Is My RADIUS Configuration Working?

By Marko Milivojevic on October 18th, 2010

In many CCIE labs, we are asked to configure authentication of various services using a RADIUS server. In the CCIE R&S lab, there is no RADIUS server and in many cases, we’re simply left to ourselves to figure out whether we configured things properly or not. But… how do we test if we did?

One of the not so widely known features in most newer versions of IOS is the local RADIUS server. Yes, that’s right – we can configure a router to act as a relatively basic RADIUS server. While not on the blueprint for CCIE R&S, it may be worth knowing how to configure it, just to be able to test whether our RADIUS configuration is correct.

Let’s take a look at a very simple sample task:

  • Configure R5 to authenticate all incoming telnet sessions using the RADIUS server at 22.22.22.22.
  • The RADIUS key is “ipexpert”. Use port 1812 for authentication.

I will configure R5 quickly for this purpose.

R5:

aaa new-model
aaa authentication login TELNET group radius
!
radius-server host 22.22.22.22 auth-port 1812 key ipexpert
!
line vty 0 15
 login authentication TELNET
!

That’s it. I trust that I did it right, but I would really like to verify this. Enter R2.

R2 is connected to R5. They run EIGRP. Purely for testing purposes, I will add Loopback22 to R2 with the IP address 22.22.22.22/32 and configure R2 to act as a local RADIUS server. After I test the configuration of R5, I can remove this. Here’s how I do it.

R2:

interface Loopback22
 ip address 22.22.22.22 255.255.255.255
!
aaa new-model
!
radius-server local
 !
 ! 25.25.25.5 is R5's directly connected interface
 !
 nas 25.25.25.5 key 0 ipexpert
 user TEST password TEST
!

I will next turn on some debugging on R5 and telnet to R5 from R2. Here’s the output from R2.

R2:

R2#telnet 25.25.25.5
Trying 25.25.25.5 ... Open

User Access Verification

Username: TEST
Password: imagine me typing TEST here

R5>

It worked! Let’s prove that by looking at what was happening on R5.

R5:

R5#debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off

 RADIUS/ENCODE(00000008):Orig. component type = EXEC
 RADIUS:  AAA Unsupported Attr: interface         [175] 6
 RADIUS:   74 74 79 35                                      [tty5]
 RADIUS(00000008): Config NAS IP: 0.0.0.0
 RADIUS/ENCODE(00000008): acct_session_id: 6
 RADIUS(00000008): sending
 RADIUS/ENCODE: Best Local IP-Address 25.25.25.5 for Radius-Server 22.22.22.22
 RADIUS(00000008): Send Access-Request to 22.22.22.22:1812 id 1645/8, len 82
 RADIUS:  authenticator 5C B8 3F 80 41 57 48 62 - D4 40 81 BA 74 0F 85 DA
 RADIUS:  User-Name           [1]   6   "TEST"
 RADIUS:  User-Password       [2]   18  *
 RADIUS:  NAS-Port            [5]   6   514
 RADIUS:  NAS-Port-Id         [87]  8   "tty514"
 RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
 RADIUS:  Calling-Station-Id  [31]  12  "25.25.25.2"
 RADIUS:  NAS-IP-Address      [4]   6   25.25.25.5
 RADIUS: Received from id 1645/8 22.22.22.22:1812, Access-Accept, len 88
 RADIUS:  authenticator 40 63 70 DF 2A 30 8B 0C - D9 11 73 2C 1E 54 98 4A
 RADIUS:  State               [24]  50
 RADIUS:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  [????????????????]
 RADIUS:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  [????????????????]
 RADIUS:   2D 29 33 72 1B 20 8D C7 10 44 F3 71 26 10 6C BC  [-)3r? ???D?q&?l?]
 RADIUS:  Message-Authenticato[80]  18
 RADIUS:   05 2D 2C 3F 7D FB D5 2A 5D 13 92 F6 4B B5 8A 54  [?-,?}??*]???K??T]
 RADIUS(00000008): Received from id 1645/8

The Access-Request and Access-Accept lines in the output above suggest successful RADIUS communication between R5 and R2. RADIUS configuration tested and verified. Next task, please!
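
The exchange in the debug output can be reproduced offline. This added Python example (not part of the original post) rebuilds R5's Access-Request per RFC 2865 from the attributes shown above, which accounts for the reported len 82, and shows that the User-Password value only decodes to TEST when the NAS and the server hold the same key. Reading the identifier 8 from "id 1645/8" is an assumption, and the key not-ipexpert is a constructed mismatch.

```python
import hashlib
import struct

SECRET = b"ipexpert"  # key from the task, set on both R5 and R2
REQ_AUTH = bytes.fromhex("5CB83F8041574862D44081BA740F85DA")  # from R5's debug

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the hiding with the server's own copy of the key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def access_request(user, password, secret):
    """Access-Request as R5's debug lists it; identifier 8 assumed from 'id 1645/8'."""
    attrs = b"".join([
        attr(1, user),                                       # User-Name
        attr(2, hide_password(password, secret, REQ_AUTH)),  # User-Password
        attr(5, struct.pack("!I", 514)),                     # NAS-Port
        attr(87, b"tty514"),                                 # NAS-Port-Id
        attr(61, struct.pack("!I", 5)),                      # NAS-Port-Type Virtual
        attr(31, b"25.25.25.2"),                             # Calling-Station-Id
        attr(4, bytes([25, 25, 25, 5])),                     # NAS-IP-Address
    ])
    return struct.pack("!BBH", 1, 8, 20 + len(attrs)) + REQ_AUTH + attrs

def server_recovers(nas_key, server_key):
    """Password the server decodes when the NAS hid it with nas_key."""
    pkt = access_request(b"TEST", b"TEST", nas_key)
    return unhide_password(pkt[28:44], server_key, REQ_AUTH)  # User-Password value

if __name__ == "__main__":
    print(len(access_request(b"TEST", b"TEST", SECRET)), server_recovers(SECRET, SECRET))
    print(server_recovers(SECRET, b"not-ipexpert"))  # keys differ
```

With mismatched keys the server decodes a different password, so the login fails even though the user typed the right one.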

I hope you enjoyed this quick blog. Happy studies!


Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert

11 Responses to “Is My RADIUS Configuration Working?”

  1. Shoaib says:

    Quite handy!!!
    :)

  2. Tejas says:

    It was very informative. Thanks Marko :)

  3. darkside says:

    Hi Marko
    Thank you for your great posts!
    Sorry if my comment below is not relevant or the verification is not enough for CCIE.

    I just want to note that on 3750 and 2800 I’ve been using the following commands to test radius configuration and response from server:

    SW#test aaa group radius server 1.2.3.4 auth-port 1645 user correctpass new-code
    User successfully authenticated
    
    SW#test aaa group radius server 1.2.3.4 auth-port 1645 user wrongpass new-code
    User rejected

    R1#test aaa group radius user correctpass new-code
    Trying to authenticate with Servergroup radius
    User successfully authenticated
    
    R1#test aaa group radius user wrongpass new-code
    Trying to authenticate with Servergroup radius

    According to Cisco this command should be part of IOS since 12.2(28)SB.
    I’ve tested on C3750 Software (C3750-IPBASEK9-M), Version 12.2(46)SE and (C2800NM-ENTBASEK9-M), Version 12.4(13d)

  4. Ramcharan Arya says:

    It is very useful information.

    Thank you Marko !

    Regards,
    Ramcharan

  5. push bhatkoti says:

    Great Marko.
    I didn’t know it till now. Thanks for publishing it.

    -push bhatkoti

  6. Christian Biasibetti says:

    I love your mind !!!

  7. Christian Biasibetti says:

    Hi Marko, I would like to add a little contribution.
    I don’t know if it is an IOS bug, but after trying for some hours with the release c2800nm-adventerprisek9-mz.124-24.T3.bin and going a little crazy … I discovered that the only way to succeed is to set the user and password to the same word.
    It’s incredible, but it is true!!!

    Example that doesn’t WORK:
    radius-server local
    nas 13.13.13.1 key 0 ipexpert
    user pippo password pluto

    Example that WORKS:
    radius-server local
    nas 13.13.13.1 key 0 ipexpert
    user pippo password pippo

    What do you think about this?
    Thank you for your attention

    Christian Biasibetti

    • I haven’t seen this behavior myself, but you could as well be right. It shouldn’t be like that, but this is not for any sort of a serious use anyway. Have you tried a different version of IOS?

      -Marko.

  8. Christian Biasibetti says:

    Hi Marko, I tried with different routers and different IOS: a real 1841, a real 3825 and a virtual 3745 (GNS); the first attempt was on a real 2811. Unfortunately, I found the same situation: if the username and password are the same it works, otherwise it doesn’t work.

    I tried with a new real CPE 2911, with IOS 15.0, but there is no “radius-server local” command, only “radius-server load-balance”. How can I do the test with the new IOS from 15.0 up?

    I have run out of routers at my disposal … do you have any suggestions?

    Thanks in any case.
    Christian Biasibetti

    • Nope, nothing off the top of my head, but you’ve sparked my interest. I can’t test this on my pod now because I have one new One Week Lab Experience lab loaded on it, but I will as soon as I’m finished with that. I’m sure we’re missing something very basic.

      -Marko.

