RADIUS and Cisco 3640 remote access router


MelchiorKD

IS-IT--Management
Sep 19, 2001
US
I have a 3640 with a T1, 8-port analog modem and 32-port MICA modem bank. I am using an ACE/Server RADIUS for authentication, but it is not authenticating and I am stumped. I can use any input on this.

version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname NJWCRA-2
!
no logging buffered
aaa new-model
aaa authentication password-prompt "Enter PASSCODE : "
aaa authentication username-prompt "Enter USERNAME : "
aaa authentication login default group radius
aaa authentication login LOCAL local
aaa authentication ppp default if-needed group radius
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
enable password 7 yyyyyyyyyyyyyyyyyyy
!
username aaaaaaaaaa privilege 0 password 7 zzzzzzzzzzzzzzzzzzzzzz
username bbbbbbbbbb password 7 aaaaaaaaaaaaaaaaaaaaa
username cccccccccc password 7 bbbbbbbbbbbbbbbbbbbbb
username dddddddddd password 7 ccccccccccccccccccccc
!
!
!
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-name wc.ricoh.com
ip name-server 172.16.3.10
ip name-server 172.16.4.10
!
ip dhcp-server 172.16.3.10
ip dhcp-server 172.16.4.10
ipx routing 0007.ebf3.8d50
async-bootp dns-server 172.16.3.10
async-bootp nbns-server 172.16.19.9
isdn switch-type primary-5ess
!
controller T1 1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1/1
!
!
!
!
!
interface Loopback1
no ip address
ipx network 51
!
interface FastEthernet1/0
ip address 172.16.53.1 255.255.255.0
speed 100
full-duplex
ipx network 53
!
interface Serial1/0:23
no ip address
encapsulation ppp
dialer rotary-group 1
isdn switch-type primary-5ess
isdn incoming-voice modem
no cdp enable
ppp authentication chap pap
!
interface Group-Async1
ip unnumbered FastEthernet1/0
ip helper-address 172.16.3.10
ip helper-address 172.16.4.10
ip tcp header-compression passive
no ip mroute-cache
dialer in-band
dialer rotary-group 1
async mode interactive
ipx ppp-client Loopback1
ipx update interval sap passive
peer default ip address pool RemoteAccess
no cdp enable
ppp authentication chap pap
group-range 65 88
!
interface Group-Async2
ip unnumbered FastEthernet1/0
ip helper-address 172.16.3.10
ip helper-address 172.16.4.10
ip tcp header-compression passive
no ip mroute-cache
dialer in-band
dialer rotary-group 1
async mode interactive
ipx ppp-client Loopback1
ipx update interval sap passive
peer default ip address pool RemoteAccess
no cdp enable
ppp authentication chap pap
group-range 1 8
!
interface Dialer1
ip unnumbered FastEthernet1/0
ip helper-address 172.16.3.10
ip helper-address 172.16.4.10
encapsulation ppp
no keepalive
dialer in-band
dialer idle-timeout 1800
dialer wait-for-carrier-time 120
dialer hold-queue 100
dialer-group 1
ipx network 172
ipx update interval sap passive
peer default ip address pool RemoteAccess
no cdp enable
ppp authentication chap pap
!
router eigrp 222
passive-interface Dialer1
network 172.16.0.0
default-metric 10000 1000 255 1 1500
no auto-summary
no eigrp log-neighbor-changes
!
ip local pool RemoteAccess 172.16.53.50 172.16.53.199
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.53.254
ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
snmp-server community medusa RO
snmp-server trap-source FastEthernet1/0
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server host 172.16.13.237 public
!
!
ipx router eigrp 3
network all
!
!
!
radius-server host 172.16.3.10 auth-port 1645 acct-port 1646 key cisco
radius-server host 172.16.4.10 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 3
radius-server timeout 180
banner motd ^C
This is a PRIVATE use network. Unauthorized access
beyond this point is STRICTLY PROHIBITED. ^C
!
line con 0
password 7 ffffffffffffffffff
login authentication LOCAL
line 1 8
session-timeout 20
session-disconnect-warning 120 message No user input, session will disconnect in 2 minutes
refuse-message ^C
Line in use, please try again. ^C
modem InOut
modem autoconfigure discovery
transport input all
autoselect during-login
autoselect ppp
autohangup
stopbits 1
flowcontrol hardware
line 65 88
session-timeout 20
session-disconnect-warning 120 message No user input, session will disconnect .
refuse-message ^C
Line in use, please try again. ^C
modem InOut
modem autoconfigure type mica
transport input all
autoselect during-login
autoselect ppp
autohangup
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
password 7 fffffffffffffffff
login authentication LOCAL
!
ntp clock-period 17180015
ntp server 172.16.3.10
end


debug:

Aug 15 13:14:12.584: %ISDN-6-CONNECT: Interface Serial1/0:0 is now connected to 9834468787
Aug 15 17:14:34.472: AAA: parse name=tty79 idb type=10 tty=79
Aug 15 17:14:34.472: AAA: name=tty79 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=79 channel=0
Aug 15 17:14:34.472: AAA: parse name=Serial1/0:0 idb type=12 tty=-1
Aug 15 17:14:34.472: AAA: name=Serial1/0:0 flags=0x55 type=1 shelf=0 slot=1 adapter=0 port=0 channel=0
Aug 15 17:14:34.472: AAA/MEMORY: create_user (0x61E879E0) user='' ruser='' port='tty79' rem_addr='9834468787/8009253301' authen_typ1
Aug 15 17:14:34.472: AAA/AUTHEN/START (3362104239): port='tty79' list='' action=LOGIN service=LOGIN
Aug 15 17:14:34.472: AAA/AUTHEN/START (3362104239): using "default" list
Aug 15 17:14:34.476: AAA/AUTHEN/START (3362104239): Method=radius (radius)
Aug 15 17:14:34.476: AAA/AUTHEN (3362104239): status = GETUSER
Aug 15 17:14:40.536: AAA/AUTHEN/CONT (3362104239): continue_login (user='(undef)')
Aug 15 17:14:40.536: AAA/AUTHEN (3362104239): status = GETUSER
Aug 15 17:14:40.536: AAA/AUTHEN (3362104239): Method=radius (radius)
Aug 15 17:14:40.536: AAA/AUTHEN (3362104239): status = GETPASS
Aug 15 17:15:01.360: AAA/AUTHEN/ABORT: (3362104239) because Autoselected.
Aug 15 17:15:01.360: AAA/MEMORY: free_user (0x61E879E0) user='melchiorkd' ruser='' port='tty79' rem_addr='9738478727/8009453391' auth1
Aug 15 17:15:01.368: Di1 IPCP: Install route to 172.16.53.57
Aug 15 17:15:03.356: As79 LCP: I CONFREQ [Closed] id 1 len 23
Aug 15 17:15:03.356: As79 LCP: ACCM 0x00000000 (0x020600000000)
Aug 15 17:15:03.356: As79 LCP: MagicNumber 0x57E4695F (0x050657E4695F)
Aug 15 17:15:03.356: As79 LCP: PFC (0x0702)
Aug 15 17:15:03.360: As79 LCP: ACFC (0x0802)
Aug 15 17:15:03.360: As79 LCP: Callback 6 (0x0D0306)
Aug 15 17:15:03.360: As79 LCP: Lower layer not up, Fast Starting
Aug 15 17:15:03.360: As79 PPP: Treating connection as a callin
Aug 15 17:15:03.360: As79 PPP: Phase is ESTABLISHING, Passive Open
Aug 15 17:15:03.360: As79 LCP: State is Listen
Aug 15 17:15:03.360: As79 LCP: O CONFREQ [Listen] id 5 len 25
Aug 15 17:15:03.360: As79 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 15 17:15:03.360: As79 LCP: AuthProto CHAP (0x0305C22305)
Aug 15 17:15:03.360: As79 LCP: MagicNumber 0xC1B361C0 (0x0506C1B361C0)
Aug 15 17:15:03.360: As79 LCP: PFC (0x0702)
Aug 15 17:15:03.360: As79 LCP: ACFC (0x0802)
Aug 15 17:15:03.360: As79 LCP: O CONFREJ [Listen] id 1 len 7
Aug 15 17:15:03.360: As79 LCP: Callback 6 (0x0D0306)
Aug 15 13:15:03.364: %LINK-3-UPDOWN: Interface Async79, changed state to up
Aug 15 17:15:03.572: As79 LCP: I CONFREQ [REQsent] id 2 len 20
Aug 15 17:15:03.572: As79 LCP: ACCM 0x00000000 (0x020600000000)
Aug 15 17:15:03.572: As79 LCP: MagicNumber 0x57E4695F (0x050657E4695F)
Aug 15 17:15:03.572: As79 LCP: PFC (0x0702)
Aug 15 17:15:03.572: As79 LCP: ACFC (0x0802)
Aug 15 17:15:03.572: As79 LCP: O CONFACK [REQsent] id 2 len 20
Aug 15 17:15:03.572: As79 LCP: ACCM 0x00000000 (0x020600000000)
Aug 15 17:15:03.572: As79 LCP: MagicNumber 0x57E4695F (0x050657E4695F)
Aug 15 17:15:03.572: As79 LCP: PFC (0x0702)
Aug 15 17:15:03.572: As79 LCP: ACFC (0x0802)
Aug 15 17:15:05.360: As79 LCP: TIMEout: State ACKsent
Aug 15 17:15:05.360: As79 LCP: O CONFREQ [ACKsent] id 6 len 25
Aug 15 17:15:05.360: As79 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 15 17:15:05.360: As79 LCP: AuthProto CHAP (0x0305C22305)
Aug 15 17:15:05.360: As79 LCP: MagicNumber 0xC1B361C0 (0x0506C1B361C0)
Aug 15 17:15:05.360: As79 LCP: PFC (0x0702)
Aug 15 17:15:05.360: As79 LCP: ACFC (0x0802)
Aug 15 17:15:05.476: As79 LCP: I CONFACK [ACKsent] id 6 len 25
Aug 15 17:15:05.476: As79 LCP: ACCM 0x000A0000 (0x0206000A0000)
Aug 15 17:15:05.480: As79 LCP: AuthProto CHAP (0x0305C22305)
Aug 15 17:15:05.480: As79 LCP: MagicNumber 0xC1B361C0 (0x0506C1B361C0)
Aug 15 17:15:05.480: As79 LCP: PFC (0x0702)
Aug 15 17:15:05.480: As79 LCP: ACFC (0x0802)
Aug 15 17:15:05.480: As79 LCP: State is Open
Aug 15 17:15:05.484: As79 PPP: Phase is AUTHENTICATING, by this end
Aug 15 17:15:05.484: As79 CHAP: O CHALLENGE id 2 len 29 from "NJWCRA-2"
Aug 15 17:15:05.492: As79 LCP: I IDENTIFY [Open] id 3 len 18 magic 0x57E4695F MSRASV5.00
Aug 15 17:15:05.508: As79 LCP: I IDENTIFY [Open] id 4 len 26 magic 0x57E4695F MSRAS-1-NJWCNTAS15
Aug 15 17:15:05.612: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:05.612: AAA: parse name=Async79 idb type=10 tty=79
Aug 15 17:15:05.612: AAA: name=Async79 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=79 channel=0
Aug 15 17:15:05.612: AAA: parse name=Serial1/0:0 idb type=12 tty=-1
Aug 15 17:15:05.612: AAA: name=Serial1/0:0 flags=0x55 type=1 shelf=0 slot=1 adapter=0 port=0 channel=0
Aug 15 17:15:05.612: AAA/MEMORY: create_user (0x6215BBBC) user='xxxxxxxx' ruser='' port='Async79' rem_addr='9738478727/8009453391' aut1
Aug 15 17:15:05.616: AAA/AUTHEN/START (3739795073): port='Async79' list='' action=LOGIN service=PPP
Aug 15 17:15:05.616: AAA/AUTHEN/START (3739795073): using "default" list
Aug 15 17:15:05.616: AAA/AUTHEN (3739795073): status = UNKNOWN
Aug 15 17:15:05.616: AAA/AUTHEN/START (3739795073): Method=radius (radius)
Aug 15 17:15:05.616: RADIUS: ustruct sharecount=1
Aug 15 17:15:05.616: RADIUS: Initial Transmit Async79 id 7 172.16.3.10:1645, Access-Request, len 100
Aug 15 17:15:05.616: Attribute 4 6 AC103501
Aug 15 17:15:05.616: Attribute 5 6 0000004F
Aug 15 17:15:05.616: Attribute 61 6 00000000
Aug 15 17:15:05.616: Attribute 1 7 7269636F
Aug 15 17:15:05.616: Attribute 30 12 38303039
Aug 15 17:15:05.616: Attribute 31 12 39373338
Aug 15 17:15:05.616: Attribute 3 19 028AD870
Aug 15 17:15:05.616: Attribute 6 6 00000002
Aug 15 17:15:05.616: Attribute 7 6 00000001
Aug 15 17:15:08.408: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:08.408: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:11.408: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:11.408: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:14.504: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:14.504: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:17.500: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:17.500: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:20.500: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:20.500: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:23.496: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:23.496: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:26.500: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:26.500: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:29.500: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:29.500: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 17:15:32.504: As79 CHAP: I RESPONSE id 2 len 26 from "xxxxxxxxx"
Aug 15 17:15:32.504: As79 AUTH: Duplicate authentication request id=2 already in progress
Aug 15 13:15:35.616: %ISDN-6-DISCONNECT: Interface Serial1/0:0 disconnected from 9834468787 , call lasted 83 seconds
Aug 15 13:15:39.532: %LINK-5-CHANGED: Interface Async79, changed state to reset
Aug 15 17:15:39.532: As79 PPP: Phase is TERMINATING
Aug 15 17:15:39.536: As79 LCP: State is Closed
Aug 15 17:15:39.536: As79 PPP: Phase is DOWN
Aug 15 17:15:42.532: Di1 IPCP: Remove route to 172.16.53.57
Aug 15 13:15:44.532: %LINK-3-UPDOWN: Interface Async79, changed state to down
Aug 15 17:15:44.532: As79 LCP: State is Closed

 
Change the authentication for PPP connections to:
aaa authentication ppp default group radius

I'm assuming you are using RSA SecurID tokens with the ACE RADIUS server. If so, you'll need to ensure that you:

1. Create a network object for this Access router in the ACE RADIUS database.

2. Configure the logons and tokens correctly and allow the user logons to connect to the Access router via the "Agent Hosts Activation" option.

JimmyZ
 
I originally had aaa authentication ppp default group radius, but it wasn't working so I changed it. We're using SecurID. This debug is not accurate though. An accurate debug stops at the line:

Aug 15 17:15:05.616: Attribute 3 19 028AD870


We have a terminal window pop up to prompt for the SecurID username and pass. If you enter the info and press the Done button, the authentication goes to the local data on the router instead of using the SecurID info, which is what I did with the debug above. When you hit Enter (the proper way to do it), the debug stops and freezes at the line mentioned above. The only thing I came up with was the service type and frame type, because those are the attributes where everything stops. The ACE server has the NAS configured in its RADIUS database. I will have to check on the "Agent Hosts Activation". Thanks for your help.

Kevin
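
The attribute lines of the Access-Request in the posted debug can be decoded to see what the router actually sent. This is an added example, not part of the thread; the helper names are hypothetical, and it assumes each debug line prints the RFC 2865 attribute type, the length, and only the first four value octets, and that a server reply would be logged on a "RADIUS:" line carrying the same id.

```python
import ipaddress
import re

# RFC 2865 attribute numbers seen in the posted debug, plus enumerated values.
NAMES = {1: "User-Name", 3: "CHAP-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 30: "Called-Station-Id",
         31: "Calling-Station-Id", 61: "NAS-Port-Type"}
ENUMS = {6: {1: "Login", 2: "Framed"}, 7: {1: "PPP", 2: "SLIP"}, 61: {0: "Async"}}
# Assumed layouts: "Attribute <type> <length> <first four value octets, hex>",
# and a server reply logged on a "RADIUS:" line that carries the request id.
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})\s*$")
REQ_RE = re.compile(r"RADIUS: .*\bid (\d+) .*Access-Request")
REPLY_RE = re.compile(r"RADIUS: .*\bid (\d+) .*Access-(?:Accept|Reject|Challenge)")

def decode_attribute(line):
    """Return (name, value, truncated) for one attribute line, else None."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    typ, length, raw = int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))
    truncated = length - 2 > len(raw)  # length includes the 2-octet header
    if typ == 4:
        value = str(ipaddress.IPv4Address(raw))
    elif typ == 3:
        value = "chap-id=%d" % raw[0]  # first octet is the CHAP identifier
    elif typ in (5, 6, 7, 61):
        number = int.from_bytes(raw, "big")
        value = ENUMS.get(typ, {}).get(number, number)
    else:
        value = raw.decode("ascii", "replace")
    return NAMES.get(typ, "Attribute-%d" % typ), value, truncated

def unanswered_requests(lines):
    """Ids of Access-Requests with no later Accept/Reject/Challenge in the log."""
    pending = []
    for line in lines:
        req, reply = REQ_RE.search(line), REPLY_RE.search(line)
        if req:
            pending.append(int(req.group(1)))
        elif reply and int(reply.group(1)) in pending:
            pending.remove(int(reply.group(1)))
    return pending

# Lines copied from the debug in the first post.
SAMPLE = ["Aug 15 17:15:05.616: RADIUS: Initial Transmit Async79 id 7 172.16.3.10:1645, Access-Request, len 100",
          "Aug 15 17:15:05.616: Attribute 3 19 028AD870",
          "Aug 15 17:15:05.616: Attribute 6 6 00000002",
          "Aug 15 17:15:05.616: Attribute 7 6 00000001"]
print([decode_attribute(l) for l in SAMPLE[1:]], unanswered_requests(SAMPLE))
```

On the posted lines, attributes 6 and 7 decode to Service-Type Framed and Framed-Protocol PPP, and request id 7 is reported as unanswered because no reply from 172.16.3.10 is logged before the call disconnects.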
 
Kevin,

On your interface Group-Async[1&2] profiles, add the line: "encapsulation ppp"

JimmyZ
 