05-14-2021 10:17 PM
aaa new-model
radius-server local
nas 192.168.51.175 key 0 cisco
user test password test
user testa password test
When I create a local RADIUS server, I am unable to test it with the FreeRADIUS tool radtest:
freeRadius:~# radtest -t pap test test 192.168.51.194 1812 cisco
Sent Access-Request Id 54 from 0.0.0.0:41741 to 192.168.51.194:1812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 192.168.51.175
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 54 from 192.168.51.194:1812 to 192.168.51.175:41741 length 88
State = 0x26c26313708f5aa500000000000000000000000000000000000000000000000021d94e478d5721d843697c90d24f6cd5
Message-Authenticator = 0x64d787d5073d2d69af4d7e359551d890
However, when I try testa:
freeRadius:~# radtest -t pap testa test 192.168.51.194 1812 cisco
Sent Access-Request Id 160 from 0.0.0.0:34508 to 192.168.51.194:1812 length 75
User-Name = "testa"
User-Password = "test"
NAS-IP-Address = 192.168.51.175
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Reject Id 160 from 192.168.51.194:1812 to 192.168.51.175:34508 length 88
State = 0x26c26313708f5aa500000000000000000000000000000000000000000000000021d94e478d5721d843697c90d24f6cd5
Message-Authenticator = 0x5426653560529d8a8861bb1ef630eb6f
(0) -: Expected Access-Accept got Access-Reject
And on the router:
R1#debug radius local-server error
Radius server error debugging is on
R1#
*Mar 1 00:50:29.179: RADSRV: Client testa password failed
What I have found is that the password must be the same as the username, so it only works when user testa has the password testa.
This is with a clean config, so only setting interface fa 0/0 to ip address dhcp, no shut, and the above commands were run on the router. I have tried this on access points as well, versions 12 and 15. I will test other Cisco hardware as a client instead of the FreeRADIUS tools, but I can't see the FreeRADIUS tools deviating from the RFCs.
05-14-2021 11:38 PM
I told a Cisco router to
aaa authentication login test group radius
radius server test
address ipv4 192.168.1.158 auth-port 1812 acct-port 1813
key cisco
and the
line vty 0 4
to
login authentication test
The AP is set up for users test/test and testa/test. I was able to telnet into the router with test/test but failed with bad password on testa/test, the same as I was getting with radtest.
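Added example, not part of the original posts and not Cisco or FreeRADIUS code: the PAP User-Password hiding from RFC 2865 section 5.2, which can be used to check from a packet capture what password a client actually sent. The hidden value depends only on the shared secret, the Request Authenticator and the password, not on User-Name. The Request Authenticator below is a constructed sample value.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password attribute value as in RFC 2865 section 5.2."""
    if len(request_auth) != 16 or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and a password of at most 128 octets")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, size, 16):
        # b1 = MD5(S + RA), b(n) = MD5(S + c(n-1)); c(n) = p(n) XOR b(n)
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the hiding, as the server does with its configured key."""
    if len(request_auth) != 16 or len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("need a 16-octet authenticator and 16 to 128 octets of hidden data")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator, not from a real capture
    attr = hide_password(b"test", b"cisco", ra)
    print("User-Password on the wire:", attr.hex())
    print("with key 'cisco':", recover_password(attr, b"cisco", ra))
    # A mismatched shared secret decodes to unrelated bytes, not the password.
    print("with key 'Cisco':", recover_password(attr, b"Cisco", ra))
```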