!

line vty 0 4

password xxxx

login

!

line 33

exec

autoselect ppp

autoselect during-login

login local

modem InOut

transport input all

stopbits 1

speed 38400

flowcontrol hardware

!

aaa new-model

aaa authentication login default radius local

aaa authentication login no_radius enable

aaa authentication ppp default if-needed radius

aaa authorization network radius

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

radius-server host 192.168.4.11 auth-port 1645 acct-port 1646

radius-server key ubtq

gfullage
Cisco Employee

This looks to be the problem:

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999

02:29:16: As33 AAA/AUTHOR/LCP: timeout failed

02:29:16: As33 AAA/AUTHOR/LCP: Denied

You're doing authorization (not just authentication) on your dialup users; not sure if you really want that or not. If so, then you will have a session-timeout set in the RADIUS user's profile; you can see the RADIUS server replying with this:

02:29:16: Attribute 6 6 00000002

02:29:16: Attribute 7 6 00000001

02:29:16: Attribute 27 6 0098967F

02:29:16: Attribute 28 6 0000000A

which when decoded becomes:

02:29:16: Service-Type Framed

02:29:16: Framed-Protocol PPP

02:29:16: Session-Timeout 9999999

02:29:16: Idle-Timeout 10

I would say the NAS/router doesn't like the Session-Timeout being so high, try lowering it and see what happens.

Alternatively, if you don't really want to do authorization for your dialup users, then remove the line:

aaa authorization network radius

and the problem should also go away.

Thank you a lot for your support, I resolved the problem. Actually, I do not need authorization.

Wish you all the best for a new year.