RADIUS and CHECKPOINT and NORTEL

I have installed the NMAS modules from Border Manager 3.8 onto a Netware 6 SP3 box. I installed per TID 10078616 and can authenticate from my W2K workstation fine.
I am now trying to authenticate from a Nortel switch and a VPN from a Checkpoint firewall. So far I have installed all of the login methods and I still get an unknown RADIUS client on the RADIUS server when logging in from the Nortel switch. I have not tried to authenticate from the Checkpoint firewall yet.
Does anyone have pointers as to the configuration to use the RADIUS server with Nortel or Checkpoint or a pointer to a technical description of the various login methods?
John

John,
I have a very similar problem with our 3com switches, can you give me more details of what you did to get it working?
Thanks a lot,
Matt Hudson
(CNE6.5)
"John Curran" <[email protected]> wrote in message
news:[email protected]...
> Thank you very much, Jordack. The instructions were clear and concise.
>
> We got the Checkpoint firewall to authenticate VPNs with the RADIUS server.
>
> Also, I got the information from Nortel to allow authentication. I had to
> set up the RADIUS server to allow Service-Type Administrative and
> Service-Type NAS-Prompt. Then I had to go into each user and set up
> one of the service types.
>
> Thanks for your help.
>
> John
>
>
> >>> Jordack<[email protected]> 01/26 9:36 AM >>>
> I uploaded a quick draft guide. It should help.
>
> http://www.thiscorner.com/guides/cp-radius.pdf
>
> Jordack
>
> "John Curran" <[email protected]> wrote in message
> news:[email protected]...
> > Thanks for the input. I will get that book.
> >
> > With the Nortel switch it is curious. I had forgotten to add the switch
> > to the client list. When I did, the RADIUS server accepts the
> > authentication and sends an accept message, but the Nortel switch says
> > access denied. I put a Sniffer on the link and the accept message looks
> > just like any other accept message (follows RFC 2865). I have a feeling
> > Nortel does not follow RFC 2865 or does not like the authentication ID for
> > some reason. I guess I will have to work more with Nortel to resolve that
> > one.
> >
> > John
> >
> >
> >>>> Jordack<[email protected]> 01/26 7:53 AM >>>
> > Sorry about not responding, I saw your post and meant to dig up my notes
> > and respond.
> >
> > I don't know much about the Nortel stuff.
> >
> > Make sure you have added the IP address of your Nortel and Checkpoint box
> > to the 'Clients' page of the 'Radius:Dial Access System'. The DAS will only
> > accept connections from known clients. From the sounds of it that might be
> > the issue.
> >
> > For the CheckPoint setup stuff there are a few things you will need to do
> > on the Checkpoint box.
> >
> > I used this book http://www.syngress.com/catalog/chapter.cfm?pid=25903 and
> > everything worked.
> >
> > I was working on a small guide for CheckPoint RADIUS but got pulled to
> > other things. If I get it finished I'll post it.
> >
> >
> > "John Curran" <[email protected]> wrote in message
> > news:[email protected]...
> >> I have installed the NMAS modules from Border Manager 3.8 onto a Netware 6
> >> SP3 box. I installed per TID 10078616 and can authenticate from my W2K
> >> workstation fine.
> >>
> >> I am now trying to authenticate from a Nortel switch and a VPN from a
> >> Checkpoint firewall. So far I have installed all of the login methods and
> >> I still get an unknown RADIUS client on the RADIUS server when logging in
> >> from the Nortel switch. I have not tried to authenticate from the
> >> Checkpoint firewall yet.
> >>
> >> Does anyone have pointers as to the configuration to use the RADIUS server
> >> with Nortel or Checkpoint or a pointer to a technical description of the
> >> various login methods?
> >>
> >> John
> >>
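The two failure modes discussed in this thread, the "unknown RADIUS client" drop and an Access-Accept that the switch still treats as access denied, both come out of the RFC 2865 packet rules, so here is an added example (written for this page, not code from the thread, Novell BMAS or Nortel) that models them in Python. The client table, IP addresses, user name and shared secrets are constructed sample values. The server side looks the NAS up by source address before doing anything else, and answers a known user with the per-user Service-Type (Administrative or NAS-Prompt) that John says Nortel needed; the NAS side recomputes the Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), exactly as a switch does before it honours an Accept. An Accept whose authenticator does not verify (a shared-secret typo on either side is the usual cause) looks identical to a good one in a sniffer trace, which is one reason an on-the-wire Accept can still produce "access denied"; the example does not claim that was the cause here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_SERVICE_TYPE = 1, 6
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7

# Constructed sample client table: NAS source address -> shared secret.
# A request from any other address is the "Unknown radius client" case.
KNOWN_CLIENTS = {"192.0.2.10": b"nortel-shared-secret"}


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Walk the attribute list, refusing lengths that would run past the packet."""
    attrs = []
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def build_request(ident, attrs, request_authenticator=None):
    """Access-Request: 4-byte header, 16-byte random Request Authenticator, attributes."""
    request_authenticator = request_authenticator or os.urandom(16)
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, ident, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_response(response, ident, request_authenticator, secret):
    """What the NAS checks before it honours a reply: ID, length and Response Authenticator."""
    if len(response) < 20:
        return False
    _code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(src_ip, request, service_type_by_user):
    """Server side: drop unknown clients, otherwise answer with the user's Service-Type.
    Credential checking is left out; only the client lookup and reply format are shown."""
    secret = KNOWN_CLIENTS.get(src_ip)
    if secret is None:
        return None  # logged as an unknown client; RFC 2865 says to discard silently
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_authenticator = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    service_type = service_type_by_user.get(user)
    if service_type is None:
        return build_response(ACCESS_REJECT, ident, request_authenticator, [], secret)
    return build_response(ACCESS_ACCEPT, ident, request_authenticator,
                          [encode_attr(ATTR_SERVICE_TYPE, service_type)], secret)


def nas_login(nas_secret, user=b"john", src_ip="192.0.2.10"):
    """Round trip as the switch sees it: returns (server_replied, accept_verified)."""
    ident = 7
    request = build_request(ident, [encode_attr(ATTR_USER_NAME, user)])
    response = server_handle(src_ip, request, {"john": SERVICE_TYPE_ADMINISTRATIVE})
    if response is None:
        return False, False
    return True, verify_response(response, ident, request[4:20], nas_secret)


if __name__ == "__main__":
    print(nas_login(b"nortel-shared-secret"))  # (True, True)
    print(nas_login(b"nortel-shared-secrte"))  # (True, False): Accept on the wire, denied on the switch
    print(nas_login(b"anything", src_ip="198.51.100.9"))  # (False, False): unknown client, no reply
```

When a sniffer shows an Accept but the device denies access, the cheap checks in order are: does the NAS source address match the client entry exactly (NAT or a secondary interface changes it), is the shared secret identical on both sides, and does the reply carry the attributes the device insists on, such as the Service-Type values above.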

Similar Messages

  • RADIUS and Nortel (Bay Networks)

    I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I am trying to use the RADIUS server to authenticate users to a Nortel (Bay Networks) 450. I have put a sniffer on the line and find the RADIUS server is sending an Access-Accept message, but the 450 shows access denied. The only thing I can figure is the 450 does not like the authenticator. I have tried just about all the options under Bay Networks in the RADIUS Profile, with no luck.
    Has anyone got Nortel switches to authenticate through a Novell RADIUS server?
    John Curran

    John,
    I am interested in knowing if you found a solution to your problem? We
    are currently planning on setting up Radius and we use Nortel devices. Any
    information or tips you could provide would be appreciated. Thanks,
    Lee Anne
    > Your Nortel box is probably expecting an attribute in the access-accept
    > packet that is not there. You probably just need to configure this attribute
    > in your RADIUS Dial Access Profile, although it's possible that you need an
    > attribute that is not yet in our dictionary.
    >
    > I suggest that you check your Nortel documentation to see what attributes it
    > expects from the RADIUS server. If you require an attribute that is not in
    > our dictionary, post the details here and I'll see that it gets added.
    >
    > >>> John Curran<[email protected]> 12/23/2004 10:59 AM >>>
    > I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I
    > am trying to use the RADIUS server to authenticate users to a Nortel (Bay
    > Networks) 450. I have put a sniffer on the line and find the RADIUS server
    > is sending an Access-Accept message, but the 450 shows access denied. The
    > only thing I can figure is the 450 does not like the authenticator. I have
    > tried just about all the options under Bay Networks in the RADIUS Profile,
    > with no luck.
    >
    > Has anyone got Nortel switches to authenticate through a Novell RADIUS server?
    >
    > John Curran

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device; you can assign any name. What is important is the IP address, to allow the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • Novell Radius and Cisco 1841 router

    I tried to set up NW Radius and it all seems to be set up perfectly according to this TID# http://support.novell.com/cgi-bin/se...?/10078616.htm
    But when someone tries to connect through my Cisco VPN I get this error:
    [2005-05-19 05:03:26 PM] Access request dropped
    <trusted IP>, <Cisco connect group>, Unkown radius client
    I entered the <trusted ip> as a client in Console One and chose Cisco as the vendor (also tried Generic radius).
    <cisco connect group> is the authentication group I setup in the router, and must be entered before connecting through VPN.
    Any clues would be appreciated.

    Jepe,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Radius and Diameter

    Please, can anyone tell me about Radius and Diameter...
    As far as I know, Radius and Diameter are both for the AAA (Authentication, Authorization, and Accounting) function.
    Is there any other purpose?

    This is a UC community, you should be asking this in the security community.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Radius and Billing

    Dear NetPros,
    I have configured the Radius & Billing Servers on my Cisco AS5350, which is terminating VoIP traffic, as given below. The first two are Mind Billing primary and secondary billing servers. The third one is a billing server from another vendor. I want to send CDR information to all three billing servers simultaneously. Currently the gateway is only sending the Radius and Billing information to the first available server. Is there any way for the gateway to send radius and billing information to all three servers simultaneously? Would appreciate any help or suggestion in this area. Thanks
    aaa group server radius mind
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    radius-server host AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXXXX
    radius-server host EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646 key 7 YYYYYYYYYYYYYYYYYYYY
    radius-server host III.JJJ.KKK.LLL auth-port 1812 acct-port 1813 key 7 ZZZZZZZZZZZZZZZZZZZZ
    Cheers
    Rushabh
    Senior Project Researcher
    PP-Ontime Co., Ltd.
    Cellular ~ 669-2047331
    www.pp-ontime.co.th

    The AAA "Broadcast Accounting" feature allows accounting information to be sent to multiple AAA servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This feature allows broadcasting among "groups of servers". And each server group can define its backup servers for fail over independently of other groups.
    However, the restriction is that Accounting information can be sent simultaneously to a maximum of four AAA servers.
    For the scenario mentioned, in order to send billing info to all the 3 servers simultaneously, the aaa accounting command can be configured globally, as in:
    aaa accounting network default start-stop broadcast group mind1 group mind2 group mind3
    The individual servers in the server group 'mind' may be split across different server groups.
    aaa group server radius mind1
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    aaa group server radius mind2
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    aaa group server radius mind3
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    (Backup servers within each server-group may be defined)
    Simultaneously accounting records are sent to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

  • 802.1x and MS IAS and Nortel IP phone

    hi,
    I have set up 802.1x with MS IAS. All seems to work fine when I am using a plain PC connection to the switch, but the moment an IP phone is involved I start facing issues.
    I am using a Cisco 3750 switch with version 12.2(25)SEB4.
    The DHCP server is on Windows, which is on a different network, i.e. 10.50.1.9.
    The DHCP relay agent is defined on the firewall subinterfaces.
    All works when the phone is not involved. BTW I am using a Nortel IP phone.
    When the phone is plugged in and the cable is through the phone, I provide the user name and credentials, and also when I say show vlan on the switch I can see I am part of the correct VLAN, but I do not get an IP address.
    This is the error I get on the switch when I said debug radius:
    Please find two attachments of debug dot1x events and radius.
    Please help
    Regards
    AI

    Hi Adil,
    I'm testing with a Catalyst 3560 running IOS version 12.2(44)SE2.
    I have a Nortel-LG IP phone which does not have 802.1x supplicant.
    I tried configuring MDA on the switchport and use MAB to authenticate the phone.
    My questions:
    1. In the ACS, I created a group for the IP phone and specify "device-traffic-class=voice" as the cisco-av-pair. Is this what I should be doing for a non-Cisco phone?
    2. I know the phone's MAC address is 00-40-5A-17-C6-30. I created a user 00405a17c630 (password is also 00405a17c630) and assign it to the IP phone group I created above. Is this correct?
    My testing wasn't successful. I got the following output:
    Switch#sh dot1x int f0/48 de
    Dot1x Info for FastEthernet0/48
    PAE = AUTHENTICATOR
    PortControl = AUTO
    ControlDirection = Both
    HostMode = MULTI_DOMAIN
    Violation Mode = PROTECT
    ReAuthentication = Disabled
    QuietPeriod = 60
    ServerTimeout = 30
    SuppTimeout = 30
    ReAuthPeriod = 3600 (Locally configured)
    ReAuthMax = 2
    MaxReq = 2
    TxPeriod = 30
    RateLimitPeriod = 0
    Mac-Auth-Bypass = Enabled
    Inactivity Timeout = None
    Guest-Vlan = 999
    Dot1x Authenticator Client List
    Domain = UNKNOWN
    Supplicant = 0040.5a17.c630
    Auth SM State = AUTHENTICATING
    Auth BEND SM State = REQUEST
    Port Status = UNAUTHORIZED
    Authentication Method = Dot1x
    Domain = UNKNOWN
    Port Status = UNAUTHORIZED
    My switch config is as follows:
    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco123
    radius-server source-ports 1645-1646
    radius-server vsa send authentication
    interface FastEthernet0/48
    description *** 802.1x Test Port ***
    switchport access vlan 70
    switchport mode access
    switchport voice vlan 71
    no snmp trap link-status
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x violation-mode protect
    dot1x guest-vlan 999
    spanning-tree portfast
    In the ACS' Failed Attempts logs, I saw entries for:
    User-Name = 00405a17c630
    Group-Name = IP_Phone_Test_Group
    Caller-ID = 00-40-5A-17-C6-30
    Authen-Failure-Code = Internal error
    ACS version is 4.1.
    what am I missing? Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private development network, and I need it in order to access remotely two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way, otherwise I couldn't authenticate using radius (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I've been struggling since May the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • Problem with radius and wep/wpa

    Hi
    I have a problem with wrv200 (1.0.38) + freeradius (2.0.5) + wpc54g v3.1 with WXP with the patch to use wpa/wpa2.
    I think that authentication in my radius passes correctly but there is some problem with wpa mode or wpa compatibility.
    In my wrv200 I try modes: wpa-enterprise, wpa2-enterprise, wpa2 enterprise-mix and radius. In my wireless card I try: wpa and wpa2. My freeradius.conf:
    andy Auth-Type := Accept, User-Password == "andy"
    and log from radius:
    rad_check_password: Auth-Type = Accept, accepting the user Login OK: [andy] (from client wrv200 port 0 cli 00-18-F8-aa-aa-aa)
    Sending Access-Accept of id 4 to 10.0.0.6 port 1026
    my wrv200 still send to syslog:
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6 klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    and I never connect to the network and I must still (every 30s) type login and password to authenticate. When I use only wep, without radius, it works.
    I have a dwl900ap+ from dlink and when I use radius + wep 64bit everything works.
    I don't have any idea.
    thanks for any help
    popo

    Hey, try disabling the security & try connecting to the network. If it works fine, if not, I mean if you want to connect using the secured network, then I would suggest you upgrade the firmware of the router & keep on holding the reset button tightly in such a way that the power light is blinking on the router & then do a complete network power cycle, i.e., unplug the power cables from the modem & from the router & then plug in the power cable to the modem first; once all the lights are solid green you could plug in the power cable to the router & check it out, it will definitely work!!

  • Problem with PRI and Nortel Integration

    We have a Nortel Option 81C connected to a 3825 MGCP gateway and we had a weird problem with it. The PRI looked fine from CallManager's perspective, but the PBX was showing that the first nine channels were in a Far End Make Busy state (FE MBSY) instead of being in IDLE state like CCM thought.
    I did some checking around and found a weird "fix" for the problem that involved enabling and then disabled D-channel service messages on the PBX, but I'd like to find out more about this problem. I got the fix from a guy who has a LOT of experience with Nortel and with Cisco, and he said that 99 times out of 100, an FE MBSY problem like this is going to be because of the Cisco side, not the Nortel side.
    I just did a bug search through CCM 4.1(3) and IOS 12.4(8) and I didn't see anything about D-channels being incorrectly reported as unavailable on PRI.
    Have any of you ever heard of something like this?
    Thanks!
    John

    John,
    Our 81Cs are long gone, but the only ISDN switchtype that worked flawlessly for us was NI. We tried DMS100, and saw your problem. Nortel sees NI as a carrier side protocol and will not allow an inbound NI call to tandem through to another NI PRI. This forced us to move all PSTN PRIs to CCM gateways early in our migration, but it worked out well. I believe QSIG will also work, but it was a $20k upgrade for our PBXs, so was not an option.
    Dave

  • Radius and Internet sharing not compatible

    I have 2 MBPs connected to a Leopard Server via an AEBS.
    I want to connect a third ethernet device using internet sharing on one of the MBPs
    Couldn't get it to work unless I switched off RADIUS authentication and downgraded to a WPA/WPA2 personal key.
    What am I doing wrong? Does it need additional settings on the AEBS or the server?

    I have the same problem, only on mobile. Keeps asking to upgrade. It's like the phone doesn't know I have this service. Or the tmo servers do not know that my account has paid for this. Funny part is, the customer services people say they can see I have this feature on my acct. Please keep me posted if you get a fix for this.

  • RADIUS and Vendor-Specific attributes

    Hi,
    I'm trying to add a vendor specific attribute (Cisco AV Pair) to BMAS
    (NMAS 3.1.2 on NetWare 6.5 SP6). I can add any generic attribute I
    want, but any of the vendor-specific attributes are not sent back in the
    radius access-accept packet. Is there some configuration change I need
    to make to support vendor specific attributes? They all show up in
    ConsoleOne, I can add them, and they are saved when I hit OK.
    Thanks for any suggestions!
    Greg

    In article <UG2Jm.1195$[email protected]>, Greg Palumbo
    wrote:
    > I read the other two recent threads on this, it does sort of sound like
    > a snapin issue, but those are usually under the 1.2\snapins directory I
    > thought. what about installing a fresh copy of C1 on the C:\ drive from
    > the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
    > files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
    > WinMerge could flag all the changed files easily...
    >
    My latest thinking is that this is related to security. The failing
    attribute contains an encryption of the DAS client password. I'm assuming
    that ConsoleOne relies on some background process to do the encryption, and
    that between SP7 and SP8, it changed. The new attributes are longer than
    the old ones, so the snapin-related issue may simply be that it cannot read
    what was stored.
    I don't know if there is a particular security-related component that can
    be reversed to allow changes to the DAS object, then updated again to put
    things back to SP8.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Solaris 10 x86 and Nortel VPN?

    Is it possible to connect to Nortel VPN (using IPSEC implementation provided in Solaris 10) ?
    Nortel doesn't provide client software for Unix/Linux
    but is it possible to connect from solaris 10, using it's IPSEC facilities?
    Nortel VPN authentication parameters include : group id, group password, user id and auth.code(password)

    Did you ever have any luck with this?

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the radius server and also to redirect the web-login to it.
    I was trying to understand, to achieve the external web-login, do I need to use the radius-nac option under advanced on the guest wireless where I am trying this out, and if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated, guys!
    Regards,
    Mohit

    Hi mohit,
    Please make sure of the below steps for guest auth through ISE:
    1) Add the WLC in your ISE as network devices.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the advanced tab please choose the AAA override. No need for radius nac.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • RADIUS and Cisco 2611 router

    Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
    Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
    Using 2297 out of 29688 bytes
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname Tester
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
    server 172.26.0.2 auth-port 1812 acct-port 1813
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    username test password xxx
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    no ip bootp server
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    description To Main Network
    ip address X.X.X.X 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    interface Ethernet0/1
    description To Internal Network
    ip address 172.26.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    load-interval 30
    full-duplex
    no cdp enable
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    line con 0
    password xxx
    logging synchronous
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 1234567890
    logging synchronous
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end
    My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
    I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server?
    Thank you for any assistance you may be able to provide.

    I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
    The command I shared:
    aaa authentication enable default group radius local
    ... was erroneous. The keyword should have been "enable", as you have discovered.
    Therefore use:
    aaa authentication enable default group radius enable
    When I view a Wireshark trace I see the following:
    AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
    Like you, I see the user password appended with the group of \000 groupings.
    Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
    I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
    The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
    My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
    However, there are other mainstream authentication methods that I think you should investigate as well.
    You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
    I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
    The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
    I think you should:
    1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
    2. Investigate whether PPPoE support exists on your router's interfaces.
    3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
    4. Decide which method appeals to you.
    5. Dive in.
    I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
    I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
    Good luck.
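As an added example (not written by anyone in this thread), this is the RFC 2865 User-Password hiding that produces the Wireshark line quoted above: the password is NUL-padded to a 16-byte block, which is where the trailing run of \000 comes from, and each block is XORed with MD5(shared secret + previous block), seeded by the Request Authenticator. The shared secret "secret" is taken from the router config in the thread; the 16-byte Request Authenticator is a constructed sample value.

```python
"""RFC 2865 section 5.2 User-Password hiding, as a sniffer would decode it."""
import hashlib


def _pad16(data: bytes) -> bytes:
    """NUL-pad to a multiple of 16 bytes; this padding is the \\000 run Wireshark shows."""
    return data + b"\x00" * (-len(data) % 16)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password the way the AAA client does before sending Access-Request.
    Block i is XORed with MD5(secret + previous ciphertext block); block 0 uses the
    16-byte Request Authenticator instead of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = _pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return bytes(out)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding. There is no integrity check here: a wrong shared secret
    does not raise an error, it just yields 16 bytes of garbage, which is why a
    "Decrypted" line by itself does not prove client and server share the secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out)


def looks_like_padded_password(plain: bytes) -> bool:
    """Heuristic: printable text followed only by NUL padding, as in "user-PWD\\000...".
    Passing this check is weak evidence the secret was right; failing it is strong
    evidence it was wrong."""
    stripped = plain.rstrip(b"\x00")
    return len(stripped) > 0 and all(32 <= c < 127 for c in stripped)


# Constructed sample: the password and shared secret mirror the values in the thread.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_HIDDEN = encode_user_password(b"user-PWD", b"secret", SAMPLE_AUTHENTICATOR)
```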
