Configuring RADIUS Dial-Up with Livingston Server Authentication

Document ID: 8537

Updated: Jan 19, 2006

Introduction

This document helps the first-time RADIUS user set up and debug a dial-in RADIUS configuration that authenticates against a Livingston RADIUS server. It is not an exhaustive description of the Cisco IOS® Software RADIUS capabilities. Livingston documentation is available from the Lucent Technologies web site. The router configuration is the same no matter what server you use.

Cisco offers RADIUS code in Cisco Secure ACS for Windows, Cisco Secure UNIX, or Cisco Access Registrar. The router configuration in this document was developed on a router running Cisco IOS Software Release 11.3.3. Cisco IOS Software Release 12.0.5.T and later uses group radius instead of radius. Therefore, statements such as aaa authentication login default radius enable appear as aaa authentication login default group radius enable. Refer to the RADIUS information in Cisco IOS documentation for details on RADIUS router commands.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS Software Release 11.3.3

  • Livingston RADIUS

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Configuration

This document uses this configuration:

Router Configuration
!
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default if-needed radius
aaa authorization network default radius
enable password cisco
!
chat-script default "" at&fls0=1&h1&r2&c1&d2&b1e0q2 OK
!
interface Ethernet0
 ip address 10.29.1.3 255.255.255.0
!

!--- CHAP/PPP authentication user:

interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication chap
!

!--- PAP/PPP authentication user:

interface Async2
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool async
 no cdp enable
 ppp authentication pap
!

!--- Login authentication user with autocommand PPP:

interface Async3
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool async
 no cdp enable
!
ip local pool async 10.6.100.101 10.6.100.103
radius-server host 171.68.118.101
radius-server timeout 10
radius-server key cisco
!
line 1
 session-timeout 20
 exec-timeout 120 0
 script startup default
 script reset default
 modem Dialin
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
line 2
 session-timeout 20
 exec-timeout 120 0
 script startup default
 script reset default
 modem Dialin
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
line 3
 session-timeout 20
 exec-timeout 120 0
 autoselect during-login
 autoselect ppp
 script startup default
 script reset default
 modem Dialin
 autocommand ppp
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
!
end

Clients File on Server

Note: This assumes Livingston RADIUS.

# Handshake with router--router needs "radius-server key cisco":
10.29.1.3 cisco

Users File on Server

Note: This assumes Livingston RADIUS.

# User who can telnet in to configure:
admin   Password = "admin"
        User-Service-Type = Login-User

# ppp/chap authentication line 1 - password must be cleartext per chap rfc 1994
# address assigned from pool on router
chapuser        Password = "chapuser"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP

# ppp/pap authentication line 2
# address assigned from pool on router
# Can also have 'Password = "UNIX"' which uses /etc/passwd
papuser Password = "papuser"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP

# ppp/chap authentication line 1 - password must be cleartext per chap rfc 1994
# address assigned by server
chapadd Password = "chapadd"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.10.10.10

# ppp/pap authentication line 2
# address assigned by server
papadd  Password = "papadd"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.10.10.11

# authentication user line 3
# address assigned from pool on router
# Can also have 'Password = "UNIX"' which uses /etc/passwd
authauto        Password = "authauto"
        User-Service-Type = Login-User
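
The users-file comments say that CHAP entries need a cleartext password while PAP entries can use Password = "UNIX". The following sketch is an added example, not code from this document or from Livingston; it shows why, using the User-Password encoding from RFC 2865 and the CHAP digest from RFC 1994. With PAP the server recovers the typed password using only the shared key, so it can check it against a one-way hash, but with CHAP it must recompute an MD5 digest from the stored password itself. The function names, the Request Authenticator, the CHAP identifier and the challenge are constructed for illustration; the key and the user passwords are the sample values from the files above.

```python
import hashlib
import hmac

SECRET = b"cisco"            # shared key from the clients file / "radius-server key cisco"
REQ_AUTH = bytes(range(16))  # constructed 16-octet Request Authenticator (random in practice)

def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_user_password(password, secret, req_auth):
    """RFC 2865 5.2: how the NAS encodes a PAP password into User-Password."""
    size = max(1, -(-len(password) // 16)) * 16         # pad to a multiple of 16
    out, prev = b"", req_auth
    for block in _blocks(password.ljust(size, b"\x00")):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))
        out += prev
    return out

def recover_user_password(hidden, secret, req_auth):
    """Server side of PAP: the shared key alone recovers the cleartext."""
    out, prev = b"", req_auth
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(ident, password, challenge):
    """RFC 1994: MD5 over identifier, the password itself, and the challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_password_attr, challenge, stored_cleartext):
    """Server side of CHAP: recompute the digest from the users-file password."""
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(response, expected)

def demo():
    hidden = hide_user_password(b"papuser", SECRET, REQ_AUTH)
    challenge = bytes(range(16, 32))                    # constructed CHAP challenge
    attr = bytes([7]) + chap_response(7, b"chapuser", challenge)  # constructed ID 7
    return {
        "pap_recovered": recover_user_password(hidden, SECRET, REQ_AUTH),
        "chap_ok": verify_chap(attr, challenge, b"chapuser"),
        "chap_wrong_password": verify_chap(attr, challenge, b"papuser"),
    }

if __name__ == "__main__":
    print(demo())
```

The PAP password is protected between router and server only by the shared key, so the key in the clients file and on the router deserves the same care as the user passwords.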

Microsoft Windows Setup for Users Lines 1 and 2

Note: The PC configuration can vary slightly based on the operating system version you use.

  1. Select Start > Programs > Accessories > Dial-Up Networking.

  2. Select Connections > Make New Connection and enter a name for your connection.

  3. Enter your modem-specific information. Under Configure > General choose the highest speed of your modem, but do not check the box below this.

  4. Select Configure > Connection, and use 8 data bits, no parity, and 1 stop bit. For Call preferences, select Wait for dial tone before dialing, and Cancel the call if not connected after 200 seconds.

  5. Select only Hardware Flow Control and Modulation Type Standard for Advanced.

  6. Under Configure > Options nothing should be checked except under status control. Click OK.

  7. Enter the telephone number of the destination, then click Next and Finish.

  8. Once the new connection icon appears, right-click on it and select Properties > Server Type.

  9. Choose PPP:WINDOWS 95, WINDOWS NT 3.5, Internet and do not check any advanced options. Check at least TCP/IP under allowed network protocols.

  10. Choose Server assigned IP address, Server assigned name server addresses, and Use default gateway on remote network under TCP/IP settings. Click OK.

  11. When the user double-clicks the icon to bring up the Connect To window to dial, the user must fill in the User name and Password fields, and then click Connect.

Microsoft Windows Setup for User Line 3

The configuration for User Line 3 (authentication user with autocommand PPP) is the same as for Users Lines 1 and 2, except that you check Bring up terminal window after dialing in the Configure > Options window.

When you double-click the icon to bring up the Connect To window to dial, do not fill in the User name and Password fields. Click Connect. After the connection to the router is made, enter the username and password in the black window that appears. Click Continue (F7) after authentication.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Router Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • terminal monitor—Displays debug command output and system error messages for the current terminal and session.

  • debug ppp negotiation—Displays PPP packets sent during PPP startup, where PPP options are negotiated.

  • debug ppp packet—Displays PPP packets that are sent and received. (This command displays low-level packet dumps.)

  • debug ppp chap—Displays information about whether a client passes authentication (for Cisco IOS Software Releases earlier than 11.2).

  • debug aaa authentication—Displays information on AAA/TACACS+ authentication.

  • debug aaa authorization—Displays information on AAA/TACACS+ authorization.

Server

Note: This assumes Livingston's UNIX server code.

radiusd -x -d <full_path_to_users_clients_dictionary>
