
2511 Access router configuration help


tuks

Technical User
Jul 16, 2000
Hi,

I think most of you people out there are tired of seeing my post on this. However, I really need this to work and any help given will be very much appreciated. I'm employing the above router for our dialup users. I did change my configuration to the one below:

SuvaDialUpRouter02#sho conf
Using 1639 out of 32762 bytes
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SuvaDialUpRouter02
!
aaa new-model
aaa authentication login use-radius local radius
aaa authentication ppp use-radius if-needed local radius
aaa authorization exec radius local if-authenticated
aaa authorization network radius local if-authenticated
enable secret 5 $1$bqWV$wMaKBOd6n4jimQWbzn.g0.
enable password 7 045802150C2E
!
username usaia password 7 104D011C061C1B1F03113E
ip name-server 10.1.85.156
async-bootp dns-server 10.1.85.156
async-bootp nbns-server 10.1.85.156
chat-script cisco-default ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 \c CONNc
!
!
interface Ethernet0
ip address 10.1.85.3 255.255.255.0
no mop enabled
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
keepalive 10
async dynamic address
async mode interactive
peer default ip address pool dialin
ppp reliable-link
ppp authentication chap use-radius
group-range 1 16
!
ip local pool dialin 10.1.86.65 10.1.86.80
ip default-gateway 10.1.85.22
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.85.22
!
radius-server host 10.1.85.156 auth-port 1645 acct-port 1646
no radius-server attribute nas-port
radius-server key Rolalabalavu29
!
line con 0
line 1 16
autoselect during-login
autoselect ppp
script dialer cisco-default
login authentication use-radius
modem InOut
transport input all
flowcontrol hardware
line aux 0
line vty 0 4
password 7 15181E1F102E242D3C
!
end

I do a test by dialing in, but it only goes as far as verifying username and password, and after that it gives an error message like "disconnected", then it redials. When I enable the show terminal window on the client end, it shows the terminal window without the usual username and password prompt. It shows some weird characters.

On the router end I turned on debug for the AAA part and this is the result I got:
SuvaDialUpRouter02#debug aaa per-user
AAA Per-user attributes debugging is on
SuvaDialUpRouter02#debug aaa accounting
AAA Accounting debugging is on
SuvaDialUpRouter02#debug aaa authentication
AAA Authentication debugging is on
SuvaDialUpRouter02#debug aaa authorization
AAA Authorization debugging is on
SuvaDialUpRouter02#terminal monitor
SuvaDialUpRouter02#
00:34:33: AAA/AUTHEN: create_user (0xFBC78) user='' ruser='' port='tty2' rem_ad1
00:34:33: AAA/AUTHEN/START (2960691245): port='tty2' list='use-radius' action=LN
00:34:33: AAA/AUTHEN/START (2960691245): found list use-radius
00:34:33: AAA/AUTHEN/START (2960691245): Method=LOCAL
00:34:33: AAA/AUTHEN (2960691245): status = GETUSER
00:34:34: AAA/AUTHEN: create_user (0x7409C) user='' ruser='' port='tty10' rem_a1
00:34:34: AAA/AUTHEN/START (2802032696): port='tty10' list='use-radius' action=N
00:34:34: AAA/AUTHEN/START (2802032696): found list use-radius
00:34:34: AAA/AUTHEN/START (2802032696): Method=LOCAL
00:34:34: AAA/AUTHEN (2802032696): status = GETUSER
00:34:35: AAA/AUTHEN/ABORT: (2960691245) because CTRL-C pressed.
00:34:37: AAA/AUTHEN: free_user (0xFBC78) user='' ruser='' port='tty2' rem_addr1
00:34:37: AAA/AUTHEN: create_user (0xFBC78) user='' ruser='' port='tty2' rem_ad1
00:34:37: AAA/AUTHEN/START (3487802211): port='tty2' list='use-radius' action=LN
00:34:37: AAA/AUTHEN/START (3487802211): found list use-radius
00:34:37: AAA/AUTHEN/START (3487802211): Method=LOCAL
00:34:37: AAA/AUTHEN (3487802211): status = GETUSER
00:34:38: AAA/AUTHEN/CONT (3487802211): continue_login (user='(undef)')
00:34:38: AAA/AUTHEN (3487802211): status = GETUSER
00:34:38: AAA/AUTHEN/CONT (3487802211): Method=LOCAL
00:34:38: AAA/AUTHEN (3487802211): status = GETPASS
00:34:42: AAA/AUTHEN/CONT (3487802211): continue_login (user='A|||$xyxxxx~zY~~~)
00:34:42: AAA/AUTHEN (3487802211): status = GETPASS
00:34:42: AAA/AUTHEN/CONT (3487802211): Method=LOCAL
00:34:42: AAA/AUTHEN (3487802211): password incorrect
00:34:42: AAA/AUTHEN (3487802211): status = ERROR
00:34:42: AAA/AUTHEN/START (959529206): port='tty2' list='' action=LOGIN servicN
00:34:42: AAA/AUTHEN/START (959529206): Restart
00:34:42: AAA/AUTHEN/START (959529206): Method=RADIUS
00:34:42: AAA/AUTHEN (959529206): status = GETPASS
00:34:42: AAA/AUTHEN/CONT (959529206): continue_login (user='A|||$xyxxxx~zY~~~~)
00:34:42: AAA/AUTHEN (959529206): status = GETPASS
00:34:42: AAA/AUTHEN (959529206): Method=RADIUS
00:35:02: AAA/AUTHEN (959529206): status = ERROR
00:35:02: AAA/AUTHEN/START (636129582): port='tty2' list='' action=LOGIN servicN
00:35:02: AAA/AUTHEN/START (636129582): Restart
00:35:02: AAA/AUTHEN/START (636129582): no methods left to try
00:35:02: AAA/AUTHEN (636129582): status = ERROR
00:35:02: AAA/AUTHEN/START (636129582): failed to authenticate

Folks, I really need this to be up and running and any help will be very much appreciated.

Best regards
 
Have you checked the messages you get on your RADIUS server? The problem may be there.
 
Hi Tuks,
A couple of things here caught my attention that may very well be your problem.

aaa authentication login use-radius local radius
aaa authentication ppp use-radius if-needed local radius

These two lines of your config instruct the router to look at the local database first and then the RADIUS server second, so when you are prompted for a username, you must use the username/password combo from the router, NOT RADIUS.

username usaia password 7 104D011C061C1B1F03113E

You can see this happening in your debug output below:

00:34:33: AAA/AUTHEN/START (2960691245): found list use-radius
00:34:33: AAA/AUTHEN/START (2960691245): Method=LOCAL
00:34:33: AAA/AUTHEN (2960691245): status = GETUSER
00:34:34: AAA/AUTHEN: create_user (0x7409C) user='' ruser='' port='tty10' rem_a1

So what I would try is the following:
Rewrite the method list 'use-radius' and put radius first and local second, and try to log in with a username/password from RADIUS. If that doesn't work, then I would disable the RADIUS server and use the local router username/password, because if that works then you know there is something funky with the RADIUS config.

Hope this helps ya


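As an added illustration of the method-list order discussed above (example code written for this page, not from the thread or from Cisco): a small model of how IOS walks a list such as `aaa authentication login use-radius local radius`. The modelled rule is that PASS or FAIL from a method ends the list, while ERROR (the method could not give an answer, e.g. an unknown local user or a RADIUS server that never replies) falls through to the next method, and running out of methods is the "no methods left to try / failed to authenticate" case seen in the debug output. The accounts and passwords are constructed; the method names follow the thread.

```python
# Added example, not from the thread: model of IOS AAA method-list evaluation.
# Rule modelled: PASS or FAIL ends the list; ERROR falls through; running out
# of methods is "no methods left to try" / "failed to authenticate".
from typing import Callable, List, Tuple

Method = Callable[[str, str], str]

# Constructed accounts: 'usaia' is in the router's local database (as in the
# thread); 'utawakevou' exists only on the RADIUS server. Passwords are made up.
LOCAL_DB = {"usaia": "local-pw"}
RADIUS_DB = {"utawakevou": "nt-pw"}

def local_method(user: str, password: str) -> str:
    if user not in LOCAL_DB:
        return "ERROR"  # unknown locally: let the next method decide
    return "PASS" if LOCAL_DB[user] == password else "FAIL"

def radius_method(server_alive: bool) -> Method:
    """server_alive=False models no valid reply (timeout or bad shared key)."""
    def method(user: str, password: str) -> str:
        if not server_alive:
            return "ERROR"  # what precedes %RADIUS-3-ALLDEADSERVER
        if user not in RADIUS_DB or RADIUS_DB[user] != password:
            return "FAIL"   # an Access-Reject stops the list
        return "PASS"
    return method

def authenticate(user: str, password: str,
                 methods: List[Tuple[str, Method]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the final outcome and a (method, status) trace, like debug aaa authentication."""
    trace = []
    for name, method in methods:
        status = method(user, password)
        trace.append((name, status))
        if status in ("PASS", "FAIL"):
            return status, trace
    return "FAILED", trace

if __name__ == "__main__":
    dead = radius_method(server_alive=False)
    for order in ([("LOCAL", local_method), ("RADIUS", dead)],
                  [("RADIUS", dead), ("LOCAL", local_method)]):
        for user, pw in (("usaia", "local-pw"), ("utawakevou", "nt-pw")):
            print([n for n, _ in order], user, authenticate(user, pw, order))
```

With the RADIUS server unreachable, both orderings let only the local account through, which is the symptom reported later in the thread; the order only changes which method is tried first.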
 
Thanks for the response. My configuration was meant that way. First it checks the local database, as we have some users who dial in locally and then connect to our VAX VMS servers by telnetting. If it's not in the local database then authentication goes through the RADIUS server. These are users who have Windows NT accounts with us. They use e-mail and Internet facilities.

Even when I do a test dial-in, I get funny characters on my terminal window instead of the normal username and password prompt. By the way, I'll try to reverse the order and let you know.
 
Usually when you get garbage on the screen, there is a problem with your speed, flow control, and/or stop bit settings on the line config (line 1 16). Try tinkering with these settings to see if that works.
 
Managed to get to the username and password prompt. I can log in using my local account and get authenticated on the local database. However, when I try to use my Windows NT account (authenticated through the RADIUS server) I can't get through. If you notice in the debug result, my local account is usaia and my NT account is utawakevou.

Here is the result of debug I got:

SuvaDialUpRouter02#
1d06h: AAA/AUTHEN: create_user (0x1387F8) user='' ruser='' port='tty9' rem_addr1
1d06h: AAA/AUTHEN/START (2165183286): port='tty9' list='use-radius' action=LOGIN
1d06h: AAA/AUTHEN/START (2165183286): found list use-radius
1d06h: AAA/AUTHEN/START (2165183286): Method=RADIUS
1d06h: AAA/AUTHEN (2165183286): status = GETUSER
1d06h: AAA/AUTHEN/CONT (2165183286): continue_login (user='(undef)')
1d06h: AAA/AUTHEN (2165183286): status = GETUSER
1d06h: AAA/AUTHEN (2165183286): Method=RADIUS
1d06h: AAA/AUTHEN (2165183286): status = GETPASS
1d06h: AAA/AUTHEN/CONT (2165183286): continue_login (user='utawakevou')
1d06h: AAA/AUTHEN (2165183286): status = GETPASS
1d06h: AAA/AUTHEN (2165183286): Method=RADIUS
1d06h: AAA/AUTHEN (2165183286): status = ERROR
1d06h: AAA/AUTHEN/START (1402087103): port='tty9' list='' action=LOGIN service=N
1d06h: AAA/AUTHEN/START (1402087103): Restart
1d06h: AAA/AUTHEN/START (1402087103): Method=LOCAL
1d06h: AAA/AUTHEN (1402087103): status = ERROR
1d06h: AAA/AUTHEN/START (1402087103): no methods left to try
1d06h: AAA/AUTHEN (1402087103): status = ERROR
1d06h: AAA/AUTHEN/START (1402087103): failed to authenticate
1d06h: AAA/AUTHEN: free_user (0x1387F8) user='utawakevou' ruser='' port='tty9' 1
1d06h: AAA/AUTHEN: create_user (0x1387F8) user='' ruser='' port='tty9' rem_addr1
1d06h: AAA/AUTHEN/START (1538412585): port='tty9' list='use-radius' action=LOGIN
1d06h: AAA/AUTHEN/START (1538412585): found list use-radius
1d06h: AAA/AUTHEN/START (1538412585): Method=RADIUS
1d06h: AAA/AUTHEN (1538412585): status = GETUSER
1d06h: AAA/AUTHEN/CONT (1538412585): continue_login (user='(undef)')
1d06h: AAA/AUTHEN (1538412585): status = GETUSER
1d06h: AAA/AUTHEN (1538412585): Method=RADIUS
1d06h: AAA/AUTHEN (1538412585): status = GETPASS
1d06h: AAA/AUTHEN/CONT (1538412585): continue_login (user='usaia')
1d06h: AAA/AUTHEN (1538412585): status = GETPASS
1d06h: AAA/AUTHEN (1538412585): Method=RADIUS
1d06h: %RADIUS-3-ALLDEADSERVER: No active radius servers found. Id 153.
1d06h: AAA/AUTHEN (1538412585): status = ERROR
1d06h: AAA/AUTHEN/START (129857982): port='tty9' list='' action=LOGIN service=LN
1d06h: AAA/AUTHEN/START (129857982): Restart
1d06h: AAA/AUTHEN/START (129857982): Method=LOCAL
1d06h: AAA/AUTHEN (129857982): status = GETPASS
1d06h: AAA/AUTHEN/CONT (129857982): continue_login (user='usaia')
1d06h: AAA/AUTHEN (129857982): status = GETPASS
1d06h: AAA/AUTHEN/CONT (129857982): Method=LOCAL
1d06h: AAA/AUTHEN (129857982): status = PASS
1d06h: AAA/AUTHOR/EXEC: : (395351614): user='usaia'
1d06h: AAA/AUTHOR/EXEC: : (395351614): send AV service=shell
1d06h: AAA/AUTHOR/EXEC: : (395351614): send AV cmd*
1d06h: AAA/AUTHOR/EXEC: : (395351614): Method=RADIUS
1d06h: AAA/AUTHOR (395351614): Post authorization status = ERROR
1d06h: AAA/AUTHOR/EXEC: (395351614): Method=LOCAL
1d06h: AAA/AUTHOR (395351614): Post authorization status = PASS_ADD
1d06h: AAA/AUTHOR/EXEC: Authorization successful
1d06h: AAA/AUTHEN: free_user (0x1387F8) user='usaia' ruser='' port='tty9' rem_a1

I think I'm near to ending my problem and maybe there is something I'm overlooking. BTW, I have reversed the order as suggested by OCiTiLLO but same thing. Only local accounts get through and not server-based accounts.

Please help


 
Thanks for all the inputs. Managed to get through. It was a case-sensitivity issue with my radius-server key. The one defined on the RADIUS server is different from the one in my router config.

Well I do and thanks
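As an added illustration of why a shared-key mismatch surfaces as `%RADIUS-3-ALLDEADSERVER` rather than as an explicit reject (example code written for this page, not from the thread or from Cisco): RFC 2865 derives both the hidden User-Password and the server's Response Authenticator from the shared secret, so a router whose secret differs, even only in case, computes a different expected authenticator, discards the reply as forged, and after retries marks the server dead. The secrets and request authenticator below are constructed; the identifier 153 is taken from the thread's ALLDEADSERVER message.

```python
# Added example, not from the thread: RFC 2865 password hiding and Response
# Authenticator verification, showing how a shared-secret mismatch is detected.
import hashlib
import os
import struct

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(secret: bytes, code: int, ident: int,
                           req_auth: bytes, attrs: bytes = b"") -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def client_accepts_reply(client_secret: bytes, server_secret: bytes,
                         ident: int = 153, req_auth: bytes = b"") -> bool:
    """The NAS recomputes the authenticator with its own secret and silently drops
    a reply that does not match, which looks like a timeout, not a reject."""
    req_auth = req_auth or os.urandom(16)
    access_accept = 2
    from_server = response_authenticator(server_secret, access_accept, ident, req_auth)
    expected = response_authenticator(client_secret, access_accept, ident, req_auth)
    return from_server == expected

if __name__ == "__main__":
    # Constructed secrets differing only in case, as in the thread's fix.
    print(client_accepts_reply(b"Sharedkey29", b"Sharedkey29"))  # True
    print(client_accepts_reply(b"Sharedkey29", b"sharedkey29"))  # False
```

The same check explains why the RADIUS server logs nothing useful either: with a wrong secret it cannot recover the User-Password, so it sees only a bad request, not a bad key.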
 