Help with RADIUS on VFR 6509, can't authenticate

jwkersey
Level 1

Similar configurations work on all other simpler Cisco switches that use this switch as a default gateway. I am using a Microsoft Server 2008 Network Policy Server. It looks like the final packet from the RADIUS server is not getting back to the switch.


radius_trouble_shooting_6509_vfr

version 12.2
!
boot system flash sup-bootflash:s72033-adventerprisek9-mz.122-33.SXH8b.bin

aaa group server radius GRP_SRV_RADIUS
 server 10.3.23.105 auth-port 1645 acct-port 1646
 ip vrf forwarding VRFCOR
 ip radius source-interface Vlan1

---**** TACACS working setup below to show similarity ****---
aaa group server tacacs+ GRP_TAC_SRVRS
 server 10.3.24.129
 ip vrf forwarding VRFCOR
 ip radius source-interface Vlan1

aaa authentication login ML_AU_LOGIN group GRP_SRV_RADIUS local

---**** TACACS working setup below to show similarity ****---
aaa authentication login ML_AU_LOGIN group GRP_TAC_SRVRS local

radius-server host 10.3.23.105 auth-port 1645 acct-port 1646
radius-server directed-request
radius-server key 7 omitted

no ip route static inter-vrf
ip route vrf VRFCOR 0.0.0.0 0.0.0.0 10.3.1.32
ip route vrf VRFCOR 10.3.16.0 255.255.240.0 10.3.31.2 2
ip route vrf VRFCOR 10.3.32.0 255.255.240.0 10.3.47.2 2
ip route vrf VRFCOR 10.3.48.0 255.255.240.0 10.3.63.2 2
ip route vrf VRFCOR 10.3.64.0 255.255.240.0 10.3.79.2 2
ip route vrf VRFCOR 10.3.91.0 255.255.255.0 10.3.79.2
ip route vrf VRFCOR 10.3.92.0 255.255.255.0 10.3.79.2
ip route vrf VRFCOR 10.3.112.0 255.255.240.0 10.3.127.2
ip route vrf VRFCOR 10.4.0.0 255.255.0.0 10.3.2.2 200

line vty 0 4
 session-timeout 20
 access-class 99 in vrf-also
 exec-timeout 30 0
 authorization exec ML_AZ_EXEC
 login authentication ML_AU_LOGIN
 transport preferred none
 transport input all
 transport output ssh

interface Vlan1
 description MGTNETD Vlan (Management)
 ip vrf forwarding VRFCOR
 ip address 10.3.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 
RADIUS logs. What does the line below mean? "RADIUS:  AAA Unsupported     [162] 4" ???


5003607: Jun 10 11:09:04.006 PST: RADIUS/ENCODE(00000B9E): ask "Password: "
5003608: Jun 10 11:09:04.006 PST: RADIUS/ENCODE(00000B9E): send packet; GET_PASSWORD
5003609: Jun 10 11:09:04.010 PST: RADIUS:  AAA Unsupported     [162] 4   
5003610: Jun 10 11:09:04.010 PST: RADIUS:   74 74                                            [tt]
5003611: Jun 10 11:09:04.010 PST: RADIUS(00000B9E): Storing nasport 2 in rad_db
5003612: Jun 10 11:09:04.010 PST: RADIUS/ENCODE(00000B9E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
5003613: Jun 10 11:09:04.010 PST: RADIUS(00000B9E): Config NAS IP: 10.3.1.1
5003614: Jun 10 11:09:04.010 PST: RADIUS/ENCODE(00000B9E): acct_session_id: 12262
5003615: Jun 10 11:09:04.010 PST: RADIUS(00000B9E): sending
5003616: Jun 10 11:09:04.010 PST: RADIUS(00000B9E): Send Access-Request to 10.3.27.14:1814 id 21645/46, len 90
5003617: Jun 10 11:09:04.010 PST: RADIUS:  authenticator 14 D4 F1 EA A5 AB 80 15 - 8B 2C 25 E8 5E 12 C3 25
5003618: Jun 10 11:09:04.010 PST: RADIUS:  User-Name           [1]   9   "jakejohnson"
5003619: Jun 10 11:09:04.010 PST: RADIUS:  Reply-Message       [18]  12  
5003620: Jun 10 11:09:04.010 PST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20                    [Password: ]
5003621: Jun 10 11:09:04.010 PST: RADIUS:  User-Password       [2]   18  *
5003622: Jun 10 11:09:04.010 PST: RADIUS:  NAS-Port            [5]   6   2                         
5003623: Jun 10 11:09:04.010 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
5003624: Jun 10 11:09:04.010 PST: RADIUS:  Calling-Station-Id  [31]  13  "10.3.23.105"
5003625: Jun 10 11:09:04.010 PST: RADIUS:  NAS-IP-Address      [4]   6   10.3.1.1                  
5003632: Jun 10 11:10:35.057 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003633: Jun 10 11:10:40.497 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003634: Jun 10 11:10:46.193 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003635: Jun 10 11:10:51.889 PST: RADIUS: No response from (10.3.23.105:1645,1646) for id 21645/46
5003636: Jun 10 11:10:51.889 PST: RADIUS/DECODE: parse response no app start; FAIL
5003637: Jun 10 11:10:51.889 PST: RADIUS/DECODE: parse response; FAIL
5003638: Jun 10 11:10:53.889 PST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jakejohnson] [Source: 10.3.23.105] [localport: 22] [Reason: Login Authentication Failed] at 11:10:53 PST Fri Jun 10 2016



Below: the Microsoft RADIUS server 2008 (Network Policy Server) receives the traffic and responds with success, but the response never gets back to the VRF switch.

Network Policy Server granted access to the user. The reply does not get back to the switch; it works fine on every other switch, so there is nothing odd about the RADIUS server.

User:
    Security ID:            CORP\jakejohnson
    Account Name:            jakejohnson
    Account Domain:            CORP
    Fully Qualified Account Name:    corp.unicorn.com/KTMD - CORP Users & Groups/Users/Systems/jakejohnson

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        -
    Calling Station Identifier:        10.3.23.105

NAS:
    NAS IPv4 Address:        10.3.1.1
    NAS IPv6 Address:        -
    NAS Identifier:            -
    NAS Port-Type:            Virtual
    NAS Port:            2

RADIUS Client:
    Client Friendly Name:        pdx-s-cor
    Client IP Address:            10.3.1.1

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for all users
    Network Policy Name:        cisco-radius
    Authentication Provider:        Windows
    Authentication Server:        PDXOPSMGR01.corp.unicorn.com
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.

Quarantine Information:
    Result:                Full Access
    Session Identifier:            -
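As an added example (not part of the original post), the script below groups the "debug radius" lines quoted above by request id and reports two things a defender wants from them: whether the NAS simply timed out waiting for a reply, and which server addresses appear for the same id. The sample lines are copied from the post; nothing else on the page is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the 'debug radius' lines quoted in the post above.
SAMPLE_LOG = """\
5003616: Jun 10 11:09:04.010 PST: RADIUS(00000B9E): Send Access-Request to 10.3.27.14:1814 id 21645/46, len 90
5003632: Jun 10 11:10:35.057 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003633: Jun 10 11:10:40.497 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003634: Jun 10 11:10:46.193 PST: RADIUS: Retransmit to (10.3.23.105:1645,1646) for id 21645/46
5003635: Jun 10 11:10:51.889 PST: RADIUS: No response from (10.3.23.105:1645,1646) for id 21645/46
"""

# Patterns follow the line shapes seen in the post; "id" is the IOS request id (e.g. 21645/46).
SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+),")
RETRANS_RE = re.compile(r"Retransmit to \(([^,]+),\d+\) for id (\S+)")
NORESP_RE = re.compile(r"No response from \(([^,]+),\d+\) for id (\S+)")


def summarize(log_text):
    """Group debug lines by request id and record where each request was sent."""
    reqs = defaultdict(lambda: {"sent_to": None, "retransmits": 0,
                                "servers": set(), "no_response": False})
    for line in log_text.splitlines():
        if m := SEND_RE.search(line):
            reqs[m.group(2)]["sent_to"] = m.group(1)
            reqs[m.group(2)]["servers"].add(m.group(1).split(":")[0])
        elif m := RETRANS_RE.search(line):
            reqs[m.group(2)]["retransmits"] += 1
            reqs[m.group(2)]["servers"].add(m.group(1).split(":")[0])
        elif m := NORESP_RE.search(line):
            reqs[m.group(2)]["no_response"] = True
    return dict(reqs)


def diagnose(summary):
    """Return {request_id: [finding, ...]} for requests that never got an answer."""
    findings = {}
    for rid, r in summary.items():
        notes = []
        if r["no_response"]:
            # The NAS gave up: the reply never arrived, so the return path (VRF,
            # source-interface, filtering) is the thing to check, not the credentials.
            notes.append(f"timeout after {r['retransmits']} retransmits; no reply reached the NAS")
        if len(r["servers"]) > 1:
            notes.append("more than one server address logged for this id: "
                         + ", ".join(sorted(r["servers"])))
        if notes:
            findings[rid] = notes
    return findings


if __name__ == "__main__":
    for rid, notes in diagnose(summarize(SAMPLE_LOG)).items():
        print(rid, "->", "; ".join(notes))
```

Feed it a longer capture and any id that ends in "No response" is a delivery problem between server and NAS, which is exactly what the NPS event below (access granted) combined with the login failure on the switch points to.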

4 Replies

Philip D'Ath
VIP Alumni

What supervisor engine do you have in the 6509, and what software version are you running?

Smells like a bug to me.

Supervisor Engine:

VS-S720-10G   Hw : 4.1
              Fw : 8.5(4)
              Sw : 12.2(33)SXH8b
              Sw1: 8.7(0.22)BUB84

I think I would be tempted to go to a gold star release, such as 12.2.33-SRE12 or 15.3.3S6.  I note that the release you are running, 12.2(33)SXH8b, is no longer available for download - which is never a good sign.

https://software.cisco.com/download/release.html?mdfid=281939433&softwareid=280805680&release=15.3.3S6&relind=AVAILABLE&rellifecycle=MD&reltype=latest

This is a great suggestion, I will pursue this. Probably 12.2.33-SRE12 will be more likely just to keep changes as simple as possible.

Thanks so much!