<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3684827#M25268</link>
    <description>&lt;P&gt;I have a WS-C2960CX-8PC-L running IOS 15.2(3)E2 with dot1x and MAB authentication schema enabled.&lt;/P&gt;
&lt;P&gt;Everything works fine as far as authentication and authorization are concerned, while accounting has issues.&lt;/P&gt;
&lt;P&gt;Unlike the other Cisco switches we have in production (2960-X and 3560 running different flavors of IOS, typically C3560-IPBASEK9-M Version 12.2(55)SE5), the 2960CX switches are unable to send back a correct RADIUS accounting message.&lt;BR /&gt;&lt;BR /&gt;The problem is that the RADIUS server is sending an accept message that contains a CLASS attribute (25), so, according to RADIUS RFC4372/&lt;A target="_blank" name="ref-RFC2865"&gt;&lt;/A&gt;RFC2865, the switch should send back the same CLASS attribute value in the accounting message.&lt;BR /&gt;&lt;BR /&gt;We see that class attribute sent back in the accounting messages of the oldest switches/IOS, but not in those of the 2960-CX with IOS 15.&lt;BR /&gt;&lt;BR /&gt;The configurations found under the interfaces are the same, and even the global configs (for the part concerning AAA) are equal.&lt;/P&gt;</description>
    <pubDate>Thu, 09 Aug 2018 10:47:11 GMT</pubDate>
    <dc:creator>amontefusco</dc:creator>
    <dc:date>2018-08-09T10:47:11Z</dc:date>
    <item>
      <title>Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3684827#M25268</link>
      <description>&lt;P&gt;I have a WS-C2960CX-8PC-L running IOS 15.2(3)E2 with dot1x and MAB authentication schema enabled.&lt;/P&gt;
&lt;P&gt;Everything works fine as far as authentication and authorization are concerned, while accounting has issues.&lt;/P&gt;
&lt;P&gt;Unlike the other Cisco switches we have in production (2960-X and 3560 running different flavors of IOS, typically C3560-IPBASEK9-M Version 12.2(55)SE5), the 2960CX switches are unable to send back a correct RADIUS accounting message.&lt;BR /&gt;&lt;BR /&gt;The problem is that the RADIUS server is sending an accept message that contains a CLASS attribute (25), so, according to RADIUS RFC4372/&lt;A target="_blank" name="ref-RFC2865"&gt;&lt;/A&gt;RFC2865, the switch should send back the same CLASS attribute value in the accounting message.&lt;BR /&gt;&lt;BR /&gt;We see that class attribute sent back in the accounting messages of the oldest switches/IOS, but not in those of the 2960-CX with IOS 15.&lt;BR /&gt;&lt;BR /&gt;The configurations found under the interfaces are the same, and even the global configs (for the part concerning AAA) are equal.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Aug 2018 10:47:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3684827#M25268</guid>
      <dc:creator>amontefusco</dc:creator>
      <dc:date>2018-08-09T10:47:11Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3684902#M25269</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;Can you confirm the following command is present in your config:&lt;/P&gt;
&lt;P&gt;radius-server attribute 25 access-request include&lt;/P&gt;</description>
      <pubDate>Thu, 09 Aug 2018 12:54:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3684902#M25269</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-08-09T12:54:18Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685027#M25270</link>
      <description>&lt;P&gt;The command you suggest is there:&lt;/P&gt;
&lt;P&gt;sh run | i access-request&lt;BR /&gt;radius-server attribute 25 access-request include&lt;/P&gt;</description>
      <pubDate>Thu, 09 Aug 2018 15:10:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685027#M25270</guid>
      <dc:creator>amontefusco</dc:creator>
      <dc:date>2018-08-09T15:10:32Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685059#M25271</link>
      <description>&lt;P&gt;BTW, on the older cat 3560 running on 122-55.SE5, it works irrespective of the presence of that command.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Aug 2018 15:16:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685059#M25271</guid>
      <dc:creator>amontefusco</dc:creator>
      <dc:date>2018-08-09T15:16:21Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685160#M25273</link>
      <description>Did you run a debug on the 2960cx? If so, can you share it please? Or run it and share the output into a text file please.&lt;BR /&gt;Also, are you able to upgrade this switch with the recommended stable version 15.2.4E6 and test again?</description>
      <pubDate>Thu, 09 Aug 2018 16:33:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3685160#M25273</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-08-09T16:33:10Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3687046#M25274</link>
      <description>Addresses redacted.


