12-30-2007 04:19 AM
I authenticate users establishing a ppp connection into a 12.4(17a) 2811 router. They have a password, however the router always sends "cisco" as password string to the freeradius server. Any ideas?
12-30-2007 06:35 PM
MATTHIAS
The 2811 will communicate with the Radius server to establish a connection using a shared key and then will send the authentication request to the Radius server which will include the user password. I am not clear from your post whether it is the first communication to establish the connection or the user authentication request which is sending the "cisco" password. Can you clarify?
Also how are you determining what password the 2811 is sending?
It might be helpful if you would post the config of the 2811.
HTH
Rick
12-31-2007 03:32 AM
Hi Rick,
It is the password in the authentication request that I am referring to. We can see it on the freeradius server, and although it is set to something different in the clients, the 2811 transfers "cisco". The clients are non-Cisco devices, so it is very likely that they are not the source of this string.
Here's the RADIUS part of my config:
aaa new-model
!
aaa group server radius AAA-CLIENT-VPN2-GROUP
server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local
aaa authorization network default group AAA-CLIENT-VPN2-GROUP local
aaa accounting update periodic 2
aaa accounting network default start-stop group AAA-CLIENT-VPN2-GROUP
!
aaa pod server auth-type any server-key
aaa session-id common
!
!
!
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
!
interface FastEthernet0/1
ip address x.x.x.114 255.255.255.248
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
peer default ip address dhcp-pool DHCP-POOL-CLIENT-VPN2
ppp authentication pap chap ms-chap
!
!
ip radius source-interface FastEthernet0/0
!
radius-server attribute 44 include-in-access-req
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key
radius-server unique-ident 2
Thanks,
Mat
01-01-2008 05:43 PM
Mat
I see an issue and am not sure if it is really an issue in the config or just an issue with getting data into the posting. In the authentication statement for ppp:
aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local
the group name AAA-CLIENT-VPN2-GROUP appears as the method name and not as the radius group. I wonder what would happen if you replace it with this:
aaa authentication ppp group AAA-CLIENT-VPN2-GROUP local
HTH
Rick
01-02-2008 01:43 AM
Hi Rick,
Thanks for your reply. You are right, I sort of mixed up the two lists. As soon as I can contact my peer on the RADIUS server side I'll check if this changes the behavior.
Regards,
Mat
vpn-03(config)#aaa authentication ppp ?
WORD Named authentication list.
default The default authentication list.
vpn-03(config)#aaa authentication ppp AAA-CLIENT-VPN2-GROUP group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
01-02-2008 03:47 AM
Rick,
I tested it now with the syntax you proposed and it was successful. Thanks for your idea. I previously thought that not entering the list would default to any configured RADIUS server (which partly is the case). But for the password sending apparently there is a different mechanism with or without the right group name.
Thanks again. That's a good start for this year!
Regards,
Mat
01-02-2008 04:26 AM
Mat
I am glad that my suggestion was able to resolve your issue. I believe that the issue has less to do with whether you supply the group name or not and more to do with the fact that you had created a named method list. So ppp authentication had no default method configured, had a named method configured, but had nothing to tell ppp to use the named method.
Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can read what was successful in resolving the issue.
I encourage you to continue your participation in the forum.
HTH
Rick
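A way to catch the mismatch this thread ends on mechanically (a named PPP method list that no interface applies, and a server-group name used where a list name goes): an added Python audit over IOS-style config text, not code from the thread or from Cisco. The sample config is cut down from the one posted above; the "fixed" variant names the list `default`, which is my assumption about the intended repair.

```python
# Constructed sample (not the poster's full running-config): the AAA and
# interface lines from the thread that matter for PPP authentication.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius AAA-CLIENT-VPN2-GROUP
 server 10.10.10.1 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local
interface Virtual-Template1
 ppp authentication pap chap ms-chap
"""
# Assumed repair: put the RADIUS group into the *default* PPP list, so the
# Virtual-Template (which names no list) actually picks it up.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication ppp AAA-CLIENT-VPN2-GROUP group radius local",
    "aaa authentication ppp default group AAA-CLIENT-VPN2-GROUP local")

PPP_PROTOCOLS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap"}
PPP_OPTIONS = {"if-needed", "callin", "one-time", "optional"}

def audit_ppp_aaa(config: str) -> list[str]:
    findings: list[str] = []
    server_groups: set[str] = set()
    ppp_lists: dict[str, list[str]] = {}   # list name -> method tokens
    iface_lists: dict[str, str] = {}       # interface -> PPP list it uses
    iface = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["aaa", "group", "server"] and len(tok) > 4:
            server_groups.add(tok[4])
        elif tok[:3] == ["aaa", "authentication", "ppp"] and len(tok) > 4:
            ppp_lists[tok[3]] = tok[4:]
        elif tok[0] == "interface" and len(tok) > 1:
            iface = tok[1]
        elif tok[:2] == ["ppp", "authentication"] and iface:
            # whatever is neither a protocol nor an option is the list name
            rest = [t for t in tok[2:] if t not in PPP_PROTOCOLS | PPP_OPTIONS]
            iface_lists[iface] = rest[0] if rest else "default"
    for name in ppp_lists:
        if name in server_groups:   # the thread's slip: group name as list name
            findings.append(f"list '{name}' is named like a server group; "
                            f"did you mean 'group {name}'?")
        if name != "default" and name not in iface_lists.values():
            findings.append(f"list '{name}' is defined but no interface applies it")
    for iface, name in iface_lists.items():
        if name not in ppp_lists:
            findings.append(f"{iface} uses PPP list '{name}', which is not defined")
    return findings
```

Running `audit_ppp_aaa` over the broken sample reports three findings (misnamed list, unused list, interface with no usable default list); the repaired sample reports none.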