04-29-2024 12:37 PM - edited 04-29-2024 12:42 PM
Hi guys,
I have a bit of an issue. I've got two routers on my bench that I'm building models on for a FlexVPN deployment for a couple of customers. Some customers are still running 2900s and others are running 4000s; we are in the process of replacing these older machines, however for the time being I need to add a FlexVPN to each platform. I have used the attached guide in each case; the guide indicates a minimum IOS of 15.2.
I have the same config in a 2951 and a 4451; the 4451 (isr4400-universalk9.16.09.06.SPA.bin) works as expected. It authenticates to the Active Directory server, connects and can route to the remote network. The 2951 (c2951-universalk9-mz.SPA.155-3.M7.bin) however will not authenticate; I never get past the logon screen.
Both routers are authenticating to the same Active Directory server; each router is listed as a separate RADIUS client in NPS and each has its own network policy. Each has the same settings. I have attempted to run test aaa group... but the login is always rejected.
The AAA config for both routers is identical:
From the 4451:
aaa new-model
!
!
aaa group server radius flex_group
server-private 10.244.0.41 key ***********
!
aaa authentication login default local
aaa authentication login flex_list group flex_group
aaa authorization exec default local
aaa authorization network flex_list local
!
!
!
!
!
!
aaa session-id common
From the 2951:
aaa new-model
!
!
aaa group server radius flex_group
server name talic
!
aaa authentication login default local
aaa authentication login flex_list group flex_group
aaa authorization exec default local
aaa authorization network flex_list local
!
!
!
!
!
!
aaa session-id common
!
radius server talic
address ipv4 10.244.0.41 auth-port 1645 acct-port 1646
key **********
I'm sure there is something simple that I'm missing; maybe an IOS upgrade on the 2951 would solve it. I would rather not do that if I don't have to; two customers are running CME.
Regards,
Sam
04-29-2024 02:59 PM
I would suggest running a packet capture on the NPS and compare the RADIUS Access-Request of the working device, versus the not working device. NPS runs Windows, so Wireshark (if possible) on that Windows server would be ideal.
Perhaps the RADIUS Access-Request packet of the non-working device is malformed due to a bug or some default that is missing in that version of IOS. You might be able to run a packet capture on the IOS device, or use some variant of 'debug radius' to see the packet that it spits out.
In your posting, I don't see the flex configuration that the aaa method list refers to - I assume it's configured. However, that should not prevent the "test aaa" command from working. If the test aaa results in an 'Access-Reject', and IF you got a response from NPS, then the NPS logs must surely give a clue why it rejected the request. However, I have also seen IOS print the "User rejected" message when there was no response from the RADIUS request. It's important to validate that Request/Response in packet form.
04-29-2024 11:43 PM - edited 04-29-2024 11:44 PM
Thanks Arne,
The Flex config is present in both routers with identical configs.
Cheers,
Sam
05-01-2024 01:47 PM
Have you compared the RADIUS Access-Request details of working and non-working scenario? I would do that next.
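The comparison Arne recommends in both replies, carried out in code as an added example (this is not code from either poster or from Cisco): a small RFC 2865 parser that reads the RADIUS header and attribute TLVs from two captured Access-Request packets and reports which attributes are missing, extra, or carry different values. The two packets, their addresses and the differences between them are constructed samples, not captures from Sam's 2951 or 4451.

```python
import struct

# Subset of standard RADIUS attribute names (RFC 2865 / RFC 2869) for readable output.
RADIUS_ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
                     6: "Service-Type", 32: "NAS-Identifier", 61: "NAS-Port-Type",
                     80: "Message-Authenticator"}

def parse_radius(packet: bytes) -> dict:
    """Parse one RADIUS packet: 20-byte header followed by type/length/value attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field is inconsistent with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def build_access_request(ident: int, attrs: list) -> bytes:
    """Build a constructed Access-Request (code 1) for testing; authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def compare_requests(working: bytes, failing: bytes) -> dict:
    """Diff the attribute sets of a working and a failing Access-Request."""
    g, b = parse_radius(working)["attrs"], parse_radius(failing)["attrs"]
    name = lambda t: RADIUS_ATTR_NAMES.get(t, f"Attr-{t}")
    return {
        "missing_in_failing": sorted(name(t) for t in g.keys() - b.keys()),
        "extra_in_failing": sorted(name(t) for t in b.keys() - g.keys()),
        "different_value": sorted(name(t) for t in g.keys() & b.keys() if g[t] != b[t]),
    }

# Constructed sample packets (documentation addresses, zeroed password/authenticator fields).
WORKING = build_access_request(7, [
    (1, b"sam"), (2, bytes(16)), (4, bytes([192, 0, 2, 1])),
    (6, struct.pack("!I", 1)), (61, struct.pack("!I", 5)), (80, bytes(16))])
FAILING = build_access_request(7, [
    (1, b"sam"), (2, bytes(16)), (4, bytes([192, 0, 2, 2])), (6, struct.pack("!I", 1))])

if __name__ == "__main__":
    print(compare_requests(WORKING, FAILING))
```

In practice the two byte strings would come from the UDP payloads of the Access-Requests captured on the NPS server (for example exported from Wireshark), one from each router.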