08-31-2004 05:47 AM - edited 03-02-2019 06:08 PM
Hi!
I have a C2610 with modems for incoming RAS-connections. The users are verified via Radius on the local Domain Controller (AD and IAS). It is working fine.
But when I change the radius-server to instead point to the new RSA Secure-ID Radius-server, I get problems authenticating dial-in users.
Attached is the original, working config.
------ Snip Snip ------
When a user dials in it is successfully authenticated:
debug radius:
hostname#
00:29:32: %LINK-3-UPDOWN: Interface Async38, changed state to up
00:29:34: RADIUS: ustruct sharecount=1
00:29:34: RADIUS: Initial Transmit Async38 id 14 10.1.1.31:1645, Access-Request, len 80
00:29:34: Attribute 4 6 0A010103
00:29:34: Attribute 5 6 00000026
00:29:34: Attribute 61 6 00000000
00:29:34: Attribute 1 12 6D617274
00:29:34: Attribute 2 18 99DA9208
00:29:34: Attribute 6 6 00000002
00:29:34: Attribute 7 6 00000001
00:29:39: RADIUS: Retransmit id 14
00:29:39: RADIUS: Received from id 14 10.1.1.31:1645, Access-Accept, len 64
00:29:39: Attribute 7 6 00000001
00:29:39: Attribute 6 6 00000002
00:29:39: Attribute 25 32 310103F9
00:29:39: RADIUS: saved authorization data for user 80B65CB8 at 80B66118
00:29:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async38, changed state to up
00:29:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async38, changed state to down
00:29:56: %LINK-5-CHANGED: Interface Async38, changed state to reset
00:30:01: %LINK-3-UPDOWN: Interface Async38, changed state to down
Then I change to use the new RSA radius server:
no radius-server host 10.1.1.31 auth-port 1645 acct-port 1646
no radius-server host 10.1.1.32 auth-port 1645 acct-port 1646
no radius-server key xxxxx
radius-server host 10.1.1.20
radius-server key xxxxx
The user has an internal user jila with a static password. When dialing in with this jila user I get this error (again, debug radius):
hostname#
00:02:51: %LINK-3-UPDOWN: Interface Async38, changed state to up
00:02:52: RADIUS: ustruct sharecount=1
00:02:52: RADIUS: Initial Transmit Async38 id 2 10.1.1.20:1645, Access-Request, len 74
00:02:52: Attribute 4 6 0A010103
00:02:52: Attribute 5 6 00000026
00:02:52: Attribute 61 6 00000000
00:02:52: Attribute 1 6 6A696C61
00:02:52: Attribute 2 18 7C02B057
00:02:52: Attribute 6 6 00000002
00:02:52: Attribute 7 6 00000001
00:02:56: RADIUS: Received from id 2 10.1.1.20:1645, Access-Accept, len 47
00:02:56: Attribute 18 21 50415353
00:02:56: Attribute 1 6 6A696C61
00:02:56: RADIUS: saved authorization data for user 80E14F94 at 80B65A4C
00:02:56: RADIUS: no appropriate authorization type for user.
00:02:59: %LINK-5-CHANGED: Interface Async38, changed state to reset
00:03:04: %LINK-3-UPDOWN: Interface Async38, changed state to down
Note the "no appropriate authorization type for user". What is this???????
The really strange thing is that when I telnet (on the LAN) into the 2610-router I can successfully authenticate via Radius:
Username: jila
Password:
hostname>
Again, the debug radius output:
hostname#
00:03:43: RADIUS: ustruct sharecount=1
00:03:43: RADIUS: Initial Transmit tty66 id 3 10.1.1.20:1645, Access-Request, len 74
00:03:43: Attribute 4 6 0A010103
00:03:43: Attribute 5 6 00000042
00:03:43: Attribute 61 6 00000005
00:03:43: Attribute 1 6 6A696C61
00:03:43: Attribute 31 12 31302E31
00:03:43: Attribute 2 18 AEFEC3CD
00:03:47: RADIUS: Received from id 3 10.1.1.20:1645, Access-Accept, len 47
00:03:47: Attribute 18 21 50415353
00:03:47: Attribute 1 6 6A696C61
00:03:47: RADIUS: saved authorization data for user 80C7425C at 80E1E774
pp-lund-r#
What am I doing wrong? Is there something wrong in the aaa-commands? What is the "no appropriate author type for user"? I can't find this error message anywhere on CCO.
Thanks for your help!
Regards
Jimmy Larsson
08-31-2004 01:58 PM
You say that you attach the working config. But when I look at the file all I see is duplication of the debug results in your posting.
If you want assistance with this I would request that you post all of the aaa statements and all statements that configure radius from both the old (working) and new (non-working) configs.
HTH
Rick