RADIUS can not authenticate using telnet/ssh

kamrannaseem
Level 1

Hi,

I have a TekRadius server running. When I try to log in to my Cisco 2960 switch through the console it works fine, but when I try to log in through telnet/ssh it does not let me in.

Any help will be much appreciated.

Kind regards,

20 Replies

Jatin Katyal
Cisco Employee

Can you post the running config from the 2960? Also, check if you're getting any error message on the radius server.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

username test privilege 15 secret 5 $1$HwE9$.kxhsf7I5gIuBnw3xT67A1
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login localauth local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
!
aaa session-id common
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip ssh version 2
ip rcmd rcp-enable
ip rcmd remote-username RMEUser
line con 0
 password 7 107A0C0A111E1C0C
line vty 0 3
 access-class 1 in
 authorization exec VTY
 login authentication VTY
line vty 4
 access-class 1 in
 authorization exec VTY
 login authentication ssh
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 authorization exec VTY
 login authentication VTY
!
end

Many thanks.

I think telnet/ssh is not enabled under line vty 0 3. Please add the command listed below there.

line vty 0 3
 transport input telnet ssh

~Jatin

Hi Jatin,

No luck, same issue.

Regards,

Kamran.

Can you run the following debugs:

debug aaa authentication
debug radius
debug aaa authorization

~Jatin

Hi Jatin,

Username:
1d06h: AAA/AUTHEN/ABORT: (840134049) because Login timed out.
1d06h: AAA/MEMORY: free_user_quiet (0x1C74914) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
1d06h: AAA: parse name=tty0 idb type=-1 tty=-1
1d06h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
1d06h: AAA/MEMORY: create_user (0x1BB5588) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
1d06h: AAA/AUTHEN/START (195888831): port='tty0' list='' action=LOGIN service=LOGIN
1d06h: AAA/AUTHEN/START (195888831): using "default" list
1d06h: AAA/AUTHEN/START (195888831): Method=radius (radius)
1d06h: AAA/AUTHEN (195888831): status = GETUSER
% Username:  timeout expired!
% Authentication failed.

1d06h: RADIUS: Pick NAS IP for u=0x1C74914 tableid=0 cfg_addr=0.0.0.0
1d06h: RADIUS: ustruct sharecount=2
1d06h: Radius: radius_port_info() success=1 radius_nas_port=1
1d06h: RADIUS: added cisco VSA 2 len 4 "tty0"
1d06h: RADIUS: added cisco VSA 1 len 19 "disc-cause-ext=1020"
1d06h: RADIUS: added cisco VSA 1 len 20 "connect-progress=101"
1d06h: RADIUS: added cisco VSA 1 len 14 "nas-rx-speed=0"
1d06h: RADIUS: added cisco VSA 1 len 14 "nas-tx-speed=0"
1d06h: RADIUS: No secret to encode request (rctx

User Access Verification

Username: :0x1BB50B4)
1d06h: RADIUS: Unable to encrypt (rctx:0x1BB50B4)
1d06h: RADIUS(00000000): Send Accounting-Request to 128.1.15.92:1813 id 1646/92, len 201
1d06h: RADIUS:  authenticator 99 4E FD 5D C5 26 71 C8 - BA D0 5D 45 C5 72 27 30
1d06h: RADIUS:  NAS-IP-Address      [4]   6   128.1.17.214
1d06h: RADIUS:  NAS-Port            [5]   6   0
1d06h: RADIUS:  Vendor, Cisco       [26]  12
1d06h: RADIUS:   cisco-nas-port     [2]   6   "tty0"
1d06h: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1d06h: RADIUS:  User-Name           [1]   6   "test"
1d06h: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
1d06h: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
1d06h: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
1d06h: RADIUS:  Acct-Session-Id     [44]  10  "0000002E"
1d06h: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
1d06h: RADIUS:  Acct-Session-Time   [46]  6   42
1d06h: RADIUS:  Vendor, Cisco       [26]  27
1d06h: RADIUS:   Cisco AVpair       [1]   21  "disc-cause-ext=1020"
1d06h: RADIUS:  Vendor, Cisco       [26]  28
1d06h: RADIUS:   Cisco AVpair       [1]   22  "connect-progress=101"
1d06h: RADIUS:  Vendor, Cisco       [26]  22
1d06h: RADIUS:   Cisco AVpair       [1]   16  "nas-rx-speed=0"
1d06h: RADIUS:  Vendor, Cisco       [26]  22
1d06h: RADIUS:   Cisco AVpair       [1]   16  "nas-tx-speed=0"
1d06h: RADIUS:  Acct-Delay-Time     [41]  6   0
1d06h: RADIUS: Received from id 1646/92 128.1.15.92:1813, Accounting-response, len 20
1d06h: RADIUS:  authenticator 24 C3 FD 3B F1 F3 A6 76 - 0D B7 99 E8 55 52 4C 68

1d06h: AAA/MEMORY: free_user (0x1BAF6EC) user='1d06h: AAA/MEMORY: free_user (0x1BB8770) user='aa' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
1d06h: AAA: parse name=tty0 idb type=-1 tty=-1
1d06h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
1d06h: AAA/MEMORY: create_user (0x1BAF3A4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Many thanks

Could you please increase the radius-server timeout to somewhere around 10 seconds and try again.

~Jatin

Hi Jatin,

Where can I change the time?

Regards.

Looking again at the debugs, I came across

1d06h: RADIUS: No secret to encode request (rctx

User Access Verification

Username: :0x1BB50B4)

1d06h: RADIUS: Unable to encrypt (rctx:0x1BB50B4)

The above debugs show that there is no shared secret configured on the 2960 to encrypt or encode the radius request. This is how you configure the key on the 2960. The same key should be defined on the radius server as well.

radius-server host 1.1.1.1 key 

~Jatin
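The "No secret to encode request" and "Unable to encrypt" lines quoted above are the switch failing at a specific step of the RADIUS protocol. As an added example (not code from this thread, from Cisco or from TekRADIUS), here is that step in Python: RFC 2865 hides the User-Password attribute as P XOR MD5(secret + Request-Authenticator) and signs every reply with MD5(Code + ID + Length + Request-Authenticator + Attributes + secret). The user, password, secret and identifiers below are constructed for the demo. It shows three cases a practitioner meets: a NAS with no secret cannot build the request at all; a server whose secret differs from the switch's decodes garbage (so it rejects) and produces a reply the switch will not accept; and a plain wrong password still yields a reply the switch does accept as authentic.

```python
"""Added example, not code from the thread: why a RADIUS client cannot build an
Access-Request, or trust the server's reply, without the shared secret.
All names, secrets and identifiers here are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (Length covers T and L)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    """Split the attribute area of a packet into {type: value}."""
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not secret:
        # This is the condition behind IOS's "No secret to encode request".
        raise ValueError("no shared secret configured: cannot encode User-Password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped (so passwords must not end in NUL)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    """NAS side: fresh random Request-Authenticator, then hide the password under it."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5 over reply header, the request's authenticator, attributes and secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_reply(request: bytes, secret: bytes, user: bytes, password: bytes) -> bytes:
    """Server side: unhide the password with the server's copy of the secret, answer Accept/Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    ok = (attrs.get(ATTR_USER_NAME) == user
          and unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth) == password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", req_auth, secret)


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: trust a reply only if its authenticator matches under the NAS's own secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(92, b"test", b"constructed-pw", secret)
    good = server_reply(req, secret, b"test", b"constructed-pw")
    print("matching secret: accept =", good[0] == ACCESS_ACCEPT, "reply authentic =", verify_reply(good, req, secret))
    bad = server_reply(req, b"mismatched-secret", b"test", b"constructed-pw")
    print("mismatched secret: accept =", bad[0] == ACCESS_ACCEPT, "reply authentic =", verify_reply(bad, req, secret))
```

Two things worth keeping in mind when reading IOS debugs against this model: a mismatched key on either side looks like a plain authentication failure on the server (bad password) and like a silently dropped or invalid reply on the switch, so check the key on both ends before anything else; and the MD5-based hiding above is all the protection classic RADIUS over UDP gives the password, so the switch-to-server path should itself be on a trusted management network or tunnelled.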

Hi Jatin,

Hope you had a good weekend !!

I had it configured, but I have done it again anyway... but I don't understand why it puts 7 after the word key?

many thanks.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-cr-r1.html#wp7224581170

encryption-key

Specifies the encryption key.

Valid values for encryption-key are:
  • 0—Specifies that an unencrypted key follows.
  • 7—Specifies that a hidden key follows.
  • String specifying the unencrypted (clear-text) server key.

~Jatin
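The "7" that the documentation quoted above calls a "hidden key" is Cisco's type 7 obfuscation: a fixed-table XOR that anyone who can read the running config can reverse. As an added example (not from the thread, from Cisco or from TekRADIUS), here is a type 7 encoder and decoder in Python plus a small config audit that finds and decodes every `password 7` / `key 7` value. The translation table is the widely published one; the RADIUS key encoded in the sample config is constructed, and the `094F471A1A0A` string is the well-known textbook vector for "cisco". The practical consequence for this thread: a `radius-server key 7 ...` line, like the `password 7 ...` line on the console in the config posted earlier, only hides the secret from someone looking over your shoulder, so a running config pasted anywhere should be treated as containing the shared secret in the clear.

```python
"""Added example, not code from the thread: Cisco IOS 'type 7' is reversible obfuscation.
A type 7 string is two decimal digits (a start offset into a fixed table) followed by
hex bytes, each XORed with the table byte at offset + position. The table below is the
widely published one; the secrets in the sample config are constructed."""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a `password 7` / `key 7` string."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string (expected 2-digit seed + hex pairs)")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the form IOS writes; IOS itself picks a seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    hidden = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{hidden.hex().upper()}"


def audit_config(config: str) -> list:
    """Return (config line, recovered plaintext) for every type 7 credential in a config.
    Run this over a config before sharing it; anything it returns is effectively plaintext."""
    found = []
    for line in config.splitlines():
        match = TYPE7_RE.search(line)
        if not match:
            continue
        try:
            found.append((line.strip(), type7_decode(match.group(1))))
        except (ValueError, UnicodeDecodeError):
            pass  # not a well-formed type 7 string; leave it for manual review
    return found


# Constructed config fragment, modelled on the lines discussed in this thread.
SAMPLE_CONFIG = "\n".join([
    "! constructed sample, not the poster's config",
    "line con 0",
    " password 7 094F471A1A0A",
    "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 "
    + type7_encode("constructed-radius-key", 3),
])

if __name__ == "__main__":
    for line, plaintext in audit_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {plaintext!r}")
```

For the RADIUS key itself the stronger option on current IOS releases is to keep the key out of any config you hand around at all (redact the `key` line before posting) and to treat a type 7 value as already disclosed the moment the config leaves the device.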

Hi Jatin,

I have done it again but no luck....

Any other suggestions?

Many thanks.

Can you post the debugs again.

~Jatin

Hi Jatin,

Following are the debug lines from aaa autho:

2d02h: AAA: parse name=tty0 idb type=-1 tty=-1
2d02h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
2d02h: AAA/MEMORY: create_user (0x1ABAD30) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)eem

Password:

2d02h: AAA/MEMORY: free_user (0x1BA2F74) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15

Many thanks