Troubleshooting the Cisco Access Registrar

Introduction

This chapter presents troubleshooting tasks for the Cisco Access Registrar (AR) as they relate to the Cisco ASAP Solution. Cisco AR is discussed in "Operating and Maintaining the Cisco Access Registrar."


Note   This chapter does not apply to the Cisco SS7 Interconnect for Voice Gateways Solution.

Cisco Access Registrar supports RADIUS proxy. This means that, instead of directly authenticating and authorizing users against a directory, the server selectively proxies the AAA request to another service provider's RADIUS server or a customer's RADIUS server, which in turn authenticates and authorizes users against another directory or database.

Troubleshooting Procedures

Useful IOS Commands

References

For detailed information about how to install and configure the Cisco Access Registrar, see the Cisco Access Registrar 1.7 Installation and Configuration Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/install/index.htm

For a description of the Cisco Access Registrar (AR) components and how to use them, including information on how to use the Cisco AR as a proxy server and details about using the aregcmd and radclient commands, refer to the Cisco Access Registrar 1.7 User's Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/users/index.htm

For a description of the concepts in the Cisco AR, including understanding RADIUS, authentication and authorization, and accounting, refer to the Cisco Access Registrar 1.7 Concepts and Reference Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/referenc/index.htm

For a description of features and functions that were implemented in Cisco AR Release 1.7, refer to the Cisco Access Registrar 1.7 Release Notes:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/1_7/relnote/index.htm

RADIUS Server Not Defined

Description

Summary

This error is seen when users are unable to get connected.

The following is an example of system output indicating a "No radius servers defined!" error.

00:34:23: %LINK-3-UPDOWN: Interface Async2/05, changed state to up
00:34:25: RADIUS: ustruct sharecount=1
00:34:25: RADIUS: No radius servers defined!
00:34:25: RADIUS: No valid server found. Trying any viable server
00:34:25: RADIUS: No radius servers defined!
00:34:25: %RADIUS-3-NOSERVERS: No Radius hosts configured.
00:34:25: RADIUS: No response from server
00:34:25: RADIUS: ustruct sharecount=4
00:34:25: RADIUS: No radius servers defined!
00:34:25: RADIUS: No radius servers defined!
00:34:25: RADIUS: No valid server found. Trying any viable server
00:34:25: RADIUS: No radius servers defined!

Target Platform(s)

Sun SPARC systems

Application

See Introduction

Frequency

As needed

Reference

For all related documentation, see References.

Procedure

To resolve a "No radius servers defined!" error, perform the following steps to verify and debug a RADIUS server:


Step 1   Verify that the RADIUS server(s) defined under the AAA groups are defined globally on the access server, by using the following command:

radius-server host hostname_ip key key

Where:

If the RADIUS server(s) are not globally defined, update the definition on the access server.

Step 2   Debug RADIUS using the following command:

debug radius

Step 3   If an error is indicated, correct it. If that resolves the problem, the procedure is complete. Otherwise, proceed to Step 4.

Step 4   Contact the Cisco TAC for assistance in resolving this problem.
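
The check in Step 1 can be run offline against a saved configuration. The following is an added example, not part of the original Cisco procedure: it assumes the IOS `aaa group server radius` and `radius-server host` configuration syntax, and the sample configuration (documentation addresses, placeholder key) is constructed; only the group name MyProxy is borrowed from the debug output later in this chapter.

```python
import re

# Constructed sample configuration; addresses are documentation addresses
# and the key is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius MyProxy
 server 192.0.2.10 auth-port 1645 acct-port 1646
 server 192.0.2.20 auth-port 1645 acct-port 1646
!
aaa authentication ppp default group MyProxy
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <shared-secret>
"""

def undefined_group_servers(config_text):
    """Return {group: [servers]} for group members with no global definition."""
    global_hosts, groups, current = set(), {}, None
    for line in config_text.splitlines():
        if m := re.match(r"radius-server host (\S+)", line):
            global_hosts.add(m[1])
            current = None
        elif m := re.match(r"aaa group server radius (\S+)", line):
            current = m[1]
            groups[current] = []
        elif current and (m := re.match(r"\s+server (\S+)", line)):
            groups[current].append(m[1])
        elif not line.startswith(" "):
            current = None  # any unindented line ends the group sub-mode
    # Global definitions usually follow the groups, so compare only at the end.
    missing = {}
    for group, servers in groups.items():
        absent = [s for s in servers if s not in global_hosts]
        if absent:
            missing[group] = absent
    return missing

if __name__ == "__main__":
    for group, servers in undefined_group_servers(SAMPLE_CONFIG).items():
        print(f"group {group}: no global radius-server host for {', '.join(servers)}")
```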


Notes

RADIUS Keys Mismatched

Description

Summary

Use this procedure when users cannot get connected to the RADIUS server. This occurs when the access server is unable to understand a response it received from the RADIUS server.

The following is an example of system output indicating that the RADIUS keys are mismatched:

004180: Nov 6 14:53:00.995 PST: RADIUS: Initial Transmit Async3/01*Serial1/0:23 id 85 172.19.50.123:1645, Access-Request, len 129
004181: Nov 6 14:53:00.995 PST: Attribute 4 6 AC13322D
004182: Nov 6 14:53:00.995 PST: Attribute 5 6 00004017
004183: Nov 6 14:53:00.995 PST: Attribute 26 30 0000000902184173
004184: Nov 6 14:53:00.995 PST: Attribute 61 6 00000000
004185: Nov 6 14:53:00.995 PST: Attribute 1 11 6D6F6465
004186: Nov 6 14:53:00.995 PST: Attribute 30 9 35353531
004187: Nov 6 14:53:00.995 PST: Attribute 3 19 01D1CAD7
004188: Nov 6 14:53:00.995 PST: Attribute 6 6 00000002
004189: Nov 6 14:53:00.995 PST: Attribute 7 6 00000001
004190: Nov 6 14:53:00.995 PST: Attribute 44 10 32413030
004191: Nov 6 14:53:00.999 PST: RADIUS: Received from id 85 172.19.50.123:1645, Access-Accept, len 64
004192: Nov 6 14:53:00.999 PST: Attribute 6 6 00000002
004193: Nov 6 14:53:00.999 PST: Attribute 7 6 00000001
004194: Nov 6 14:53:00.999 PST: Attribute 26 32 00000009011A6970
004195: Nov 6 14:53:00.999 PST: RADIUS: Response (85) failed decrypt
004196: Nov 6 14:53:00.999 PST: RADIUS: Reply for 85 fails decrypt
004197: Nov 6 14:53:00.999 PST: AAA/AUTHEN (3934272825): status = ERROR

Target Platform(s)

Sun SPARC systems

Application

See Introduction

Frequency

As needed

Reference

For all related documentation, see References.

Procedure

To resolve a mismatch in the RADIUS keys, perform the following steps:


Step 1   Ensure that the keys for the RADIUS server and the access server match, using the following command:

debug radius

If the response to the command indicates that the keys match, proceed to Step 3. Otherwise, proceed to Step 2.

Step 2   Modify the key on the access server to match the key on the RADIUS server.

If that resolves the problem, the procedure is complete. Otherwise, proceed to Step 3.

Step 3   Contact the Cisco TAC for assistance in resolving this problem.
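
Why a key mismatch makes an otherwise valid Access-Accept unusable can be shown with the RFC 2865 Response Authenticator. The following is an added example, not Cisco code: it assumes the check that IOS reports as "failed decrypt" is this authenticator verification, and the Request Authenticator and both keys are constructed; the packet ID (85) and attributes 6 and 7 are taken from the output above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865

def build_response(code, ident, attrs, request_auth, secret):
    """RADIUS server side: build a reply signed with the server's key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_auth, secret):
    """Access server side: recompute the authenticator with the local key."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    request_auth = bytes(range(16))  # constructed Request Authenticator
    # Attribute 6 (00000002) and Attribute 7 (00000001) as type, length, value
    attrs = bytes.fromhex("060600000002" "070600000001")
    reply = build_response(ACCESS_ACCEPT, 85, attrs, request_auth, b"server-key")
    return {
        "matching key": verify_response(reply, request_auth, b"server-key"),
        "mismatched key": verify_response(reply, request_auth, b"nas-key"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'fails authenticator check'}")
```

The reply is well formed in both cases; only the side holding a different key rejects it, which is why the access server logs the Access-Accept and then reports an error.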


Notes

Authorization Incorrectly Configured

Description

Summary

Use this procedure when per-user attributes (for example, access lists, filters, and timeouts) are not being applied. The RADIUS server is returning attributes but you do not see them being applied.

The following is an example of system output indicating that the session timeout is not being applied:

01:42:33: RADIUS: Received from id 49 171.71.3.40:1645, Access-Accept, len 38
01:42:33: Attribute 7 6 00000001
01:42:33: Attribute 6 6 00000002
01:42:33: Attribute 27 6 0000003C
01:42:33: AAA/AUTHEN (1378082205): status = PASS
01:42:33: As2/17 AAA/AUTHOR/LCP: Authorize LCP
01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): Port='Async2/17' list='' service=NET
01:42:33: AAA/AUTHOR/LCP: As2/17 (122768983) user='1_1_2'
01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): send AV service=ppp
01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): send AV protocol=lcp
01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): found list "default"
01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): Method=IF_AUTHEN
01:42:33: As2/17 AAA/AUTHOR (122768983): Post authorization status = PASS_ADD

5400#sh caller timeouts
                          Session    Idle       Disconnect
  Line       User         Timeout    Timeout    User in
  vty 0      cisco           -          -          -
  tty 344    1_1_2           -          -          -
  As2/20     1_1_2        00:00:00   3w3d       3w3d

The example below shows a system response that indicates the session timeout is applied following an authorization setup from the AAA server.

02:04:09: RADIUS: Received from id 61 171.71.3.40:1645, Access-Accept, len 38
02:04:09: Attribute 7 6 00000001
02:04:09: Attribute 6 6 00000002
02:04:09: Attribute 27 6 0000003C
02:04:09: AAA/AUTHEN (3360630259): status = PASS
02:04:09: As2/21 AAA/AUTHOR/LCP: Authorize LCP
02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): Port='Async2/21' list='' service=NET
02:04:09: AAA/AUTHOR/LCP: As2/21 (2560550781) user='1_1_2'
02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): send AV service=ppp
02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): send AV protocol=lcp
02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): found list "default"
02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): Method=MyProxy (radius)
02:04:09: As2/21 AAA/AUTHOR (2560550781): Post authorization status = PASS_REPL
02:04:09: As2/21 AAA/AUTHOR/LCP: Processing AV service=ppp
02:04:09: As2/21 AAA/AUTHOR/LCP: Processing AV timeout=60

5400#sh caller timeouts
                          Session    Idle       Disconnect
  Line       User         Timeout    Timeout    User in
  vty 0      cisco           -          -          -
  tty 344    1_1_2           -          -          -
  As2/20     1_1_2        00:01:00   3w3d       00:00:46

Target Platform(s)

Sun SPARC systems

Application

See Introduction

Frequency

As needed

Reference

For all related documentation, see References.

Procedure

To correct an AAA authorization problem, perform the following steps:


Step 1   Enter the following command to debug the AAA authorization settings:

debug aaa authorization

Ensure that the AAA authorization method list points to the AAA server group that contains the per-user attribute information. If the list points to the correct AAA server group, proceed to Step 3. Otherwise, proceed to Step 2.

Step 2   Modify the AAA authorization method list to point to the AAA server group that contains the per-user attribute information.

If that resolves the problem, the procedure is complete. Otherwise, proceed to Step 3.

Step 3   Verify the user profile settings on the AAA server.

If the user profile settings are correct, proceed to Step 5. Otherwise, proceed to Step 4.

Step 4   Correct the user profile settings on the AAA server.

If that resolves the problem, the procedure is complete. Otherwise, proceed to Step 5.

Step 5   Contact the Cisco TAC for assistance in resolving this problem.
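
The difference between the two captures in this section can be checked mechanically: both Access-Accepts carry Attribute 27 with value 0000003C (60), but only the second shows a "Processing AV timeout=60" line. The following is an added example, not Cisco tooling: it decodes the integer attributes in the debug output using RFC 2865 attribute numbers and compares them with what authorization processed; the log lines are abridged from the captures above.

```python
import re

# Integer attributes from RFC 2865; debug prints "Attribute <type> <len> <hex>".
INT_ATTRS = {6: "Service-Type", 7: "Framed-Protocol", 27: "Session-Timeout"}
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")
METHOD_RE = re.compile(r"AAA/AUTHOR/LCP \(\d+\): Method=(\S+)")
AV_RE = re.compile(r"Processing AV (\w+)=(\S+)")

def analyze(lines):
    """Compare what the Access-Accept carried with what authorization applied."""
    returned, applied, method, in_accept = {}, {}, None, False
    for line in lines:
        if "RADIUS:" in line:
            in_accept = "Access-Accept" in line  # attribute lines follow this
        elif in_accept and (m := ATTR_RE.search(line)):
            attr, length, value = int(m[1]), int(m[2]), m[3]
            if attr in INT_ATTRS and length == 6:  # 2-byte header + 4-byte value
                returned[INT_ATTRS[attr]] = int(value, 16)
        elif m := METHOD_RE.search(line):
            method = m[1]
        elif m := AV_RE.search(line):
            applied[m[1]] = m[2]
    timeout = returned.get("Session-Timeout")
    ok = timeout is None or applied.get("timeout") == str(timeout)
    return {"method": method, "session_timeout": timeout, "applied": ok}

# Abridged from the two captures in this section.
NOT_APPLIED = [
    "01:42:33: RADIUS: Received from id 49 171.71.3.40:1645, Access-Accept, len 38",
    "01:42:33: Attribute 27 6 0000003C",
    "01:42:33: As2/17 AAA/AUTHOR/LCP (122768983): Method=IF_AUTHEN",
    "01:42:33: As2/17 AAA/AUTHOR (122768983): Post authorization status = PASS_ADD",
]
APPLIED = [
    "02:04:09: RADIUS: Received from id 61 171.71.3.40:1645, Access-Accept, len 38",
    "02:04:09: Attribute 27 6 0000003C",
    "02:04:09: As2/21 AAA/AUTHOR/LCP (2560550781): Method=MyProxy (radius)",
    "02:04:09: As2/21 AAA/AUTHOR (2560550781): Post authorization status = PASS_REPL",
    "02:04:09: As2/21 AAA/AUTHOR/LCP: Processing AV timeout=60",
]

if __name__ == "__main__":
    for name, capture in (("first", NOT_APPLIED), ("second", APPLIED)):
        print(name, "capture:", analyze(capture))
```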


Notes

Using show Commands

Description

Summary

Use show commands to troubleshoot Cisco AR problems.

Target Platform(s)

Sun SPARC systems

Application

See Introduction

Frequency

As needed

Reference

For all related documentation, see References.

Command

Use the following show command:

show radius statistics

The system returns a response similar to the following:

5400-3-pop#sh radius statistics
                                   Auth.      Acct.       Both
          Maximum inQ length:        NA         NA          1
        Maximum waitQ length:        NA         NA          2
        Maximum doneQ length:        NA         NA          1
        Total responses seen:         6         24         30
      Packets with responses:         6         24         30
   Packets without responses:         0         10         10
  Average response delay(ms):         6        240        193
  Maximum response delay(ms):        16       3764       3764
   Number of Radius timeouts:         0         41         41
        Duplicate ID detects:         0          0          0

Notes

Using debug Commands

Description

Summary

Use debug commands to troubleshoot Cisco AR problems.

Target Platform(s)

Sun SPARC systems

Application

See Introduction

Frequency

As needed

Reference

For all related documentation, see References.

Commands

Use the following debug commands:


Tip   Be sure to use conditional debugs (where possible) to minimize the amount of output. The conditional debug facility allows a debug command to be triggered by a specific event, such as a user ID or phone number, and turns on debug for the affected port only, enabling problems to be identified and resolved rapidly.


Caution   Do not enable console logging. Instead, log to a buffer or to a syslog server.

Notes


Posted: Wed Oct 2 12:32:17 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.