05-28-2008 03:10 PM - edited 03-10-2019 03:52 PM
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
!
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Tester
!
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
!
username test password xxx
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
!
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
!
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
!
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
!
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
!
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server?
Thank you for any assistance you may be able to provide.
06-11-2008 04:28 PM
I have not made any progress troubleshooting PPPoE. I configured a connection as described on the Carrick Solutions web site (thank you for that link), but my router is still not forwarding the authentication requests to my RADIUS server.
I have also used NTRadPing to test authentication. When I set it to test the RADIUS server directly, the RADIUS server sends an Access-Accept response. If I set NTRadPing to send a broadcast authentication request, the RADIUS server itself responds, but the Cisco router does not forward the requests to the RADIUS server. And, if I set NTRadPing to send the requests directly to the Cisco router, the router does not forward the requests. The Cisco router is just ignoring the requests, unless I'm logging directly onto the router using HyperTerminal. And, it does not block unauthorized access to the network.
At this point, I'm completely stumped and spend my days searching the Internet for solutions and trying every configuration I can find.
06-11-2008 04:46 PM
Perhaps you can post the Cisco AAA configuration you are/were using during the PPPoE testing, with some topology info (i.e.: which physical ports the devices interconnect on).
Have you placed a sniffer between the host and switch to verify whether the host is sending PPPoE packets, and determined whether the switch responds on the wire?
06-11-2008 07:51 PM
If you explore Authentication Proxy and it works, it might make you forget PPPoE pretty fast.
If you decide to pursue PPPoE further, the following link is probably where you would find most of Cisco's information on PPPoE:
http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html
Cisco's "Service Providers" forums might provide some guidance on whether PPPoE is achievable with your platform and environment?
06-12-2008 04:04 PM
You were absolutely right about the Authentication Proxy. I finally found what I was looking for in the Cisco Field Manual: Router Configuration book, Chapter 13 (on safari.oreilly.com).
Here is my config, for anyone else who has the same struggle:
hostname Tester
!
logging buffered 10000 debugging
enable secret 5 **************************
!
aaa new-model
!
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
!
no ip bootp server
ip auth-proxy inactivity-timer 120
ip auth-proxy name Customers http
ip audit po max-events 100
!
username test password 7 **************
username admin password 7 *************
!
interface FastEthernet0/0
description To Internet
ip address x.x.x.x 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/1
description To Internal Network Dumb Switch
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip auth-proxy Customers
load-interval 30
speed auto
full-duplex
no cdp enable
!
ip nat pool test x.x.x.x x.x.x.x netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip http server
ip http access-class 40
ip http authentication aaa
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip radius source-interface FastEthernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
access-list 40 deny any
no cdp run
!
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
!
line con 0
exec-timeout 0 0
password 7 *********
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 ************
logging synchronous
The router IS forwarding the packets to my RADIUS server now, and when I try to access the Internet using my web browser, an authentication screen pops up in the browser. No additional setup on users' computers is necessary.
I am not able to authenticate, but my RADIUS server IS sending Access-Reject messages, which means the two are communicating, and the router is blocking unauthenticated access. I can see the packets being passed from my test workstation to the router, and then the router forwarding them on to the RADIUS server. Authentication issues I can resolve; I'm sure it just has something to do with the encryption.
Thank you so much for all your help, Michael. I really appreciate it!
06-13-2008 07:56 AM
When you have everything working to your satisfaction, consider exploring "ip http secure-server" to protect the Auth Proxy credential exchange between the host and router.
Unless my memory is failing me, when "ip http secure-server" was used in addition to "ip http server", I think the Auth Proxy credential exchange was secure.
I don't think you can use "ip http secure-server" by itself, so make sure you retain "ip http server".
If you want syslog messages for Authentication Proxy, consider:
ip auth-proxy auth-proxy-audit
Downloadable ACL observations:
1. Must use the keyword "any" as the source in auth-proxy ACEs configured on the RADIUS server. Tried using host
2. When the RADIUS server passes the proxyacl AV pair to the router it contains the "any" keyword as the source. However, the router will translate the "any" keyword to the "authenticated IP address" before installing the temporary ACEs in the interface ACL.
Keep us posted on your progress until complete.
06-17-2008 01:19 PM
I have made no further progress. I can see the packets going from my computer, to the router, and then the router sending RADIUS request packets to the server, and the server sending RADIUS access-accept packets to the router, but the router is not adding any dynamic ACLs to allow Internet access. According to Cisco Document ID: 13889, the access list should be passed down from the RADIUS server, adding dynamic entries post-authorization to an ACL, allowing access.
I am unsure how this happens. Am I supposed to add ACL entries to the RADIUS server (ClearBox) as VSAs or commands to be passed back to the Cisco router? Or is the Cisco router supposed to "understand" the access-accept packets and automatically allow the authenticated computer access? I posed this question to the ClearBox forum, but have not received a response.
BK
06-17-2008 02:58 PM
Absolutely, you need to configure the downloadable ACL on the RADIUS server. If you don't configure it, it cannot be passed to the router for installation in the interface ACL.
You need to use the vendor specific AV pair: [026/009/001] cisco-av-pair.
The syntax for the [009\001] cisco-av-pair would be:
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit tcp any any eq 80
auth-proxy:proxyacl#2=permit tcp any any eq 25
auth-proxy:proxyacl#3=permit tcp any any eq 110
.
etc., depending on your specific desired security policy.
Please review the additional notes in my last post pertaining to the use of the keyword "any".
I have attached a Wireshark capture of the Auth Proxy Access-Accept frame so you can see an example of the AV pairs being passed to the AAA client (router).
Although you are not using Cisco Secure ACS, the following document may still provide some clarity:
http://www.cisco.com/application/pdf/paws/17778/auth_intro.pdf
Also, I've attached two other documents in my possession that I had difficulty finding the links for.
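The two posts above describe the wire format the router expects (a RADIUS Vendor-Specific Attribute, attribute 26, vendor 9, vendor-type 1, carrying `auth-proxy:...` strings) and the rule that the router rewrites the `any` source of each `proxyacl#N` entry to the authenticated host's address. The following is an added example, not code from the thread or from ClearBox: it encodes and decodes cisco-av-pair VSAs per RFC 2865, builds a complete Access-Accept with a correct Response Authenticator for the shared key, mirrors the router's format check (so a dash in place of `=` is rejected, the error the original poster later saw), and performs the `any`-to-host rewrite. The sample AV pairs, the identifier, the zeroed Request Authenticator and the key `secret` are constructed inputs.

```python
"""
RADIUS cisco-av-pair VSA encode/decode and auth-proxy downloadable ACL
handling. Added example; packet layout follows RFC 2865 (sections 3 and 5.26).
"""
import hashlib
import ipaddress
import re
import struct

ACCESS_ACCEPT = 2
RADIUS_VSA = 26          # Vendor-Specific attribute type
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1        # vendor-type for cisco-av-pair

# Accepted auth-proxy forms: "auth-proxy:priv-lvl=15" and
# "auth-proxy:proxyacl#<n>=<ace>". Note the '=' separator.
AV_PAIR_RE = re.compile(r"^auth-proxy:(?:priv-lvl=(\d+)|proxyacl#(\d+)=(.+))$")


def encode_cisco_av_pair(value):
    """Encode one cisco-av-pair string as a RADIUS VSA (type 26)."""
    payload = value.encode("ascii")
    # vendor-type, vendor-length (includes these two bytes), then the string
    vendor_part = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("cisco-av-pair too long for a single attribute")
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute blob and return every cisco-av-pair string."""
    pairs, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VSA:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
                    pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return pairs


def build_access_accept(identifier, request_authenticator, secret, av_pairs):
    """Access-Accept: Code, ID, Length, then Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(encode_cisco_av_pair(p) for p in av_pairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """What the NAS does before trusting a reply: recompute and compare.
    A wrong shared key on either side fails here and the reply is dropped."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return received == expected


def validate_av_pair(value):
    """Mirror the router's syntax check; raises on 'auth-proxy:priv-lvl-15'."""
    match = AV_PAIR_RE.match(value)
    if not match:
        raise ValueError("invalid format in Cisco avpair at %r" % value)
    return match


def install_proxy_acl(av_pairs, authenticated_ip):
    """Turn proxyacl#N pairs into the temporary ACEs the router installs,
    replacing the mandatory 'any' source with the authenticated host."""
    host = ipaddress.ip_address(authenticated_ip)
    aces = {}
    for pair in av_pairs:
        match = validate_av_pair(pair)
        if match.group(2) is None:          # priv-lvl entry, no ACE to install
            continue
        index, ace = int(match.group(2)), match.group(3).split()
        # ACE layout: <action> <proto> <source> <destination> [ports]
        if len(ace) < 4 or ace[2] != "any":
            raise ValueError("proxyacl#%d: source must be the keyword 'any'" % index)
        ace[2] = "host %s" % host
        aces[index] = " ".join(ace)
    return [aces[k] for k in sorted(aces)]
```

Usage: feed `install_proxy_acl` the list returned by `decode_vsas(packet[20:])` after `verify_response_authenticator` succeeds; the resulting ACEs are what `show ip auth-proxy cache` and the interface ACL should then reflect for that host.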
06-18-2008 02:59 PM
Thank you for that information. I finally got hold of ClearBox tech support, and they provided me with the information I needed to get my setup running. For those of you who may be going through the same struggle as I, here is my solution. Keep in mind this is a very BASIC test configuration--it is not a production configuration, so it has none of the security measures or additional settings needed for use in a real environment. Now that I have this running in a test environment, I will work on modifying it for production.
-----Edited Config start----------
version 12.3
!
logging buffered 10000 debugging
aaa new-model
!
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa session-id common
!
ip auth-proxy inactivity-timer 120
ip auth-proxy name Customers http
ip audit po max-events 100
!
username admin password 7 ****************
!
interface FastEthernet0/0
description To Internet
ip address x.x.x.x 255.255.255.128
ip nat outside
!
interface FastEthernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
ip nat inside
ip auth-proxy Customers
!
ip nat pool test x.x.x.x x.x.x.x netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip http server
ip http access-class 40
ip http authentication aaa
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip radius source-interface FastEthernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
access-list 40 deny any
!
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
!
----------stop-----------
ClearBox RADIUS Server VSAs:
1. Configurator-->Realm-->Authorization tab
2. Click the + next to Access-Accept response list box
3. Leave Plain Attribute selected and click the drop down list next to the Attribute box. Select Cisco-AV-Pair
4. Enter auth-proxy:priv-lvl=15 in the Value box and click OK
5. Repeat steps 2 & 3 to add additional VSAs as listed in the above post
Be sure to have "debug radius" and "debug aaa authentication" enabled on your router. If you have problems authenticating, do "show log" to view the log output to find out why. Initially, my VSA settings didn't work, and I got "invalid format in Cisco avpair at "auth-proxy"" messages in my logs. I couldn't see the error, so I copied and pasted the settings from the above post, and then it worked.
Hope this helps. I am not endorsing ClearBox, and I don't know if it is better than other RADIUS servers or FreeRADIUS; it is just the one I selected because, of the ones I looked at, it fit my needs best, and their tech support for a test product was excellent.
Thank you, Michael, for your expertise and patience. This is a great forum. I am truly indebted.
BK
06-19-2008 08:03 AM
You're welcome.
Glad you were finally able to experience a bit of joy after a long battle.
At some point you might want to refer to an earlier response (Jun 13, 2008, 8:56am PST), in which I suggested that you take a look at using "ip http secure-server" to protect the Auth Proxy credential exchange between the hosts and router.
There was also some info pertaining to the use of the "any" keyword in downloadable ACLs, and syslogging Auth Proxy.
Good luck with your implementation.