This document assists the first-time RADIUS user in how to set up and debug a dial-in RADIUS configuration with authentication to a Livingston RADIUS server. It is not an exhaustive description of the Cisco IOS® Software RADIUS capabilities. Livingston documentation is available from the Lucent Technologies web site. The router configuration is the same no matter what server you use.
Cisco offers RADIUS code in Cisco Secure ACS for Windows, Cisco Secure UNIX, or Cisco Access Registrar. The router configuration in this document was developed on a router running Cisco IOS Software Release 11.3.3. Cisco IOS Software Release 12.0.5.T and later uses group radius instead of radius. Therefore, statements such as aaa authentication login default radius enable appear as aaa authentication login default group radius enable. Refer to the RADIUS information in Cisco IOS documentation for details on RADIUS router commands.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco IOS Software Release 11.3.3
Livingston RADIUS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.
This document uses this configuration:
Router Configuration

```
!
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default if-needed radius
aaa authorization network default radius
enable password cisco
!
chat-script default "" at&fls0=1&h1&r2&c1&d2&b1e0q2 OK
!
interface Ethernet0
 ip address 10.29.1.3 255.255.255.0
!
!--- CHAP/PPP authentication user:
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication chap
!
!--- PAP/PPP authentication user:
interface Async2
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication pap
!
!--- Login authentication user with autocommand PPP:
interface Async3
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool async
 no cdp enable
!
ip local pool async 10.6.100.101 10.6.100.103
radius-server host 171.68.118.101
radius-server timeout 10
radius-server key cisco
!
line 1
 session-timeout 20
 exec-timeout 120 0
 script startup default
 script reset default
 modem Dialin
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
line 2
 session-timeout 20
 exec-timeout 120 0
 script startup default
 script reset default
 modem Dialin
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
line 3
 session-timeout 20
 exec-timeout 120 0
 autoselect during-login
 autoselect ppp
 script startup default
 script reset default
 modem Dialin
 autocommand ppp
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
end
```
Note: This assumes Livingston RADIUS.

Livingston clients file (NAS address and the shared secret it must match):

```
# Handshake with router--router needs "radius-server key cisco":
10.29.1.3       cisco
```
Note: This assumes Livingston RADIUS.

Livingston users file:

```
# User who can telnet in to configure:
admin           Password = "admin"
                User-Service-Type = Login-User

# ppp/chap authentication line 1 - password must be cleartext per chap rfc 1994
# address assigned from pool on router
chapuser        Password = "chapuser"
                User-Service-Type = Framed-User,
                Framed-Protocol = PPP

# ppp/pap authentication line 2
# address assigned from pool on router
# Can also have 'Password = "UNIX"' which uses /etc/passwd
papuser         Password = "papuser"
                User-Service-Type = Framed-User,
                Framed-Protocol = PPP

# ppp/chap authentication line 1 - password must be cleartext per chap rfc 1994
# address assigned by server
chapadd         Password = "chapadd"
                User-Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-Address = 10.10.10.10

# ppp/pap authentication line 2
# address assigned by server
papadd          Password = "papadd"
                User-Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-Address = 10.10.10.11

# authentication user line 3
# address assigned from pool on router
# Can also have 'Password = "UNIX"' which uses /etc/passwd
authauto        Password = "authauto"
                User-Service-Type = Login-User
```
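The two files above only make sense together with what the router and radiusd actually exchange. The following is an added example, not code from the Cisco page or from Livingston, that models that exchange per RFC 2865 and RFC 1994 with the values above: the shared secret from the clients file ("cisco") is what hides a PAP User-Password and what signs every reply, while a CHAP check can only be performed if the server holds the user's cleartext password, which is why the users file stores it that way. The packet contents, CHAP identifier, and the two-user table are constructed for the demo.

```python
# Added example (not Cisco or Livingston code): a minimal RFC 2865 / RFC 1994
# model of the NAS <-> radiusd exchange for the users above. All values are
# constructed for the demo; the secret and user entries mirror the files above.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
SHARED_SECRET = b"cisco"                                   # clients file: 10.29.1.3 cisco
USERS = {"chapuser": b"chapuser", "papuser": b"papuser"}  # cleartext, as CHAP needs

def attr(atype, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value

def parse_attrs(body):
    """Return {type: value}; reject a length that runs past the packet."""
    pos, out = 0, {}
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        out[atype] = body[pos + 2:pos + alen]
        pos += alen
    return out

def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(Identifier || cleartext secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def pap_request(ident, username, password, secret):
    """NAS side for the papuser entry (Async2): password hidden with the secret."""
    req_auth = os.urandom(16)
    return packet(ACCESS_REQUEST, ident, req_auth, [
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(password, req_auth, secret))])

def chap_request(ident, username, password, chap_id=7):
    """NAS side for the chapuser entry (Async1): forwards the peer's CHAP answer
    and the challenge the router issued; the shared secret plays no part here."""
    challenge = os.urandom(16)
    return packet(ACCESS_REQUEST, ident, os.urandom(16), [
        attr(USER_NAME, username.encode()),
        attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        attr(CHAP_CHALLENGE, challenge)])

def handle_access_request(raw, secret, users):
    """radiusd side: verify PAP or CHAP, reply with a signed Access-Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    req_auth, attrs = raw[4:20], parse_attrs(raw[20:length])
    stored = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if stored is not None and code == ACCESS_REQUEST:
        if CHAP_PASSWORD in attrs and len(attrs[CHAP_PASSWORD]) == 17:  # needs cleartext pw
            chap = attrs[CHAP_PASSWORD]
            challenge = attrs.get(CHAP_CHALLENGE, req_auth)
            ok = hmac.compare_digest(chap_response(chap[0], stored, challenge), chap[1:])
        elif USER_PASSWORD in attrs:                                    # needs shared secret
            ok = hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], req_auth, secret), stored)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def reply_is_authentic(request, reply, secret):
    """NAS side: a reply signed with a different secret is dropped, not trusted."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def authenticate(request, server_secret=SHARED_SECRET, nas_secret=SHARED_SECRET, users=USERS):
    """One round trip; returns (accepted, reply_authentic)."""
    reply = handle_access_request(request, server_secret, users)
    return reply[0] == ACCESS_ACCEPT, reply_is_authentic(request, reply, nas_secret)
```

Running `authenticate()` with a mismatched `server_secret` shows both symptoms of a wrong `radius-server key` at once: the PAP password decrypts to garbage and is rejected, and the router discards the reply because the Response Authenticator does not verify. It also shows why a short secret such as "cisco" is a weak point: the hiding scheme is MD5 keyed only by that secret and a 16-byte authenticator that travels in the clear, so anyone who captures one exchange can test candidate secrets offline.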
Note: The PC configuration can vary slightly based on the operating system version you use.
Select Start > Programs > Accessories > Dial-Up Networking.
Select Connections > Make New Connection and enter a name for your connection.
Enter your modem-specific information. Under Configure > General choose the highest speed of your modem, but do not check the box below this.
Select Configure > Connection, and use 8 data bits, no parity, and 1 stop bit. For Call preferences, select Wait for dial tone before dialing, and Cancel the call if not connected after 200 seconds.
Select only Hardware Flow Control and Modulation Type Standard for Advanced.
Under Configure > Options nothing should be checked except under status control. Click OK.
Enter the telephone number of the destination, then click Next and Finish.
Once the new connection icon appears, right-click on it and select Properties > Server Type.
Choose PPP:WINDOWS 95, WINDOWS NT 3.5, Internet and do not check any advanced options. Check at least TCP/IP under allowed network protocols.
Choose Server assigned IP address, Server assigned name server addresses, and Use default gateway on remote network under TCP/IP settings. Click OK.
When the user double-clicks the icon to bring up the Connect To window to dial, the user must fill in the User name and Password fields, and then click Connect.
The configuration for User Line 3 (authentication user with autocommand PPP) is the same as for Users Line 1 and 2. The exception is to check Bring up terminal window after dialing from the Configure > Options window.
When you double-click the icon to bring up the Connect To window to dial, do not fill in the User name and Password fields. Click Connect. After the connection to the router is made, enter the username and password in the black terminal window that appears. Click Continue (F7) after authentication.
There is currently no verification procedure available for this configuration.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
terminal monitor—Displays debug command output and system error messages for the current terminal and session.
debug ppp negotiation—Displays PPP packets sent during PPP startup, where PPP options are negotiated.
debug ppp packet—Displays PPP packets that are sent and received. (This command displays low-level packet dumps.)
debug ppp chap—Displays information about whether a client passes authentication (for Cisco IOS Software Releases earlier than 11.2).
debug aaa authentication—Displays information on AAA authentication, whichever method list (RADIUS here, or TACACS+) is in use.
debug aaa authorization—Displays information on AAA authorization, whichever method list (RADIUS here, or TACACS+) is in use.
Note: This assumes Livingston's UNIX server code. Run the daemon in the foreground with debugging on, pointing it at the directory that holds the users, clients, and dictionary files:

```
radiusd -x -d <full_path_to_users_clients_dictionary>
```