Aug  9 15:18:15.232: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Aug  9 15:18:18.192: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Aug  9 15:18:19.192: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
Aug  9 15:18:42.988: %DOT1X-5-FAIL: Authentication failed for client (0019.db2b.fa3f) on Interface Gi0/2 AuditSessionID 0A457A0A0000001901E81AF7
Aug  9 15:18:42.988: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Aug  9 15:18:42.988: RADIUS(00000000): Config NAS IP: 0.0.0.0
Aug  9 15:18:42.988: RADIUS(00000000): Config NAS IPv6: ::
Aug  9 15:18:42.988: RADIUS(00000000): sending
Aug  9 15:18:42.992: RADIUS/ENCODE: Best Local IP-Address ************** for Radius-Server ************
Aug  9 15:18:42.992: RADIUS(00000000): Send Access-Request to ****************:1812 id 1645/10, len 290
Aug  9 15:18:42.992: RADIUS:  authenticator 55 C1 3E 36 6B EA D1 9D - 34 9C 68 B9 E8 6C 78 CD
Aug  9 15:18:42.992: RADIUS:  User-Name           [1]   14  "000000000000"
Aug  9 15:18:42.992: RADIUS:  User-Password       [2]   18  *
Aug  9 15:18:42.992: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Aug  9 15:18:42.992: RADIUS:  Vendor, Cisco       [26]  31  
Aug  9 15:18:42.992: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
Aug  9 15:18:42.992: RADIUS:  Framed-MTU          [12]  6   1500                
  
Aug  9 15:18:42.992: RADIUS:  Called-Station-Id   [30]  19  "000000000000000000"
Aug  9 15:18:42.992: RADIUS:  Calling-Station-Id  [31]  19  "0000000000000000"
Aug  9 15:18:42.992: RADIUS:  Message-Authenticato[80]  18  
Aug  9 15:18:42.992: RADIUS:   A8 1D C1 62 0E 79 0F 2A 21 A7 56 22 3E 4A BC E0          [ by*!V"&amp;gt;J]
Aug  9 15:18:42.992: RADIUS:  EAP-Key-Name        [102] 2   *
Aug  9 15:18:42.992: RADIUS:  Vendor, Cisco       [26]  49  
Aug  9 15:18:42.992: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A457A0A0000001901E81AF7"
Aug  9 15:18:42.992: RADIUS:  Vendor, Cisco       [26]  18  
Aug  9 15:18:42.992: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Aug  9 15:18:42.992: RADIUS:  Framed-IP-Address   [8]   6   ***************       
Aug  9 15:18:42.992: RADIUS:  NAS-IP-Address      [4]   6   ******************          
Aug  9 15:18:42.992: RADIUS:  Vendor, Cisco       [26]  26  
Aug  9 15:18:42.992: RADIUS:   cisco-nas-port     [2]   20  "GigabitEthernet0/2"
Aug  9 15:18:42.992: RADIUS:  NAS-Port            [5]   6   60000                     
Aug  9 15:18:42.992: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/2"
Aug  9 15:18:42.992: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Aug  9 15:18:42.992: RADIUS(00000000): Sending a IPv4 Radius Packet
Aug  9 15:18:42.995: RADIUS(00000000): Started 5 sec timeout
Aug  9 15:18:43.027: RADIUS: Received from id 1645/10 uuuuuuuuuuu:1812, Access-Accept, len 101
Aug  9 15:18:43.027: RADIUS:  authenticator D4 F5 64 1E 9A 8B 32 F5 - D2 2E F6 CD E2 AF 63 D4
Aug  9 15:18:43.027: RADIUS:  Class               [25]  63  
Aug  9 15:18:43.027: RADIUS:   53 42 52 32 43 4C E5 FC 80 B3 97 D5 F6 EC C7 80 11 80 2A 15 80 26 81 8D 87 E0 80 80 96 86 9F 8D C0 85 F5 AA 9E DA F4 BA C8 8D 86 F5 B5 C5 C7 FB EA A6 D9 B1 C2 D1 A5 9F 80 80 80 80 80          [ SBR2CL*&amp;amp;]
Aug  9 15:18:43.027: RADIUS:  Message-Authenticato[80]  18  
