03-30-2001 08:22 AM - edited 02-21-2020 10:29 PM
Need basic RADIUS and aaa command line for 2511 access router. Using sample configuration for basic radius and aaa. Using MS IAS. For some reason it will not authenticate between router and radius server.
04-05-2001 07:32 AM
04-11-2001 05:12 PM
I was talking to somebody in the CISCO booth today about digital signature authentication in a RADIUS environment and they suggested that a good forum for the question would be here ... as to whether anybody at Cisco would be interested in deploying such an enhanced RADIUS product.
Ever since having done some electronic commerce work in the early '90s, I've been looking at making it more secure; basically pushing strong authentication further and further into the business processes.
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
One of the things that I started to notice was that certificates tended to replicate a small subset of information that was maintained in real time in business account records. Besides certificates being stale information, they might unnecessarily divulge information that wasn't required in the business context (i.e. name and address in identity certificates when name and address was not necessary).
As part of that effort, it became very apparent that many business contexts would be better served with public keys registered in account records.
Work has been done on a passed financial standard that provides digital signature authentication (w/o requiring certificates) for all account-based retail payments:
http://webstore.ansi.org/ansidocstore/product.asp?sku=DSTU+X9%2E59%2D2000
We've looked at applying a similar paradigm to internet authentication; specifically looking at adding public key registration to RADIUS capability and RADIUS performing digital signature authentication using public key in the RADIUS database (in lieu of a certificate).
Furthermore, web server client authentication could similarly be done with web servers supporting RADIUS and RADIUS digital signature authentication (not just for modem pool concentrator session connection). The benefit to some large ISP/webhoster is that they could have a single common administrative interface for managing all authentication information and allowing on a client and/or account basis an expanded choice of authentication paradigms integrated into a single common (existing) infrastructure.
In general this digital signature model is discussed in various forms at:
Some RADIUS-specific discussion from past newsgroups:
http://www.garlic.com/~lynn/2000b.html#14
http://www.garlic.com/~lynn/2000b.html#46
05-10-2001 01:15 PM
Check whether router can reach radius server.
If so, check whether radius is accepting the packets from radius to authenticate (make sure that Clients file has router's IP address and secret). Hope it will help you.
06-18-2001 10:51 AM
I used to have that problem but after putting a checkmark on pap authentication in IAS, it worked like a charm. Default auth is MS-CHAP and router tries PAP.
Sam Munzani
CCIE # 6479
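Added example, not part of any post in this thread: a Python sketch of the RFC 2865 User-Password hiding that a NAS applies to a PAP password, showing why both checks suggested above (matching shared secret, PAP enabled on the server) decide between Access-Accept and Access-Reject. The `server_decision` function, its policy set and every sample value are constructed assumptions, not IAS or IOS behaviour verbatim.

```python
import hashlib
import hmac

def _xor_chain(data, secret, authenticator, decrypt):
    # RFC 2865 sec. 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out

def hide_password(password, secret, authenticator):
    """NAS side: build the User-Password attribute value for a PAP login."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the secret configured for this client."""
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def server_decision(attrs, client_secret, authenticator, stored_password, allowed):
    """Hypothetical, simplified server policy: returns (decision, reason)."""
    if "User-Password" not in attrs:
        return "Access-Reject", "request carries no PAP credential"
    if "PAP" not in allowed:
        return "Access-Reject", "PAP not enabled in server policy"
    got = recover_password(attrs["User-Password"], client_secret, authenticator)
    if not hmac.compare_digest(got, stored_password):
        return "Access-Reject", "password mismatch (bad password or wrong shared secret)"
    return "Access-Accept", "ok"

# Constructed sample values, not taken from the thread.
AUTH = bytes(range(16))
NAS_SECRET = b"constructed-secret"
PASSWORD = b"constructed-password"
REQUEST = {"User-Name": b"dialuser",
           "User-Password": hide_password(PASSWORD, NAS_SECRET, AUTH)}

if __name__ == "__main__":
    for secret, allowed in [(NAS_SECRET, {"PAP", "MS-CHAP"}),
                            (NAS_SECRET, {"MS-CHAP"}),
                            (b"typo-in-clients-file", {"PAP", "MS-CHAP"})]:
        print(sorted(allowed), server_decision(REQUEST, secret, AUTH, PASSWORD, allowed))
```

A wrong shared secret and a wrong password look identical to the server, which is why the router-side debug output alone often cannot tell the two apart.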
06-24-2001 04:16 PM
Also check dial up settings if using 95 or 98 to see if encrypted or not. Then as a client tries to authenticate, deb ppp neg to see more of the reason it may be happening and post trace here.
07-01-2001 09:26 PM
Hi dcalvin,
U first need to understand how AAA works. AAA process (triple A) consists of Authentication, Authorisation & Accounting. First u need to know at which of the above points your connection is dropped. To do this enable the following debugging on your NAS (Access Server): debug aaa authentication, debug aaa authorization, debug aaa accounting, debug radius, debug ppp negotiation. Then telnet to the NAS & enable the telnet session to capture the NAS log to a file. Then dial into the NAS (make sure u set up the NAS as well as the radius server to use PAP authentication). Then examine the log generated & trace down where exactly the connection is dropped. Locate the error message & search the Cisco site for an explanation of the error. Also examine the Access-Accept or Access-Reject responses from the Radius server, i.e. the attributes in the response messages. Best of luck
Edgar
08-20-2001 10:58 AM
No need for any more replies---I have it working. Thanks for all the suggestions.