topic Re: Radius Authentication via MS NPS/Active Directory - ASR9k in Network Security

Radius Authentication via MS NPS/Active Directory - ASR9k

Dadbaud73 — Wed, 01 Mar 2023 17:54:28 GMT

Hello...this is the second time I'm posting about this issue, but I do have more info now.

I have been trying for over a week to get 2 ASR9k's to authenticate logins via our company's existing Microsoft NPS server via Active directory. I have standard ios routers working fine with this (on the same subnet, pointed to the same NPS), but cannot get our 2 ASR9k's to do the same.

I did install wireshark on the NPS server to try and figure out what was going on there. Both routers are getting access-accept packets from the NPS, so I know the issue is not with the AD authentication. Regardless of this, I still get access denied on the routers.

I have an existing TAC case open on this but so far that has yielded no help. This morning I decided to take a look at the log on the router after a login attempt and saw this message:

RP/0/RSP0/CPU0:Mar 1 10:21:38 : radiusd[1136]: %SECURITY-RADIUSD-3-BAD_VSA_TYPE : Bad non-cisco VSA type 14 with vendor_id 311 encountered, possibily out of range

I think I have found the issue. Can anyone tell me what this message is indicating? This is a microsoft VSA. Here's a screenshot from the wireshark capture of the access-accept packet. This feels like a bug?

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

balaji.bandi — Thu, 02 Mar 2023 00:22:00 GMT

As per i know some bugs around Windows Version and NPS (there is some knowledge base)

what is the Windows Servers version that NPS running? what is the Windows Server version which has AD ?

i will simulate this issue over weekend, since moved to ISE we no longer using NPS,

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

Dadbaud73 — Thu, 02 Mar 2023 15:11:09 GMT

Both servers: Server 19 Datacenter

version: 1809

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

MHM Cisco World — Thu, 02 Mar 2023 15:35:33 GMT

radius-server attribute list listname <<- you can try attribute filter to accept deny some VSA

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

Dadbaud73 — Thu, 02 Mar 2023 22:23:35 GMT

So once you set up the list, how do you accept or deny off of it?

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

MHM Cisco World — Fri, 03 Mar 2023 02:56:16 GMT

OK, I will share command

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

Dadbaud73 — Fri, 03 Mar 2023 15:22:45 GMT

I did this command and the error stopped showing up in the log. I am still not logging in:

config)#radius-server vsa attribute ignore unknown

Now I am seeing this in the log:

Re: Radius Authentication via MS NPS/Active Directory - ASR9k

MHM Cisco World — Mon, 06 Mar 2023 00:03:13 GMT

radius-server attribute list MHM
attribute vendor-id 311
vendor-type 26
!
aaa group server radius MHM 
authorization reply reject MHM