Router Login With NPS Radius Problem

mhdganji110 · ‎10-24-2012

Hi !

I like to use Microsoft Network Policy Server 2008 As Radius server for my routers and so control logins using active directory groups

I think i did it all correctly but i get authentication failure

and I should add that i have tested it both with domain groups and local groups

Router Interface : Fa 0/1 : 192.168.10.254

NPS : 192.168.10.11

Router Config :

aaa new-model
!
!
aaa authentication login Ganji group radius local
aaa authorization exec Ganji group radius local  
!

!
radius-server host 192.168.10.11 auth-port 1812 acct-port 1813 key 123456
!

line vty 0 4
 exec-timeout 15 0
 authorization exec Ganji
 logging synchronous
 login authentication Ganji
 transport input all
!

NPS Config :

http://www.webbosworld.co.uk/blog/?p=191

Router Log :

*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): ask "Password: "
*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): send packet; GET_PASSWORD
R1#
*Oct 24 11:43:13.891: RADIUS/ENCODE(00000014):Orig. component type = Exec
*Oct 24 11:43:13.899: RADIUS:  AAA Unsupported Attr: interface         [204] 4  
*Oct 24 11:43:13.899: RADIUS:   74 74                [ tt]
*Oct 24 11:43:13.903: RADIUS(00000014): Config NAS IP: 192.168.10.254
*Oct 24 11:43:13.907: RADIUS/ENCODE(00000014): acct_session_id: 10
*Oct 24 11:43:13.907: RADIUS(00000014): sending
*Oct 24 11:43:13.923: RADIUS(00000014): Send Access-Request to 192.168.10.11:1812 id 1645/12, len 73
*Oct 24 11:43:13.923: RADIUS:  authenticator AB 7D 7F 2C 5F 53 4E 56 - 87 25 94 F0 88 EA 5E A0
*Oct 24 11:43:13.923: RADIUS:  User-Name           [1]   5   "noc"
*Oct 24 11:43:13.923: RADIUS:  User-Password       [2]   18  *
*Oct 24 11:43:13.923: RADIUS:  NAS-Port            [5]   6   2                  
*Oct 24 11:43:13.923: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
*Oct 24 11:43:13.923: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Oct 24 11:
R1#43:13.923: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Oct 24 11:43:13.923: RADIUS:  NAS-IP-Address      [4]   6   192.168.10.254     
*Oct 24 11:43:13.927: RADIUS(00000014): Started 5 sec timeout
*Oct 24 11:43:13.943: RADIUS: Received from id 1645/12 192.168.10.11:1812, Access-Reject, len 20
*Oct 24 11:43:13.947: RADIUS:  authenticator BB A6 60 D5 8C E7 4D 87 - B5 00 1A 76 87 E3 0E 94
*Oct 24 11:43:13.963: RADIUS(00000014): Received from id 1645/12
R1#
*Oct 24 11:43:17.983: AAA/AUTHEN/LOGIN (00000014): Pick method list 'Ganji'
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): ask "Username: "
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): send packet; GET_USER
R1#

NPS Log :

*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): ask "Password: "
*Oct 24 11:43:08.579: RADIUS/ENCODE(00000014): send packet; GET_PASSWORD
R1#
*Oct 24 11:43:13.891: RADIUS/ENCODE(00000014):Orig. component type = Exec
*Oct 24 11:43:13.899: RADIUS:  AAA Unsupported Attr: interface         [204] 4  
*Oct 24 11:43:13.899: RADIUS:   74 74                [ tt]
*Oct 24 11:43:13.903: RADIUS(00000014): Config NAS IP: 192.168.10.254
*Oct 24 11:43:13.907: RADIUS/ENCODE(00000014): acct_session_id: 10
*Oct 24 11:43:13.907: RADIUS(00000014): sending
*Oct 24 11:43:13.923: RADIUS(00000014): Send Access-Request to 192.168.10.11:1812 id 1645/12, len 73
*Oct 24 11:43:13.923: RADIUS:  authenticator AB 7D 7F 2C 5F 53 4E 56 - 87 25 94 F0 88 EA 5E A0
*Oct 24 11:43:13.923: RADIUS:  User-Name           [1]   5   "noc"
*Oct 24 11:43:13.923: RADIUS:  User-Password       [2]   18  *
*Oct 24 11:43:13.923: RADIUS:  NAS-Port            [5]   6   2                  
*Oct 24 11:43:13.923: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
*Oct 24 11:43:13.923: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Oct 24 11:
R1#43:13.923: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Oct 24 11:43:13.923: RADIUS:  NAS-IP-Address      [4]   6   192.168.10.254     
*Oct 24 11:43:13.927: RADIUS(00000014): Started 5 sec timeout
*Oct 24 11:43:13.943: RADIUS: Received from id 1645/12 192.168.10.11:1812, Access-Reject, len 20
*Oct 24 11:43:13.947: RADIUS:  authenticator BB A6 60 D5 8C E7 4D 87 - B5 00 1A 76 87 E3 0E 94
*Oct 24 11:43:13.963: RADIUS(00000014): Received from id 1645/12
R1#
*Oct 24 11:43:17.983: AAA/AUTHEN/LOGIN (00000014): Pick method list 'Ganji'
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): ask "Username: "
*Oct 24 11:43:17.991: RADIUS/ENCODE(00000014): send packet; GET_USER
R1#

mhdganji110 · ‎10-24-2012

It is solved now

the problem was the fact that Vendor-Specific and Configure VSA were not set

more details here :

