
Asking the experts to help debug RADIUS



binhnn
31-12-2003, 03:39 PM
I can telnet into the Cisco 2620 using RADIUS authentication,
but I cannot dial in over the modem.
Could the experts please point out the error in my configuration (below the debug output)?
Thank you.


Username: test
Password:

Cisco2620>ena
Password:
Cisco2620#
Cisco2620#
Cisco2620#
Cisco2620#terminal monitor
Cisco2620#
02:28:00: %LINK-3-UPDOWN: Interface Async33, changed state to up
02:28:00: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
02:28:24: %LINK-5-CHANGED: Interface Async33, changed state to reset
02:28:29: %LINK-3-UPDOWN: Interface Async33, changed state to down
02:28:35: %LINK-3-UPDOWN: Interface Async33, changed state to up
02:28:35: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
02:28:46: %LINK-5-CHANGED: Interface Async33, changed state to reset
02:28:51: %LINK-3-UPDOWN: Interface Async33, changed state to down
02:29:15: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
02:29:15: %LINK-3-UPDOWN: Interface Async33, changed state to up
02:29:16: AAA: parse name=Async33 idb type=10 tty=33
02:29:16: AAA: name=Async33 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=33 channel=0
02:29:16: AAA/MEMORY: create_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
02:29:16: AAA/AUTHEN/START (327574709): port='Async33' list='' action=LOGIN service=PPP
02:29:16: AAA/AUTHEN/START (327574709): using "default" list
02:29:16: AAA/AUTHEN (327574709): status = UNKNOWN
02:29:16: AAA/AUTHEN/START (327574709): Method=radius (radius)
02:29:16: RADIUS: ustruct sharecount=1
02:29:16: RADIUS: Initial Transmit Async33 id 89 192.168.4.141:1645, Access-Request, len 75
02:29:16: Attribute 4 6 C0A8040A
02:29:16: Attribute 5 6 00000021
02:29:16: Attribute 61 6 00000000
02:29:16: Attribute 1 6 74657374
02:29:16: Attribute 3 19 27440611
02:29:16: Attribute 6 6 00000002
02:29:16: Attribute 7 6 00000001
02:29:16: RADIUS: Received from id 89 192.168.4.141:1645, Access-Accept, len 44
02:29:16: Attribute 6 6 00000002
02:29:16: Attribute 7 6 00000001
02:29:16: Attribute 27 6 0098967F
02:29:16: Attribute 28 6 0000000A
02:29:16: AAA/AUTHEN (327574709): status = PASS
02:29:16: As33 AAA/AUTHOR/LCP: Authorize LCP
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Port='Async33' list='' service=NET
02:29:16: AAA/AUTHOR/LCP: As33 (1939832978) user='test'
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV service=ppp
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV protocol=lcp
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): found list "default"
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Method=radius (radius)
02:29:16: As33 AAA/AUTHOR (1939832978): Post authorization status = PASS_REPL
02:29:16: As33 AAA/AUTHOR/LCP: Processing AV service=ppp
02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999
02:29:16: As33 AAA/AUTHOR/LCP: timeout failed
02:29:16: As33 AAA/AUTHOR/LCP: Denied
02:29:16: AAA/MEMORY: free_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
02:29:18: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
02:29:20: %LINK-5-CHANGED: Interface Async33, changed state to reset
02:29:25: %LINK-3-UPDOWN: Interface Async33, changed state to down




! ************************************************************
! Cisco2620.cfg - Cisco router configuration file
! Automatically created by Cisco ConfigMaker v2.6 Build 6
! Wednesday, December 31, 2003, 01:58:10 PM
!
! Hostname: Cisco2620
! Model: 2620
! ************************************************************
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Cisco2620
!
enable password a
username dong password ly
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0/0
no shutdown
description connected to EthernetLAN
ip address 192.168.4.10 255.255.255.0
no keepalive
!
interface Async 33
no shutdown
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet 0/0
ip tcp header-compression passive
encapsulation ppp
async mode dedicated
! group-range 33 33
ppp authentication chap pap
no cdp enable
peer default ip address pool Cisco2620-Group-1
!
router rip
version 2
network 192.168.4.0
no auto-summary
!
!
ip local pool Cisco2620-Group-1 10.10.10.10 10.10.10.10
ip classless
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password a
login
!
line vty 0 4
password a
login
!
line 33
exec
autoselect ppp
autoselect during-login
login local
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
!

aaa new-model
aaa authentication login default radius local
aaa authentication login no_radius enable
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius

radius-server host 192.168.4.11 auth-port 1645 acct-port 1646


radius-server key ubtq

chipchipzzz
31-12-2003, 04:14 PM
Hi
What does the log file on your RADIUS server report? Can you post it here?

I (Chip) configured this on TACACS+, using a named list called dialin for the dial-in check, as follows:


aaa new-model
!
!
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login noacs enable
aaa authentication login loginacs local group tacacs+
aaa authentication ppp dialin local group tacacs+
aaa authorization exec dialin local group tacacs+
aaa authorization network dialin local group tacacs+
aaa accounting exec dialin start-stop group tacacs+
aaa accounting network dialin start-stop group tacacs+

tacacs-server host 172.16.1.100
tacacs-server directed-request
tacacs-server key cisco
!
radius-server authorization permit missing Service-Type


In the part of the configuration that checks dial-in users there is the command:
ppp authentication pap dialin

The full configuration of the group-async interface is as follows:

interface Group-Async1
description for PC Dial-in
ip unnumbered FastEthernet0/0
ip access-group 101 in
encapsulation ppp
dialer in-band
dialer idle-timeout 600
async mode interactive
peer default ip address pool DIALIN
no keepalive
pulse-time 1
no fair-queue
ppp authentication pap dialin
group-range 37 40
!

Try changing yours to the equivalent configuration with RADIUS.
Regards,

binhnn
02-01-2004, 02:35 PM
Thanks for your reply, I will try your configuration and report back the result.

binhnn
05-01-2004, 10:50 AM
02:29:16: RADIUS: Received from id 89 192.168.4.141:1645, Access-Accept, len 44
02:29:16: AAA/AUTHEN (327574709): status = PASS


As I see it, the RADIUS server has already sent "Access-Accept"; when I telnet into the router on port 2033 (async) I reach the modem, typing AT returns OK, so router-to-RADIUS communication is working.
The RADIUS log reports "user authentication successed".


I don't quite understand the following part; please advise.

02:29:16: As33 AAA/AUTHOR/LCP: Authorize LCP
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Port='Async33' list='' service=NET
02:29:16: AAA/AUTHOR/LCP: As33 (1939832978) user='test'
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV service=ppp
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): send AV protocol=lcp
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): found list "default"
02:29:16: As33 AAA/AUTHOR/LCP (1939832978): Method=radius (radius)
02:29:16: As33 AAA/AUTHOR (1939832978): Post authorization status = PASS_REPL
02:29:16: As33 AAA/AUTHOR/LCP: Processing AV service=ppp
02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999
02:29:16: As33 AAA/AUTHOR/LCP: timeout failed
02:29:16: As33 AAA/AUTHOR/LCP: Denied
02:29:16: AAA/MEMORY: free_user (0x80CD711C) user='test' ruser='' port='Async33' rem_addr='async' authen_type=CHAP service=PPP priv=1
02:29:18: As33 AAA/AUTHOR/FSM: (0): LCP succeeds trivially

Neo
06-01-2004, 10:51 AM
As I see it, the RADIUS server has already sent "Access-Accept"; when I telnet into the router on port 2033 (async) I reach the modem, typing AT returns OK, so router-to-RADIUS communication is working.
The RADIUS log reports "user authentication successed".



Hello, your problem may be due to the line configuration. Try the following:
1. Go into line 33
Use modem autoconfigure discovery
or modem autoconfigure type <modem type>
When I ran into a problem at this point, auto discovery did not work and I had to specify explicitly the modem type I was using (even though AT already returned OK).

2. If it still does not work, try adding the exec-timeout parameter

Thanks,

binhnn
06-01-2004, 01:20 PM
:roll:

binhnn
06-01-2004, 01:24 PM
Thank you all for your interest.
I solved the problem with help from forum.cisco.com.
I am posting the reply here for your reference.


This looks to be the problem:

02:29:16: As33 AAA/AUTHOR/LCP: Processing AV timeout=9999999
02:29:16: As33 AAA/AUTHOR/LCP: timeout failed
02:29:16: As33 AAA/AUTHOR/LCP: Denied

You're doing authorization (not just authentication) on your dialup users, not sure if you really want that or not. If so, then you will have a session-timeout set in the Radius users profile, you can see the radius server replying with this:

02:29:16: Attribute 6 6 00000002
02:29:16: Attribute 7 6 00000001
02:29:16: Attribute 27 6 0098967F
02:29:16: Attribute 28 6 0000000A

which when decoded becomes:

02:29:16: Service-Type Framed
02:29:16: Framed-Protocol PPP
02:29:16: Session-Timeout 9999999
02:29:16: Idle-Timeout 10

I would say the NAS/router doesn't like the Session-Timeout being so high, try lowering it and see what happens.

Alternatively, if you don't really want to do authorization for your dialup users, then remove the line:

aaa authorization network radius

and the problem should also go away.
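The forum.cisco.com reply decoded the four Access-Accept attributes by hand. The script below is an added example, not code from this thread or from Cisco: a small Python decoder for the `Attribute <type> <len> <hex>` lines that IOS `debug radius` prints, using the standard attribute numbers and enumerated values from RFC 2865. It assumes, based on the `Attribute 3 19 27440611` line in the debug above (length 19 but only four bytes shown), that this debug format prints at most the first four value bytes, and flags such values as truncated. The sample block is the Access-Accept from the thread.

```python
"""Decode the 'Attribute <type> <len> <hex>' lines printed by Cisco IOS
'debug radius', the way the forum.cisco.com reply did by hand."""
import re
from ipaddress import IPv4Address

# Standard attribute numbers and data types (RFC 2865). Only attributes that
# can appear in a dial-in exchange like the one in the thread are listed.
ATTRIBUTES = {
    1: ("User-Name", "text"),
    2: ("User-Password", "binary"),
    3: ("CHAP-Password", "binary"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"),
    7: ("Framed-Protocol", "integer"),
    8: ("Framed-IP-Address", "ipaddr"),
    27: ("Session-Timeout", "integer"),
    28: ("Idle-Timeout", "integer"),
    61: ("NAS-Port-Type", "integer"),
}

# Enumerated integer values (RFC 2865) for the attributes seen in the debug.
ENUMS = {
    6: {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
        5: "Outbound", 6: "Administrative", 7: "NAS-Prompt"},
    7: {1: "PPP", 2: "SLIP"},
    61: {0: "Async", 1: "Sync", 2: "ISDN-Sync", 3: "ISDN-Async-V.120",
         4: "ISDN-Async-V.110", 5: "Virtual"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}):\s+Attribute\s+(?P<type>\d+)\s+"
    r"(?P<len>\d+)\s+(?P<hex>[0-9A-Fa-f]+)\s*$"
)


def decode_attribute(line):
    """Decode one debug line; return None for lines that are not attribute dumps."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    atype = int(m.group("type"))
    alen = int(m.group("len"))  # length on the wire, including the 2-byte type/len header
    raw = bytes.fromhex(m.group("hex"))
    name, kind = ATTRIBUTES.get(atype, (f"Attribute-{atype}", "binary"))
    # Assumption: this debug format shows at most the first 4 value bytes, so a
    # longer value (the 17-byte CHAP-Password, for instance) appears truncated.
    truncated = len(raw) < alen - 2
    if kind == "integer" and len(raw) == 4:
        num = int.from_bytes(raw, "big")
        value = ENUMS.get(atype, {}).get(num, num)  # name for enums, number otherwise
    elif kind == "ipaddr" and len(raw) == 4:
        value = str(IPv4Address(raw))
    elif kind == "text" and not truncated:
        value = raw.decode("ascii", errors="replace")
    else:
        value = raw.hex() + ("..." if truncated else "")
    return {"ts": m.group("ts"), "type": atype, "name": name,
            "value": value, "truncated": truncated}


def decode_debug(text):
    """Decode every attribute line of a pasted debug block, in order; skip the rest."""
    return [a for a in (decode_attribute(l) for l in text.splitlines()) if a]


def render(attr):
    """Format one decoded attribute like the listing in the forum.cisco.com reply."""
    return f"{attr['ts']}: {attr['name']} {attr['value']}"


# Sample input: the Access-Accept attribute lines from the thread's debug output.
ACCESS_ACCEPT = """\
02:29:16: Attribute 6 6 00000002
02:29:16: Attribute 7 6 00000001
02:29:16: Attribute 27 6 0098967F
02:29:16: Attribute 28 6 0000000A
"""

if __name__ == "__main__":
    for attr in decode_debug(ACCESS_ACCEPT):
        print(render(attr))
```

Run against the Access-Accept block it prints the same four decoded lines the reply shows (Service-Type Framed, Framed-Protocol PPP, Session-Timeout 9999999, Idle-Timeout 10); fed the Access-Request lines it also decodes NAS-IP-Address 192.168.4.10, NAS-Port 33 and User-Name test, while marking the CHAP-Password as truncated rather than guessing at bytes the debug did not print.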