Turn Cisco 877 Router into RADIUS Server?
Hi Guys,
I was just wondering if it was possible to turn a Cisco 887 Router into a RADIUS Server. What I wanted to do was set up my wireless AP to authenticate using RADIUS, but I didn't want to set up another server for the purpose.
Any ideas?
Thanks
Peter
Nope, but you can turn a wireless AP into a RADIUS server; your AP could be the client and the server at the same time.
P.S. Cisco autonomous AP that is
Similar Messages
-
Cisco 877 router - Cisco IP phone won't register with SIP provider
Hi all,
I'm having a problem with a Cisco SPA504G phone not registering with the SIP carrier over the Internet. We've recently rolled out a Cisco 877 router onto a new NBN business connection and can't get the pre-configured IP phone to register.
When we tested the phone with the NBN-provided Netgear router, it worked fine, as it did with the previous Cisco 1841 router we were using on a different link.
The way it's set up is using VLANs to define the internal subnets, which are then assigned to the physical interfaces (since the 887 doesn't allow IP assignments to the interfaces directly).
VLAN 100 is the internal network and has a SBS2011 server – assigned to F0 – IP range is 192.168.1.0
VLAN 200 is the guest network and has Internet access only – assigned to F1 – IP range is 10.1.1.0
VLAN 500 is the WAN network and connects to the NBN upstream box – assigned to F3 – external IP address assigned by DHCP
I've been playing around with access lists, nat rules, basically everything in my limited Cisco knowledge to try and figure this out, but to no avail. I have even configured what I believe is unrestricted access to IP, UDP and TCP outbound and inbound to all VLANs and still can't get it to register.
Tried isolating the issue by creating a new VLAN and assigning it to the spare interface and basically allowing everything in and out, but still no luck.
The problem has to be something on the router – probably some small line of config I haven’t removed or added.
I am going to pull my hair out soon, so would really appreciate some assistance from the Cisco gurus out there.
My client has just purchased about 10 of these handsets from their provider so I need to fix this ASAP. The guy who provided them wasn't very helpful, and basically said I'm on my own once we tested using the NBN-provided Netgear router.
Happy to post my config as well.
Please help!!!!
Current configuration : 4912 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
no ip source-route
ip dhcp excluded-address 10.1.1.1
ip dhcp pool GUEST
network 10.1.1.0 255.255.255.0
dns-server 10.1.1.1 203.50.2.71 139.130.4.4
default-router 10.1.1.1
ip cef
no ip domain lookup
ip domain name network.local
ip name-server 192.168.1.123
ip name-server 203.23.53.12
ip name-server 197.12.32.86
ip name-server 8.8.8.8
no ipv6 cef
license udi pid CISCO887VA-K9 sn FGL171220XY
username admin privilege 15 secret 5 $1$aNsm$N1BCQYkoi8gnURyvloYEX/
controller VDSL 0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 10
pvc 8/35
interface FastEthernet0
description NAC - Internal network
switchport access vlan 100
no ip address
interface FastEthernet1
description NAC - Guest network
switchport access vlan 200
no ip address
interface FastEthernet2
no ip address
shutdown
interface FastEthernet3
description **** WAN Port ****
switchport access vlan 500
no ip address
interface Vlan1
no ip address
bridge-group 10
hold-queue 100 out
interface Vlan100
description NAC - Internal Vlan
ip address 192.168.1.1 255.255.255.0
ip access-group IN-100 in
ip access-group OUT-100 out
ip nat inside
ip virtual-reassembly in
interface Vlan200
description NAC - Guest Vlan
ip address 10.1.1.1 255.255.255.0
ip access-group IN-200 in
ip access-group OUT-200 out
ip nat inside
ip virtual-reassembly in
interface Vlan500
description **** WAN Vlan ****
ip address dhcp
ip nat outside
no ip virtual-reassembly in
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http secure-server
ip dns server
ip nat inside source list NAT-100 interface Vlan500 overload
ip nat inside source list NAT-200 interface Vlan500 overload
ip nat inside source static tcp 192.168.1.123 25 interface Vlan500 25
ip nat inside source static tcp 192.168.1.123 443 interface Vlan500 443
ip nat inside source static tcp 192.168.1.123 3389 interface Vlan500 3399
ip nat inside source static tcp 192.168.1.123 80 interface Vlan500 80
ip nat inside source static tcp 192.168.1.123 4125 interface Vlan500 4125
ip nat inside source static tcp 192.168.1.124 3389 interface Vlan500 3390
ip nat inside source static tcp 192.168.1.123 987 interface Vlan500 987
ip nat inside source static tcp 192.168.1.123 1723 interface Vlan500 1723
ip route 0.0.0.0 0.0.0.0 55.234.52.43
ip access-list extended IN-100
permit udp any any range bootps bootpc
deny ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended IN-200
permit udp any any range bootps bootpc
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended NAT-100
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-200
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended OUT-100
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended OUT-200
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any 10.1.1.0 0.0.0.255
access-list 23 permit 59.23.164.52
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 120.146.0.0 0.0.255.255
access-list 23 permit 149.185.12.0 0.0.0.255
access-list 23 permit 110.44.28.0 0.0.0.255
access-list 23 permit 110.44.26.0 0.0.0.255
access-list 23 permit 103.25.212.0 0.0.0.255
access-list 23 permit any
bridge 10 protocol ieee
banner motd ^C
* Authorized personnel only! *
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
password password01
login local
transport input all
end
-
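Regarding the VLAN and access-list setup in the 887 config posted above: an evaluator that walks the posted IN-100 and OUT-100 lists the way IOS does (top down, first match wins, implicit deny at the end) makes it possible to check concretely what those two lists permit. The block below is an added example, not code from the thread; the two list bodies are copied from the posted config, while the phone address 192.168.1.50, the provider address 198.51.100.10 and the port numbers are constructed. It models only the entry forms that appear on the page (any/host/wildcard addresses, eq/range ports), not the full IOS ACL grammar, and it does not model the NAT lists or the Vlan500 side.

```python
"""Evaluator for Cisco-style extended ACL entries (added example, not from the thread).

It understands the entry shape used in the posted config: action, protocol,
source + wildcard (or 'any'/'host'), optional 'eq'/'range' source ports,
destination + wildcard, optional destination ports. Evaluation is top-down,
first match wins, with the implicit deny every IOS ACL ends with.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords that appear in the posted lists; IOS knows many more.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]
    sport: Optional[Tuple[int, int]]
    dst: Tuple[str, str]
    dport: Optional[Tuple[int, int]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def _addr(tok, i):
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _port(name):
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def _ports(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i


def parse_acl(text: str):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line, remark or blank
        src, i = _addr(tok, 2)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces


def _in_range(port, rng):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """Return (action, index of the matching entry); index is None for the implicit deny."""
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if not (_in_range(sport, ace.sport) and _in_range(dport, ace.dport)):
            continue
        return ace.action, idx
    return "deny", None


# The two lists applied to Vlan100 in the posted 887 config, copied verbatim.
IN_100 = """ip access-list extended IN-100
permit udp any any range bootps bootpc
deny ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any"""
OUT_100 = """ip access-list extended OUT-100
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255"""


def check_sip_path(phone="192.168.1.50", provider="198.51.100.10"):
    """Constructed phone and provider addresses; 5060/udp is SIP signalling.
    Inbound on Vlan100 the phone's packet meets IN-100; the provider's reply is
    NAT-translated back to the inside address before OUT-100 sees it."""
    in_acl, out_acl = parse_acl(IN_100), parse_acl(OUT_100)
    return {
        "register_out": evaluate(in_acl, "udp", phone, provider, 5060, 5060),
        "reply_in": evaluate(out_acl, "udp", provider, phone, 5060, 5060),
        # DHCP discover from an unconfigured phone: only the bootp entry matches it
        "dhcp_discover": evaluate(in_acl, "udp", "0.0.0.0", "255.255.255.255", 68, 67),
        # a guest-subnet source arriving on Vlan100 meets the explicit deny
        "guest_spoof": evaluate(in_acl, "tcp", "10.1.1.5", "192.168.1.123", 40000, 80),
    }


if __name__ == "__main__":
    for name, (action, idx) in check_sip_path().items():
        print(f"{name:14s} {action:6s} entry={idx}")
```

Run as a script it prints one verdict per constructed packet: both SIP directions are permitted by the third entry of their list, the DHCP broadcast is caught by the bootp entry, and a guest-subnet source arriving on Vlan100 meets the explicit deny. A verdict from an ACL model says nothing about NAT translation, routing or the upstream device, so it narrows where to look rather than closing the question.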
Eem on cisco 877, trouble with mail server action and smtp auth
Hello all,
I'm using an 877 router at home and I really need to check what this router does during the day.
So some time ago I configured it using some EEM actions that send me email, without any problems.
Yesterday I changed my internet provider and now I need to use SMTP authentication to send emails.
I read about how to authenticate, like username:password@host, and also made a quick search here, without solving my problem.
I need to put as username the email of the provider, like: [email protected]:[email protected]
So, I want to know if someone had the same problem and solved it. Of course I couldn't use @ two times or EEM would think that host.com is my SMTP server! And right now that is what is happening!
My IOS version is 15.1(2)T2, EEM version is 3.1.
Hope someone could help me!
Thank you in advance.
Sandro
Hello,
Thank you very much in advance for any help you can offer. When debugging I get this, but stunnel.conf is edited and started:
%HA_EM-3-FMPD_SMTP: Error occured when sending mail to SMTP server: smtp.gmail.com : error in reply from SMTP server
Cisco 877 router with IOS version 12.4(15)T16
Router Config:
ip host gmail.com pc_host*
track 1 rtr 1 reachability
delay down 10 up 60
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer0
timeout 2000
frequency 4
ip sla schedule 1 life forever start-time now
event manager environment to@gmail
event manager environment [email protected]
event manager environment smtp.gmail.com*
event manager applet TRACK-1-OK
event track 1 state up
action 1.0 mail server "smtp.gmail.com" to "[email protected]" from "[email protected]" subject "E2E up/down" body "DSL is UP"*
* I use several possible key combinations:
ip host smtp.gmail.com pc_host
event manager environment [email protected]:[email protected]
action 1.0 mail server "[email protected]:[email protected]" to "[email protected]" from "[email protected]" subject "E2E up/down" body "DSL is UP"*
stunnel.conf config:
cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
options = NO_SSLv2
[pop3s]
accept = 110
connect = pop.gmail.com:995
[imaps]
accept = 143
connect = pop.gmail.com:993
[ssmtp]
accept = 25
connect = smtp.gmail.com:465
Greetings,
Guiller
-
Cisco Switch connecting to Radius Server
Hello Team,
I discovered that any time the uplink of my Cisco C2960CG-8TC-L goes down and reconnects, before the switch connects with the RADIUS server the access ports start to connect into the Guest VLAN, which is not the correct production VLAN that has been assigned to the MAC addresses.
I thought I could resolve this with Link State Tracking upstream and downstream, but it's not working effectively.
The solution to the problem should be: when the UPLINK port goes down for whatever reason and comes back up, it should communicate with the RADIUS server first; thereafter the access ports come up and connect to the assigned Production VLAN, not the Guest VLAN.
How do I achieve this? Any positive advice would be highly appreciated. Configuration can be uploaded if needed.
Thanks
Peter
I haven't ever done it, but I think you can set up the Access point as a RADIUS server. Then configure MAC authentication and either filter with the local list or an access list.
Thanks,
Alex
-
Turning router into Media Server
Hi All, I am not experienced at all when it comes to networking. I just switched ISPs today and got a very good wireless router as part of the service, another Cisco; it works with cable internet. My problem is that it doesn't have a media server like the EA4500 does (which I was using previously with ADSL). Is there a way to get the EA4500 to just act as a media server on the same network as everything else? Would appreciate any help.
Setup the EA4500 in LAN to LAN configuration
Cascading or Connecting a Linksys router to another router
Please remember to Kudo those that help you.
Linksys
Communities Technical Support
-
Can I turn my old router into a Wireless Acess Point?
I have recently found my old BEFW11S4 V4 Wireless Router. It has the latest firmware. What I was wondering is, is it possible to turn it into an Access Point, so that I can increase the range of my Wireless Network? I currently have a wireless router on my network. Any help would be great. Thank you.
Never mind, I figured it out on my own
-
Turning my Macbook Pro into a server
I have read over and over (Mac OS X - Missing Manual) on how to let people access your computer as a server or FTP server, host my own sites, etc... No matter what I try nothing works.
My goal is to have files on my Mac and let my band members access them when they need them, then reload them to my computer when they finish their modifications. We were using my .Mac acct. but we are working with .WAV files and they are on the larger size.
I also want to host my own .coms that I already have from my Mac.
Can anybody direct me to the proper setup info?
-
Turning older g4 tower into a server at work
At my work we have a 466 MHz G4 tower with 640 MB of RAM running OS 9. Some people were wondering if we could turn it into somewhat of a server. I was thinking of putting two large hard drives in it and hooking it up to our network. We would just use it in our graphics department to place our clip art images and things like that on. Would this be worth it or should it just get the boot out of the office. Any suggestions welcome. Thanks guys.
Hi,
Sure, you could do that easily. Just install the drives, the OS and connect it to the network. For a few dollars more though, you could buy a network drive (ethernet) that would be less trouble (and cheaper) to run and probably faster too.
John -
Turning my PM G5 into a server
How do I do this? Can I do this?
I have a PowerMac G5 and I want it to host my website. It is connected via ethernet to a modem/router (which also has wireless capability) and then through Tiscali.
Is there any way to set up my G5 as a server to host my website so that I do not have to pay someone else to do it? My Mac says its IP address is 192.168.1.2, which I know is only the local address. How do I find out the actual IP address so others can access it from the internet? Is it possible to set it up so that you can access my site by using proper words in the URL?
Thanks
jbj
Not sure that this will work: firstly the personal web sharing thing is only for computers on a network or intranet not across the internet.
That's not true - I used it for years to host my own website. The button in System Preferences simply issues the command 'sudo apachectl start' to start the Apache webserver.
Anyway, to host your website, you'll need to not only turn on Personal Web Sharing (the relevant firewall ports on the G5 should open up automatically) on the G5, but you'll need to set up your router as well.
Hopefully there's some place on your router where it shows you its WAN IP, i.e., the address that it has for the "outside world". That's the address that any visitor would need to connect to. Of course, this could change if you have a dynamic IP connection with your ISP.
The router also needs to be configured to forward traffic to your G5 if that traffic arrives on port 80 (the standard port for http traffic), and maybe on port 443 (for https connections). This may be called port forwarding or virtual servers or something like that, depending on whose router you have. You'll also need open up those ports on the router's built-in firewall.
If you want to use "proper words" in the URL, you need a domain name. Preferably, you'll have a static IP address to use with this, or if you don't, you can use a service such as DynDNS.
This is the setup in a nutshell. Work with getting this configured and see if someone can successfully connect to your server from the outside.
Feel free to post back with questions as much as you like. It will work; I had my old PM9600 (running OS X) operating as a webserver/mailserver for several years.
-
Turning a wired router into wireless?
The router in my house is downstairs, and I run an ethernet cable to my bedroom. Now that I got my Macbook, I really don't wanna have the ethernet plugged in all the time, kind of defeats the point. I talked to my dad and for some reason he doesn't wanna switch the wired router to a wireless. I talked to my cousin, and he said something about an adapter piece that I just have to put in the back of my dad's router and it'll let off a wireless signal for me, and I don't have to change the actual router. Does anyone know what piece he's talking about? Or if he's even right?
I work at Best Buy but in cameras so I don't know TOO much about computers, but if you can get me a link to exactly what I'd need from Best Buy it'd be really appreciated.
Wow I really wish I knew about that earlier. I spent about a half hour trying to set up a network bridge from my wired linksys to my wireless linksys, and couldn't even get it to work. I just looked up the Airport Express Base Station and it seems like exactly what I need, and more because my printer's in the living room and my Macbook is in my room. It's a pain when I have to save my Pages documents to Word format just to send it to my dad's PC and print it out.
Basically all I do is connect the ethernet going from my wired router to the AEBS and plug it into the wall right?
-
Using Cisco Router as terminal server
Dear Experts,
I would like to use a Cisco 2800 Router as a terminal server. I use a 2T-WIC (Serial) in asynchronous mode, while the remote computer connects to the router's port by dial-up, using the PPP protocol to get an IP address and access the network. What configuration should be set in the router in order to implement such a service? Should any authentication be implemented, and if so, what is the right setup?
Hi
From your explanation, I assume that you want the router to be a dial-in access server for your HARDDISK client (not diskless).
username cisco password cisco
int e0
ip add
interface Serial 0
physical-layer async
ip unnumbered Ethernet 0
async mode dedicated
dialer rotary-group 1
interface Dialer 1
ip unnumbered Ethernet 0
encapsulation ppp
dialer in-band
dialer-group 1
ppp authentication chap
peer default ip address pool test
ip local pool test
line 1
exec
autoselect ppp
autoselect during-login
login local
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
Hope that will help.
Pls rate helpful posts.
Regards
JD
-
Cisco 878 router for ADSL connectivity
Hi All,
I got a Cisco 878-k9 G.SHDSL router. I am trying to configure it to get connectivity to my Service Provider.
Earlier I have configured Cisco 877 routers several times, but a Cisco 878 for the first time. There is a DSL controller in the 878 router. I think I'm missing something somewhere.
Below is the config that I have done:
controller DSL 0
mode atm
loopback digital
dsl-mode shdsl symmetric annex A
line-rate auto
line-term cpe
line-mode 2-wire line-one
ip cef
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool INSIDE-Pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 212.77.192.59 212.77.192.60
lease 8
interface ATM0
description (Outside Public Interface)
no shutdown
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
ip address negotiated
no ip redirects
no ip proxy-arp
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname p4411XXXX
ppp chap password qatarXXXX
ppp pap sent-username p44114032 password 0 qatarXXXX
no sh
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip nat inside source list 101 interface Dialer0 overload
access-list 1 permit any
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
I have an ADSL line.
I am trying to configure the 878 router, but there is no connection. Can you tell me how you resolved the problem, please?
This is the running config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname cisco2
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
ip cef
ip name-server 212.217.0.1
ip name-server 212.217.0.12
ip name-server 212.217.1.1
ip ddns update method sdm_ddns1
DDNS both
vpdn enable
vpdn-group pppoe
crypto pki trustpoint TP-self-signed-201735762
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-201735762
revocation-check none
rsakeypair TP-self-signed-201735762
crypto pki certificate chain TP-self-signed-201735762
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303137 33353736 32301E17 0D303230 33303130 32353235
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3230 31373335
37363230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A62304BC 27194971 2A4FAEB3 9D57240E 26EDED2A 1674FF9A 7CBBB8F2 85245C3B
C4DDBBF8 F8A67D31 5FDCBD11 72A2735D 9E8FC84B 17B55C71 43C10E41 ACC50BEC
FCE8D9EE 6D2B0B55 9BD5B62C 3981506F 04B92C25 CA4C307E BC6A6A5F 4FBEF0EE
05FEFA57 C7D879FD 79EF442F 121D6393 57E96F31 5414D1D5 4FADFBC0 95C9EAB3
02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
11040B30 09820763 6973636F 322E301F 0603551D 23041830 16801418 6C8FED13
FFD7B2FB F6FA47E7 682B0093 FAE2AC30 1D060355 1D0E0416 0414186C 8FED13FF
D7B2FBF6 FA47E768 2B0093FA E2AC300D 06092A86 4886F70D 01010405 00038181
007C867C AC28A7F0 4BDD261C 81A71F1D E0671C28 F4724F5D ED1FE702 BCE234D9
1F85FE90 4D0AD23E 9904CBF9 D44A8CD5 0F5515BB 8FEEE4BB FF9795E1 7770B60A
E37455CC D6606EAF E0EAEEA4 932F55E6 91C6F87F 1D022203 08AD7C78 4DCF5AEA
819D2367 2B5054CC 695A4EF5 BC9ADA26 F7803106 E94BD666 179EB3DF 4CDE4CB8 1C
quit
username xxxxx privilege 15 password 0 xxxxx
controller DSL 0
mode atm
line-term co
line-mode 4-wire standard
dsl-mode shdsl symmetric annex B
ignore-error-duration 15
line-rate 4608
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description lan
ip address 192.168.1.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
interface Dialer1
ip ddns update hostname xxxx.dyndns.org
ip ddns update sdm_ddns1
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp pap sent-username xxxxx password 0 xxxxx
interface Dialer0
no ip address
ip classless
ip http server
ip http access-class 24
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip access-list extended to-sip-servers
remark --- traffic to any sip server
permit udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
control-plane
banner motd ^CINE welcome
banner ^C
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
scheduler max-task-time 5000
end
-
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Tester
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
username test password xxx
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
no ip bootp server
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
Thank you for any assistance you may be able to provide.
I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
The command I shared:
aaa authentication enable default group radius local
... was erroneous. The keyword should have been "enable", as you have discovered.
Therefore use:
aaa authentication enable default group radius enable
When I view a Wireshark trace I see the following:
AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
Like you, I see the user password appended with the group of \000 groupings.
Note the word "Decrypted", which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
However, there are other mainstream authentication methods that I think you should investigate as well.
You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
I think you should:
1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
2. Investigate whether PPPoE support exists on your router's interfaces.
3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
4. Decide which method appeals to you.
5. Dive in.
I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
Good luck.
-
Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP
I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
But I have yet to locate a good step by step document on how to set it up and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I know of and I do not see any errors in the Windows Event Viewer and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation; they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS together. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old and outdated and has not been updated in a long time, so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.
I did configure the Server 2008 R2 RADIUS Server using this video below:
https://www.youtube.com/watch?v=g-0MM_tK-Tk
I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for your help on this.
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Hello.
There is a LAN (192.168.11.0/24) with a border router cisco 2821 (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect using Cisco VPN Client v 5.0. Everything works. In the same LAN there is an MS Windows Server 2012 Essentials acting as an AD DC.
The need arose to move authorization of remote users to a RADIUS server. As the RADIUS server I want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9).
On the server the corresponding policy has been set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy has been configured. In AD a group VPN-USERS has been created, to which, in addition to the remote users, a service user EasyVPN with the password "cisco" has been added.
Below is an excerpt from the cisco 2821 config:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
description -- to WAN --
crypto map stat-cmap
As a result, the cisco produces the following error (highlighted in bold):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NPS reports error 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
ИД безопасности: domain\VladimirK
Имя учетной записи: VladimirK
Домен учетной записи: domain
Полное имя учетной записи: domain.local/Users/VladimirK
Компьютер клиента:
ИД безопасности: NULL SID
Имя учетной записи: -
Полное имя учетной записи: -
Версия ОС: -
Идентификатор вызываемой станции: -
Идентификатор вызывающей станции: aaa.bbb.ccc.137
NAS:
Адрес IPv4 NAS: 192.168.11.1
Адрес IPv6 NAS: -
Идентификатор NAS: -
Тип порта NAS: Виртуальная
Порт NAS: 0
RADIUS-клиент:
Понятное имя клиента: Cisco2821
IP-адрес клиента: 192.168.11.1
Сведения о проверке подлинности:
Имя политики запроса на подключение: Использовать проверку подлинности Windows для всех пользователей
Имя сетевой политики: Подключения к другим серверам доступа
Поставщик проверки подлинности: Windows
Сервер проверки подлинности: DC01.domain.local
Тип проверки подлинности: PAP
Тип EAP: -
Идентификатор сеанса учетной записи: -
Результаты входа в систему: Сведения об учетных данных были записаны в локальный файл журнала.
Код причины: 66
Причина: Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Playing with Cisco AV Pairs and other Network Policy settings on the RADIUS server gives the same result.
Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 gave no answer.
If anyone has done something similar, please point me in a direction to look for a solution.
Going through your post, I could see that RADIUS is sending Access-Reject because the RADIUS Access-Request is sending a VPN group name in the user name field. I was in a discussion of the same problem a few days before, and that got resolved by making 2 changes.
replace the authorization from radius to local
and
changing the encryption type in transform set
However, your configuration already has those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
~BR
Jatin Katyal
**Do rate helpful posts**
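As an added illustration (not part of the thread, and not Cisco's or Microsoft's code), a small Python model of the Access-Request shown in the router debug above: it hides the password with the RFC 2865 User-Password scheme, packs User-Name "EasyVPN", Service-Type Outbound and NAS-IP-Address, and classifies the authentication method the way an NPS network policy sees it (a User-Password attribute means PAP, which is what reason code 66 is rejecting). The shared secret and the 16-byte request authenticator are constructed values.

```python
import hashlib
import struct

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a party holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    """Code 1 = Access-Request; attrs is a list of (type, value-bytes); TLV = type, len, value."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]) from a raw RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, ident, data[4:20], attrs

def auth_method(attrs):
    """What the NPS policy sees: EAP-Message [79], CHAP-Password [3] or User-Password [2] = PAP."""
    types = {t for t, _ in attrs}
    return "EAP" if 79 in types else "CHAP" if 3 in types else "PAP" if 2 in types else "unknown"

def constructed_group_request():
    """Mirror the debug: group name 'EasyVPN' in User-Name [1], Service-Type [6] Outbound (5),
    NAS-IP-Address [4] 192.168.11.1, packet id 61. Secret and authenticator are constructed."""
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    attrs = [(1, b"EasyVPN"), (2, hide_password(b"cisco", secret, auth)),
             (6, struct.pack("!I", 5)), (4, bytes([192, 168, 11, 1]))]
    return build_access_request(61, auth, attrs), secret
```

The User-Password value is always a multiple of 16 bytes, which is why the debug shows it with length 18 (2 header bytes plus one 16-byte block).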