trouble with "radius-server local"

kundarsa
Level 1

aaa new-model

radius-server local
nas 192.168.51.175 key 0 cisco
user test password test
user testa password test


When I create a local RADIUS server, I am unable to test it with the FreeRADIUS tool radtest.

freeRadius:~# radtest -t pap test test 192.168.51.194 1812 cisco
Sent Access-Request Id 54 from 0.0.0.0:41741 to 192.168.51.194:1812 length 74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 192.168.51.175
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 54 from 192.168.51.194:1812 to 192.168.51.175:41741 length 88
State = 0x26c26313708f5aa500000000000000000000000000000000000000000000000021d94e478d5721d843697c90d24f6cd5
Message-Authenticator = 0x64d787d5073d2d69af4d7e359551d890


However, when I try testa:

freeRadius:~# radtest -t pap testa test 192.168.51.194 1812 cisco
Sent Access-Request Id 160 from 0.0.0.0:34508 to 192.168.51.194:1812 length 75
User-Name = "testa"
User-Password = "test"
NAS-IP-Address = 192.168.51.175
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Reject Id 160 from 192.168.51.194:1812 to 192.168.51.175:34508 length 88
State = 0x26c26313708f5aa500000000000000000000000000000000000000000000000021d94e478d5721d843697c90d24f6cd5
Message-Authenticator = 0x5426653560529d8a8861bb1ef630eb6f
(0) -: Expected Access-Accept got Access-Reject


And on the router:

R1#debug radius local-server error
Radius server error debugging is on
R1#
*Mar 1 00:50:29.179: RADSRV: Client testa password failed


What I have found is that the password must be the same as the username, so it only works when user testa has the password testa.


This is with a clean config, so only setting interface fa 0/0 to ip address dhcp, no shut, and the above commands were run on the router. I have tried this on access points as well, versions 12 and 15. I will test other Cisco hardware as a client instead of the FreeRADIUS tools, but I can't see the FreeRADIUS tools deviating from the RFCs.

1 Reply

kundarsa
Level 1

I told a Cisco router to

aaa authentication login test group radius

radius server test
address ipv4 192.168.1.158 auth-port 1812 acct-port 1813
key cisco

and the

line vty 0 4

to

login authentication test


The AP is set up for users test/test and testa/test. I was able to telnet into the router with test/test but failed with a bad password on testa/test, the same as I was getting with radtest.
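The PAP exchange that radtest performs in both posts, written out as an added example (not code from the thread, Cisco IOS or FreeRADIUS): the RFC 2865 User-Password hiding done by the client, and the credential check a RADIUS server should perform on the other side. The user database mirrors the `radius-server local` config in the post, the shared secret is the `cisco` key from the post, and the Request Authenticator is a constructed value.

```python
import hashlib
import hmac

# Constructed user database mirroring the "radius-server local" config in the post.
USER_DB = {"test": b"test", "testa": b"test"}
SHARED_SECRET = b"cisco"  # the "key" shared between the NAS and the server in the post


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the PAP password with NULs to a multiple of 16
    octets, then XOR each block with MD5(secret + previous ciphertext block),
    seeded with the 16-octet Request Authenticator. The User-Name is not an input."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += block
        prev = block
    return hidden


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_user_password; returns the password with NUL padding removed."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return plain.rstrip(b"\x00")


def server_accepts_pap(user_name: str, hidden: bytes, authenticator: bytes,
                       secret: bytes = SHARED_SECRET, user_db=USER_DB) -> bool:
    """What a RADIUS server should do with a PAP Access-Request: recover the password
    with the NAS secret, then compare it against the credential stored for User-Name.
    A correct check accepts testa/test exactly as it accepts test/test."""
    stored = user_db.get(user_name)
    if stored is None:
        return False
    recovered = recover_user_password(hidden, secret, authenticator)
    return hmac.compare_digest(recovered, stored)  # constant-time comparison
```

The User-Name is not an input to the hiding step, so the same hidden octets are sent for test/test and testa/test; which request a server accepts depends only on its own credential lookup and comparison.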