07-29-2010 10:46 AM - edited 03-10-2019 05:17 PM
Good afternoon fellow Cisco gods. =] I'm trying to configure RADIUS to work in my Packet Tracer, and I can't seem to get it to work. I can telnet to it, but it keeps failing on me. I just have the server (10.10.0.10), a switch with nothing special other than an IP address on VLAN1, and then the router (10.10.0.1), also nothing special, just a basic configuration.
The end goal is to set up RADIUS to work for telnet, console, and enable, yet still retain the local user database in case network issues prevent communication to the RADIUS server.
Thanks in advance. My head is hurting from trying to get this working. Take care!
Here is the running configuration on the router, and its version information:
Router#sho run
Building configuration...
Current configuration : 683 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
login
line vty 0 4
login
login authentication default
!
!
!
end
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
System returned to ROM by power-on
System image file is "c2800nm-advipservicesk9-mz.124-15.T1.bin"
<--omitted-->
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
239K bytes of NVRAM.
62720K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Here is the debug AAA:
*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'
*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'
*Jul 29 12:38:07.455: AAA/BIND(20): Bind i/f
*Jul 29 12:38:07.455: AAA/AUTHEN/LOGIN(20): Pick method list 'default'
08-01-2010 07:06 PM
On the AAA server you need to add "10.10.0.1" (f0-0.router) as a "client."
If your Packet Tracer network is quite large, this can be a pain, as you may not always know what IP address the AAA server sees the traffic originating from. That means you need to add every single interface's address as a RADIUS/TACACS client on the AAA server.
It would be nice if they added wildcard support for the AAA server in Packet Tracer.
Other than that, your router config looks good.
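As an added illustration of the point made in this answer (this is not code from the thread, nor Packet Tracer's AAA server), the Python below plays out a minimal RADIUS Access-Request / Access-Accept exchange per RFC 2865 with the server keying its shared secret by the request's source IP, which is what a real AAA server does and why the router's address has to exist as a "client". The router 10.10.0.1, the key P@ssw0rd and the username "user" are taken from the thread; the user's password "cisco123" and the server's user table are constructed for the example. It shows the three outcomes a practitioner tends to confuse: an unregistered NAS gets no reply at all (the server silently discards the packet, so the router only ever sees a timeout, which is what makes IOS fall through to the next method in `group radius local`), a mismatched shared secret produces an Access-Reject whose Response Authenticator the router cannot verify, and a wrong user password is a plain Access-Reject.

```python
"""Toy RADIUS (RFC 2865) NAS/server exchange, added as an illustration.
Values marked 'constructed' are made up for the example."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        t, length = struct.unpack("!BB", data[:2])
        attrs[t] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """What the NAS (the router) sends to the server's auth-port (1645 in the thread)."""
    request_authenticator = os.urandom(16)
    attrs = pack_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encode_password(password.encode(), secret, request_authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


class RadiusServer:
    """Minimal AAA server: `clients` maps source IP -> shared secret, `users` maps name -> password."""

    def __init__(self, clients, users):
        self.clients = clients
        self.users = users

    def handle(self, src_ip, packet):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None  # unknown client: silently discard (RFC 2865 section 3)
        code, ident, length = struct.unpack("!BBH", packet[:4])
        request_authenticator = packet[4:20]
        attrs = parse_attrs(packet[20:length])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = decode_password(attrs.get(USER_PASSWORD, b""), secret, request_authenticator)
        code = ACCESS_ACCEPT if self.users.get(user) == password else ACCESS_REJECT
        header = struct.pack("!BBH", code, ident, 20)
        # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
        response_authenticator = hashlib.md5(header + request_authenticator + secret).digest()
        return header + response_authenticator


def check_reply(reply, request, secret):
    """NAS side: never trust the verdict until the Response Authenticator checks out."""
    if reply is None:
        return "timeout"  # IOS would now fall through to the next method in the list
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected")


def login(server, nas_ip, username, password, nas_secret):
    """One login attempt as seen from the router: build, send, verify."""
    request = build_access_request(1, username, password, nas_secret, nas_ip)
    return check_reply(server.handle(nas_ip, request), request, nas_secret)


if __name__ == "__main__":
    # Constructed: the thread's server with the router registered as a client.
    server = RadiusServer(clients={"10.10.0.1": b"P@ssw0rd"}, users={"user": b"cisco123"})
    print("registered client, good password:", login(server, "10.10.0.1", "user", "cisco123", b"P@ssw0rd"))
    print("registered client, wrong secret :", login(server, "10.10.0.1", "user", "cisco123", b"WrongKey"))
    # The thread's original problem: the router was not a client on the server.
    unregistered = RadiusServer(clients={}, users={"user": b"cisco123"})
    print("unregistered client             :", login(unregistered, "10.10.0.1", "user", "cisco123", b"P@ssw0rd"))
```

The silent discard is the important detail for troubleshooting: nothing in the router's `debug aaa authentication` output distinguishes "server down" from "server ignoring me", so `debug radius` (to confirm requests actually leave) and the server's own log are what settle it. The same source-IP lookup is why `ip radius source-interface` matters on a multi-homed router: whichever interface the route to the server uses, the request must originate from the address the server has on file.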
08-01-2010 11:10 PM
Shaun
The configuration on your router looks good, but I couldn't find the RADIUS debugs captured from the router. Also, we have to make sure that your router is defined as a client on your AAA server. You can also use "ip radius source-interface <interface name>" to explicitly say that a particular IP address will be used to communicate with the AAA server. Until we confirm that these things are correct, we will not be able to proceed.
Thanks,
Praveen Kumar , M.
07-30-2010 03:03 AM
Hi Shaun,
From the running configuration you have provided in the query, I don't find any radius-server configuration. I hope you just missed pasting it. Apart from that, you can enable "debug radius" and find out why the authentication is failing.
You can use "radius-server host
Regards,
Praveen Kumar , M.
07-30-2010 06:24 AM
You're right, it didn't show it. Here is the "full" running-config, the enabling of the debug, and the results of trying to telnet to the router. Thanks for your help!
Router#sho run
Building configuration...
Current configuration : 787 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
radius-server host 10.10.0.10 auth-port 1645 key P@ssw0rd
!
!
!
line con 0
login
line vty 0 4
login
login authentication default
!
!
!
end
Router#debug aaa auth
AAA Authentication debugging is on
Router#
*Jul 30 08:22:38.823: AAA/BIND(5): Bind i/f
*Jul 30 08:22:38.823: AAA/AUTHEN/LOGIN(5): Pick method list 'default'
*Jul 30 08:22:45.515: AAA/BIND(6): Bind i/f
*Jul 30 08:22:45.515: AAA/AUTHEN/LOGIN(6): Pick method list 'default'
*Jul 30 08:22:52.698: AAA/BIND(6): Bind i/f
*Jul 30 08:22:52.698: AAA/AUTHEN/LOGIN(6): Pick method list 'default'
Packet Tracer SERVER Command Line 1.0
SERVER>telnet 10.10.0.1
Trying 10.10.0.1 ...Open
User Access Verification
Username: user
Password:
% Login invalid
Username: user
Password:
% Login invalid
Username: user
Password:
[Connection to 10.10.0.1 closed by foreign host]
SERVER>
08-02-2010 06:55 AM
Michael/pravm -
Got it! =] It was a misconfiguration on the AAA server. Thank you so much for helping me out. Here is a screenshot of the "correct" configuration, along with the running configuration for the router. I just wish that Packet Tracer was more "robust", in that I could load our company's IOS images into it and use our network equipment, rather than "guessing" that this will work on our production network.
Ah well, 'nother argument for another day. Cheers!!!
Router#sho run
Building configuration...
Current configuration : 787 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius local
!
!
aaa authorization exec default group radius local
!
!
!
!
!
username me privilege 3 password 0 password
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
radius-server host 10.10.0.10 auth-port 1645 key P@ssw0rd
!
!
!
line con 0
login
line vty 0 4
login
login authentication default
!
!
!
end
Router#
*Aug 02 08:51:32.079: AAA/BIND(3): Bind i/f
*Aug 02 08:51:32.079: AAA/AUTHEN/LOGIN(3): Pick method list 'default'
*Aug 02 08:51:40.799: AAA/BIND(3): Bind i/f
*Aug 02 08:51:40.799: AAA/AUTHEN/LOGIN(3): Pick method list 'enable-default'
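The thread's stated goal was RADIUS for telnet, console and enable with the local database as a fallback. The fragment below is an added configuration example in IOS 12.4 syntax, not the poster's config and not tested in Packet Tracer (a later reply notes that 5.3 does not accept `ip radius source-interface`); it keeps the thread's addresses and key, and `<enable-secret>` / `<user-secret>` are placeholders. It differs from the working config above in the places that matter on a real router.

```text
aaa new-model
!
! The key must match the client entry for 10.10.0.1 on the server.
radius-server host 10.10.0.10 auth-port 1645 key P@ssw0rd
! Source every RADIUS packet from the address registered on the server,
! whichever interface the route to the server leaves through.
ip radius source-interface FastEthernet0/0
!
! Login: RADIUS first. 'local' is consulted only when no server answers
! (timeout/error), never when the server returns Access-Reject.
aaa authentication login default group radius local
! Enable: IOS asks RADIUS for the user "$enab15$" (15 = privilege level);
! the fallback method for enable is 'enable' (the enable secret).
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
! Without this, exec authorization is not applied to the console at all.
aaa authorization console
!
! Hashed secrets: 'password 0' is cleartext and 'service password-encryption'
! only applies reversible Type 7 encoding.
enable secret <enable-secret>
username me privilege 15 secret <user-secret>
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 ! telnet carries the RADIUS-validated password in cleartext; prefer ssh.
 transport input ssh
```

Two points deserve emphasis. First, the fallback semantics: a method list moves to the next method only when the current one cannot answer, so a user the RADIUS server explicitly rejects is not retried against the local database, and the local account is useful only for the outage case the poster described. Second, the enable list: the thread's `aaa authentication enable default group radius local` was accepted by Packet Tracer, but on IOS the method that falls back to a locally stored credential for enable is `enable`, and the RADIUS server needs a `$enab15$` account for enable authentication to succeed at all.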
08-02-2010 10:35 AM
shaun-murray wrote:
Michael/pravm -
Got it! =] It was a misconfiguration on the AAA server. Thank you so much for helping me out. Here is a screenshot of the "correct" configuration, along with the running configuration for the router. I just wish that Packet Tracer was more "robust", in that I could load our company's IOS images into it and use our network equipment, rather than "guessing" that this will work on our production network.
Ah well, 'nother argument for another day. Cheers!!!
If you want to test using your company's actual IOS images and configuration files, you can use a program called GNS3. It's much more complicated, but it runs the actual IOS files. There are plenty of tutorials on the web for it. The only really big downside I can see is that it does not support actual switches; the switches it does emulate are very basic and don't run any kind of IOS. Another good thing about GNS3 is that you can have your simulated network use the computer it's running on to interact with the real network, connecting it to real servers such as AAA or DNS.
You have to remember that Packet Tracer isn't a simulator as much as it's a training aid. It's a great training aid, yes, but it doesn't work like the real deal.
Like I said, GNS3 is quite complicated. Read the tutorials and the quick-start guide on the website.
GNS3 is available here: http://www.gns3.net/
08-02-2010 11:19 AM
Yeah, I've installed GNS3, and you are right, it does use the IOS images. The issue still remains that they don't support the Nexus architecture, and unfortunately we aren't a "Cisco only shop". More's the pity, we have Juniper, some 3COM, F5 and AdTran technologies, so that just complicates things. If someone was able to come up with an independent network simulator to do REAL network simulations, they'd make a killing.
Thanks again for all your help sir!
08-02-2010 10:19 AM
Unfortunately it doesn't look like Packet Tracer 5.3 supports the "ip radius source-interface" command.
Maybe in the next version.