RADIUS and aaa authentication

dcalvin
Level 1

Need a basic RADIUS and AAA command-line configuration for a 2511 access router. I am using the sample configuration for basic RADIUS and AAA, with MS IAS as the server. For some reason there is no authentication happening between the router and the RADIUS server.

7 Replies

lynn.wheeler
Level 1

I was talking to somebody in the Cisco booth today about digital signature authentication in a RADIUS environment, and they suggested that this would be a good forum for the question of whether anybody at Cisco would be interested in deploying such an enhanced RADIUS product.

Ever since doing some electronic commerce work in the early '90s, I've been looking at making it more secure; basically pushing strong authentication further and further into the business processes.

http://www.garlic.com/~lynn/aadsm5.htm#asrn2

http://www.garlic.com/~lynn/aadsm5.htm#asrn3

One of the things I started to notice was that certificates tended to replicate a small subset of the information that was maintained in real time in business account records. Besides being stale information, certificates might unnecessarily divulge information that wasn't required in the business context (i.e. name and address in identity certificates when name and address were not necessary).

As part of that effort, it became very apparent that many business contexts would be better served with public keys registered in account records.

Work has been done on a passed financial standard that provides digital signature authentication (without requiring certificates) for all account-based retail payments:

http://webstore.ansi.org/ansidocstore/product.asp?sku=DSTU+X9%2E59%2D2000

We've looked at applying a similar paradigm to Internet authentication; specifically, adding public key registration to the RADIUS capability and having RADIUS perform digital signature authentication using the public key in the RADIUS database (in lieu of a certificate).

Furthermore, web server client authentication could similarly be done with web servers supporting RADIUS and RADIUS digital signature authentication (not just for modem pool concentrator session connections). The benefit to a large ISP/webhoster is that they could have a single common administrative interface for managing all authentication information and could allow, on a client and/or account basis, an expanded choice of authentication paradigms integrated into a single common (existing) infrastructure.

In general this digital signature model is discussed in various forms at:

http://www.garlic.com/~lynn/

Some RADIUS-specific discussion from past newsgroups:

http://www.garlic.com/~lynn/2000b.html#14

http://www.garlic.com/~lynn/2000b.html#46

http://www.garlic.com/~lynn/2001d.html#20

http://www.garlic.com/~lynn/2001d.html#46

ppillai
Level 1

Check whether the router can reach the RADIUS server.

If so, check whether the RADIUS server is accepting the packets from the router for authentication (make sure that the Clients file has the router's IP address and secret). Hope it will help you.

I used to have that problem, but after putting a checkmark on PAP authentication in IAS, it worked like a charm. The default auth in IAS is MS-CHAP and the router tries PAP.

Sam Munzani

CCIE # 6479

Also check the dial-up settings if you are using Windows 95 or 98 to see whether encryption is required or not. Then, as a client tries to authenticate, run deb ppp neg (debug ppp negotiation) to see more of the reason it may be happening, and post the trace here.

e.rebello
Level 1

Hi dcalvin,

You first need to understand how AAA works. The AAA process (triple A) consists of Authentication, Authorisation and Accounting. First you need to know at which of the above points your connection is dropped. To do this, enable the following debugging on your NAS (access server): debug aaa authentication, debug aaa authorization, debug aaa accounting, debug radius, debug ppp negotiation. Then telnet to the NAS and set the telnet session to capture the NAS log to a file.

Then dial into the NAS (make sure you set up the NAS as well as the RADIUS server to use PAP authentication). Examine the log generated and trace down where exactly the connection is dropped. Locate the error message and search the Cisco site for an explanation of the error. Also examine the Access-Accept or Access-Reject responses from the RADIUS server, i.e. the attributes in the response messages. Best of luck.

Edgar
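A minimal configuration of the kind the original question asks for, added here as an example; it is not from any post in this thread and is not Cisco's sample configuration. It assumes a 2511 with modems on async lines 1-16, Ethernet0 (192.0.2.1/24) facing the IAS server at 192.0.2.10 (both RFC 5737 documentation addresses), a shared secret of s3cret, a placeholder local fallback account, and an IOS release that accepts the "group radius" method-list keyword (on older releases the same method lists are written without "group", e.g. "aaa authentication ppp default radius local"). As the replies above state, the IAS side must list the router's IP address with the same secret as a RADIUS client and must have PAP enabled in the remote access policy, because the router offers PAP here.

```text
! Added example configuration for a Cisco 2511 NAS; not from the thread or Cisco's sample config.
! Assumed values: RADIUS server 192.0.2.10, shared secret s3cret, Ethernet0 = 192.0.2.1/24,
! modems on async lines 1-16, a placeholder local account. Replace them with your own.
!
aaa new-model
!
! Method lists: RADIUS is tried first; "local" is used only if every RADIUS server times out,
! never when the server answers with Access-Reject.  Older IOS: omit the word "group".
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
! Local fallback account for console/vty access when the RADIUS server is unreachable (placeholder).
username admin password 0 ChangeMe
!
! The key must match the secret entered for this router's address in the IAS client list.
! Ports are given explicitly so they match what IAS is listening on (assumed 1812/1813 here;
! the IOS default is 1645/1646).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key s3cret
radius-server timeout 5
radius-server retransmit 3
! Source every RADIUS packet from Ethernet0 so the address IAS sees is the one it has registered.
ip radius source-interface Ethernet0
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
ip local pool DIALIN 192.0.2.100 192.0.2.115
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ! PAP is what the replies above found works with IAS once PAP is ticked in the policy.
 ! If you change this to chap or ms-chap, enable the same method in the IAS policy.
 ppp authentication pap
 group-range 1 16
!
line 1 16
 login authentication default
 autoselect ppp
 modem InOut
 flowcontrol hardware
 speed 115200
```

With this loaded, the debugs listed in the previous reply (debug radius, debug aaa authentication, debug ppp negotiation) show whether the Access-Request leaves the router and whether an Access-Accept or Access-Reject comes back. A shared-secret or client-address mismatch shows up on the router as RADIUS timeouts or rejects, so check the IAS event log on the server side as well.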

dcalvin
Level 1

No need for any more replies; I have it working. Thanks for all the suggestions.