{"id":686,"date":"2012-08-21T23:38:45","date_gmt":"2012-08-21T21:38:45","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=686"},"modified":"2012-08-21T23:38:45","modified_gmt":"2012-08-21T21:38:45","slug":"testear-aaa-radius-en-cisco-ios","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=686","title":{"rendered":"Testear aaa radius en cisco IOS"},"content":{"rendered":"

Esta entrada es otro apunte.
\nEn el acceso de clientes por vpn, suelo usar la validaci\u00f3n radius contra el active directory, con lo que, para conceder acceso, tan s\u00f3lo hay que activar en cada usuario el permiso de \u00abmarcado\u00bb.
\nSuponemos que tenemos un router con IOS cisco 12.4 y que hemos configurado toda la parte de AAA como de costumbre…. ahora toca depurar…
\nDesde la consola del router, hacemos:
\n
\n# terminal monitor
\n# debug radius
\n<\/code>
\nEl comando en cuesti\u00f3n es:
\n
\ntest aaa group radius pruebas prueba new-code<\/strong>
\n<\/code>
\nLo que hace es probar el usuario pruebas \/ password pruebas con la configuraci\u00f3n que tengamos en el radius, siendo la definici\u00f3n en el router:
\n
\nradius-server host 172.26.2.100 auth-port 1812 acct-port 1813
\nradius-server key clavePrecompartida
\n<\/code>
\nY suponemos que el resto de AAA lo tenemos correcto, teniendo el usuario \/ password: pruebas\/pruebas
\n
\nrouter#test aaa group radius pruebas prueba new-code <\/strong>
\nTrying to authenticate with Servergroup radius
\nrouter#Aug 21 21:23:40.506: RADIUS\/ENCODE(00000000):Orig. component type = INVALID
\nAug 21 21:23:40.506: RADIUS: AAA Unsupported Attr: interface [157] 0
\nAug 21 21:23:40.506: RADIUS\/ENCODE: Skip encoding 0 length AAA attribute interface
\nAug 21 21:23:40.506: RADIUS\/ENCODE(00000000): dropping service type, \"radius-server attribute 6 on-for-login-auth\" is off
\nAug 21 21:23:40.506: RADIUS(00000000): Config NAS IP: 0.0.0.0
\nAug 21 21:23:40.506: RADIUS(00000000): sending
\nAug 21 21:23:40.506: RADIUS\/ENCODE: Best Local IP-Address 172.26.2.250 for Radius-Server 172.26.2.100
\nAug 21 21:23:40.506: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645\/230, len 59
\nAug 21 21:23:40.506: RADIUS: authenticator 80 B3 48 6D 92 D0 D4 03 - 62 CB A0 57 7B 3F 2E 50
\nAug 21 21:23:40.506: RADIUS: User-Password [2] 18 *
\nAug 21 21:23:40.506: RADIUS: User-Name [1] 9 \"pruebas\"
\nAug 21 21:23:40.506: RADIUS: NAS-Port [5] 6 60000
\nAug 21 21:23:40.506: RADIUS: NAS-IP-Address [4] 6 172.26.2.250
\nAug 21 21:23:40.510: RADIUS: Received from id 1645\/230 172.26.2.100:1812, Access-Reject, len 20
\nAug 21 21:23:40.510: RADIUS: authenticator C0 01 36 A9 46 B2 C0 EA - 1B 61 58 DF 87 C3 9C E4
\nAug 21 21:23:40.510: RADIUS(00000000): Received from id 1645\/230User rejected<\/strong>
\n<\/code>
\nEn este caso, el servidor radius nos ha respondido y ha rechazado el usuario, con lo que, tenemos buenas y malas not\u00ed\u00adcias :
\n– Buena not\u00ed\u00adcia: El router es capaz de llegar al radius y atiende nuestras peticiones, con lo que la clave pre-compartida en principio es correcta.
