Cisco login and Windows 2003 SP1 IAS radius

Hi friends,

I have a problem which I have been trying to solve for the past 4 days, and I am unable to understand why this doesn't work.

I have a Cisco router running with the following commands:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa session-id common
!
radius-server host 192.168.104.49 auth-port 1645 acct-port 1646 key 0 forradius
radius-server vsa send authentication

and an IAS configured as follows:

Remote Access Policies
>c-router
>Client IP-Address matches "the cisco ip" AND
>Windows Group matches "DOMAIN\Domain Admins" AND
>Framed-Protocol matches "PPP" AND
>Service-Type matches "Framed"

*if a connection request matches the specified conditions:
>Grant remote access permissions

-----
Edit Profile...
>Dial-in constraints: (nothing is checked)
>IP: Server settings determine IP address assignment (checked)
>Multilink: Do not allow multilink connections (checked)
>Authentication: Unencrypted authentication (PAP,SPAP) (checked)
>EAP Methods: (nothing is configured inside)
>Encryption: No encryption (checked)
>Advanced:
>Attribute name: Vendor-Specific
>Attribute number: 26
>Attribute format: OctetString
>Specify network access server vendor.
>Select from list: Cisco
>Specify whether the attribute conforms to the RADIUS RFC specification for vendor specific attributes.
>Yes. It conforms (checked)
>Configure Attribute - Configure VSA (RFC Compliant)
>Vendor-assigned attribute number: 1
>Attribute format: String
>Attribute value: shell:priv-lvl=15
>Attribute name: Reply-Message
>Attribute number: 18
>Attribute format: String
>Attribute value: Welcome to cisco router
>Attribute name: Service-type
>Attribute number: 6
>Attribute format: Enumerator
>Attribute value: Login

*** This is the only Remote Access Policy I have, and its order is 1 (because it's the only one LOL) ***

Now... When I try to log in to the cisco router I get "Access Denied" and I started debugging:

At the "Event Viewer" I see this:

User ciscoa was denied access.
Fully-Qualified-User-Name = DOMAIN\ciscoa
NAS-IP-Address = 192.168.104.50
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = 192.168.104.49
Client-Friendly-Name = C1841
Client-IP-Address = 192.168.104.50
NAS-Port-Type = Virtual
NAS-Port = 195
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Now... the Reason is... in no chance!!! the wrong use of user/pass!! I checked and double checked the user/pass and it's not the reason, not in this lifetime!

I also checked the user properties to make sure I checked: Dial-in tab >Control Access through Remote Access Policy (checked)

And yep, it is checked!

*** So... I started sniffing, used Ethereal for sniffing and saw this:

No.  Time      Source          Destination     Protocol  Info
10   5.699731  192.168.104.50  192.168.104.49  RADIUS    Access-Request(1) (id=52, l=133)

