cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1237
Views
10
Helpful
4
Replies

RV340W RADIUS Authentication failing after Firmware update

thegannet
Level 1
Level 1

Hi,

 

We recently updated the Firmware on our RV340W from 1.0.01.18 to 1.0.03.15.

 

Ever since we cannot verify our VPN (or WebUI) users using the RADIUS server.  It seems to authenticate with the RADIUS server ok, but the the router fails to allow access.

 

Anything we could be missing?

 

Thanks in advance,

-- Peter.

4 Replies 4

thegannet
Level 1
Level 1

A little further information - from the Logs, The RADIUS authentication is working, but then for some reason it is feeling the need to authenticate with the localDB too:

 

2019-Jul-11, 12:25:09 UTC error user jsonrpc: Last message 'User peter login fai' repeated 1 times, supressed by syslog-ng on router4506C2
2019-Jul-11, 12:24:54 UTC info system <Email Sent about failure>
2019-Jul-11, 12:24:54 UTC error user jsonrpc: User peter login fail from 192.168.0.146
2019-Jul-11, 12:24:54 UTC error user weblogin: Localdb:authorization failed as group is NULL
2019-Jul-11, 12:24:54 UTC info user weblogin: pam_radius_auth: User peter authentication succeeded

 

Any ideas please?

 

-- Peter.

Hello,

 

Following input from Cisco Support, the RADIUS Server client needs to return an additional Attribute 'Class', the value of which needs to correspond to a User Group defined in the Router UI.

eg: Class=admin

 

This caused a further headache for us because our RADIUS Server doesn't support sending attributes back.  We have had to use Windows Servers' built in RADIUS Server to forward the request on to our existing provider and append the relevant attribute to the reply.

 

I have to say this - please can this stuff be documented somewhere?!  We've lost countless hours to this - as have Cisco support having to reproduce and get us the answer.

 

-- Peter.

I have the same issue . Can you please share your conf where you and how you add that Class ? Thank you.

Hi  we found how to fix that issue 

First  we need to in the groups in cisco then  you need to create group lets say with name  readonlygroup and on this group we need to select permition lets say readonly with login or whatever .

Then we need to go in users in radius and  settings shoud be that 

 

Userreadonly Cleartext-Password := "passreadonly"
Service-Type = NAS-Prompt-User,
Class = readonlygroup,
Cisco-AVPair = "shell:roles=network-admin vdc-admin vdc-operator"

Most important settin is Class = readonlygroup,  that class say in which group user shoud be assing

If your group  in cisco is with name  GROUPEXAMPLE   you  need to change Class = GROUPEXAMPLE   

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: