10-10-2012 07:59 AM - edited 03-07-2019 09:23 AM
hi,
I'm using an L2TP tunnel between the LAC router and the LNS router
LAC===============LNS===========>internet
customers use PPPoE and type the username xxx@lns1
I have a database server and a RADIUS server,
my request is,
I want to make a test account and put the username and password on the router, not on the RADIUS and database
my question is what I need to configure on the router?
I want just to put on the customer ADSL router the username test@lns1 and password 123; what do I need to authenticate this username from the router, not from AAA RADIUS?
I will paste my current config on the router, which does AAA from the RADIUS server, and want to know what I need to do if I want the AAA from the router itself
here is my config on the LNS router:
aaa new-model
!
!
aaa group server radius radiusservers
 server-private x.x.x.x auth-port 111 acct-port 111 key 7 1ccccccccccc
 server-private x.x.x.x auth-port 111 acct-port 111 key 7 1ccccccccccc
!
aaa authentication login adminstaff local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication ppp vpdn group radiusservers local
aaa authorization network default group radius local
aaa authorization network vpdn group radiusservers local
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting delay-start
aaa accounting update newinfo periodic 5
aaa accounting network vpdn
 action-type start-stop
 broadcast
 group radiusservers
!
!
aaa server radius dynamic-author
 client x.x.x.x server-key 7 34wefwefwefwefwe
=================================
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip tcp adjust-mss 1412
 no logging event link-status
 peer default ip address pool 111
 ppp mtu adaptive
 ppp authentication pap vpdn
 ppp authorization vpdn
 ppp accounting vpdn
ip radius source-interface GigabitEthernet0/1
logging alarm informational
!
!
======================================
radius-server attribute nas-port format d
radius-server configure-nas
radius-server host x.x.x.x1 auth-port 111 acct-port 111 key 7 fgsgsdgsdgsdgsdgsd
radius-server retransmit 0
radius-server key 7934t788uf2
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
10-10-2012 11:23 AM
Hello Ahmed,
the AAA PPP authentication list of methods that you have is:
aaa authentication ppp vpdn group radiusservers local
you need to change this to
aaa authentication ppp vpdn local group radiusservers
because the order of authentication methods is important: with the current version of the command the RADIUS server is contacted first, and local is used only if the RADIUS server is not reachable or does not provide an answer.
Edit:
you will likely need to change also the aaa authorization network list of methods in the same way.
Hope to help
Giuseppe
10-11-2012 10:48 AM
hi Giuseppe,
thanks for your reply,
I have a question,
can I edit the config so that it first checks the local router database, and if there is no answer from the router or the user is not found in the router's local database, then =============> go to RADIUS?
can I do that?
if yes, what config should be modified?
regards
10-11-2012 11:11 AM
Hello Ahmed,
the configuration change that I suggested in my first post in this thread should do what you want: look in the local database first and then go to RADIUS
aaa authentication ppp vpdn local group radiusservers
with this command the order of the list of authentication methods is local first, then RADIUS
Hope to help
Giuseppe
10-11-2012 12:08 PM
hi,
I changed the one command as you requested, but couldn't get authenticated by the local router database!!!
should I change the authorization and accounting?
regards
10-11-2012 12:10 PM
another question
have a look at the command
aaa authentication login adminstaff local
my question is, what about the adminstaff location?
it is not in the router config?!!
regards
10-11-2012 01:03 PM
Hello Ahmed,
you should try to change also the list of authorization methods.
However, in an L2TP extended PPP session scenario, the use of RADIUS may be mandatory. It is not so easy to work without RADIUS. As a workaround you could create a test user account on the RADIUS server.
This would allow testing the whole chain.
>> aaa authentication login adminstaff local
this is a list of authentication methods to be used for login; if used in the router configuration, expect to see it under the line vty or line con 0 configuration stanzas.
To be noted: a list of authentication methods can be defined and never used; this is not a problem.
Hope to help
Giuseppe
10-11-2012 01:13 PM
hi Giuseppe,
about the RADIUS authentication,
yesterday the config commands were written and the RADIUS server wasn't ready yet, and I could log in using the local database with the previous commands I posted in the first post.
but after the RADIUS server was up and configured, I can no longer use the local database from the router,
I will try to change the authorization and give you a reply
about the adminstaff list, I'm not understanding what this list is!!!! is this a list that contains info, or is it just a name?
and where is the info of this list?
regards
10-11-2012 01:58 PM
Hello Ahmed,
1) authentication ppp
When the RADIUS server is offline or does not answer, the list of authentication methods moves to the next method, which is local in the original list.
Once the RADIUS server is up and running it will answer the AAA authentication requests made by the router using RADIUS messages. This is the reason why a locally defined username/password pair does not work anymore: the RADIUS server replies with a FAIL message.
The router does not move to the next authentication method, so the PPP authentication fails if the user/password is only locally defined.
2) adminstaff
AAA can be used to provide lists of methods for different operations; aaa authentication login specifies a list of authentication methods to be used for accessing the device on vty (telnet or ssh sessions) or on the console
so the
aaa authentication login adminstaff local
line vty 0 4
 login authentication adminstaff
is equivalent to:
no aaa new-model
line vty 0 4
 login local
see
Hope to help
Giuseppe
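The method-list behaviour described in the two replies above (a RADIUS Access-Reject is a definitive answer that stops the walk, while an unreachable server lets the router try the next method, so "group radiusservers local" and "local group radiusservers" behave very differently once the server is up) is easy to get wrong when reading a config. The following Python model is an added illustration written for this thread; it is not code from the router, from Cisco or from either poster. It reuses the thread's test@lns1 / 123 account; the customer@lns1 / s3cret pair and the rule that an unknown local username lets the walk continue (which is how the final "local group radiusservers" order is reported to behave in the last post) are assumptions of the model.

```python
# Added example: a small model of how a Cisco IOS AAA method list is walked.
# Illustration written for this thread, not code from the router, from Cisco
# or from the posters. Method names mirror "aaa authentication ppp vpdn ...".
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # definitive answer: the walk stops here
    NO_ANSWER = "no-answer"      # method could not decide: try the next one


@dataclass
class LocalMethod:
    """The 'local' keyword: usernames configured on the router itself."""
    users: dict = field(default_factory=dict)   # username -> password
    name: str = "local"

    def authenticate(self, user, password):
        if user not in self.users:
            # Assumption of this model: an unknown local username lets the
            # walk continue, which is how the thread's final
            # "local group radiusservers" order is reported to behave.
            return Verdict.NO_ANSWER
        return Verdict.ACCEPT if self.users[user] == password else Verdict.REJECT


@dataclass
class RadiusGroup:
    """The 'group radiusservers' keyword: a RADIUS server group."""
    users: dict = field(default_factory=dict)   # what the AAA backend knows
    reachable: bool = True
    name: str = "group radiusservers"

    def authenticate(self, user, password):
        if not self.reachable:
            return Verdict.NO_ANSWER            # timeout: next method is tried
        if self.users.get(user) == password:
            return Verdict.ACCEPT               # Access-Accept
        return Verdict.REJECT                   # Access-Reject ends the walk


def walk_method_list(methods, user, password):
    """Try each method in order; stop at the first ACCEPT or REJECT.

    Returns (verdict, name of the method that decided). If no method gives
    an answer the session is refused and the deciding method is None.
    """
    for method in methods:
        verdict = method.authenticate(user, password)
        if verdict is not Verdict.NO_ANSWER:
            return verdict, method.name
    return Verdict.REJECT, None


def scenarios():
    """Replay the thread: same users, different method order / RADIUS state."""
    local = LocalMethod(users={"test@lns1": "123"})   # router-defined test user
    results = {}

    # 1. 'group radiusservers local' while RADIUS is still down: local answers.
    radius_down = RadiusGroup(users={}, reachable=False)
    results["radius_first_server_down"] = walk_method_list(
        [radius_down, local], "test@lns1", "123")

    # 2. Same order once RADIUS is up but does not know the test user:
    #    Access-Reject is definitive, so local is never consulted.
    #    (customer@lns1 / s3cret is a constructed sample account.)
    radius_up = RadiusGroup(users={"customer@lns1": "s3cret"}, reachable=True)
    results["radius_first_server_up"] = walk_method_list(
        [radius_up, local], "test@lns1", "123")

    # 3. 'local group radiusservers': the test user is answered locally and
    #    real customers (unknown locally) still fall through to RADIUS.
    results["local_first_test_user"] = walk_method_list(
        [local, radius_up], "test@lns1", "123")
    results["local_first_customer"] = walk_method_list(
        [local, radius_up], "customer@lns1", "s3cret")

    # 4. A wrong password for a locally known user is a definitive REJECT;
    #    the walk does not go on to RADIUS.
    results["local_first_bad_password"] = walk_method_list(
        [local, radius_up], "test@lns1", "wrong")
    return results


if __name__ == "__main__":
    for name, (verdict, decided_by) in scenarios().items():
        print(f"{name:28} -> {verdict.value:9} (decided by {decided_by})")
```

Scenario 2 is the symptom reported earlier in the thread (local worked only while RADIUS was down); scenario 3 is the corrected order. The same walk applies to the authorization list, which is why the authorization command had to be reordered too.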
10-13-2012 06:02 AM
hi Giuseppe,
I could finally edit the authorization command and arranged it like the authentication command, and I can now check local and then the RADIUS server
thanks
regards