rel. 12.3 aaa authorization network

giga01
Level 1

I have this configuration on my Cisco 1700 router:

--------------------
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname remote-aoud
!
!
clock timezone ITA 1
clock summer-time ITA recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa group server tacacs+ tac_admin
 server 192.168.13.100
 server 192.168.13.102
!
aaa group server radius remote_access
 server 192.168.13.100 auth-port 1645 acct-port 1646
 server 192.168.13.102 auth-port 1645 acct-port 1646
!
aaa authentication login default group tac_admin local
aaa authentication enable default group tac_admin enable
aaa authentication ppp default group remote_access local
aaa authorization exec default group tac_admin local
aaa authorization network default group remote_access
aaa session-id common
ip subnet-zero
!
!
!
interface FastEthernet0
 ip address 172.17.40.113 255.255.252.0
 speed auto
 no cdp enable
!
interface Async1
 ip unnumbered FastEthernet0
 encapsulation ppp
 async mode interactive
 peer default ip address 172.17.40.117
 no keepalive
 ppp authentication ms-chap
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.40.1
radius-server host 192.168.13.100 auth-port 1645 acct-port 1646 key 7 ...
radius-server host 192.168.13.102 auth-port 1645 acct-port 1646 key 7 ...
radius-server deadtime 60
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
!
line con 0
line 1
 flush-at-activation
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 600 0
!
no scheduler allocate
sntp server 172.17.40.1
sntp server 192.168.13.1
!
end
-------------------------------

The dial-in users are authenticated on a Cisco ACS 3.2.

On ACS 3.2 the user has the flags checked on IETF attributes 6 (Framed) and 7 (PPP) for AAA authorization.

This works OK with release 12.2, but with release 12.3, if I uncheck the flags on IETF attributes 6 and 7, the user always logs in.

In fact, aaa authorization network does not work!!

Thanks,

Ale

3 Replies

d.kratz
Level 1

Dear Ale,

Your configuration seems right, but we can't say anything without debugs. Please enable debug aaa authorization and debug tacacs, try to make one connection and post the logs in this thread.

Regards,

kratz

Hello Kratz,

This is debug output:

remote-aoud#
00:06:07: AAA/BIND(00000003): Bind i/f Async1
00:06:09: %LINK-3-UPDOWN: Interface Async1, changed state to up
00:06:09: RADIUS/ENCODE(00000003):Orig. component type = EXEC
00:06:09: RADIUS: AAA Unsupported Attr: interface [153] 6
00:06:09: RADIUS: 41 73 79 6E [Asyn]
00:06:09: RADIUS(00000003): Storing nasport 1 in rad_db
00:06:09: RADIUS(00000003): Config NAS IP: 0.0.0.0
00:06:09: RADIUS/ENCODE(00000003): acct_session_id: 3
00:06:09: RADIUS(00000003): sending
00:06:09: RADIUS/ENCODE: Best Local IP-Address 192.168.13.113 for Radius-Server 192.168.13.100
00:06:09: RADIUS(00000003): Send Access-Request to 192.168.13.100:1645 id 1645/2, len 143
00:06:09: RADIUS: authenticator F8 75 D5 95 91 74 55 71 - 00 00 00 00 00 00 00 00
00:06:09: RADIUS: Framed-Protocol [7] 6 PPP [1]
00:06:09: RADIUS: User-Name [1] 12 "CASA\marco"
00:06:09: RADIUS: Vendor, Microsoft [26] 16
00:06:09: RADIUS: MSCHAP_Challenge [11] 10
00:06:09: RADIUS: F8 75 D5 95 91 74 55 71 [?u???tUq]
00:06:09: RADIUS: Vendor, Microsoft [26] 58
00:06:09: RADIUS: MS-CHAP-Response [1] 52 *
00:06:09: RADIUS: NAS-Port-Type [61] 6 Async [0]
00:06:09: RADIUS: Calling-Station-Id [31] 7 "async"
00:06:09: RADIUS: NAS-Port [5] 6 1
00:06:09: RADIUS: Service-Type [6] 6 Framed [2]
00:06:09: RADIUS: NAS-IP-Address [4] 6 192.168.13.113
00:06:09: RADIUS: Received from id 1645/2 192.168.13.100:1645, Access-Accept, len 62
00:06:09: RADIUS: authenticator E9 99 94 43 EB 4B 74 33 - F7 87 03 F6 64 F2 0E D6
00:06:09: RADIUS: Session-Timeout [27] 6 180
00:06:09: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
00:06:09: RADIUS: Class [25] 30
00:06:09: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 66 63 [CISCOACS:00000fc]
00:06:09: RADIUS: 61 2F 63 30 61 38 30 64 37 31 2F 31 [a/c0a80d71/1]
00:06:09: RADIUS(00000003): Received from id 1645/2
00:06:09: As1 PPP/AAA: Check Attr: timeout: Peruser
00:06:10: As1 PPP/AAA: Check Attr: addr
00:06:10: As1 AAA/AUTHOR/LCP: Process Author
00:06:10: As1 AAA/AUTHOR/LCP: Process Attr: timeout
00:06:10: AAA/AUTHOR: Processing PerUser AV timeout
00:06:10: As1 AAA/AUTHOR/IPCP: FSM authorization not needed
00:06:10: As1 AAA/AUTHOR/FSM: We can start IPCP
00:06:10: As1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 192.168.13.170
00:06:10: As1 AAA/AUTHOR/IPCP: No remote address; FIP = Use peer provided address
00:06:10: As1 AAA/AUTHOR/IPCP: Processing AV addr
00:06:10: As1 AAA/AUTHOR/IPCP: Authorization succeeded
00:06:10: As1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 192.168.13.170
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary wins
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday wins
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for primary dns
00:06:10: As1 AAA/AUTHOR/IPCP: no author-info for seconday dns
00:06:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up

As you can see, the network authorization in fact fails: the user is not permitted to connect by the ACS user configuration, but the connection is established.

I am attaching a JPEG with the ACS user configuration.

Regards

Ale

I have resolved it!!!

I had to insert:

radius-server attribute 6 mandatory

in my configuration with the 12.3 IOS release, and everything works well.

Thanks and Regards

Ale
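The debug output above and the fix in the last reply point at the same thing: the Access-Accept returned by the ACS carries Session-Timeout, Framed-IP-Address and Class but no Service-Type (IETF attribute 6), and the router still reports "Authorization succeeded" because the configuration has radius-server authorization permit missing Service-Type. The script below is an added example, not code from this thread or from Cisco. It parses debug radius lines in the format posted above, lists the attributes of each packet, and applies a simplified model (an assumption for illustration, not IOS's actual authorization code) of the network authorization decision with and without radius-server attribute 6 mandatory. The sample debug lines are a constructed subset of the ones posted in the thread.

```python
import re

# Constructed sample: a subset of the 'debug radius' lines posted in the thread
# (the Access-Request and the Access-Accept for user CASA\marco).
SAMPLE_DEBUG = """
00:06:09: RADIUS: AAA Unsupported Attr: interface [153] 6
00:06:09: RADIUS(00000003): Send Access-Request to 192.168.13.100:1645 id 1645/2, len 143
00:06:09: RADIUS: authenticator F8 75 D5 95 91 74 55 71 - 00 00 00 00 00 00 00 00
00:06:09: RADIUS: Framed-Protocol [7] 6 PPP [1]
00:06:09: RADIUS: User-Name [1] 12 "CASA\\marco"
00:06:09: RADIUS: Vendor, Microsoft [26] 16
00:06:09: RADIUS: MSCHAP_Challenge [11] 10
00:06:09: RADIUS: F8 75 D5 95 91 74 55 71 [?u???tUq]
00:06:09: RADIUS: Vendor, Microsoft [26] 58
00:06:09: RADIUS: MS-CHAP-Response [1] 52 *
00:06:09: RADIUS: NAS-Port-Type [61] 6 Async [0]
00:06:09: RADIUS: Service-Type [6] 6 Framed [2]
00:06:09: RADIUS: NAS-IP-Address [4] 6 192.168.13.113
00:06:09: RADIUS: Received from id 1645/2 192.168.13.100:1645, Access-Accept, len 62
00:06:09: RADIUS: authenticator E9 99 94 43 EB 4B 74 33 - F7 87 03 F6 64 F2 0E D6
00:06:09: RADIUS: Session-Timeout [27] 6 180
00:06:09: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
00:06:09: RADIUS: Class [25] 30
00:06:09: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 66 63 [CISCOACS:00000fc]
00:06:09: RADIUS(00000003): Received from id 1645/2
"""

SERVICE_TYPE = 6         # IETF attribute 6
FRAMED_PROTOCOL = 7      # IETF attribute 7
VENDOR_SPECIFIC = 26     # IETF attribute 26, carries the Microsoft sub-attributes
SERVICE_TYPE_FRAMED = 2  # Service-Type value 'Framed'

# "Send Access-Request to ..." / "Received from id ..., Access-Accept, len ..."
SEND_RE = re.compile(r"Send (Access-\w+) to ")
RECV_RE = re.compile(r"Received from id \S+ \S+, (Access-\w+), len")
# "RADIUS: Name [id] len value"; hex-dump and authenticator lines do not match
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[^\[\]]+?)\s+\[(?P<id>\d+)\]\s+(?P<len>\d+)(?:\s+(?P<value>.+))?$"
)


def parse_packets(debug_text):
    """Return [(packet_type, attrs)] in capture order.

    attrs maps an IETF attribute id to (name, value); a sub-attribute that
    follows a Vendor-Specific [26] line is stored under ("vsa", sub_id) so
    that e.g. MS-CHAP-Response [1] does not overwrite User-Name [1].
    """
    packets = []
    current = None
    expect_vsa = False
    for line in debug_text.splitlines():
        hdr = SEND_RE.search(line) or RECV_RE.search(line)
        if hdr:
            current = (hdr.group(1), {})
            packets.append(current)
            expect_vsa = False
            continue
        if current is None:
            continue  # encode/bind chatter before the first packet header
        m = ATTR_RE.search(line)
        if not m:
            continue
        attr_id = int(m.group("id"))
        key = ("vsa", attr_id) if expect_vsa else attr_id
        current[1][key] = (m.group("name"), m.group("value"))
        expect_vsa = (not expect_vsa) and attr_id == VENDOR_SPECIFIC
    return packets


def network_authorization(accept_attrs, attribute_6_mandatory):
    """Simplified model (an assumption, not IOS's actual code) of the
    'aaa authorization network' decision for a PPP session.

    - Service-Type present: authorize only if it is Framed [2].
    - Service-Type absent and 'radius-server attribute 6 mandatory' set: deny.
    - Service-Type absent otherwise: 'radius-server authorization permit
      missing Service-Type' lets the session through, which is what the
      thread's debug shows ("Authorization succeeded").
    """
    svc = accept_attrs.get(SERVICE_TYPE)
    if svc is None:
        return not attribute_6_mandatory
    m = re.search(r"\[(\d+)\]", svc[1] or "")
    return m is not None and int(m.group(1)) == SERVICE_TYPE_FRAMED


def check_accept(debug_text, attribute_6_mandatory=False):
    """Summarise the last Access-Accept in a capture, or None if there is none."""
    accepts = [a for ptype, a in parse_packets(debug_text) if ptype == "Access-Accept"]
    if not accepts:
        return None
    attrs = accepts[-1]
    return {
        "attributes": [name for name, _ in attrs.values()],
        "service_type_present": SERVICE_TYPE in attrs,
        "framed_protocol_present": FRAMED_PROTOCOL in attrs,
        "authorized": network_authorization(attrs, attribute_6_mandatory),
    }


if __name__ == "__main__":
    for mandatory in (False, True):
        print(f"attribute 6 mandatory={mandatory}:",
              check_accept(SAMPLE_DEBUG, attribute_6_mandatory=mandatory))
```

Run against the sample, the Access-Accept shows service_type_present False and authorized True under the permissive setting, and authorized False once attribute 6 is treated as mandatory; that is the difference the last reply describes. The same parser can be pointed at any debug radius capture to confirm which attributes an ACS profile actually returns before trusting the authorization outcome.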