AAA Authentication issue with IOS 15.X and Windows 2008 R2 NPS server

s-daly
Level 1

Hello:

I have a scenario where I'm using a Win2008 NPS server to authenticate all my network infrastructure devices. I'm already successfully using this service with many of my Cisco routers, switches (running IOS 12.x code) and ASAs (running 8.X). I'm trying to get AAA up with routers running IOS 15.x code, but it is not working. Here's the pertinent config on the router:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius
aaa accounting exec default
 action-type start-stop
 group radius
ip radius source-interface Loopback0
radius-server host 10.0.16.109 auth-port 1645 acct-port 1646
radius-server timeout 3
radius-server directed-request
radius-server key *hidden*

On the server side, the "Device Manufacturer" is set to "Cisco", and the vendor specific attribute "Cisco-AV-Pair" is set at "shell:priv-lvl=15".

Here's the debug output I get when sending a RADIUS authentication request:

Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361): ask "Password: "
Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361): send packet; GET_PASSWORD
Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361):Orig. component type = Exec
Feb  4 11:01:47 PST: RADIUS:  AAA Unsupported Attr: interface         [204] 6
Feb  4 11:01:47 PST: RADIUS:   74 74 79 33              [ tty3]
Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Feb  4 11:01:47 PST: RADIUS(00001361): Config NAS IP: 172.18.1.21
Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361): acct_session_id: 12558
Feb  4 11:01:47 PST: RADIUS(00001361): sending
Feb  4 11:01:47 PST: RADIUS(00001361): Send Access-Request to 10.0.16.109:1645 id 1645/9, len 83
Feb  4 11:01:47 PST: RADIUS:  authenticator 7A C3 C0 AB 73 76 35 4E - 61 EF 3A 4F CA 16 E0 2A
Feb  4 11:01:47 PST: RADIUS:  User-Name           [1]   7   "dalys"
Feb  4 11:01:47 PST: RADIUS:  Reply-Message       [18]  12
Feb  4 11:01:47 PST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Feb  4 11:01:47 PST: RADIUS:  User-Password       [2]   18  *
Feb  4 11:01:47 PST: RADIUS:  NAS-Port            [5]   6   389
Feb  4 11:01:47 PST: RADIUS:  NAS-Port-Id         [87]  8   "tty389"
Feb  4 11:01:47 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Feb  4 11:01:47 PST: RADIUS:  NAS-IP-Address      [4]   6   172.18.1.21
Feb  4 11:01:47 PST: RADIUS(00001361): Started 3 sec timeout
Feb  4 11:01:50 PST: RADIUS(00001361): Request timed out
Feb  4 11:01:50 PST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.16.109:1645,1646 is not responding.
Feb  4 11:01:50 PST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.16.109:1645,1646 is being marked alive.
Feb  4 11:01:50 PST: RADIUS: Retransmit to (10.0.16.109:1645,1646) for id 1645/9
Feb  4 11:01:50 PST: RADIUS(00001361): Started 3 sec timeout
Feb  4 11:01:53 PST: RADIUS(00001361): Request timed out
Feb  4 11:01:53 PST: RADIUS: Retransmit to (10.0.16.109:1645,1646) for id 1645/9
Feb  4 11:01:53 PST: RADIUS(00001361): Started 3 sec timeout
Feb  4 11:01:56 PST: RADIUS(00001361): Request timed out
Feb  4 11:01:56 PST: RADIUS: No response from (10.0.16.109:1645,1646) for id 1645/9
Feb  4 11:01:56 PST: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Feb  4 11:01:56 PST: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

It appears that the RADIUS server is not even responding, but the service is up, running, and accepting requests from other devices not running IOS 15.0, and the server is pingable from the Loopback address that the RADIUS request is coming from. There are no ACLs or firewalls in the network path, and yes, I'm using the correct ports (1645, 1646). I have several IOS routers running 15.x code, and none of them can authenticate with NPS at this time. Please advise on what I should do to correct this issue. Thanks.
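The debug above already contains the answer to "did the server see it?": the router sent the Access-Request, retransmitted twice, and never received anything back, so the problem sits before credential checking. The following is an added example, not code from the thread, that parses IOS `debug radius` output into one record per Access-Request and states that conclusion mechanically; SAMPLE_DEBUG is constructed from the lines quoted in the post, and the `Received from id` pattern is assumed from other IOS debugs (it does not occur in this post's output).

```python
"""Parse Cisco IOS `debug radius` output into one record per Access-Request and
explain an authentication failure from it. Added example, not from the thread;
SAMPLE_DEBUG is constructed from the lines quoted in the post above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RE_NAS_IP = re.compile(r"RADIUS\((\w+)\): Config NAS IP: ([\d.]+)")
RE_SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to ([\d.]+):(\d+) id (\S+), len (\d+)")
RE_ATTR = re.compile(r"RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s*(.*)$")
RE_RETX = re.compile(r"RADIUS: Retransmit to \([\d.]+:\d+,\d+\) for id (\S+)")
RE_NORESP = re.compile(r"RADIUS: No response from \([\d.]+:\d+,\d+\) for id (\S+)")
# Assumed reply-line format from other IOS debugs; not present in the post's output.
RE_RECV = re.compile(r"RADIUS: Received from id (\S+) [\d.]+:\d+, (Access-\w+)")

# Constructed from the debug quoted in the post (hex-dump and timer lines omitted).
SAMPLE_DEBUG = """\
Feb  4 11:01:47 PST: RADIUS/ENCODE(00001361): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Feb  4 11:01:47 PST: RADIUS(00001361): Config NAS IP: 172.18.1.21
Feb  4 11:01:47 PST: RADIUS(00001361): Send Access-Request to 10.0.16.109:1645 id 1645/9, len 83
Feb  4 11:01:47 PST: RADIUS:  authenticator 7A C3 C0 AB 73 76 35 4E - 61 EF 3A 4F CA 16 E0 2A
Feb  4 11:01:47 PST: RADIUS:  User-Name           [1]   7   "dalys"
Feb  4 11:01:47 PST: RADIUS:  User-Password       [2]   18  *
Feb  4 11:01:47 PST: RADIUS:  NAS-Port            [5]   6   389
Feb  4 11:01:47 PST: RADIUS:  NAS-Port-Id         [87]  8   "tty389"
Feb  4 11:01:47 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Feb  4 11:01:47 PST: RADIUS:  NAS-IP-Address      [4]   6   172.18.1.21
Feb  4 11:01:47 PST: RADIUS(00001361): Started 3 sec timeout
Feb  4 11:01:50 PST: RADIUS(00001361): Request timed out
Feb  4 11:01:50 PST: RADIUS: Retransmit to (10.0.16.109:1645,1646) for id 1645/9
Feb  4 11:01:53 PST: RADIUS: Retransmit to (10.0.16.109:1645,1646) for id 1645/9
Feb  4 11:01:56 PST: RADIUS: No response from (10.0.16.109:1645,1646) for id 1645/9
"""


@dataclass
class RadiusRequest:
    session: str
    server: str
    port: int
    packet_id: str
    length: int
    nas_ip: Optional[str] = None              # "Config NAS IP" logged just before the send
    attrs: Dict[str, str] = field(default_factory=dict)
    retransmits: int = 0
    outcome: str = "pending"                  # "no-response", "Access-Accept", "Access-Reject"


def parse_debug(text: str) -> List[RadiusRequest]:
    requests: List[RadiusRequest] = []
    by_id: Dict[str, RadiusRequest] = {}
    nas_ip: Dict[str, str] = {}               # AAA session id -> Config NAS IP
    current: Optional[RadiusRequest] = None
    for line in text.splitlines():
        if m := RE_NAS_IP.search(line):
            nas_ip[m.group(1)] = m.group(2)
        elif m := RE_SEND.search(line):
            current = RadiusRequest(m.group(1), m.group(2), int(m.group(3)), m.group(4),
                                    int(m.group(5)), nas_ip.get(m.group(1)))
            requests.append(current)
            by_id[current.packet_id] = current
        elif (m := RE_ATTR.search(line)) and current and current.outcome == "pending":
            # Attribute lines follow the send line; squeeze the column padding, drop quotes.
            current.attrs[m.group(1)] = " ".join(m.group(3).split()).strip('"')
        elif m := RE_RETX.search(line):
            if req := by_id.get(m.group(1)):
                req.retransmits += 1
        elif m := RE_NORESP.search(line):
            if req := by_id.get(m.group(1)):
                req.outcome = "no-response"
        elif m := RE_RECV.search(line):
            if req := by_id.get(m.group(1)):
                req.outcome = m.group(2)
    return requests


def diagnose(req: RadiusRequest) -> List[str]:
    """Turn one request record into the checks a practitioner would do next."""
    findings: List[str] = []
    src = req.nas_ip or req.attrs.get("NAS-IP-Address", "?")
    if req.outcome == "no-response":
        findings.append(
            f"{req.server}:{req.port} never answered id {req.packet_id} (sent once, retransmitted "
            f"{req.retransmits}x): the request left the router and nothing came back, so the failure "
            f"is before credential checking. NPS silently discards packets from an address that is not "
            f"a configured RADIUS client; the router sources from {src} (ip radius source-interface), "
            f"so the NPS client entry must be that address. Recheck the shared secret there too and "
            f"confirm arrival with a capture on the NPS host.")
    elif req.outcome == "Access-Reject":
        findings.append(f"{req.server} answered Access-Reject: the client entry is fine; "
                        "check the credential and the NPS network policy conditions.")
    if "Service-Type" not in req.attrs:
        findings.append("no Service-Type (attribute 6) in the request, so an NPS policy that matches "
                        "on Service-Type cannot fire; 'radius-server attribute 6 on-for-login-auth' adds it.")
    return findings


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(r.packet_id, r.outcome, r.attrs)
        print("\n".join(diagnose(r)))
```

Feed it the real debug (`terminal monitor` plus `debug radius`) rather than the sample; it tolerates the blank lines the forum inserted. The second finding is a policy-matching caveat, not the cause of this thread's timeout.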

2 Replies

amusil
Level 1

I was having the same problem and I upgraded my IOS to the latest version "c3900-universalk9-mz.SPA.153-1.T.bin" and that fixed my problem.

Jatin Katyal
Cisco Employee

I'm sure you must have the RADIUS client configured with the loopback IP on the NPS server?

I've also seen issues with 15.0/15.1 and RADIUS authentication. If you want to troubleshoot further, then put a capture on the NPS and check the RADIUS traffic.

Regards,

Jatin Katyal

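A capture on the NPS host only helps if you can read what arrives and what goes back. The block below is an added example, not code from either reply: an RFC 2865 Access-Request encoder and packet decoder in Python, including the User-Password hiding and the Response Authenticator check, so a request can be replayed from a host beside NPS with the same shared secret (to separate a router-side problem from a server-side one) and a captured reply can be verified against that secret. The shared secret, user name, addresses and the Cisco-AVPair value are made up for the demonstration.

```python
"""Encode and decode RFC 2865 RADIUS packets so that a capture taken on the NPS
host can be checked by hand. Added example, not code from the thread; the
shared secret, user name and addresses used are constructed for the demo."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, VENDOR_SPECIFIC, NAS_PORT_TYPE = 1, 2, 4, 5, 26, 61
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # Cisco-AVPair is vendor 9, vendor-type 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")                # strips padding; NUL-terminated passwords unsupported


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def cisco_avpair(value: str) -> bytes:
    """Payload of a Vendor-Specific (26) attribute carrying one Cisco-AVPair."""
    v = value.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(v)]) + v


def build_access_request(ident: int, secret: bytes, username: str, password: str, nas_ip: str,
                         nas_port: int, authenticator: Optional[bytes] = None) -> bytes:
    auth = authenticator or os.urandom(16)    # Request Authenticator: 16 random octets
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (NAS_PORT_TYPE, struct.pack("!I", 5)),          # 5 = Virtual, as in the router debug
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def build_response(code: int, request: bytes, secret: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse_packet(data: bytes) -> Dict:
    """Decode header and TLV attributes, rejecting malformed lengths instead of over-reading."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or data[off + 1] < 2 or off + data[off + 1] > length:
            raise ValueError("bad attribute length")
        t, l = data[off], data[off + 1]
        attrs.append((t, data[off + 2:off + l]))
        off += l
    return {"code": code, "id": ident, "length": length, "authenticator": data[4:20], "attrs": attrs}


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the responder used the same shared secret as the requester."""
    p = parse_packet(response)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:p["length"]] + secret).digest()
    return hmac.compare_digest(expected, p["authenticator"])


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    req = build_access_request(9, secret, "dalys", "demo-password", "172.18.1.21", 389)
    print(req.hex())                          # e.g. to send with socket.sendto((nps_ip, 1645))
    acc = build_response(ACCESS_ACCEPT, req, secret, [(VENDOR_SPECIFIC, cisco_avpair("shell:priv-lvl=15"))])
    print(verify_response(acc, req, secret), parse_packet(acc)["attrs"])
```

To use it against a live server, `sendto` the request bytes to the NPS address on UDP 1645 from the host you want to test and run the reply through `verify_response` with the request and the secret you configured on NPS: a verified Access-Accept or Access-Reject proves the client entry and secret; no reply at all points at the NPS client list, exactly the symptom in the original post. Note that this is PAP, so the MD5-hidden password is reversible by anyone holding the shared secret; keep test runs on a management network.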