From owner-freebsd-questions Fri Feb 14 07:01:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA09951 for questions-outgoing; Fri, 14 Feb 1997 07:01:06 -0800 (PST)
Received: from merit.edu (merit.edu [35.1.1.42]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA09946 for ; Fri, 14 Feb 1997 07:00:54 -0800 (PST)
Received: from ohm.merit.edu (ohm.merit.edu [198.108.60.65]) by merit.edu (8.8.5/merit-2.0) with ESMTP id KAA10876; Fri, 14 Feb 1997 10:00:46 -0500 (EST)
From: William Bulley
Received: (web@localhost) by ohm.merit.edu (8.6.9/8.6.5) id KAA14215; Fri, 14 Feb 1997 10:01:08 -0500
Message-Id: <199702141501.KAA14215@ohm.merit.edu>
Subject: Re: radius and cisco
To: steve@vic.cioe.com (Steve Ames)
Date: Fri, 14 Feb 1997 10:01:07 -0500 (EST)
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <199702132357.SAA19011@vic.cioe.com> from "Steve Ames" at Feb 13, 97 06:57:34 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

According to Steve Ames:
>
> I've got a cisco 2511 running Cisco IOS 11.1.9. I've got it configured to
> run radius. Compile radius straight out of the ports directory. Modified
> the clients and users files and ran radiusd. So far so good. Telnetted over
> to the 2511 and got %Access Denied. *sigh*

The RADIUS server in the "ports" directory is our server (Merit) and it is
very, very old now. There is a newer one you can grab from our FTP site.

> Added tons of debugging information to the authentication.c and funcs.c
> files and ran it again. Near as I can track down the encryption used
> by the radius port and the cisco 2511 are different... or their keys are.

Our server conforms to the RADIUS RFC and so does the Cisco RADIUS client
(I am quite sure) so this stuff is meant to work together. In fact we use
the 2511 here in several places.

> My users file looks thustly (basically just used the sample):
>
> ----CUT HERE---
>
> fred      Password = "flint"
>           Filter-Id = "unlim"
>
> steve     Authentication-Type = Unix-PW
>           Filter-Id = "unlim"
>
> DEFAULT   Authentication-Type = Unix-PW
>           Filter-Id = "unlim"

The sample users file in our distribution uses the Filter-Id "unlim" just
as an example. Maybe the Cisco concept of filters is different. Maybe you
don't have any filters configured. You don't need that reply-item unless
you are planning to use packet filtering on the NAS (you say router).

Please don't be tempted to modify the slipuser, dumbuser and pppuser pseudo
user entries in the users file. These are there for a reason and unless you
really understand what is going on it is better not to fix that which ain't
broken.

There is built-in debugging and you needn't "add tons of debugging" code to
see what is going on. You need only add one or more "-x" options to the
command line when you start the daemon, or if the daemon is already running
you may send it USR1 signals to increase the debugging level (one USR1
equals one "-x" option) and the USR2 signal turns off debugging. Once
debugging is enabled, there is a file radius.debug created next to the
other configuration files (clients, users, authfile). Look in here and the
logfile for reasons why things aren't working.

For Merit RADIUS specific questions, I am a fairly good resource... :-)

Regards,

web...

--
William Bulley, N8NXN
Senior Systems Research Programmer
Merit Network, Inc.
4251 Plymouth Road, Suite C
Ann Arbor, Michigan 48105-2785
Email: web@merit.edu
Phone: (313) 764-9993
Fax: (313) 647-3185

[ What's all the fuss over the end of the century with mission critical ]
[ programs failing due to dates? If people simply started using Roman    ]
[ Numerals the problem vanishes! MCM = 1900 MCMXCIX = 1999 MM = 2000     ]
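The signal-driven debug control William describes, as an added example that is not part of the original message or of the Merit RADIUS distribution: two POSIX sh helpers that raise a running radiusd's debug level by sending it one USR1 per "-x" step and switch debugging off with USR2. The helpers assume the daemon honours USR1/USR2 exactly as the message states; the pid-file path in the usage comment is a placeholder, not a path from the project.

```shell
#!/bin/sh
# Added example (not Merit code): drive a running radiusd's debug level with
# signals, as described in the message: one USR1 == one "-x", USR2 == off.
# Assumptions: the daemon honours USR1/USR2 this way and you know its pid.
# The pid-file path in the usage comment below is a placeholder.

# Raise the debug level by STEPS (default 1), one USR1 per step.
# Standard Unix signals do not queue: two USR1s pending at the same moment
# are delivered as a single USR1, so pause between them instead of firing
# them back to back, or the daemon ends up at a lower level than requested.
radius_debug_up() {
    pid=$1
    steps=${2:-1}
    i=0
    while [ "$i" -lt "$steps" ]; do
        kill -s USR1 "$pid" || return 1
        i=$((i + 1))
        [ "$i" -lt "$steps" ] && sleep 1
    done
    return 0
}

# USR2 turns debugging off entirely.
radius_debug_off() {
    kill -s USR2 "$1"
}

# Usage (placeholder pid-file path; substitute wherever your radiusd records its pid):
#   radius_debug_up "$(cat /path/to/radiusd.pid)" 2    # same effect as starting with "-x -x"
#   radius_debug_off "$(cat /path/to/radiusd.pid)"
# Once debugging is on, read radius.debug next to clients/users/authfile,
# together with the logfile, for the reason an Access-Request is rejected.
```

Because a pending signal of the same type is merged rather than queued, a one-second gap between successive USR1s is the cheapest way to be sure each "-x" step actually registers; check radius.debug afterwards to confirm the level you expected.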