phantam
join:2010-08-26
00000

1 edit

phantam

Member

[HELP] dhcp radius auth (ISG)

I'm by no means a Cisco guru. We use them and I have my CCNA, but I honestly don't play with them enough to get through...

After 2 days of trying and scrapping I can't get this to work...

I'm trying to re-create a scenario from one of our MikroTiks; the cisco.com samples haven't helped.

This is on a Cisco 3701 15.x

I want subscribers to request DHCP, and the Cisco will check RADIUS by MAC to see if it's an allowed user or not. If it is, the Cisco gives it an IP; if it failed, it gives it an IP from a different pool that I'll route to a failed captive portal.

Once the IP is assigned, add the ARP entry (no ARP learning, to block people trying to use static IPs).

Was super simple on the MT but for the life of me I can't make it work on the Cisco...

Anyone have a sample of how to get started on this, please?

Would greatly appreciate it.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

Re: [HELP] dhcp radius auth heelllpppp

Got a copy of your config (minus passwords and non RFC1918 IP addresses)? What about the particular AAA guides you were following?

Are you sure about the make / model of equipment you're referring to? 3701 15.x?

Offhand, AAA for radius / tacacs configs are bog standard, but the ones I'm most used to are to authenticate to either to access
the Cisco device in question. The only other thing I can think of you're referring to is something called dot1x, but that's usually
done on (multilayer) switches.

My 00000010bits

Regards
phantam
join:2010-08-26
00000

phantam

Member

It's 15.something and it's a 7301; I fat-fingered it.

And no, I don't want 802.1x. I want L2 MAC address authentication against RADIUS and accounting by DHCP.

Cisco ISG is supposed to do it, but for the life of me I can't figure out how to get it to work, and there's no pre-made sample config for it, and the 1-2 I found were partial and didn't work.
phantam

phantam

Member

Re: [HELP] dhcp radius auth (ISG)

OK, I'm on my PC now; typing from my phone is a b*tch... See the above. As for the sites I was trying to follow, they were:

»docwiki.cisco.com/wiki/I ··· _Example

and

»www.cisco.com/c/en/us/td ··· _ge.html

as they sort of do what I am looking to do, but like I said, for the life of me I can't piece together a working config. I'm using FreeRADIUS for my AAA/RADIUS endpoint... My config is a disaster; actually, I think the last thing I did before I left was to wipe it to start fresh Monday, because it had devolved into spaghetti after the 15th time redoing it.

I'm not lying about easy in MikroTik either. Literally all I had to do under DHCP was "use radius", add my RADIUS server to the radius menu, and I was pretty much done... oh, and set the ARP to reply-only on the interface....

So I think somewhere I'm overcomplicating or missing something on the Cisco to make it work.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to phantam

MVM

to phantam
...will have to take a look at this further, first time I've seen it before.

Don't know if anyone else can weigh in on this in the meantime.

Regards
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to HELLFIRE

Premium Member

to HELLFIRE

Re: [HELP] dhcp radius auth heelllpppp

said by HELLFIRE:

The only other thing I can think of you're referring to is something called dot1x, but that's usually
done on (multilayer) switches

Whilst the command may say DOT1X, the rest of the config will point to a radius group/server.
phantam
join:2010-08-26
00000

1 edit

phantam

Member

Re: [HELP] dhcp radius auth (ISG)

I took a step back, and I'm doing DHCP RADIUS Relay, which is actually the first thing I need working, and I got it working. RADIUS is issuing the IP to the Cisco, which is relaying the IP to the clients if they are authorized.

But something's wrong.

Radius is replying with

Attributes:
Service-Type = Framed-User
Framed-Route = "0.0.0.0 0.0.0.0 192.168.0.1"
Cisco-AVPair = "session-duration=7200"
Session-Timeout = 3600
PoolHint = restricted
Framed-IP-Netmask = 255.255.255.0
Framed-IP-Address = 192.168.0.3

But it's not working. If I remove the Framed-Route, the client gets the IP but no default gateway.

If I add the Framed-Route and run a Wireshark capture,

I can see the default gateway (opt 33) is set, but I see there's an ERROR right after it for classless routing (opt 121) with some different 192.192.0.1-default... (not even 192.168, but 192.192; I don't understand where that value is coming from, it's nowhere on RADIUS or the Cisco config).

I don't get why the Cisco is sending a classless route AND a default route when I add the Framed-Route to the RADIUS.

(As a note, I'm following »www.cisco.com/c/en/us/td ··· -xe.html for my configuration... I'll work on the ISG stuff for bandwidth control/session control later, but need the RADIUS to work first.)
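
Added example, not part of the thread and not Cisco or FreeRADIUS code: a small decoder for the two DHCP route options named in the post above, for checking the raw option bytes from a capture when Wireshark flags option 121. It follows the published layouts (RFC 2132 defines option 3 as Router and option 33 as classful Static Route; RFC 3442 defines option 121 as Classless Static Route). The function names are hypothetical and the sample bytes are constructed from the Framed-Route value in the post.

```python
import ipaddress

def encode_opt121(routes):
    """[(cidr, router)] -> option 121 payload (RFC 3442)."""
    out = b""
    for cidr, router in routes:
        net = ipaddress.ip_network(cidr)
        n = (net.prefixlen + 7) // 8           # significant destination octets
        out += bytes([net.prefixlen]) + net.network_address.packed[:n]
        out += ipaddress.ip_address(router).packed
    return out

def decode_opt121(data):
    """Option 121 payload -> [(cidr, router)]; ValueError on malformed input."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"offset {i}: prefix width {width} > 32")
        n = (width + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError(f"offset {i}: route truncated")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + n] + bytes(4 - n))
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{width}", str(router)))
        i += 5 + n
    return routes

def decode_opt33(data):
    """Option 33 payload (RFC 2132) -> ([(dest, router)], [problems])."""
    if len(data) % 8:
        raise ValueError("option 33 length must be a multiple of 8")
    routes, problems = [], []
    for i in range(0, len(data), 8):
        dest = str(ipaddress.IPv4Address(data[i:i + 4]))
        router = str(ipaddress.IPv4Address(data[i + 4:i + 8]))
        routes.append((dest, router))
        if dest == "0.0.0.0":  # RFC 2132: default route is illegal in option 33
            problems.append(f"offset {i}: 0.0.0.0 is not a legal option 33 destination")
    return routes, problems

# Constructed sample: the Framed-Route from the post, encoded as a default route.
DEFAULT_VIA_GW = encode_opt121([("0.0.0.0/0", "192.168.0.1")])

if __name__ == "__main__":
    print(DEFAULT_VIA_GW.hex(" "), decode_opt121(DEFAULT_VIA_GW))
    print(decode_opt33(bytes.fromhex("00000000c0a80001")))
```

Paste the hex of the option value from the capture into `decode_opt121(bytes.fromhex(...))`; a `ValueError` gives the byte offset where the payload stops following the RFC 3442 layout.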