11-17-2010 06:13 AM - edited 03-10-2019 05:35 PM
Hi all,
I have some problems with the VRF that I made and the radius verification.
The problem is that it's impossible to make authentication through the radius server.
The debug output is:
000103: Nov 17 14:26:02: RADIUS/ENCODE(00000004):Orig. component type = EXEC
000104: Nov 17 14:26:02: RADIUS: AAA Unsupported Attr: interface [171] 4
000105: Nov 17 14:26:02: RADIUS: 74 74 [ tt]
000107: Nov 17 14:26:02: RADIUS(00000004): Config NAS IP: 0.0.0.0
000108: Nov 17 14:26:02: RADIUS/ENCODE(00000004): acct_session_id: 4
000109: Nov 17 14:26:02: RADIUS(00000004): sending
000110: Nov 17 14:26:02: RADIUS/ENCODE: Best Local IP-Address 192.168.1.50 for Radius-Server 192.168.1.10
000111: Nov 17 14:26:02: RADIUS: No secret to encode request (rctx:0x5935DF4)
000112: Nov 17 14:26:02: RADIUS: Unable to encrypt (rctx:0x5935DF4)
000113: Nov 17 14:26:02: RADIUS(00000004): Send Access-Request to 192.168.1.10:1645 id 1645/4, len 84
000114: Nov 17 14:26:02: RADIUS: authenticator 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000115: Nov 17 14:26:02: RADIUS: User-Name [1] 8 "****"
000116: Nov 17 14:26:02: RADIUS: User-Password [2] 18 *
000117: Nov 17 14:26:02: RADIUS: NAS-Port [5] 6 2
000118: Nov 17 14:26:02: RADIUS: NAS-Port-Id [87] 6 "tty2"
vpn003151ro110#
000119: Nov 17 14:26:02: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
000120: Nov 17 14:26:02: RADIUS: Calling-Station-Id [31] 14 "192.168.1.20"
000121: Nov 17 14:26:02: RADIUS: NAS-IP-Address [4] 6 192.168.1.50
000122: Nov 17 14:26:02: RADIUS(00000004): Started 5 sec timeout
000257: Nov 17 14:26:02: RADIUS: Retransmit to (192.168.1.10:1645,1646) for id 1645/8
000258: Nov 17 14:26:02: RADIUS(00000004): Started 5 sec timeout
000268: Nov 17 14:27:05: RADIUS: No response from (192.168.1.10:1645,1646) for id 1645/8
000269: Nov 17 14:27:05: RADIUS/DECODE: parse response no app start; FAIL
000270: Nov 17 14:27:05: RADIUS/DECODE: parse response; FAIL
From within the VRF I can ping the radius server. From the radius server I can ping the router.
So I don't understand where it's going wrong.
The little config is:
aaa group server radius radius_1
 server 192.168.1.10 auth-port 1645 acct-port 1646
 ip vrf forwarding vpn01
 ip radius source-interface Vlan200
vlan 200
 name vpn01
interface Vlan200
 ip vrf forwarding vpn01
 ip address 192.168.1.50 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication-key 7 ********
In global
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
ip route vrf vpn01 0.0.0.0 0.0.0.0 192.168.1.254
Thanks
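A small triage script for "debug radius" output like the capture above, written as an added example for this thread (not code from the original post or from Cisco). It flags the signatures that matter here: "No secret to encode request" / "Unable to encrypt" (IOS has no shared key configured for that server, which also leaves the Request Authenticator all zeros), the source port in "id <port>/<identifier>" falling outside the standard RADIUS ports, and retransmit timeouts. The sample lines are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample: a few of the IOS "debug radius" lines quoted in this thread.
SAMPLE_DEBUG = """\
000103: Nov 17 14:26:02: RADIUS/ENCODE(00000004):Orig. component type = EXEC
000111: Nov 17 14:26:02: RADIUS: No secret to encode request (rctx:0x5935DF4)
000112: Nov 17 14:26:02: RADIUS: Unable to encrypt (rctx:0x5935DF4)
000113: Nov 17 14:26:02: RADIUS(00000004): Send Access-Request to 192.168.1.10:1645 id 1645/4, len 84
000114: Nov 17 14:26:02: RADIUS: authenticator 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000268: Nov 17 14:27:05: RADIUS: No response from (192.168.1.10:1645,1646) for id 1645/8
1097078: Sep 8 12:47:22: RADIUS(00000C82): Send Access-Request to X.X.X.X:1812 id 21645/118, len 81
"""

# In IOS debug output, "id <source-port>/<identifier>" shows the UDP source port the NAS used.
SEND_RE = re.compile(r"Send Access-Request to (\S+):(\d+) id (\d+)/(\d+)")
NO_RESPONSE_RE = re.compile(r"No response from \((\S+):(\d+),(\d+)\)")
STANDARD_SOURCE_PORTS = {1645, 1646, 1812, 1813}

# Finding -> the configuration item to check (taken from the thread and IOS documentation).
HINTS = {
    "missing-shared-secret": "no key for this server: add 'key' to 'radius-server host' or the aaa group 'server' line",
    "all-zero-authenticator": "request authenticator was never computed; same root cause as a missing secret",
    "nonstandard-source-port": "NAS uses an extended source port; pin it with 'radius-server source-ports 1645-1646'",
    "no-response-timeout": "server never answered; check reachability from the VRF and the server's client entry",
}

def analyze_radius_debug(text):
    """Scan debug radius output and return (finding, line) pairs for known failure signatures."""
    findings = []
    for line in text.splitlines():
        if "No secret to encode request" in line or "Unable to encrypt" in line:
            findings.append(("missing-shared-secret", line))
        elif "authenticator" in line:
            octets = set(line.split("authenticator", 1)[1].split())
            if octets <= {"00", "-"}:  # every octet printed as 00
                findings.append(("all-zero-authenticator", line))
        m = SEND_RE.search(line)
        if m and int(m.group(3)) not in STANDARD_SOURCE_PORTS:
            findings.append(("nonstandard-source-port", line))
        if NO_RESPONSE_RE.search(line):
            findings.append(("no-response-timeout", line))
    return findings

def summarize(findings):
    """Collapse findings into {finding: count} so a triage report lists each problem once."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run `summarize(analyze_radius_debug(SAMPLE_DEBUG))` and look each key up in `HINTS` to get the configuration item to check.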
11-17-2010 09:27 AM
Hi,
can you check to see if the radius server is receiving the packets or not ?
Nicolas
09-08-2011 03:35 PM
Hello Radek, Nicolas, community,
I am currently experiencing the exact same issue... Trying to perform authentication on a 6500 running 12.2(33)SXH6 where multiple VRFs are configured (VRF A can communicate with the radius).
My configuration is almost the same as yours, with the following differences:
In global
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key string
(+ global "radius-server key string")
ip radius source-interface vlan 10 vrf A
The debug is similar to yours (file in attachments); the Radius does receive something, but the authentication is denied and nothing is returned to the switch, explaining the retransmission/timeout messages at the end (same secret and key double-checked and validated).
FYI it is working well for other 6500s without VRF in 12.2(33)SXI...
Was your authentication issue solved, and if yes, how? Or any idea explaining this authentication problem?
Any suggestion will be appreciated!
Thank you very much.
Regards.
Karim
09-08-2011 10:22 PM
The troubleshooting path would be the same:
You say that the radius server receives the request. It then sends back an access-reject? If yes, what is the failure reason marked on the radius server?
09-09-2011 01:44 AM
Hello Nicolas,
Many thanks for your reply.
As stated, the server receives the request and rejects it, but the server does not send back an access-reject to the 6500...
================Server log===================================
[unix] invalid password "my_username"
++[unix] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password - Double-check the shared secret on the server and the NAS!
===================================================
What has me stuck is the warning message in the server logs => we DO use the same secret.
And the same user authenticates without any problem in other 6500 not using VRFs...
Thanks anyway.
Regards.
Karim
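The server warning quoted above ("Unprintable characters in the password") comes from how RFC 2865 hides User-Password: the NAS XORs the padded password with an MD5 key stream derived from the shared secret and the Request Authenticator, so a server that decodes the attribute with a different key stream sees random bytes rather than a password. The following is an added example written for this thread, not code from the original posts or from any RADIUS implementation; the authenticator value and both secrets are constructed.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the Request Authenticator."""
    pw = password.encode()
    pad = (-len(pw)) % 16 or (16 if not pw else 0)  # at least one 16-byte block
    pw += b"\x00" * pad
    hidden, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = _xor(pw[i:i + 16], hashlib.md5(secret.encode() + prev).digest())
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Server side: reverse the hiding with the secret it holds for this NAS and strip the padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret.encode() + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def has_unprintable(data):
    """The check behind the server's warning: a byte outside printable ASCII means the NAS and the
    server derived their key streams from different secrets (or the request was mangled in transit)."""
    return any(b < 0x20 or b > 0x7e for b in data)

def demo():
    # Constructed Request Authenticator; a real NAS fills this with 16 fresh random bytes per request.
    authenticator = bytes(range(16))
    hidden = hide_password("my_password", "shared-secret", authenticator)
    same = reveal_password(hidden, "shared-secret", authenticator)   # matching secret
    wrong = reveal_password(hidden, "other-secret", authenticator)   # mismatched secret
    return same, has_unprintable(same), has_unprintable(wrong)

if __name__ == "__main__":
    print(demo())
```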
09-09-2011 06:21 AM
Hello,
Ok problem solved.
I don't know why, but my Sup720-10G 12.2(33)SXH5 was sending the request through a Radius extended source port.
1097078: Sep 8 12:47:22: RADIUS(00000C82): Send Access-Request to X.X.X.X:1812 id 21645/118, len 81
And the server did not like it, thus rejecting the authentication.
Adding the hidden command in global config =>
"radius-server source-ports 1645-1646" resolved the situation.
The authentication is now OK.
Thanks anyway.
Kind regards.
Karim