topic AAA authentication sequence in Network Access Control

AAA authentication sequence

bapatsubodh — Mon, 11 Mar 2019 01:41:28 GMT

We have following commands configured on the 2950

aaa new-model

aaa authentication login default group radius local

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

username localuser secret 5 *******

When trying to access the switch it is quering to RADIUS server but it's not getting authenticated.

And then it gets authenticated with local user name.

Following is the log from RADIUS server

It is showing the correct username and correct source IP of the switch.

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = <undetermined>

Authentication-Type = PAP

EAP-Type = <undetermined>

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

In principle it was expected that as long as switch is able to connect to the the RADIUS server, it will not use the local username for authentication.

But the switch is using the local username even though it can contact the RADIUS serve.

Please share the experience.

Thanks

Subodh

AAA authentication sequence

camejia — Thu, 05 Jan 2012 20:21:09 GMT

Hello Subodh,

Can you enable "debug aaa authentication" and "debug radius" on the IOS switch and execute the following command:

test aaa group radius legacy

Please, share the IOS debug outputs.

Also, from the RADIUS server output it seems to be a Windows IAS. Can you confirm? Also which OS and SP is the MS server running?

Will be waiting for your response.

Regards

AAA authentication sequence

bapatsubodh — Thu, 05 Jan 2012 20:56:29 GMT

This is switch with IOS --Version 12.1(22)EA4.

It is not supporting test aaa command.

Here is the output of the debug commands aaa and radius.

15w1d: AAA: parse name=tty2 idb type=-1 tty=-1

15w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=

15w1d: AAA/MEMORY: create_user (0x80CDB730) user='' ruser='' port='tty2' rem_add

r='10.12.28.113' authen_type=ASCII service=LOGIN priv=15

15w1d: AAA/AUTHEN/START (2995812294): port='tty2' list='' action=LOGIN service=L

OGIN

15w1d: AAA/AUTHEN/START (2995812294): using "default" list

15w1d: AAA/AUTHEN/START (2995812294): Method=radius (radius)

15w1d: AAA/AUTHEN (2995812294): status = GETUSER

15w1d: AAA/AUTHEN/CONT (2995812294): continue_login (user='(undef)')

15w1d: AAA/AUTHEN (2995812294): status = GETUSER

15w1d: AAA/AUTHEN (2995812294): Method=radius (radius)

15w1d: AAA/AUTHEN (2995812294): status = GETPASS

15w1d: AAA/AUTHEN/CONT (2995812294): continue_login (user='domain\username')

15w1d: AAA/AUTHEN (2995812294): status = GETPASS

15w1d: AAA/AUTHEN (2995812294): Method=radius (radius)

15w1d: RADIUS: ustruct sharecount=1

15w1d: RADIUS: Initial Transmit tty2 id 98 10.105.6.50:1645, Access-Request, len

15w1d: Attribute 4 6 0A0C7C05

15w1d: Attribute 5 6 00000002

15w1d: Attribute 61 6 00000005

15w1d: Attribute 1 16 626D675C

15w1d: Attribute 31 14 31302E31

15w1d: Attribute 2 18 FE414243

15w1d: RADIUS: Received from id 98 10.105.6.50:1645, Access-Reject, len 20

15w1d: RADIUS: Response (98) failed decrypt

15w1d: AAA/AUTHEN (2995812294): status = ERROR

15w1d: AAA/AUTHEN/START (328845936): port='tty2' list='' action=LOGIN service=LO

GIN

15w1d: AAA/AUTHEN/START (328845936): Restart

15w1d: AAA/AUTHEN/START (328845936): Method=LOCAL

15w1d: AAA/AUTHEN (328845936): User not found, end of method list

15w1d: AAA/AUTHEN (328845936): status = FAIL

15w1d: AAA/MEMORY: free_user (0x80CDB730) user='domain\username' ruser='' port='t

ty2' rem_addr='10.12.28.113' authen_type=ASCII service=LOGIN priv=15

15w1d: AAA: parse name=tty2 idb type=-1 tty=-1

15w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=

15w1d: AAA/MEMORY: create_user (0x80CCC620) user='' ruser='' port='tty2' rem_add

r='10.12.28.113' authen_type=ASCII service=LOGIN priv=15

15w1d: AAA/AUTHEN/START (2996282759): port='tty2' list='' action=LOGIN service=L

OGIN

15w1d: AAA/AUTHEN/START (2996282759): using "default" list

15w1d: AAA/AUTHEN/START (2996282759): Method=radius (radius)

15w1d: AAA/AUTHEN (2996282759): status = GETUSER

sSeattleWACL-1#

15w1d: AAA/AUTHEN/CONT (2996282759): continue_login (user='(undef)')

15w1d: AAA/AUTHEN (2996282759): status = GETUSER

15w1d: AAA/AUTHEN (2996282759): Method=radius (radius)