Aug  9 15:18:43.027: RADIUS:   55 06 7B CC 9C CC 57 BE 51 E4 04 D5 EA B6 44 17             [ U{WQD]
Aug  9 15:18:43.027: RADIUS(00000000): Received from id 1645/10
Aug  9 15:18:44.061: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Aug  9 15:18:44.061: RADIUS(00000000): Config NAS IP: 0.0.0.0
Aug  9 15:18:44.061: RADIUS(00000000): Config NAS IPv6: ::
Aug  9 15:18:44.061: RADIUS(00000000): sending
Aug  9 15:18:44.061: RADIUS/ENCODE: Best Local IP-Address xxxxxxxxxx for Radius-Server xxxxxxxxxxxxxx
Aug  9 15:18:44.061: RADIUS(00000000): Send Accounting-Request to vvvvvvvvvvvvvvvvv:1813 id 1646/21, len 237
Aug  9 15:18:44.061: RADIUS:  authenticator 42 38 21 6B 58 90 F7 F1 - E7 1F 10 30 6F 86 FF CA
Aug  9 15:18:44.061: RADIUS:  Framed-IP-Address   [8]   6   10.x.y.z             
Aug  9 15:18:44.061: RADIUS:  User-Name           [1]   14  "xxxxxxxxxxxxxxxx"
Aug  9 15:18:44.061: RADIUS:  Vendor, Cisco       [26]  49  
Aug  9 15:18:44.061: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A457A0A0000001901E81AF7"
Aug  9 15:18:44.061: RADIUS:  Vendor, Cisco       [26]  18  
Aug  9 15:18:44.061: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Aug  9 15:18:44.065: RADIUS:  Called-Station-Id   [30]  19  "xxxxxxxxxxxxxxx"
Aug  9 15:18:44.065: RADIUS:  Calling-Station-Id  [31]  19  "*******************"
Aug  9 15:18:44.065: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.c              
Aug  9 15:18:44.065: RADIUS:  Vendor, Cisco       [26]  26  
Aug  9 15:18:44.065: RADIUS:   cisco-nas-port     [2]   20  "GigabitEthernet0/2"
Aug  9 15:18:44.065: RADIUS:  NAS-Port            [5]   6   60000                     
Aug  9 15:18:44.065: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/2"
Aug  9 15:18:44.065: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Aug  9 15:18:44.065: RADIUS:  Acct-Session-Id     [44]  10  "0000000F"
Aug  9 15:18:44.065: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Aug  9 15:18:44.065: RADIUS:  Event-Timestamp     [55]  6   1533827924                
Aug  9 15:18:44.065: RADIUS:  Acct-Delay-Time     [41]  6   0                         
Aug  9 15:18:44.065: RADIUS(00000000): Sending a IPv4 Radius Packet
Aug  9 15:18:44.065: RADIUS(00000000): Started 5 sec timeout
Aug  9 15:18:44.089: RADIUS: Received from id 1646/21 a.b.c.d:1813, Accounting-response, len 20
Aug  9 15:18:44.089: RADIUS:  authenticator EB 1F 1F 96 75 5B F1 1F - 2A 8A 35 07 67 E1 BC 6E</description>
      <pubDate>Mon, 13 Aug 2018 12:44:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3687046#M25274</guid>
      <dc:creator>amontefusco</dc:creator>
      <dc:date>2018-08-13T12:44:01Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco 2960-CX unable to send back RADIUS Class (25) attribute in accounting messages</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3687119#M25275</link>
      <description>&lt;P&gt;Upgrading to 15.2-6-E1 solved the problem.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Aug 2018 14:05:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-2960-cx-unable-to-send-back-radius-class-25-attribute-in/m-p/3687119#M25275</guid>
      <dc:creator>amontefusco</dc:creator>
      <dc:date>2018-08-13T14:05:34Z</dc:date>
    </item>
  </channel>
</rss>

