
08-21-2016 06:59 AM
Hi guys,
I have a virtual lab in GNS3.
I have a router c3660 (with nm16) that is connected to an ISE server.
I set up this SW1 on the ISE and a user named "bob"; I also set up the RADIUS shared key.
On SW1 I have the configuration as follows:
SW1#
SW1#s
*Mar 1 02:33:29.755: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh run
Building configuration...
Current configuration : 1694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$12JI$qm2BtuiKQPZqeAPsklUVt1
!
aaa new-model
!
!
aaa group server radius ISE-group
server 192.168.1.117 auth-port 1812 acct-port 1813
!
aaa authentication login default enable
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip device tracking
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
ip address 192.168.1.121 255.255.255.0
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
radius-server host 192.168.1.117 auth-port 1812 acct-port 1813 key Nugget!23
radius-server key Nugget!23
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end
When I tried to test the authentication using the "test aaa" command, it failed:
SW1#test aaa group radius bob Nugget!23 legacy
Attempting authentication test to server-group radius using radius
No authoritative response from any server.
SW1#
*Mar 1 02:37:56.127: RADIUS: Pick NAS IP for u=0x64CD243C tableid=0 cfg_addr=0.0.0.0
*Mar 1 02:37:56.127: RADIUS: ustruct sharecount=1
*Mar 1 02:37:56.127: Radius: radius_port_info() success=0 radius_nas_port=1
*Mar 1 02:37:56.131: RADIUS/ENCODE: Best Local IP-Address 192.168.1.121 for Radius-Server 192.168.1.117
*Mar 1 02:37:56.135: RADIUS(00000000): Send Access-Request to 192.168.1.117:1812 id 1645/27, len 55
*Mar 1 02:37:56.135: RADIUS: authenticator F4 23 BB F9 D3 5F 9C 8D - F4 FF 63 E8 50 6D 69 66
*Mar 1 02:37:56.135: RADIUS: NAS-IP-Address [4] 6 192.168.1.121
*Mar 1 02:37:56.139: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Mar 1 02:37:56.139: RADIUS: User-Name [1] 5 "bob"
*Mar 1 02:37:56.139: RADIUS: User-Password [2] 18 *
*Mar 1 02:37:56.171: RADIUS: Received from id 1645/27 192.168.1.117:1812, Access-Reject, len 20
*Mar 1 02:37:56.171: RADIUS: authenticator 3C 3C BB 2D 98 D3 6F 6E - DD B3 AE 95 18 E1 C7 E9
*Mar 1 02:37:56.175: RADIUS: response-authenticator decrypt fail, pak len 20
*Mar 1 02:37:56.175: RADIUS: packet dump: 031B00143C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar 1 02:37:56.179: RADIUS: expected digest: A597ABE742677AC385AF522A846A50A3
*Mar 1 02:37:56.179: RADIUS: response authen: 3C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar 1 02:37:56.179: RADIUS: request authen: F423BBF9D35F9C8DF4FF63E8506D6966
*Mar 1 02:37:56.179: RADIUS: Response (27) failed decrypt
*Mar 1 02:37:56.179: RADIUS(00000000): Reply for 1645/27 fails decrypt
What did I miss? Why doesn't it work?
Labels: Identity Services Engine (ISE)
Accepted Solutions
08-23-2016 05:40 PM
Please remove any special characters, such as the exclamation mark, and try again.
I've logged it as a bug -- CSCvb02752. Thank you for reporting it.

08-22-2016 11:31 AM
I would double-check the pre-shared key. What does the ISE live log show?
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
08-22-2016 02:06 PM
'RADIUS: response-authenticator decrypt fail' happens when there is a mismatch in the shared secret. Ensure that the key configured on the router matches the one in the ISE 'Network Device' configuration.
08-23-2016 12:15 PM
Here is my screenshot. As you can see, it is the same shared secret.
In the live log I get:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Normalised Radius.RadiusFlowType
15006 Matched Default Rule
22040 Wrong password or invalid shared secret
22002 Authentication complete
11003 Returned RADIUS Access-Reject
08-23-2016 08:32 PM
It works!! You were right! I set the key to 123456 and it works!
Where can I find a reference for this bug?
I searched at https://bst.cloudapps.cisco.com/bugsearch/ for CSCvb02752, but I can't find it...
08-23-2016 09:05 PM
As I only opened it tonight, it will take a couple of days for it to become externally viewable. Please try again later this week. However, there is not much more info in it, as you already know the workaround.
