SLM224G4PS Radius and PoE

Hi,
First I'd like to know if there is a white paper on how to setup a win2003 radius server in order to use this switch 802.1x auth feature.  Thanks A LOT if I can get help on this.
Second:
In this switch Web page spec I read:
Provides IEEE 802.3af PoE power to IP phones, surveillance cameras, and Access Points. Up to 12 ports (port 1 - 6 and port 13 - 18) PoE with total power budget of 100 W.
... and in its PDF Datasheet i read:
Provides IEEE 802.3af PoE power to IP phones, surveillance cameras, and Access Points. Up to 24 ports (port 1-6, port 13-18) PoE with total power budget of 180W.
Which of these statements are correct?  I need / want a switch with 24x 100Mbps PoE  ports.  Do I get that with this switch, and if not, which (budget) model do I choose to get that?
Thanks a lot for comments on these issues.
regards
Tor

OK, I realize that only half of the actual port count is supported for PoE.  But I cannot understand why LS has designed it with such a flaw.
However, I hope someone has a comment or tip on my other issue: where do I find a good how-to or white paper on setting up a w2003 IAS/RADIUS server so I can connect my 802.1x switches to it...
rgds
Tor

Similar Messages

  • RADIUS and Nortel (Bay Networks)

    I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I am trying to use the RADIUS server to authenticate users to a Nortel (Bay Networks) 450. I have put a sniffer on the line and find the RADIUS server is sending an Access-Accept message, but the 450 shows access denied. The only thing I can figure is the 450 does not like the authenticator. I have tried just about all the options under Bay Networks in the RADIUS Profile, with no luck.
    Has anyone got Nortel switches to authenticate thru a Novell RADIUS server?
    John Curran

    John,
    I am interested in knowing if you found a solution to your problem? We
    are currently planning on setting up Radius and we use Nortel devices. Any
    information or tips you could provide would be appreciated. Thanks,
    Lee Anne
    > Your Nortel box is probably expecting an attribute in the access-accept
    > packet that is not there. You probably just need to configure this attribute
    > in your RADIUS Dial Access Profile, although it's possible that you need an
    > attribute that is not yet in our dictionary.
    >
    > I suggest that you check your Nortel documentation to see what attributes it
    > expects from the RADIUS server. If you require an attribute that is not in
    > our dictionary, post the details here and I'll see that it gets added.
    >
    > >>> John Curran<[email protected]> 12/23/2004 10:59 AM >>>
    > I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I
    > am trying to use the RADIUS server to authenticate users to a Nortel (Bay
    > Networks) 450. I have put a sniffer on the line and find the RADIUS server
    > is sending an Access-Accept message, but the 450 shows access denied. The
    > only thing I can figure is the 450 does not like the authenticator. I have
    > tried just about all the options under Bay Networks in the RADIUS Profile,
    > with no luck.
    >
    > Has anyone got Nortel switches to authenticate thru a Novell RADIUS server?
    >
    > John Curran

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • Novell Radius and Cisco 1841 router

    I tried to set up NW Radius and it all seems to be set up perfectly according to this TID# http://support.novell.com/cgi-bin/se...?/10078616.htm
    But when someone tries to connect through my Cisco VPN I get this error:
    [2005-05-19 05:03:26 PM] Access request dropped
    <trusted IP>, <Cisco connect group>, Unkown radius client
    I entered the <trusted ip> as a client in Console One and chose Cisco as the vendor (also tried Generic radius).
    <cisco connect group> is the authentication group I setup in the router, and must be entered before connecting through VPN.
    Any clues would be appreciated.

    Jepe,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Radius and Diameter

    Please, anyone, tell me about Radius and Diameter....
    As far as I know.... Radius and Diameter are both for the AAA (Authentication, Authorization, and Accounting) function.
    Is there any other purpose???

    This is a UC community, you should be asking this in the security community.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Radius and Billing

    Dear NetPros,
    I have configured the Radius & Billing Servers on my Cisco AS5350 which is terminating VoIP Traffic as given below. The first two are Mind Billing Primary and Secondary Billing Servers. The third one is a billing server from another vendor. I want to send CDR information to all three billing servers simultaneously. Currently the gateway is only sending the Radius and Billing information to the first available server. Is there any way for the gateway to send radius and billing information to all these three servers simultaneously? Would appreciate any help or suggestion in this area. Thanx
    aaa group server radius mind
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    radius-server host AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXXXX
    radius-server host EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646 key 7 YYYYYYYYYYYYYYYYYYYY
    radius-server host III.JJJ.KKK.LLL auth-port 1812 acct-port 1813 key 7 ZZZZZZZZZZZZZZZZZZZZ
    Cheers
    Rushabh
    Senior Project Researcher
    PP-Ontime Co., Ltd.
    Cellular ~ 669-2047331
    www.pp-ontime.co.th

    The AAA "Broadcast Accounting" feature allows accounting information to be sent to multiple AAA servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This feature allows broadcasting among "groups of servers". And each server group can define its backup servers for fail over independently of other groups.
    However, the restriction is that Accounting information can be sent simultaneously to a maximum of four AAA servers.
    For the scenario mentioned, in order to send billing info to all the 3 servers simultaneously, the aaa accounting command can be configured globally, as in:
    aaa accounting network default start-stop broadcast group mind1 group mind2 group mind3
    The individual servers in the server group 'mind' may be split across different server groups.
    aaa group server radius mind1
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    aaa group server radius mind2
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    aaa group server radius mind3
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    (Backup servers within each server-group may be defined)
    Simultaneously accounting records are sent to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

  • SG300-10P LACP and PoE

    Hi
    I am using an SG300-10 and connected it to two SG200s with LACP and PoE.
    When I tried to use ssh client to check poe status via cli, the switch suddenly rebooted.
    After this, the poe is dead.
    I reset the switch, reconfigured the settings but ..
    as soon as I set GE1+GE2 to a LACP group,
    the SG200-8 connected to GE1+GE2 is down, lost power
    when I remove the GE1+GE2 from LACP group, the poe is back ...
    same to any other port.
    only ports that are not in LACP are listed in "Port Management" "PoE" "Settings"
    is the hardware damaged? I am using the latest 1.3.0.62 firmware.
    The physical connection is:
    L3 Mode
    GE1+GE2 = LACP <---> SG200-8 nr1
    GE3+GE4 = LACP <---> SG200-8 nr2
    GE5 <---> my pc
    Thanks for any hint/help!

    Thanks for the advice.
    I came home today and found out a power outage happened and somehow the SG300-10P stopped working partly; any device not directly connected to it can't ping the switch or communicate with it or its connected devices (even after reboot).
    So I decided to reset it to the factory default and manually reapply all the settings from my memory, because the last few times I tried to use a backed-up config file, it ended badly. (The firmware is already updated to the latest.)
    After that, I followed your advice and set GE1 PoE active and GE2 PoE off, and so on, now both SG200-8 and SLM2008 are getting power from port GE1 and GE3.
    Still, as soon as I add a port to a LACP group, it will disappear from the "Port Management", "PoE", "Settings" page ... is that normal behavior? Or is it a problem on the SG200 and/or SLM2008?

  • Where is the 300 series switch with 48 gigabit ports and PoE?

    Love the 300 series but surprised that Cisco did not put out a 48 port model with gigabit and PoE.  Would love to hear from Cisco on the reasoning behind that and if there are any plans to introduce one?  Given that gigabit and VoIP is the future at many companies it only makes sense.

    The switches use the SFPs to link to each other. The SG500 has ports for 1G or 5G and the SG500X has 10G ports. Whichever port you select will be the speed at which the switches pass traffic and stack control information. These same ports can be 'reclaimed' if you were to set the switch to stand alone mode. I have put a chart below which details the ports you can use and the speed of these ports.
    Units in Stack       SG500X      SG500X      SG500    SG500
    Stack Port Name      S1,S2-XG    S1,S2-5G    S1,S2    S3,S4
    Stack Port Speeds    10G/1G      1G/5G       1G       1G/5G

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private development network, and I need it in order to access remotely two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by the radius attribute Group-Policy. However, for example, you'll notice no VLAN mapping, even if I have declared them explicitly in the group policies themselves. This is the webvpn section of the CLI script I used to set up remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way, otherwise I couldn't authenticate using radius (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since May the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • Problem with radius and wep/wpa

    Hi
    I have a problem with wrv200 (1.0.38) + freeradius (2.0.5) + wpc54g v3.1 with wxp with the patch to use wpa/wpa2.
    I think that authentication in my radius passes correctly but there is some problem with wpa mode or wpa compatibility.
    In my wrv200 I try modes: wpa-enterprise, wpa2-enterprise, wpa2 enterprise-mix and radius. In my wireless card I try: wpa and wpa2. My
    freeradius.conf:
    andy Auth-Type := Accept, User-Password == "andy"
    and log from radius:
    rad_check_password: Auth-Type = Accept, accepting the user Login OK: [andy] (from client wrv200 port 0 cli 00-18-F8-aa-aa-aa)
    Sending Access-Accept of id 4 to 10.0.0.6 port 1026
    my wrv200 still send to syslog:
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    and I never connect to the network, and I must still (every 30s) type login and password to authenticate. When I use only wep, without radius, it works.
    I have dwl900ap+ from dlink and when I use radius + wep 64bit everything works
    i don't have any idea
    thanks for any help
    popo

    Hey, try disabling the security & try connecting to the network to see if it works fine. If not, I mean if you want to connect using the secured network, then I would suggest you upgrade the firmware of the router & keep on holding the reset button tightly in such a way that the power light is blinking on the router, & then do a complete network power cycle, i.e., unplug the power cables from the modem & from the router & then plug in the power cable to the modem first; once all the lights are solid green you could plug in the power cable to the router & check it out, it will definitely work!!

  • Radius and Internet sharing not compatible

    I have 2 MBPs connected to a Leopard Server via an AEBS.
    I want to connect a third ethernet device using internet sharing on one of the MBPs
    Couldn't get it to work unless I switched off RADIUS authentication and downgraded to a WPA/WPA2 personal key.
    What am I doing wrong? Does it need additional settings on the AEBS or the server?

    I have the same problem, only on mobile. Keeps asking to upgrade. It's like the phone doesn't know I have this service. Or the tmo servers do not know that my account has paid for this. Funny part is, the customer services people say they can see I have this feature on my acct. Pls keep me posted if you get a fix for this.

  • Aironet 1310, power injector and poe cable

    Hello,
    Can the power injector delivered with the Aironet 1310 be supplied by a PoE RJ45 cable rather than the traditional DC adapter?
    The problem is, I thought the Aironet 1310 was PoE, which means it can be power supplied by an RJ45 cable.
    But, when I opened my brand new 1310 box, I realized that 1st, it needs that Power Injector to work and that 2nd, the Power Injector needs a power supply...
    Usually when I buy a PoE access point, I just plug in my PoE RJ45 cable and it's power supplied :)
    Anyway, I hope there's a solution for this because where the 1310 should be placed, there's only a PoE RJ45 cable arriving.
    Thanks in advance,
    lachapelle

    Hi lachapelle,
    Sadly the 1310 cannot be powered by PoE, but the Power Injector can be up to 100 meters away from the unit.
    Dual coaxial cable to run from the power injector to the 1300. See attached notes:
    Cisco Aironet 1300 Series
    Cisco Aironet 1300 Series Access Point/Bridge Power Injector
    The Cisco Aironet 1300 Series Outdoor Access Point/Bridge Power Injector converts the standard 10/100 BaseT Ethernet interface that is suitable for weather protected areas to a dual F-Type connector interface for coax cables that are more suitable for harsh outdoor environments. The Power Injector also provides power to the outdoor unit over the same cables with a power discover feature and surge protection. To support longer cable runs from your wireless network switch or router, the Power Injector LR is designed to accommodate up to a 100 meter coaxial cable run plus 100 meters of indoor cat5 cable, enabling total cable runs up to 200 meters. The Cisco Aironet 1300 Series Outdoor Access Point/Bridge ships with the Power Injector LR2 and an AC power supply.
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_data_sheet09186a008022551d.html
    Cisco Aironet 1300 Series Outdoor Access Point/Bridge Hardware Installation Guide
    Ethernet Ports
    The access point/bridge dual-coax Ethernet ports consist of a pair of 75-ohm F-type connectors, linking the unit to your 100BASE-T Ethernet LAN through the power injector. The dual-coax cables are used to send and receive Ethernet data and to supply inline 48-VDC power from the power injector to the access point/bridge.
    Power
    The access point/bridge receives inline power from the Cisco Aironet Power Injector (hereafter called the power injector). Dual-coax cables are used to provide Ethernet data and power from the power injector to the access point/bridge. The power injector is an external unit designed for operation in a sheltered environment, such as inside a building or vehicle. The power injector also functions as an Ethernet repeater by connecting to a Category 5 LAN backbone and using the dual-coax cable interface to the access point/bridge.
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_installation_guide_book09186a00804d3095.html
    AIR-PWRINJ-BLR2
    F-Type Connectors
    Dual coaxial cable carries full-duplex Ethernet, DC power, and full-duplex console port (RS-232 connection)
    From this link:
    http://www.cisco.com/en/US/products/ps5861/products_data_sheet09186a00802252e1.html
    Hope this helps!
    Rob

  • RADIUS and Vendor-Specific attributes

    Hi,
    I'm trying to add a vendor specific attribute (Cisco AV Pair) to BMAS
    (NMAS 3.1.2 on NetWare 6.5 SP6). I can add any generic attribute I
    want, but any of the vendor-specific attributes are not sent back in the
    radius access-accept packet. Is there some configuration change I need
    to make to support vendor specific attributes? They all show up in
    ConsoleOne, I can add them, and they are saved when I hit OK.
    Thanks for any suggestions!
    Greg

    In article <UG2Jm.1195$[email protected]>, Greg Palumbo
    wrote:
    > I read the other two recent threads on this, it does sort of sound like
    > a snapin issue, but those are usually under the 1.2\snapins directory I
    > thought. what about installing a fresh copy of C1 on the C:\ drive from
    > the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
    > files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
    > WinMerge could flag all the changed files easily...
    >
    My latest thinking is that this is related to security. The failing
    attribute contains an encryption of the DAS client password. I'm assuming
    that ConsoleOne relies on some background process to do the encryption, and
    that between SP7 and SP8, it changed. The new attributes are longer than
    the old ones, so the snapin-related issue may simply be that it cannot read
    what was stored.
    I don't know if there is a particular security-related component that can
    be reversed to allow changes to the DAS object, then updated again to put
    things back to SP8.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the radius server and also to redirect the web-login to it.
    I was trying to understand, to achieve the external web-login, do I need to use the radius-nac option under advanced on the guest wireless where I am trying this out? And if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated guys!
    Regards,
    Mohit

    Hi mohit,
    Please make sure the below steps for guest auth thru ISE,
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the advanced tab please choose the AAA override. No need for radius nac.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • RADIUS and Cisco 2611 router

    Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
    Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
    Using 2297 out of 29688 bytes
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname Tester
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
    server 172.26.0.2 auth-port 1812 acct-port 1813
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    username test password xxx
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    no ip bootp server
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    description To Main Network
    ip address X.X.X.X 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    interface Ethernet0/1
    description To Internal Network
    ip address 172.26.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    load-interval 30
    full-duplex
    no cdp enable
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    line con 0
    password xxx
    logging synchronous
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 1234567890
    logging synchronous
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end
    My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
    I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server?
    Thank you for any assistance you may be able to provide.

    I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
    The command I shared:
    aaa authentication enable default group radius local
    ... was erroneous. The keyword should have been "enable", as you have discovered.
    Therefore use:
    aaa authentication enable default group radius enable
    When I view a Wireshark trace I see the following:
    AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
    Like you, I see the user password appended with the group of \000 groupings.
    Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
    I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
    The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
    My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
    However, there are other mainstream authentication methods that I think you should investigate as well.
    You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
    I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
    The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
    I think you should:
    1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
    2. Investigate whether PPPoE support exists on your router's interfaces.
    3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
    4. Decide which method appeals to you.
    5. Dive in.
    I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
    I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
    Good luck.
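The "\000" padding and the "Decrypted" label that the reply discusses both come from how RFC 2865 hides the User-Password attribute: the password is NUL-padded to a multiple of 16 octets and each block is XORed with MD5(shared secret + previous block), seeded with the 16-byte Request Authenticator. The following is an added example, not code from either poster, that implements that encoding and decoding so you can see why a decoder (Wireshark included) produces the NUL-padded cleartext only when it holds the same shared secret, and produces unreadable bytes otherwise. It reuses the shared secret "secret" from the posted configuration and a constructed Request Authenticator.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a RADIUS User-Password value as in RFC 2865 section 5.2.

    The cleartext is padded with NULs to a multiple of 16 octets, then each
    16-octet block is XORed with MD5(secret + previous block); for the first
    block the 'previous block' is the 16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits the password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password; returns the still NUL-padded cleartext.

    A wrong shared secret does not raise: it simply yields wrong bytes, which
    is why a decoder cannot 'know' the secret was wrong, it can only show
    garbage instead of readable text followed by NUL padding.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out)


def plausible_secret(hidden: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Heuristic a packet analyst applies by eye: printable text, then only
    NUL padding. True strongly suggests the secret matches the client's."""
    revealed = reveal_password(hidden, secret, authenticator)
    body = revealed.rstrip(b"\x00")
    return all(0x20 <= b < 0x7F for b in body)


def demo() -> dict:
    secret = b"secret"                 # same value as in the posted config
    authenticator = os.urandom(16)     # constructed Request Authenticator
    hidden = hide_password(b"user-PWD", secret, authenticator)
    return {
        "hidden": hidden,
        "right_secret": reveal_password(hidden, secret, authenticator),
        "wrong_secret": reveal_password(hidden, b"not-the-secret", authenticator),
        "right_plausible": plausible_secret(hidden, secret, authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The "right_secret" entry is "user-PWD" followed by eight NUL bytes, matching the trace quoted in the reply; the "wrong_secret" entry is 16 unrelated bytes. This is also why the reply's caution is well placed: a matching secret on the capturing host says nothing about whether the RADIUS server's configured secret matches the client's, which only the server's Access-Accept or Access-Reject (or its log) can tell you.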
