Ok, here is what we have found so far -

We used a 3rd party RADIUS product - to troubleshoot this.  They had a
default "test user" name. When we used that, it worked - when we used a 2000
SAM or AD name, it did not.  It appears I don't yet understand the realm
function.

Anyway, to answer your questions Roger, Cisco aaa debugs show that Cisco is
doing its job by sending the RADIUS request to the RADIUS server - the
server (using netmon) just gives us access reject (error 3 in the RADIUS RFC).

The IAS logs are very useless, or at least cryptic, IMHO, that is why we
installed a 3rd party product, and their logs helped.

Now it is back to native IAS to see if the MS IAS will cut it for us.

One note for all out there - when you install IAS, then uninstall it to use
some other RADIUS, the ports for RADIUS are still in use and you must reboot.
This caused us much grief, since all the other products wanted to open that
port (1812).

The reason for all this: we have at least 100 routers that we need to change
passwords on every x days.  With radius, we can just have the router admins
use their NT/2000 accounts.  Taking it further, with the alleged cisco/AD
integration, we can set ACLs on a cisco router based on AD group/user
accounts, so we can have help desk folks log into routers and have limited
functionality (show running config for example) and still just use their NT
accounts.

That is the theory/project I am into right now!
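Added example (not from anyone in this thread): a small Python check for a captured RADIUS reply like the one netmon is showing. Per RFC 2865 section 3 the Response Authenticator is MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and a client must silently discard a reply whose authenticator does not verify; so if the captured Access-Reject (code 3) verifies under the secret configured on the router, both sides hold the same shared secret and the rejection is a credential, realm or policy problem rather than a secret mismatch. The request authenticator, secret and Reply-Message below are constructed sample values, not real ones.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865; the sniffer's "3" is Access-Reject.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # attribute type carrying the server's human-readable reason


def attr(atype, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte), Value."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(blob):
    """Decode a run of attributes into [(type, value), ...]; stops on a bad length."""
    out, pos = [], 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            break
        out.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server reply. Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def check_response(packet, request_auth, secret):
    """Return (code name, authenticator_ok, reply messages) for a captured reply.
    request_auth is the 16-byte Request Authenticator of the matching Access-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    msgs = [v.decode("ascii", "replace")
            for t, v in parse_attributes(attrs) if t == REPLY_MESSAGE]
    return CODE_NAMES.get(code, f"code {code}"), hmac.compare_digest(expected, resp_auth), msgs


# Constructed sample capture (not real values): a request authenticator, the
# shared secret, and the Access-Reject a server holding that secret would send.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
SAMPLE_REJECT = build_response(ACCESS_REJECT, 7, REQUEST_AUTH,
                               attr(REPLY_MESSAGE, b"user not found"), SECRET)

if __name__ == "__main__":
    print(check_response(SAMPLE_REJECT, REQUEST_AUTH, SECRET))   # authenticator ok: secrets match
    print(check_response(SAMPLE_REJECT, REQUEST_AUTH, b"typo"))  # authenticator fails: secrets differ
```

On a real capture, feed it the reply bytes from netmon together with the Request Authenticator of the Access-Request it answers (same packet ID) and the secret configured on the router.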



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Roger Seielstad
Sent: Friday, January 03, 2003 6:56 AM
To: NT 2000 Discussions
Subject: RE: WIN2K RADIUS from CISCO

IS the shared secret set correctly?

What's the Windows side error log saying?

What does the Cisco logging show?

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: tuhlar [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 02, 2003 8:46 PM
> To: NT 2000 Discussions
> Subject: RE: WIN2K RADIUS from CISCO
>
>
> True, been trying for a few days now, keep getting auth failed from the
> RADIUS server.  We think we have the Cisco box set up correctly, but have
> not figured it out yet.  We know the Radius (IAS) works cause we can VPN in
> from a WIN2K client - and have RRAS use RADIUS (IAS) for auth.
>
> But telnetting to a router set up to use IAS is not working.  The packet
> sniffer just shows the level "3" (access rejected) error, not much else.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of David N. Precht
> Sent: Thursday, January 02, 2003 8:19 PM
> To: NT 2000 Discussions
> Subject: RE: WIN2K RADIUS from CISCO
>
> Plenty of documentation at www.cisco.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of tuhlar
> Sent: Thursday, January 02, 2003 20:14
> To: NT 2000 Discussions
> Subject: WIN2K RADIUS from CISCO
>
>
> Anyone have experience/white papers on win2K RADIUS with CISCO?  We are
> trying to telnet into a Cisco, and have the router auth with RADIUS, on
> Win2K.
>
> TIA
> ------
> You are subscribed as [EMAIL PROTECTED]
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe send a blank email to %%email.unsub%%