Radius configuration problem

jasonc0904
Level 1

Hi all,
New here and having an issue with my radius config: most routers on our network are working with this config and a few are not. Seems like the Radius server is functioning as it should. Whenever I try to authenticate I get the below error:

RDI-MPLSRTR#test aaa group CLI-AUTH user password legacy
Attempting authentication test to server-group CLI-AUTH using radius

Oct 24 13:39:46.494: AAA: parse name=<no string> idb type=-1 tty=-1
Oct 24 13:39:46.494: AAA/MEMORY: create_user (0x312B68CC) user='username' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
No authoritative response from any server.

BRDI-MPLSRTR#
Oct 24 13:40:05.214: AAA/MEMORY: free_user (0x312B68CC) user='username' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
BRDI-MPLSRTR#

Here is my running config:

Current configuration : 8660 bytes
!
! Last configuration change at 11:25:08 Brazil Fri Oct 24 2014 by routeradm
! NVRAM config last updated at 17:57:15 Brazil Thu Oct 23 2014 by routeradm
! NVRAM config last updated at 17:57:15 Brazil Thu Oct 23 2014 by routeradm
version 15.1
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname BRDI-MPLSRTR
!
boot-start-marker
boot-end-marker
!
!
card type e1 0 0
logging console informational
enable secret 5 $1$V326$jfWrfTbyXz50acEwEiuWI0
!
aaa new-model
!
!
aaa group server radius CLI-AUTH
server 10.2.24.76
!
aaa authentication login default group CLI-AUTH local
!
!
!
!
!
aaa session-id common
!
clock timezone EDT -3 0
clock summer-time Brazil recurring 1 Sun May 2:00 1 Sun Nov 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name ******
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1554113946
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1554113946
revocation-check none
rsakeypair TP-self-signed-1554113946
!
!
crypto pki certificate chain TP-self-signed-1554113946
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FTX1543ALZ2
!
!
archive
log config
hidekeys
path ftp://10.2.24.31/BRDI-MPLSRTR/$h
write-memory
time-period 10080
username ****** 
username ******
!
redundancy
!
!
!
!
controller E1 0/0/0
clock source line independent
channel-group 0 timeslots 1-31
!
ip ftp username ******
ip ftp password 
!
class-map match-any Voice-Video
match dscp af41 ef
class-map match-any BusinessCritical-VoiceSIG
match access-group 152
match dscp af21 af31
!
!
policy-map QOS-LLQ
class Voice-Video
priority 768
class BusinessCritical-VoiceSIG
bandwidth 768
class class-default
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INSIDE < Brazil LAN Switch >
ip address 10.14.16.2 255.255.254.0
ip accounting output-packets
ip virtual-reassembly in
ip route-cache policy
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
description < L3 MPLS VPN: Pallcorp; Site-Circuit: Diadema 2005335985 >
ip address ******* 255.255.255.252
encapsulation ppp
service-policy output QOS-LLQ
!
!
router eigrp 64
network 10.14.16.0 0.0.1.255
network 10.14.18.0 0.0.1.255
network 10.14.20.0 0.0.0.31
network 10.14.20.32 0.0.0.31
network 10.14.20.64 0.0.0.31
redistribute bgp 65004 metric 1984 1 255 1 1500 route-map BGP-TO-EIGRP
no eigrp log-neighbor-changes
!
router bgp 65004
bgp log-neighbor-changes
network 10.14.8.0 mask 255.255.255.0 backdoor
network 10.14.16.0 mask 255.255.254.0
network 10.14.18.0 mask 255.255.254.0
network 10.14.20.0 mask 255.255.255.224
network 10.14.20.32 mask 255.255.255.224
network 10.14.20.64 mask 255.255.255.224
network 100.65.0.128 mask 255.255.255.252
neighbor ******** remote-as 3549
neighbor ******** distribute-list BGP-DIST out
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 9
ip flow-export destination 10.2.24.76 9996
!
!
ip access-list standard BGP-DIST
permit 10.14.16.0 0.0.1.255
permit 10.14.18.0 0.0.1.255
permit 10.14.20.0 0.0.0.31
permit 10.14.20.32 0.0.0.31
permit 10.14.20.64 0.0.0.31
ip access-list standard BLOCK-OSV
remark < Block Registration >
deny 10.2.26.0 0.0.0.255
permit any
ip access-list standard EIGRP-DIST
permit 10.14.16.0 0.0.0.255
permit 10.14.18.0 0.0.0.255
ip access-list standard NYPW-DOM3
remark < Route NYPW-DOMINO3 Traffic >
permit 10.2.32.63
ip access-list standard NYPWEH
remark < Route NYPW and NYEH Traffic >
permit 10.2.24.0 0.0.1.255
permit 10.2.32.0 0.0.3.255
permit 10.2.40.0 0.0.3.255
permit 10.2.48.0 0.0.1.255
ip access-list standard NYPWRT
remark < Route NYPW Traffic >
permit 10.2.24.0 0.0.1.255
permit 10.2.32.0 0.0.3.255
ip access-list standard PROXY-OUT
permit 10.14.16.5
permit 10.14.16.0 0.0.0.255
ip access-list standard VoIPRT
remark < Route From NYPW Traffic >
deny 10.2.26.0 0.0.0.255
deny 10.2.27.0 0.0.0.31
deny 10.2.20.0 0.0.3.255
deny 10.2.27.32 0.0.0.31
deny 10.2.56.0 0.0.1.255
deny 10.14.2.0 0.0.0.255
permit any
!
ip radius source-interface GigabitEthernet0/1
!
logging trap warnings
logging source-interface GigabitEthernet0/1
logging 10.195.36.253
access-list 15 permit 10.2.24.31
access-list 15 permit 10.2.24.76
access-list 15 permit 10.2.24.171
access-list 15 permit 10.2.25.226
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 152 permit tcp any any range 3200 3299
access-list 152 permit tcp any any eq telnet
!
!
!
!
route-map EIGRP-TO-BGP deny 10
match tag 65004
!
route-map EIGRP-TO-BGP permit 20
set tag 64
!
route-map BGP-TO-EIGRP deny 10
match tag 64
!
route-map BGP-TO-EIGRP permit 20
set tag 65004
!
route-map PROXY-SERVER permit 10
match ip address PROXYOUT
set ip next-hop *********
!
!
snmp-server community ******
snmp-server community ******
snmp-server community ******
snmp-server ifindex persist
snmp-server system-shutdown
snmp-server host 10.2.48.100 *****
radius-server host 10.2.24.76 key 7 00271A150754525F
!
!
!
control-plane
!
!
banner motd ^CC
************************************************** *****************************
* @@@@@@@@ Warning Notice: @@@@@@@@ **
* ----------------------------------------------------------------------------*
* This system is restricted solely to authorized users for legitimate *
* business purposes only. The actual or attempted unauthorized *
* access, use, or modification of this system is strictly prohibited by law. *
* Unauthorized users are subject to disciplinary proceedings and/or criminal *
* and civil penalties under state, federal, or other applicable domestic and *
* foreign laws. The use of this system may be monitored and recorded for *
* administrative and security reasons. Anyone accessing this system expressly *
* consents to such monitoring and is advised that if monitoring reveals *
* possible evidence of criminal activity, we may provide the evidence of such *
* activity to law enforcement officials and be used as evidence in court. *
************************************************** *****************************
^C
!
line con 0
line aux 0
modem InOut
transport input all
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 06162F0D080F081D08461C
transport input ssh
line vty 5 15
privilege level 15
password 7 051B2623650D4F0D145419
transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.2.40.40
end

5 Replies

Richard Burts
Hall of Fame

I do not see obvious problems in the config that you posted so I have these questions which I hope may lead us toward an understanding of the issue.

- I think that my memory of using the test aaa command was that I supplied a username and a password (it has been a long time since I did this and perhaps my memory is not accurate). Your example does not supply user name or password. Are you saying that this test (not supplying the name or password) works on other routers?

- Can you verify that the shared key specified for the Radius server is correct?

- Can you verify IP connectivity between this router and the configured server?

- Can you verify that the Radius server is configured to recognize this router (10.14.16.2) as a Radius client?

- When you do this test on the router are there any log records on the Radius server that show that it received the test request for authentication? What does the server think that it responded?

 

HTH

Rick

Thanks for the reply, Rick. Your suggestion to check the Radius client config on the server was the trick.

I am glad that my suggestion did lead you to a solution to the issue. Thank you for posting back to the forum and letting us know that you have solved the problem and that the issue was something in the configuration of the Radius server.

 

HTH

Rick

morgan_kon
Level 1

Have you tried the test command like test aaa group radius <user> <pass> new-code?

Also I suggest that you check the radius server and see if there was any fail log.

Looks like it was an issue with the client config on the Radius server. I deleted it, rebuilt and now it works. Thanks for your replies!
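An added diagnostic for the failure mode this thread ended on (example code, not from the thread or from Cisco): a RADIUS server silently discards requests from a source address it has no client entry for, which the router reports as "No authoritative response", whereas a wrong password gets a reject. The helper below reads the AAA/RADIUS lines of an IOS config and reports the NAS address and server list the client entry on the server has to match; the excerpt is a constructed copy of the relevant lines from the config posted above.

```python
# Constructed excerpt of the AAA/RADIUS lines from the running config posted above.
POSTED_EXCERPT = """\
aaa new-model
aaa group server radius CLI-AUTH
 server 10.2.24.76
aaa authentication login default group CLI-AUTH local
interface GigabitEthernet0/0
 no ip address
 shutdown
interface GigabitEthernet0/1
 ip address 10.14.16.2 255.255.254.0
ip radius source-interface GigabitEthernet0/1
radius-server host 10.2.24.76 key 7 00271A150754525F
"""


def radius_client_facts(config):
    """Return the NAS source IP the server will see, the servers the AAA group
    uses, the radius-server host entries, and any consistency problems."""
    if_ip, shut, group_servers, host_entries, problems = {}, set(), [], [], []
    src_if = cur_if = cur_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: leave any sub-mode
            cur_if = cur_group = None
        if line.startswith("interface "):
            cur_if = line.split()[1]
        elif line.startswith("aaa group server radius "):
            cur_group = line.split()[-1]
        elif cur_group and line.startswith("server "):
            group_servers.append(line.split()[1])
        elif cur_if and line.startswith("ip address "):
            if_ip[cur_if] = line.split()[2]
        elif cur_if and line == "shutdown":
            shut.add(cur_if)
        elif line.startswith("ip radius source-interface "):
            src_if = line.split()[-1]
        elif line.startswith("radius-server host "):
            host_entries.append(line.split()[2])
    nas_ip = if_ip.get(src_if)
    if src_if is None:
        problems.append("no ip radius source-interface: NAS address follows the route")
    elif nas_ip is None:
        problems.append(f"{src_if} has no IP address")
    if src_if in shut:
        problems.append(f"{src_if} is shut down")
    problems += [f"group server {s} has no radius-server host entry"
                 for s in group_servers if s not in host_entries]
    return {"nas_ip": nas_ip, "group_servers": group_servers,
            "host_entries": host_entries, "problems": problems}
```

For the posted config this yields nas_ip 10.14.16.2, so the server's client entry must be for that address with the same shared secret as the radius-server host line; pointing the source-interface at the shut, addressless GigabitEthernet0/0 instead is flagged as two problems.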