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/

asmatjalal50795 · ‎04-13-2020

Apr 12 21:33:19.738: RADIUS/ENCODE(0000001A):Orig. component type = Exec
Apr 12 21:33:19.738: RADIUS/ENCODE(0000001A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Apr 12 21:33:19.738: RADIUS(0000001A): Config NAS IP: 0.0.0.0
Apr 12 21:33:19.738: RADIUS(0000001A): Config NAS IPv6: ::
Apr 12 21:33:19.738: RADIUS/ENCODE(0000001A): acct_session_id: 6
Apr 12 21:33:19.738: RADIUS(0000001A): sending
Apr 12 21:33:19.738: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
Apr 12 21:33:19.742: RADIUS(0000001A): Send Access-Request to x.x.x.x:1812 id 1645/13, len 68
Apr 12 21:33:19.742: RADIUS: authenticator 97 FF 4D B6 E7 5D 22 81 - 42 21 2B AF F5 36 6B 03
Apr 12 21:33:19.742: RADIUS: User-Name [1] 6 "6038"
Apr 12 21:33:19.742: RADIUS: User-Password [2] 18 *
Apr 12 21:33:19.742: RADIUS: NAS-Port [5] 6 2
Apr 12 21:33:19.742: RADIUS: NAS-Port-Id [87] 6 "tty2"
Apr 12 21:33:19.742: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 12 21:33:19.742: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
Apr 12 21:33:19.742: RADIUS(0000001A): Sending a IPv4 Radius Packet
Apr 12 21:33:19.742: RADIUS(0000001A): Started 5 sec timeout
Apr 12 21:33:19.745: RADIUS: Received from id 1645/13 x.x.x.x:1812, Access-Reject, len 20
Apr 12 21:33:19.745: RADIUS: authenticator A9 5A 39 F6 D9 C9 81 69 - 7F 6E BC 13 D7 FF F7 04
Apr 12 21:33:19.745: RADIUS(0000001A): Received from id 1645/13
Apr 12 21:33:21.752: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'default'
Apr 12 21:33:21.752: RADIUS/ENCODE(0000001A): ask "Password: "
Apr 12 21:33:21.752: RADIUS/ENCODE(0000001A): send packet; GET_PASSWORD
Apr 12 21:33:27.460: RADIUS/ENCODE(0000001A):Orig. component type = Exec
Apr 12 21:33:27.460: RADIUS/ENCODE(0000001A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Apr 12 21:33:27.460: RADIUS(0000001A): Config NAS IP: 0.0.0.0
Apr 12 21:33:27.460: RADIUS(0000001A): Config NAS IPv6: ::
Apr 12 21:33:27.460: RADIUS/ENCODE(0000001A): acct_session_id: 6
Apr 12 21:33:27.460: RADIUS(0000001A): sending
Apr 12 21:33:27.460: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
Apr 12 21:33:27.460: RADIUS(0000001A): Send Access-Request to x.x.x.x:1812 id 1645/14, len 68
Apr 12 21:33:27.460: RADIUS: authenticator EC D0 EC 4E 63 33 A3 F1 - 20 56 3E D5 42 6A C1 89
Apr 12 21:33:27.460: RADIUS: User-Name [1] 6 "6038"
Apr 12 21:33:27.463: RADIUS: User-Password [2] 18 *
Apr 12 21:33:27.463: RADIUS: NAS-Port [5] 6 2
Apr 12 21:33:27.463: RADIUS: NAS-Port-Id [87] 6 "tty2"
Apr 12 21:33:27.463: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 12 21:33:27.463: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
Apr 12 21:33:27.463: RADIUS(0000001A): Sending a IPv4 Radius Packet
Apr 12 21:33:27.463: RADIUS(0000001A): Started 5 sec timeout
Apr 12 21:33:27.470: RADIUS: Received from id 1645/14 x.x.x.x:1812, Access-Reject, len 20
Apr 12 21:33:27.470: RADIUS: authenticator 59 4A F8 6F 95 7A D7 01 - 0A 35 11 71 44 6B 6C A7
Apr 12 21:33:27.470: RADIUS(0000001A): Received from id 1645/14
Apr 12 21:33:29.476: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'default'
Apr 12 21:33:29.476: RADIUS/ENCODE(0000001A): ask "Password: "
Apr 12 21:33:29.476: RADIUS/ENCODE(0000001A): send packet; GET_PASSWORD