15w1d: AAA/AUTHEN (2996282759): status = GETPASS

15w1d: AAA/AUTHEN/CONT (2996282759): continue_login (user='cisco')

15w1d: AAA/AUTHEN (2996282759): status = GETPASS

15w1d: AAA/AUTHEN (2996282759): Method=radius (radius)

15w1d: RADIUS: ustruct sharecount=1

15w1d: RADIUS: Initial Transmit tty2 id 99 10.105.6.50:1645, Access-Request, len

15w1d: Attribute 4 6 0A0C7C05

15w1d: Attribute 5 6 00000002

15w1d: Attribute 61 6 00000005

15w1d: Attribute 1 7 63697363

15w1d: Attribute 31 14 31302E31

15w1d: Attribute 2 18 1C9128B1

15w1d: RADIUS: Received from id 99 10.105.6.50:1645, Access-Reject, len 20

15w1d: RADIUS: Response (99) failed decrypt

15w1d: AAA/AUTHEN (2996282759): status = ERROR

15w1d: AAA/AUTHEN/START (845261052): port='tty2' list='' action=LOGIN service=LO

GIN

15w1d: AAA/AUTHEN/START (845261052): Restart

15w1d: AAA/AUTHEN/START (845261052): Method=LOCAL

15w1d: AAA/AUTHEN (845261052): status = GETPASS

15w1d: AAA/AUTHEN/CONT (845261052): continue_login (user='cisco')

15w1d: AAA/AUTHEN (845261052): status = GETPASS

15w1d: AAA/AUTHEN/CONT (845261052): Method=LOCAL

15w1d: AAA/AUTHEN (845261052): status = PASS

Radius looks fine as it is working okay for all other devices.

Thanks

Subodh

AAA authentication sequence

camejia — Thu, 05 Jan 2012 21:04:39 GMT

Hello,

Can you retype the Shared Secret key on the "radius-server" command and on the IAS RADIUS Client Entry?

The IOS is reporting "RADIUS: Response (98) failed decrypt" which is 99% of the times a Shared Secret Mismatch.

Regards.

AAA authentication sequence

bapatsubodh — Thu, 05 Jan 2012 21:17:47 GMT

Same reault. It is getting authenticated locally.

Do we need to add the IP address of the switch even in AD server. We have added this subnet in RADIUS.

Thanks!

Subodh

AAA authentication sequence

camejia — Thu, 05 Jan 2012 22:25:43 GMT

Hello,

For testing it would be better if we add a single entry for the Switch IP address keeping it separated from the Subnet defined for it.

Again, usually the "RADIUS: Response (98) failed decrypt" refers to an issue with the keys.

When configuring the "radius-server" command we need to be sure that we do not leave a space after configuring the key. If we add a space after the key it will be considered as valid character for the key as well. This might cause a shared secret mismatch as the IOS has the key configured with a space at the end but the IAS RADIUS Client entry has no space on it.

Regards.

AAA authentication sequence

camejia — Thu, 05 Jan 2012 23:33:06 GMT

Hello,

I have indeed recreated the issue when authenticating against an IAS. My switch is running a newer version, however, it still reports the Decrypt error on the logs when the shared secret is incorrect. Configured shared secret as "cisco" on the switch and as "cisco123" on the IAS RADIUS client entry. Got the following:

User priv15 was denied access.

Fully-Qualified-User-Name = CAMEJIA\priv15

NAS-IP-Address = x.x.250.12

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier =

Client-Friendly-Name = x.x.250.12

Client-IP-Address = x.x.250.12

NAS-Port-Type = Async

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

On the switch debugs:

*Mar 2 06:02:13.600: RADIUS: Received from id 1645/6 x.x.250.20:1645, Access-Reject, len 20

*Mar 2 06:02:13.600: RADIUS: authenticator 24 84 60 FA B8 43 3E A9 - AC 55 72 70 CE 34 BA 70

*Mar 2 06:02:13.600: RADIUS: response-authenticator decrypt fail, pak len 20

*Mar 2 06:02:13.600: RADIUS: packet dump: 03060014248460FAB8433EA9AC557270CE34BA70

*Mar 2 06:02:13.600: RADIUS: expected digest: D22363698E8862015AC91213B540D77C

*Mar 2 06:02:13.600: RADIUS: response authen: 248460FAB8433EA9AC557270CE34BA70

*Mar 2 06:02:13.600: RADIUS: request authen: 32B4A229A7EB982A61EB31E29A24AA47

*Mar 2 06:02:13.600: RADIUS: Response (6) failed decrypt

Please, create a new RADIUS client entry for the switch only and use a simple key like "cisco" on both sides. Remember that we should not hit the space bar when configuring the key on the IOS as it will take the space as a valid shared key character.

Hope this helps.

Regards.

AAA authentication sequence

bapatsubodh — Fri, 06 Jan 2012 17:35:06 GMT

After reseting the key on the RADIUS server it's working. Thanks for help.