
I need to configure local RADIUS authentication on my Cisco router. I have a web application in which we have implemented dual-factor authentication; it works fine with other RADIUS servers like FreeRADIUS.

I managed to send Access-Request to the cisco router, but the router always sends back Access-Reject packet.

show running-config

aaa new-model
aaa session-id common

radius-server local
  no authentication mac
  nas 192.168.0.8 key 0 testing_new
  user test2 nthash 0 0CB6948805F797BF2A82807973B89537

!
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key testing_new

When I run show radius local-server statistics I get

Successes              : 0           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 16          Invalid packet from NAS: 11

NAS : 192.168.0.8
Successes              : 0           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 6
No username attribute  : 1           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0

I didn't manage to find a configuration for my case, nor do I know if it is possible. Any ideas what I am missing in my Cisco configuration?

ananetworking
  • 33
  • 1
  • 6

1 Answer

4

You are missing the server. No, you can't set the router as a server. Local auth is not RADIUS. The whole point of RADIUS is to use a different machine for authentication purposes. The IP you set with radius-server host must be that of the RADIUS server.

Even if your router somehow supported this (some new models support a built-in RADIUS server, but this is usable only for LEAP), it would not be a recommended practice, since most of the commonly used routers barely have enough resources to do their primary tasks. Making one do RADIUS could turn into a significant performance degradation.

If you don't want to use a physical machine you could cheat by turning a wireless AP into a RADIUS server.

Overmind
  • 3,076
  • 2
  • 16
  • 25
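The counters in the question's show radius local-server statistics output (Unknown NAS, Unknown RADIUS message, No username attribute, Shared key mismatch, Invalid passwords) are the checks any RADIUS server runs on an Access-Request before it answers, and the answer's point about the NAS/server split is easier to see with both sides in front of you. The following is an added example, not code from the question, the answer or Cisco IOS: a minimal RFC 2865/2869 client (the NAS side) and server in Python that exchange an Access-Request and an Access-Accept/Reject, verify the shared secret through the Message-Authenticator, hide the PAP password with the RFC 2865 MD5 chain, and count outcomes under the same names as the IOS statistics. It assumes PAP cleartext passwords for simplicity (the router config's nthash user implies a challenge method such as MS-CHAP or LEAP, which is not modelled), reuses the NAS address 192.168.0.8 and key testing_new from the question as sample values, and the user password "correct horse" and all function and class names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from collections import Counter

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs, raising ValueError on a truncated or undersized attribute."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[:2])
        if l < 3 or l > len(data):          # RFC 2865: attribute length is at least 3
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def pap_obfuscate(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block_i = p_i XOR MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth                # first chaining value is the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(cipher, secret, req_auth):
    """Inverse of pap_obfuscate; a wrong secret simply yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign_message_authenticator(packet, secret):
    """Append RFC 2869 Message-Authenticator: HMAC-MD5(secret) over the packet with the attribute zeroed."""
    pkt = (packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:]
           + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_request(username, password, secret, ident=1):
    """NAS side: fresh random Request Authenticator, PAP password, signed with the shared secret."""
    req_auth = os.urandom(16)
    pkt = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, pap_obfuscate(password, secret, req_auth)),
    ])
    return sign_message_authenticator(pkt, secret)


def verify_response(reply, request, secret):
    """NAS side: the Response Authenticator must be MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and reply[1] == request[1]


class LocalRadiusServer:
    """Server side; self.stats uses the counter names from the IOS local-server statistics (assumed mapping)."""

    def __init__(self, nas_keys, users):
        self.nas_keys = nas_keys        # {nas_ip: shared secret}, like 'nas <ip> key <secret>'
        self.users = users              # {username: cleartext password} (PAP simplification)
        self.stats = Counter()

    def _reply(self, code, ident, req_auth, secret):
        head = struct.pack("!BBH", code, ident, 20)
        return head + hashlib.md5(head + req_auth + secret).digest()

    def handle(self, src_ip, packet):
        """Return (outcome, reply bytes or None). Protocol errors are dropped silently, as a server should."""
        secret = self.nas_keys.get(src_ip)
        if secret is None:                                   # not a configured NAS: no secret to check with
            self.stats["Unknown NAS"] += 1
            return "Unknown NAS", None
        if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
            self.stats["Corrupted packet"] += 1
            return "Corrupted packet", None
        code, ident, req_auth = packet[0], packet[1], packet[4:20]
        try:
            attrs = decode_attrs(packet[20:])
        except ValueError:
            self.stats["Corrupted packet"] += 1
            return "Corrupted packet", None
        if code != ACCESS_REQUEST:
            self.stats["Unknown RADIUS message"] += 1
            return "Unknown RADIUS message", None
        a = dict(attrs)
        if ATTR_USER_NAME not in a:
            self.stats["No username attribute"] += 1
            return "No username attribute", None
        if ATTR_MESSAGE_AUTHENTICATOR in a:                  # proves the NAS holds the same shared secret
            zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
            expected = hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()
            if not hmac.compare_digest(expected, a[ATTR_MESSAGE_AUTHENTICATOR]):
                self.stats["Shared key mismatch"] += 1
                return "Shared key mismatch", None
        reject = self._reply(ACCESS_REJECT, ident, req_auth, secret)
        if a[ATTR_USER_NAME] not in self.users:
            self.stats["Unknown usernames"] += 1
            return "Unknown usernames", reject
        given = pap_reveal(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
        if not hmac.compare_digest(given, self.users[a[ATTR_USER_NAME]]):
            self.stats["Invalid passwords"] += 1
            return "Invalid passwords", reject
        self.stats["Successes"] += 1
        return "Successes", self._reply(ACCESS_ACCEPT, ident, req_auth, secret)


if __name__ == "__main__":
    secret = b"testing_new"                                  # key from the question's 'nas' line
    server = LocalRadiusServer({"192.168.0.8": secret}, {b"test2": b"correct horse"})
    req = build_access_request(b"test2", b"correct horse", secret)
    outcome, reply = server.handle("192.168.0.8", req)
    print(outcome, reply[0], verify_response(reply, req, secret))
    print(server.handle("192.168.0.1", req)[0])              # a source not in the NAS table
    print(dict(server.stats))
```

Two things the exchange makes visible: a request from an address that is not in the NAS table is dropped before anything else is examined, which is why an Unknown NAS counter climbs without any username or password counter moving; and the shared secret is only detected as wrong if the request carries a Message-Authenticator, since a PAP password hidden with the wrong secret just decodes to garbage and is counted as an invalid password instead.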