topic Re: IOS AAA EAP Authentication. in Network Access Control

IOS AAA EAP Authentication.

Sam Smiley — Mon, 29 Apr 2024 19:42:44 GMT

Hi guys,
I have a bit of an issues. I've got two routers on my bench that I building models for a FlexVPN deployment a couple of customers. Some customer are still running 2900 and others running 4000; we are in the process to replace these older machines however for the time being I need to add a FlexVPN to each platform. I have used the attached guild in each case; the guild indicates minimum IOS of 15.2.

I have the same config in a 2951 and a 4451; the 4451 (isr4400-universalk9.16.09.06.SPA.bin) works as expected. It authenticates to the Active Directory server, connects and can route to the remote network. The 2951 (c2951-universalk9-mz.SPA.155-3.M7.bin) however will not authenticate; I never get past the logon screen.

Both routers are authenticating to the same Active Directory server; each router is a listed as a separate RADIUS client in NPS and each as it's own network policy. Each has the same settings. I have attempted to run test aaa group... but the login is always rejected.

The AAA config for both routers is identical:

From the 4451:
aaa new-model
!
!
aaa group server radius flex_group
server-private 10.244.0.41 key ***********
!
aaa authentication login default local
aaa authentication login flex_list group flex_group
aaa authorization exec default local
aaa authorization network flex_list local
!
!
!
!
!
!
aaa session-id common

From the 2951:
aaa new-model
!
!
aaa group server radius flex_group
server name talic
!
aaa authentication login default local
aaa authentication login flex_list group flex_group
aaa authorization exec default local
aaa authorization network flex_list local
!
!
!
!
!
!
aaa session-id common

!
radius server talic
address ipv4 10.244.0.41 auth-port 1645 acct-port 1646
key **********

I'm sure there is something simple that I'm missing; maybe an IOS upgrade on the 2951 would solve it. I would rather not do that if I don't have to; two customers are running CME.

Regards,

Sam

Re: IOS AAA EAP Authentication.

Arne Bier — Mon, 29 Apr 2024 21:59:20 GMT

I would suggest running a packet capture on the NPS and compare the RADIUS Access-Request of the working device, versus the not working device. NPS runs Windows, so Wireshark (if possible) on that Windows server would be ideal.

Perhaps the RADIUS Access-Request packet of the non-working device is mal-formed due to a bug or some default that is missing in that version of IOS. You might be able to run a packet capture on the IOS device, or use some variant of the 'debug radius' to see the packet that it spits out.

In your posting, I don't see the flex configuration that the aaa method list refers to - I assume it's configured. However, that should not prevent the "test aaa" command from working. If the test aaa results in an 'Access-Reject', and IF you got a response from NPS, then the NPS logs must surely give a clue why it rejected the request. However, I have also seen IOS print the "User rejected" message when there was no response from the RADIUS request. It's important to validate that Request/Response in packet form.

Re: IOS AAA EAP Authentication.

Sam Smiley — Tue, 30 Apr 2024 06:44:10 GMT

Thanks Arne,
The Flex config is present in both routers with identical configs.

Cheers,
Sam

Re: IOS AAA EAP Authentication.

Arne Bier — Wed, 01 May 2024 20:47:50 GMT

Have you compared the RADIUS Access-Request details of working and non-working scenario? I would do that next.