05-07-2002 04:19 AM - edited 03-01-2019 09:38 PM
Hi all, I have problems trying to authenticate with Radius only at the ppp connection.
When I dial in using the terminal window I can access the router with the Radius authentication, but the access to the network is not possible. It only works using a local user.
Thanks in advance.
Here are the router config and debugs....
Router configuration:
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco3620
!
aaa new-model
aaa authentication login default radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default radius local
enable password ******
username cisco password 0 tricom
ip subnet-zero
no ip finger
!
process-max-time 200
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address ***.**.36.99 255.255.252.0
no cdp enable
!
interface Group-Async33
ip unnumbered FastEthernet0/0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address pool lab
no cdp enable
ppp authentication chap
group-range 33 40
!
router eigrp 1
network ***.**.0.0
!
ip local pool lab ***.**.**.90 ***.**.**.95
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
logging buffered 4096 debugging
no cdp run
radius-server host ***.**.*.** auth-port 1645 acct-port 1646
radius-server key *******
!
line con 0
login authentication NO_AUTHEN
transport input none
line 33 40
autoselect during-login
autoselect ppp
modem InOut
transport preferred none
transport input all
transport output none
stopbits 1
flowcontrol hardware
Debugs:
3d13h: AAA: parse name=tty33 idb type=10 tty=33
3d13h: AAA: name=tty33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 channel=0
3d13h: AAA/AUTHEN: creattty33' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
3d13h: AAA/AUTHEN/START (15223567): port='tty33' list='' action=LOGIN service=LOGIN
3d13h: AAA/AUTHEN/START (15223567): using "default" list
3d13h: AAA/AUTHEN/START (15223567): Method=RADIUS
3d13h: AAA/AUTHEN (15223567): status = GETUSER
3d13h: AAA/AUTHEN/ABORT: (15223567) because Autoselected.
3d13h: AAA/AUTHEN: free_user (0x60F4A404) user='' ruser='' port='tthen_type=ASCII service=LOGIN priv=1
3d13h: As33 LCP: Lower layer not up, Fast Starting
3d13h: As33 PPP: Treating connection as a dedicated line
3d13h: %LINK-3-UPDOWN: Interface Async33, changed state to up
3d13h: As33 PPP: Phase is AUTHENTICATING, by this end
3d13h: As33 CHAP: O CHALLENGE id 6 len 30 from "Cisco3620"
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: AAA: parse name=Async33 idb type=10 tty=33
3d13h: AAA: name=Async33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 channel=0
3d13h: AAA/AUTHEN: create_user (0x60F4A3AC) user='carlos welhous' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d13h: AAA/AUTHEN/START (3218263426): port='Async33' list='' action=LOGIN service=PPP
3d13h: AAA/AUTHEN/START (3218263426): using "default" list
3d13h: AAA/AUTHEN/START (3218263426): Method=RADIUS
3d13h: RADIUS: ustruct sharecount=1
3d13h: RADIUS: Initial Transmit id 17 172.22.0.30:1645, Access-Request, len 85
3d13h: Attribute 4 6 AC162463
3d13h: Attribute 5 6 00000021
3d13h: Attribute 61 6 00000000
3h: Attribute 1 16 6361726C
3d13h: Attribute 3 19 06E45FF5
3d13h: Attribute 6 6 00000002
3d13h: Attribute 7 6 00000001
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: RADIUS: Retransmit id 17
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: RADIUS: Retransmit id 17
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: RADIUS: Retransmit id 17
3d13h: As33 CHAP: I RESPONSE id 6 len 35 from "carlos welhous"
3d13h: As33 AUTH: Duplicate authentication request id=6 already in progress
3d13h: RADIUS: No response for id 17
3d13h: RADIUS: No response from server
3d13h: AAA/AUTHEN (3218263426): status = ERROR
3d13h: AAA/AUTHEN/START (3218263426): Method=LOCAL
3d13h: AAA/AUTHEN (3218263426): User not found, end of method list
3d13h: AAA/AUTHEN (3218263426): status = FAIL
3d12h: As33 CHAP: Unable to validate Response. Username carlos welhous: Authentication failure
3d12h: As33 CHAP: O FAILURE id 4 len 26 msg is "Authentication failure"
3d12h: AAA/AUTHEN: free_user (0x60E43030) user='carlos welhous' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
3d12h: %LINK-5-CHANGED: Interface Async33, changed state to reset
3d12h: %LINK-3-UPDOWN: Interface Async33, changed state to down
05-07-2002 07:50 AM
The debug only indicates that there is no connectivity with the RADIUS server; it makes no sense that PPP connections would fail while terminal connections succeed. I would think that if the RADIUS server were unable to process PPP calls, or was unhappy with any of the AV-Pairs it would still reply to the NAS. All that I can suggest is to troubleshoot this at the RADIUS server, to verify if it is receiving the ACCESS-REQUEST, and why it may not be responding to it.
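An added example, not part of the original thread: a short Python script that summarizes the AAA/RADIUS debug above, decoding the Access-Request attributes and counting retransmits, so it is clear what to look for on the RADIUS server. The sample lines are copied from the post; attribute names and enumerated values follow RFC 2865, and the function names are illustrative.

```python
import re
import socket
# Sample input: lines copied from the debug output in the original post.
SAMPLE = """\
3d13h: AAA/AUTHEN/START (3218263426): Method=RADIUS
3d13h: RADIUS: Initial Transmit id 17 172.22.0.30:1645, Access-Request, len 85
3d13h: Attribute 4 6 AC162463
3d13h: Attribute 5 6 00000021
3d13h: Attribute 61 6 00000000
3d13h: Attribute 6 6 00000002
3d13h: Attribute 7 6 00000001
3d13h: RADIUS: Retransmit id 17
3d13h: RADIUS: Retransmit id 17
3d13h: RADIUS: Retransmit id 17
3d13h: RADIUS: No response for id 17
3d13h: AAA/AUTHEN/START (3218263426): Method=LOCAL
3d13h: AAA/AUTHEN (3218263426): status = FAIL
"""
# RFC 2865 attribute numbers and enumerated values seen in this trace.
NAMES = {4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         7: "Framed-Protocol", 61: "NAS-Port-Type"}
ENUMS = {6: {2: "Framed"}, 7: {1: "PPP"}, 61: {0: "Async"}}

def decode(attr, raw):
    """Map one 'Attribute <type> <len> <hex>' debug entry to (name, value)."""
    name = NAMES.get(attr, f"Attribute-{attr}")
    if attr == 4:
        return name, socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    return name, ENUMS.get(attr, {}).get(value, value)

def summarize(log):
    """Illustrative helper: what was sent, to whom, and how the method list ended."""
    out = {"server": None, "attrs": {}, "methods": [], "retransmits": 0,
           "timed_out": False, "final": None}
    for line in log.splitlines():
        if m := re.search(r"Initial Transmit id \d+ (\S+), Access-Request", line):
            out["server"] = m.group(1)
        elif m := re.search(r"Attribute (\d+) \d+ ([0-9A-Fa-f]+)$", line):
            name, value = decode(int(m.group(1)), bytes.fromhex(m.group(2)))
            out["attrs"][name] = value
        elif m := re.search(r"Method=(\w+)", line):
            out["methods"].append(m.group(1))
        elif "RADIUS: Retransmit" in line:
            out["retransmits"] += 1
        elif "RADIUS: No response for id" in line:
            out["timed_out"] = True
        elif m := re.search(r"status = (\w+)", line):
            out["final"] = m.group(1)
    return out
```

A RADIUS method that times out, followed by LOCAL and a final FAIL, is the pattern the reply describes. On the server side, check for an Access-Request arriving from the decoded NAS-IP-Address and for the reason no reply is sent.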