03-22-2005 03:59 AM - edited 03-10-2019 02:04 PM
Hi All
I am using a Cisco 3640 router. I have a problem with the RADIUS server.
I did a basic AAA configuration but I still have a problem... the problem is:
01:30:39: RADIUS: Initial Transmit id 6 171.68.118.115:1645, Access-Request, Len 67
01:30:39: Attribute 4 6 0A1F0196
01:30:39: Attribute 61 6 00000000
01:30:39: Attribute 1 11 70726F78
01:30:39: Attribute 2 18 E552A3E5
01:30:39: Attribute 6 6 00000005
01:30:44: RADIUS: Retransmit id 6
01:30:49: RADIUS: Retransmit id 6
01:30:59: RADIUS: Marking server 171.68.118.115 dead
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No valid server found. Trying any viable server
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No response for id 6
01:30:59: RADIUS: No response from server
01:30:59: AAA/AUTHEN (1597176845): status = ERROR
Can anyone help me....
Thanks
03-22-2005 06:59 AM
There are several things that could cause the symptoms that you have.
First have you verified that you are using the correct address for the
Radius server?
Second I would evaluate IP connectivity. Can your router get to the
address of the Radius server? And can the Radius server get to the
address of your router? (ping is probably the easy way to check this)
Third (if you do have good IP connectivity) I would look at any routers
or firewalls along the data path and make sure that no one is filtering
out the Radius packets (port 1645).
Fourth (if you do not find any error in the preceding steps) I would
check the Radius server. Is it configured to recognize this router? And
is there any sign on the server that it has received any request from
the router? If so what did it do?
HTH
Rick
03-23-2005 12:47 AM
Dear Rick,
thanks for your reply.
We have checked all the options you've mentioned one by one. All are OK.
- We can ping - and get reply back
- No firewalls - direct connection via ethernet
We connected the same Radius server directly to a 4000 series Cisco Router and it worked fine.
When we use the same commands and setup on the Cisco 3640 we get the above message.
- Could it be the ethernet ports?
- or maybe the IOS of the router?
The IOS is: IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a),
Any help will be much appreciated,
Kind Regards
Shefik
==================
sh version:
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 19-Jun-03 11:24 by pwade
Image text-base: 0x60008930, data-base: 0x61296000
ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ISPACCESS uptime is 1 day, 2 hours, 24 minutes
System returned to ROM by power-on
System image file is "flash:c3640-ik9s-mz.122-17a.bin"
cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 17632609
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
---------------
Building configuration...
Current configuration : 1136 bytes
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ISPACCESS
!
aaa new-model
aaa group server radius test
 server 202.52.62.104 auth-port 1812 acct-port 1813
!
aaa authentication login secure1 group test
aaa authentication ppp default group radius
aaa authorization network default group radius
enable secret 5
!
username xxxx password 7
username xxxxx password 7
ip subnet-zero
!
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.250 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 220.245.140.46 255.255.255.248
 ip access-group 115 in
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 220.245.140.41
ip http server
!
access-list 115 permit tcp any any
radius-server host 202.52.62.104 auth-port 1812 acct-port 1813
radius-server key 7
!
dial-peer cor custom
!
!
!
!
privilege exec level 7 clear line
!
line con 0
 password 7
line aux 0
line vty 0 3
 password 7
line vty 4
 login authentication secure1
!
end
03-23-2005 06:26 AM
Shefik
Thanks for including the additional information including the config of the router. I believe it has allowed me to identify your problem.
The first clue to the problem is that the debug in your first post indicates that the router is using port 1645 to communicate with the radius server. But the config that you sent clearly shows that it specifies port 1812. This indicates that we should look carefully for some mismatch in the config.
I see in the config that your aaa authentication command for login is using a method called secure1. When I look to see where secure1 is used I find that it is used on vty 4 but not on vty 0 through 3. So these vty ports will use the default authentication. I believe that this is the mismatch that is causing your problem. If you configure vty 0 3 with login authentication secure1, then I believe that the router will authenticate as you want it to do.
HTH
Rick
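An added example (not part of the thread and not Cisco tooling): a small Python check that automates the comparison made in the answer above, flagging RADIUS destinations seen in the debug output that the configuration does not define, and listing lines that name no login method list. The sample text is trimmed from the posts above; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the config and debug posted above, IOS indentation restored.
CONFIG = """\
aaa new-model
aaa group server radius test
 server 202.52.62.104 auth-port 1812 acct-port 1813
aaa authentication login secure1 group test
line con 0
 password 7
line vty 0 3
 password 7
line vty 4
 login authentication secure1
radius-server host 202.52.62.104 auth-port 1812 acct-port 1813
"""
DEBUG = "01:30:39: RADIUS: Initial Transmit id 6 171.68.118.115:1645, Access-Request, Len 67"

def configured_servers(config):
    """Return {(ip, auth_port)} configured; IOS uses auth-port 1645 when none is given."""
    pat = re.compile(r"^ *(?:radius-server host|server) (\S+)(?: auth-port (\d+))?", re.M)
    return {(ip, int(port or 1645)) for ip, port in pat.findall(config)}

def debug_targets(debug):
    """Return {(ip, port)} the router actually sent Access-Requests to."""
    pat = re.compile(r"RADIUS: Initial Transmit id \d+ (\d+\.\d+\.\d+\.\d+):(\d+)")
    return {(ip, int(port)) for ip, port in pat.findall(debug)}

def line_login_methods(config):
    """Map each 'line ...' block to its login method list ('default' if none is named)."""
    methods, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            methods[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r" +login authentication (\S+)", raw)
            if m:
                methods[current] = m.group(1)
        else:
            current = None  # a top-level command ends the line block
    return methods

def audit(config, debug):
    """Return (debug destinations missing from the config, lines on the default list)."""
    unexpected = debug_targets(debug) - configured_servers(config)
    on_default = sorted(l for l, m in line_login_methods(config).items() if m == "default")
    return unexpected, on_default

print(audit(CONFIG, DEBUG))
```

A non-empty first element means the debug was produced by a server definition that is not in the configuration being reviewed, which is the mismatch the answer points to.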