02-22-2006 07:59 PM
Hello,
We have a Cisco 2610 router with an 8-port analogue module. The dialup users access the modem pool and pass the RSA Radius server for authentication. The IOS version of the Cisco 2610 is 12.0(9).
Now we want to replace the older Cisco 2610 with a Cisco 2811 with an 8-port V.92 analogue module. I put the same configuration in the Cisco 2811 (IOS version is 4(3b)), but I get an authentication error from the Radius server. From the Syslog messages, I see that the passcode is accepted but the Radius server has returned.
%RADIUS-4-RADIUS_ALIVE: RADIUS server 192.9.64.141:1645,1646 has returned.
It seems that the new router does not use the same Radius attribute format as the older one. How can I change the Radius protocol format to the older format?
Thank you.
Jessie Dong
02-23-2006 04:53 AM
Hello Jessie,
Which ports do you have configured for authentication and accounting? From your log message, it appears that you are using 1645 and 1646, respectively. Try 1812 and 1813 instead, and check if that makes a difference.
Regards,
Nethelper
02-27-2006 02:33 PM
Hi Nethelper,
I captured a trace with Cisco 2611 and one with Cisco 2811. The difference is the Radius access request Id format (see the trace below). Could you tell me how I can change the Radius Access request Id format?
Thank you.
Jessie
Dailout-S09-02 with Cisco 2610
Feb 27 15:42:02.897: RADIUS: ustruct sharecount=1
Feb 27 15:42:02.901: RADIUS: Initial Transmit tty33 id 1 192.9.64.141:1645, Access-Request, len 78
Feb 27 15:42:02.901: Attribute 4 6 AC164CDF
Feb 27 15:42:02.901: Attribute 5 6 00000021
Feb 27 15:42:02.901: Attribute 61 6 00000000
Feb 27 15:42:02.901: Attribute 1 8 6475626F
Feb 27 15:42:02.901: Attribute 31 14 3131312E
Feb 27 15:42:02.901: Attribute 2 18 DA9C2091
Feb 27 15:42:04.972: RADIUS: Received from id 1 172.22.76.131:1645, Access-Accept, len 49
Feb 27 15:42:04.972: Attribute 18 21 50415353
Feb 27 15:42:04.972: Attribute 1 8 6475626F
Feb 27 15:42:04.972: RADIUS: saved authorization data for user 8092E094 at 80A53250
Feb 27 15:43:55.932: RADIUS: ustruct sharecount=1
Feb 27 15:43:55.932: RADIUS: Initial Transmit tty33 id 2 192.9.64.141:1645, Access-Request, len 78
Feb 27 15:43:55.936: Attribute 4 6 AC164CDF
Feb 27 15:43:55.936: Attribute 5 6 00000021
Feb 27 15:43:55.936: Attribute 61 6 00000000
Feb 27 15:43:55.936: Attribute 1 8 6475626F
Feb 27 15:43:55.936: Attribute 31 14 3131312E
Feb 27 15:43:55.936: Attribute 2 18 E58F6733
Feb 27 15:43:57.984: RADIUS: Received from id 2 172.22.76.131:1645, Access-Accept, len 49
Feb 27 15:43:57.984: Attribute 18 21 50415353
Feb 27 15:43:57.984: Attribute 1 8 6475626F
Feb 27 15:43:57.988: RADIUS: saved authorization data for user 80A53250 at 80B172BC
Dailout-S09-02 with Cisco 2811
Feb 27 21:52:03.788: RADIUS/ENCODE(00000009):Orig. component type = TCPVTY
Feb 27 21:52:03.788: RADIUS: AAA Unsupported Attr: interface [156] 6
Feb 27 21:52:03.788: RADIUS: 74 74 79 31 [tty1]
Feb 27 21:52:03.788: RADIUS(00000009): Storing nasport 66 in rad_db
Feb 27 21:52:03.788: RADIUS/ENCODE(00000009): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Feb 27 21:52:03.788: RADIUS(00000009): Config NAS IP: 0.0.0.0
Feb 27 21:52:03.788: RADIUS/ENCODE(00000009): acct_session_id: 9
Feb 27 21:52:03.788: RADIUS(00000009): sending
Feb 27 21:52:03.788: RADIUS/ENCODE: Best Local IP-Address 172.22.76.223 for Radius-Server 192.9.64.141
Feb 27 21:52:03.788: RADIUS(00000009): Send Access-Request to 192.9.64.141:1645 id 1645/8, len 78
Feb 27 21:52:03.788: RADIUS: authenticator A7 D6 32 BA 6C 28 26 6A - 83 C3 3C 5E 24 1A 4E 3E
Feb 27 21:52:03.788: RADIUS: User-Name [1] 8 "duboa9"
Feb 27 21:52:03.788: RADIUS: User-Password [2] 18 *
Feb 27 21:52:03.788: RADIUS: NAS-Port [5] 6 66
Feb 27 21:52:03.788: RADIUS: NAS-Port-Type [61] 6 Async [0]
Feb 27 21:52:03.788: RADIUS: Calling-Station-Id [31] 14 "111.16.9.198"
Feb 27 21:52:03.788: RADIUS: NAS-IP-Address [4] 6 172.22.76.223
Feb 27 21:52:05.844: RADIUS: Received from id 1645/8 172.22.76.131:1645, Access-Accept, len 49
Feb 27 21:52:05.844: RADIUS: Response for non-existent request ident
Feb 27 21:52:09.188: RADIUS: no sg in radius-timers: ctx 0x4320519C sg 0x0000
Feb 27 21:52:09.188: RADIUS: Retransmit to (192.9.64.141:1645,1646) for id 1645/8
Feb 27 21:52:14.596: RADIUS: no sg in radius-timers: ctx 0x4320519C sg 0x0000
Feb 27 21:52:14.596: RADIUS: Retransmit to (192.9.64.141:1645,1646) for id 1645/8
Feb 27 21:52:19.892: RADIUS: no sg in radius-timers: ctx 0x4320519C sg 0x0000
Feb 27 21:52:19.892: RADIUS: Retransmit to (192.9.64.141:1645,1646) for id 1645/8
02-27-2006 03:02 PM
Hello,
I am not sure which attribute you need, but check this link, which describes the possible attributes that you can configure:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_r1h.htm
Regards,
Nethelper
02-27-2006 08:42 PM
Hello,
I am talking about the Radius access request Id format (see the info below).
With Cisco 2610, Id = 1
Feb 27 15:42:02.901: RADIUS: Initial Transmit tty33 id 1 192.9.64.141:1645, Access-Request, len 78
Feb 27 15:42:04.972: RADIUS: Received from id 1 172.22.76.131:1645, Access-Accept, len 49
With Cisco 2811, Id = 1645/8
Feb 27 21:52:03.788: RADIUS(00000009): Send Access-Request to 192.9.64.141:1645 id 1645/8, len 78
Feb 27 21:52:05.844: RADIUS: Received from id 1645/8 172.22.76.131:1645, Access-Accept, len 49
Feb 27 21:52:05.844: RADIUS: Response for non-existent request ident
It seems that Cisco 2811 (IOS 12.3.8T11) does not use the same request Id format as Cisco 2610 (12.0.9). How can I change the request Id format?
Thank you.
Jessie
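Added example, not part of any post in this thread: a small parser that pairs each Access-Request in the two debug formats shown above with its reply and compares the address the request was sent to with the address the reply came from. The log lines are copied from the traces in the thread; the function and field names are made up for this example. It reports what the traces contain (in both, the request goes to 192.9.64.141 and the Access-Accept arrives from 172.22.76.131, and only the 2811 logs the reply as unmatched) and does not by itself establish the cause.

```python
import re

# Lines copied from the two debug traces posted in this thread.
TRACE_2610 = """\
Feb 27 15:42:02.901: RADIUS: Initial Transmit tty33 id 1 192.9.64.141:1645, Access-Request, len 78
Feb 27 15:42:04.972: RADIUS: Received from id 1 172.22.76.131:1645, Access-Accept, len 49
Feb 27 15:42:04.972: RADIUS: saved authorization data for user 8092E094 at 80A53250
""".splitlines()

TRACE_2811 = """\
Feb 27 21:52:03.788: RADIUS(00000009): Send Access-Request to 192.9.64.141:1645 id 1645/8, len 78
Feb 27 21:52:05.844: RADIUS: Received from id 1645/8 172.22.76.131:1645, Access-Accept, len 49
Feb 27 21:52:05.844: RADIUS: Response for non-existent request ident
Feb 27 21:52:09.188: RADIUS: Retransmit to (192.9.64.141:1645,1646) for id 1645/8
""".splitlines()

SENT_OLD = re.compile(r"Initial Transmit \S+ id (\S+) ([\d.]+):\d+, Access-Request")
SENT_NEW = re.compile(r"Send Access-Request to ([\d.]+):\d+ id (\S+),")
RECEIVED = re.compile(r"Received from id (\S+) ([\d.]+):\d+, ([\w-]+)")
RETRANS = re.compile(r"Retransmit to .* for id (\S+)")

def _new(ident, dst):
    return {"id": ident, "sent_to": dst, "reply_from": None, "reply": None,
            "source_differs": None, "discarded": False, "retransmits": 0}

def pair_exchanges(lines):
    """Pair each Access-Request with its reply by id and compare addresses."""
    exchanges, last = {}, None
    for line in lines:
        if m := SENT_OLD.search(line):          # 12.0-style debug line
            exchanges[m[1]] = _new(m[1], m[2])
        elif m := SENT_NEW.search(line):        # newer-style debug line
            exchanges[m[2]] = _new(m[2], m[1])
        elif (m := RECEIVED.search(line)) and m[1] in exchanges:
            last = exchanges[m[1]]
            last.update(reply_from=m[2], reply=m[3],
                        source_differs=(m[2] != last["sent_to"]))
        elif "Response for non-existent request ident" in line and last:
            last["discarded"] = True            # router did not match the reply
        elif (m := RETRANS.search(line)) and m[1] in exchanges:
            exchanges[m[1]]["retransmits"] += 1
    return list(exchanges.values())

if __name__ == "__main__":
    for name, trace in (("2610", TRACE_2610), ("2811", TRACE_2811)):
        for ex in pair_exchanges(trace):
            print(name, ex)
```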