
Radius/AAA problems between C2610 and RSA ACE-Server

jilahbg
Level 1

Hi!

I have a C2610 with modems for incoming RAS-connections. The users are verified via Radius on the local Domain Controller (AD and IAS). It is working fine.

But when I change the radius-server to instead point to the new RSA Secure-ID Radius-server, I get problems authenticating dial-in users.

Attached is the original, working config.

------ Snip Snip ------

When a user dials in it is successfully authenticated:

debug radius:

hostname#

00:29:32: %LINK-3-UPDOWN: Interface Async38, changed state to up

00:29:34: RADIUS: ustruct sharecount=1

00:29:34: RADIUS: Initial Transmit Async38 id 14 10.1.1.31:1645, Access-Request, len 80

00:29:34: Attribute 4 6 0A010103

00:29:34: Attribute 5 6 00000026

00:29:34: Attribute 61 6 00000000

00:29:34: Attribute 1 12 6D617274

00:29:34: Attribute 2 18 99DA9208

00:29:34: Attribute 6 6 00000002

00:29:34: Attribute 7 6 00000001

00:29:39: RADIUS: Retransmit id 14

00:29:39: RADIUS: Received from id 14 10.1.1.31:1645, Access-Accept, len 64

00:29:39: Attribute 7 6 00000001

00:29:39: Attribute 6 6 00000002

00:29:39: Attribute 25 32 310103F9

00:29:39: RADIUS: saved authorization data for user 80B65CB8 at 80B66118

00:29:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async38, changed state to up

00:29:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async38, changed state to down

00:29:56: %LINK-5-CHANGED: Interface Async38, changed state to reset

00:30:01: %LINK-3-UPDOWN: Interface Async38, changed state to down

Then I change to use the new RSA radius server:

no radius-server host 10.1.1.31 auth-port 1645 acct-port 1646

no radius-server host 10.1.1.32 auth-port 1645 acct-port 1646

no radius-server key xxxxx

radius-server host 10.1.1.20

radius-server key xxxxx

The user has an internal user jila with a static password. When dialing in with this jila user I get this error (again, debug radius):

hostname#

00:02:51: %LINK-3-UPDOWN: Interface Async38, changed state to up

00:02:52: RADIUS: ustruct sharecount=1

00:02:52: RADIUS: Initial Transmit Async38 id 2 10.1.1.20:1645, Access-Request, len 74

00:02:52: Attribute 4 6 0A010103

00:02:52: Attribute 5 6 00000026

00:02:52: Attribute 61 6 00000000

00:02:52: Attribute 1 6 6A696C61

00:02:52: Attribute 2 18 7C02B057

00:02:52: Attribute 6 6 00000002

00:02:52: Attribute 7 6 00000001

00:02:56: RADIUS: Received from id 2 10.1.1.20:1645, Access-Accept, len 47

00:02:56: Attribute 18 21 50415353

00:02:56: Attribute 1 6 6A696C61

00:02:56: RADIUS: saved authorization data for user 80E14F94 at 80B65A4C

00:02:56: RADIUS: no appropriate authorization type for user.

00:02:59: %LINK-5-CHANGED: Interface Async38, changed state to reset

00:03:04: %LINK-3-UPDOWN: Interface Async38, changed state to down

Note the "no appropriate authorization type for user". What is this???????

The real strange thing is that when I telnet (on the LAN) into the 2610-router I can successfully authenticate via Radius:

Username: jila

Password:

hostname>

Again, the debug radius output:

hostname#

00:03:43: RADIUS: ustruct sharecount=1

00:03:43: RADIUS: Initial Transmit tty66 id 3 10.1.1.20:1645, Access-Request, len 74

00:03:43: Attribute 4 6 0A010103

00:03:43: Attribute 5 6 00000042

00:03:43: Attribute 61 6 00000005

00:03:43: Attribute 1 6 6A696C61

00:03:43: Attribute 31 12 31302E31

00:03:43: Attribute 2 18 AEFEC3CD

00:03:47: RADIUS: Received from id 3 10.1.1.20:1645, Access-Accept, len 47

00:03:47: Attribute 18 21 50415353

00:03:47: Attribute 1 6 6A696C61

00:03:47: RADIUS: saved authorization data for user 80C7425C at 80E1E774

pp-lund-r#

What am I doing wrong? Is there something wrong in the aaa-commands? What is the "no appropriate author type for user"? I can't find this error message anywhere on CCO.

Thanks for your help!

Regards

Jimmy Larsson
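
An added example, not part of the original post or of any Cisco tooling: a small Python decoder for the `debug radius` attribute lines above, using the RFC 2865 attribute numbers, that compares the Access-Accept from the old server with the one from the RSA server. The function names are hypothetical, and because this debug format prints only the first four value bytes, longer strings are shown truncated.

```python
import re

# RFC 2865 attribute numbers that appear in the post's "debug radius" output.
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message",
         25: "Class", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
ENUMS = {6: {2: "Framed"}, 7: {1: "PPP"}, 61: {0: "Async", 5: "Virtual"}}
TEXT = {1, 18, 31}
PACKET = re.compile(r"RADIUS: (?:Initial Transmit|Received from) .*, (Access-[\w-]+), len \d+")
ATTR = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")

def decode(atype, length, hexval):
    """Decode the (at most 4) value bytes this IOS debug format prints."""
    raw = bytes.fromhex(hexval)
    if atype == 4:
        return ".".join(str(b) for b in raw)
    if atype in TEXT:
        # length counts the 2-byte type/length header; longer values are cut off
        return raw.decode("ascii", "replace") + ("..." if length - 2 > len(raw) else "")
    if atype in ENUMS or atype == 5:
        n = int.from_bytes(raw, "big")
        return ENUMS.get(atype, {}).get(n, str(n))
    return "0x" + hexval  # opaque values (Class, encrypted User-Password) stay hex

def parse(log):
    """Return [(packet_code, {attribute_name: value})] in log order."""
    packets = []
    for line in log.splitlines():
        if m := PACKET.search(line):
            packets.append((m.group(1), {}))
        elif (m := ATTR.search(line)) and packets:
            t, ln, hx = int(m.group(1)), int(m.group(2)), m.group(3)
            packets[-1][1][NAMES.get(t, f"Attr-{t}")] = decode(t, ln, hx)
    return packets

def accept_attrs(log):
    return next(attrs for code, attrs in parse(log) if code == "Access-Accept")

# Lines copied from the post: the IAS (working) and RSA (failing) replies.
IAS = """00:29:39: RADIUS: Received from id 14 10.1.1.31:1645, Access-Accept, len 64
00:29:39: Attribute 7 6 00000001
00:29:39: Attribute 6 6 00000002
00:29:39: Attribute 25 32 310103F9"""
RSA = """00:02:56: RADIUS: Received from id 2 10.1.1.20:1645, Access-Accept, len 47
00:02:56: Attribute 18 21 50415353
00:02:56: Attribute 1 6 6A696C61"""

if __name__ == "__main__":
    print("only in IAS accept:", sorted(set(accept_attrs(IAS)) - set(accept_attrs(RSA))))
```

Decoded this way, the RSA server's Access-Accept carries only Reply-Message and User-Name, while the IAS reply also carried Service-Type Framed, Framed-Protocol PPP and a Class attribute.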


Richard Burts
Hall of Fame

You say that you attach the working config. But when I look at the file all I see is duplication of the debug results in your posting.

If you want assistance with this I would request that you post all of the aaa statements and all statements that configure radius from both the old (working) and new (non-working) configs.

HTH

Rick