\n– Mala not\u00ed\u00adcia: Ha rechazado la petici\u00f3n de nuestro usuario, bien por user \/ password mal escrito o porque no tiene derecho de \u00abmarcado\u00bb.
\nNos aseguramos del user \/ pass y lo volvemos a probar:
\n
\nrouter#test aaa group radius pruebas pruebas new-code<\/strong>
\nTrying to authenticate with Servergroup radius
\nUser successfully authenticated
\nrouter#
\nAug 21 21:28:10.779: RADIUS\/ENCODE(00000000):Orig. component type = INVALID
\nAug 21 21:28:10.783: RADIUS: AAA Unsupported Attr: interface [157] 0
\nAug 21 21:28:10.783: RADIUS\/ENCODE: Skip encoding 0 length AAA attribute interface
\nAug 21 21:28:10.783: RADIUS\/ENCODE(00000000): dropping service type, \"radius-server attribute 6 on-for-login-auth\" is off
\nAug 21 21:28:10.783: RADIUS(00000000): Config NAS IP: 0.0.0.0
\nAug 21 21:28:10.783: RADIUS(00000000): sending
\nAug 21 21:28:10.783: RADIUS\/ENCODE: Best Local IP-Address 172.26.2.250 for Radius-Server 172.26.2.100
\nAug 21 21:28:10.783: RADIUS(00000000): Send Access-Request to 172.26.2.100:1812 id 1645\/231, len 59
\nAug 21 21:28:10.783: RADIUS: authenticator B4 A2 AB 32 2A 2D 2D 94 - 0E 9F 01 76 D3 11 C9 9C
\nAug 21 21:28:10.783: RADIUS: User-Password [2] 18 *
\nAug 21 21:28:10.787: RADIUS: User-Name [1] 9 \"pruebas\"
\nAug 21 21:28:10.787: RADIUS: NAS-Port [5] 6 60000
\nAug 21 21:28:10.787: RADIUS: NAS-IP-Address [4] 6 172.26.2.250
\nAug 21 21:28:10.807: RADIUS: Received from id 1645\/231 172.26.2.100:1812, Access-Accept, len 64
\nAug 21 21:28:10.807: RADIUS: authenticator 0F ED 4B 8C 4F DA B3 C9 - 0A 4F 3A 8B 66 E6 0D 57<\/strong>
\nAug 21 21:28:10.807: RADIUS: Framed-Protocol [7] 6 PPP [1]
\nAug 21 21:28:10.807: RADIUS: Service-Type [6] 6 Framed [2]
\nAug 21 21:28:10.811: RADIUS: Class [25] 32
\nAug 21 21:28:10.811: RADIUS: 52 76 05 8F 00 00 01 37 00 01 C0 A8 02 64 01 CD [Rv?????7?????d??]
\nAug 21 21:28:10.811: RADIUS: 7F E0 20 13 31 ED 00 00 00 00 00 00 00 09 [?? ?1?????????]
\nAug 21 21:28:10.811: RADIUS(00000000): Received from id 1645\/231
\nAug 21 21:28:10.811: RADIUS(00000000): Unique id not in use
\nAug 21 21:28:10.811: RADIUS\/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
\nAug 21 21:28:10.811: RADIUS: Constructed \" ppp negotiate\"
\n<\/code>
\nAhora s\u00ed\u00ad que ha funcionado; hemos escrito correctamente el user \/ pass<\/p>\n","protected":false},"excerpt":{"rendered":"

Esta entrada es otro apunte. En el acceso de clientes por vpn, suelo usar la validaci\u00f3n radius contra el active directory, con lo que, para conceder acceso, tan s\u00f3lo hay que activar en cada usuario el permiso de \u00abmarcado\u00bb. Suponemos que tenemos un router con IOS cisco 12.4 y que hemos configurado toda la parte […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[14,46,61,152],"class_list":["post-686","post","type-post","status-publish","format-standard","hentry","category-cisco","tag-aaa","tag-cisco-ios","tag-debug","tag-radius"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=686"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/686\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}