08-21-2016 06:59 AM
Hi guys,
I have a virtual lab in GNS3.
I have a router c3660 (with nm16) that is connected to an ISE server.
On the ISE I set up this SW1 and a user named "bob"; I also set up the RADIUS shared key.
On the SW1 I have the configuration as follows:
SW1#
SW1#s
*Mar 1 02:33:29.755: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh run
Building configuration...
Current configuration : 1694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$12JI$qm2BtuiKQPZqeAPsklUVt1
!
aaa new-model
!
!
aaa group server radius ISE-group
server 192.168.1.117 auth-port 1812 acct-port 1813
!
aaa authentication login default enable
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip device tracking
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
ip address 192.168.1.121 255.255.255.0
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
radius-server host 192.168.1.117 auth-port 1812 acct-port 1813 key Nugget!23
radius-server key Nugget!23
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end
When I tried to test the authentication using the "test aaa" command, it failed:
SW1#test aaa group radius bob Nugget!23 legacy
Attempting authentication test to server-group radius using radius
No authoritative response from any server.
SW1#
*Mar 1 02:37:56.127: RADIUS: Pick NAS IP for u=0x64CD243C tableid=0 cfg_addr=0.0.0.0
*Mar 1 02:37:56.127: RADIUS: ustruct sharecount=1
*Mar 1 02:37:56.127: Radius: radius_port_info() success=0 radius_nas_port=1
*Mar 1 02:37:56.131: RADIUS/ENCODE: Best Local IP-Address 192.168.1.121 for Radius-Server 192.168.1.117
*Mar 1 02:37:56.135: RADIUS(00000000): Send Access-Request to 192.168.1.117:1812 id 1645/27, len 55
*Mar 1 02:37:56.135: RADIUS: authenticator F4 23 BB F9 D3 5F 9C 8D - F4 FF 63 E8 50 6D 69 66
*Mar 1 02:37:56.135: RADIUS: NAS-IP-Address [4] 6 192.168.1.121
*Mar 1 02:37:56.139: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Mar 1 02:37:56.139: RADIUS: User-Name [1] 5 "bob"
*Mar 1 02:37:56.139: RADIUS: User-Password [2] 18 *
*Mar 1 02:37:56.171: RADIUS: Received from id 1645/27 192.168.1.117:1812, Access-Reject, len 20
*Mar 1 02:37:56.171: RADIUS: authenticator 3C 3C BB 2D 98 D3 6F 6E - DD B3 AE 95 18 E1 C7 E9
*Mar 1 02:37:56.175: RADIUS: response-authenticator decrypt fail, pak len 20
*Mar 1 02:37:56.175: RADIUS: packet dump: 031B00143C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar 1 02:37:56.179: RADIUS: expected digest: A597ABE742677AC385AF522A846A50A3
*Mar 1 02:37:56.179: RADIUS: response authen: 3C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar 1 02:37:56.179: RADIUS: request authen: F423BBF9D35F9C8DF4FF63E8506D6966
*Mar 1 02:37:56.179: RADIUS: Response (27) failed decrypt
*Mar 1 02:37:56.179: RADIUS(00000000): Reply for 1645/27 fails decrypt
What did I miss? Why doesn't it work?
08-22-2016 11:31 AM
I would double-check the pre-shared key. What does the ISE live log show?
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
08-22-2016 02:06 PM
'RADIUS: response-authenticator decrypt fail' happens when there is a mismatch in the shared secret. Ensure that the key configured on the router matches that in the ISE 'Network Device' configuration.
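The check the router is performing in that debug is the RFC 2865 Response Authenticator: MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret, compared against the 16 bytes carried in the reply. The script below is an added example, not part of this thread or of any Cisco tool; it rebuilds that computation, round-trips a constructed Access-Reject, and then runs the same check against the packet dump and request authenticator copied from the debug above, with the key from the post ("Nugget!23").

```python
import hashlib
import hmac
import os

# RFC 2865 section 3: ResponseAuth =
#   MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    length = 20 + len(attrs)                      # 20-byte header + attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build a RADIUS reply (e.g. Access-Reject, code 3) the way a server would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    length = 20 + len(attrs)
    return bytes([code, ident]) + length.to_bytes(2, "big") + auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check that produced 'response-authenticator decrypt fail'."""
    if len(packet) < 20:
        return False
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):                     # Length field must match the datagram
        return False
    received = packet[4:20]                       # authenticator sent by the server
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)  # constant-time compare

# Values copied from the debug output in the post (request authenticator and
# the 20-byte Access-Reject: code 03, id 0x1B = 27, length 0x0014 = 20).
REQUEST_AUTH = bytes.fromhex("F423BBF9D35F9C8DF4FF63E8506D6966")
ACCESS_REJECT = bytes.fromhex("031B00143C3CBB2D98D36F6EDDB3AE9518E1C7E9")
SECRET = b"Nugget!23"                             # key configured on SW1 in the post

def check_captured(secret: bytes = SECRET) -> bool:
    """Re-run the router's check on the captured reply with a given secret."""
    return verify_response(ACCESS_REJECT, REQUEST_AUTH, secret)

if __name__ == "__main__":
    req_auth = os.urandom(16)                     # constructed request authenticator
    reject = build_response(3, 27, b"", req_auth, b"123456")
    print("same secret verifies:", verify_response(reject, req_auth, b"123456"))
    print("other secret verifies:", verify_response(reject, req_auth, SECRET))
    print("captured reply verifies with Nugget!23:", check_captured())
```

If the captured reply does not verify with the key you believe both sides hold, the two ends are not using the same bytes as the secret, which is exactly what the ISE step "22040 Wrong password or invalid shared secret" reports from the other direction.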
08-23-2016 12:15 PM
Here is my screenshot.. as you can see it is the same shared secret.
In the live log I get:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15006 Matched Default Rule
22040 Wrong password or invalid shared secret
22002 Authentication complete
11003 Returned RADIUS Access-Reject
08-23-2016 05:40 PM
Please remove any special characters, such as exclamation sign, and try again.
I've logged it as a bug -- CSCvb02752. Thank you for reporting it.
08-23-2016 08:32 PM
It works!! You were right! I set up the key to 123456 and it works!
Where can I find a reference for this bug?
I searched at https://bst.cloudapps.cisco.com/bugsearch/ for CSCvb02752.. but I can't find it...
08-23-2016 09:05 PM
As I only opened it tonight, it will take a couple of days for it to become externally viewable. Please try it later this week. However, there is not much more info in it, as you already know the workaround.