Frame 10 (175 bytes on wire, 175 bytes captured)
    Arrival Time: Apr 15, 2006 16:00:46.848414000
    Time delta from previous packet: 3.929897000 seconds
    Time since reference or first frame: 5.699731000 seconds
    Frame Number: 10
    Packet Length: 175 bytes
    Capture Length: 175 bytes
    Protocols in frame: eth:ip:udp:radius
Ethernet II, Src: 212.143.37.86 (00:12:80:7a:6d:cf), Dst: 192.168.104.49 (00:20:ed:8e:bf:ba)
    Destination: 192.168.104.49 (00:20:ed:8e:bf:ba)
    Source: 212.143.37.86 (00:12:80:7a:6d:cf)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.104.50 (192.168.104.50), Dst: 192.168.104.49 (192.168.104.49)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 161
    Identification: 0x092e (2350)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (0x11)
    Header checksum: 0x9b2b [correct]
    Source: 192.168.104.50 (192.168.104.50)
    Destination: 192.168.104.49 (192.168.104.49)
User Datagram Protocol, Src Port: 1645 (1645), Dst Port: 1645 (1645)
    Source port: 1645 (1645)
    Destination port: 1645 (1645)
    Length: 141
    Checksum: 0x1719 [correct]
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x34 (52)
    Length: 133
    Authenticator: 24B9B3D06A231136330F06BF52062304
    Attribute Value Pairs
        AVP: l=8 t=User-Name(1): ciscoa
            Length: 6
            User-Name: ciscoa
        AVP: l=30 t=Reply-Message(18): Please enter your password:
            Length: 28
            Reply-Message: Please enter your password:
        AVP: l=34 t=User-Password(2): Encrypted
            Length: 32
            User-Password: C.qG\237;|\016m\343\271\[\3131\276+\\002\206\2321\023\026l{L\307\245\355\032\235
        AVP: l=6 t=NAS-Port(5): 195
            Length: 4
            NAS-Port: 195
        AVP: l=8 t=NAS-Port-Id(87): tty195
            Length: 6
            NAS-Port-Id: tty195
        AVP: l=6 t=NAS-Port-Type(61): Virtual(5)
            Length: 4
            NAS-Port-Type: Virtual (5)
        AVP: l=15 t=Calling-Station-Id(31): 192.168.104.49
            Length: 13
            Calling-Station-Id: 192.168.104.49
        AVP: l=6 t=NAS-IP-Address(4): 192.168.104.50
            Length: 4
            NAS-IP-Address: 192.168.104.50 (192.168.104.50)


No.  Time      Source          Destination     Protocol  Info
11   5.728148  192.168.104.49  192.168.104.50  RADIUS    Access-Reject(3) (id=52, l=20)

Frame 11 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Apr 15, 2006 16:00:46.876831000
    Time delta from previous packet: 0.028417000 seconds
    Time since reference or first frame: 5.728148000 seconds
    Frame Number: 11
    Packet Length: 62 bytes
    Capture Length: 62 bytes
    Protocols in frame: eth:ip:udp:radius
Ethernet II, Src: 192.168.104.49 (00:20:ed:8e:bf:ba), Dst: 212.143.37.86 (00:12:80:7a:6d:cf)
    Destination: 212.143.37.86 (00:12:80:7a:6d:cf)
    Source: 192.168.104.49 (00:20:ed:8e:bf:ba)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.104.49 (192.168.104.49), Dst: 192.168.104.50 (192.168.104.50)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xcb67 (52071)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x5763 [correct]
    Source: 192.168.104.49 (192.168.104.49)
    Destination: 192.168.104.50 (192.168.104.50)
User Datagram Protocol, Src Port: 1645 (1645), Dst Port: 1645 (1645)
    Source port: 1645 (1645)
    Destination port: 1645 (1645)
    Length: 28
    Checksum: 0x7afb [correct]
Radius Protocol
    Code: Access-Reject (3)
    Packet identifier: 0x34 (52)
    Length: 20
    Authenticator: 97FCA76742D0A0CDE44C256BAD2A82C1

0000  00 12 80 7a 6d cf 00 20 ed 8e bf ba 08 00 45 00   ...zm.. ......E.
0010  00 30 cb 67 00 00 80 11 57 63 d4 8f 25 52 d4 8f   .0.g....Wc..%R..
0020  49 81 06 6d 06 6d 00 1c 7a fb 03 34 00 14 97 fc   I..m.m..z..4....
0030  a7 67 42 d0 a0 cd e4 4c 25 6b ad 2a 82 c1         .gB....L%k.*..

***

This is so weird... and I am starting to feel that I am running out of options... so any help will be appreciated... really,

Thanks a lot guys, I hope one of you knows how to solve this, + maybe there is a connection to the 2003 server "Routing and Remote Access" but I'm not really sure.

Thanks again.

LORD-MORDUK

Reply to
lord-morduk

How about the NAS password? Try re-entering the RADIUS keys on both ends.

Reply to
Martin Bilgrav

Also check MS for patches on this one... seem to recall this issue has been seen before...

Reply to
Martin Bilgrav
