NPS: Device admin Authentication failing for ASR1006 router

Sanjoy4231
Level 1

We are trying to log in to the ASR 1006 router via NPS server authentication.

But we are getting "User rejected" when we ran the test aaa command from the router.

 

From NPS server we are getting :

Reason:
The user's authentication attempts have exceeded the maximum allowed number of failed attempts specified by the account lockout threshold setting in Account Lockout Policy in Group Policy. To unlock the account, edit the user account properties.

 

Although the same creds are working for other network devices.

 

 

Config :

 

TPSODL_MPLS_RTR_1#sh run | sec radius
aaa authentication login default group radius local
radius server Radius-Server
address ipv4 10.10.13.15 auth-port 1812 acct-port 1813
key 7 14552F5B1E3918380C781F3E753E423A2D3A14790C5C16
TPSODL_MPLS_RTR_1#
TPSODL_MPLS_RTR_1#
TPSODL_MPLS_RTR_1#sh run | sec aaa
aaa new-model
aaa authentication login default group radius local
aaa session-id common
TPSODL_MPLS_RTR_1#
TPSODL_MPLS_RTR_1#sh run | sec vty
line vty 0 4
transport input ssh
transport output ssh
line vty 5 15
transport input ssh
transport output ssh

 

Ran the aaa radius authentication & aaa authentication debugs and found the below:

 


In the debug logs it was seen that the RADIUS server is sending Access-Reject:

*May 19 17:38:32 IST: RADIUS(0000014F): Send Access-Request to 10.10.13.15:1812 id 1645/3, len 77
*May 19 17:38:32 IST: RADIUS(0000014F): Sending a IPv4 Radius Packet
*May 19 17:38:32 IST: RADIUS(0000014F): Started 5 sec timeout
*May 19 17:38:32 IST: RADIUS: Received from id 1645/3 10.10.13.15:1812, Access-Reject, len 20

 

We are also getting the below:

May 19 17:38:37 IST: RADIUS: response-authenticator decrypt fail, pak len 20

 

May 19 17:38:42.623: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.13.15:1812,1813 is not responding.
*May 19 17:38:42.623: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.13.15:1812,1813 is being marked alive


May 19 17:38:42 IST: RADIUS: expected digest: 2BFFFFFFE7FFFFFFCFFFFFFFF24200FFFFFFCEFFFFFFF2FFFFFFECFFFFFFCDFFFFFF95FFFFFF8DFFFFFF81FFFFFFF2FFFFFFC848
*May 19 17:38:42 IST: RADIUS: response authen: FFFFFFF005FFFFFFFF01FFFFFFAC48FFFFFF835BFFFFFFF348FFFFFFE0087C2303FFFFFFDD
*May 19 17:38:42 IST: RADIUS: request authen: C79225DDEC16484B256F66D5BF632BFC
*May 19 17:38:42 IST: RADIUS: Response (3) failed decrypt

 

> Did some research on it and found it was due to an incorrect secret key, or an invalid secret key between the NAD and the RADIUS server
> The secret key the customer is using: "]0r]RsH0Lk7M%LN["@4o"

 

Not sure whether the authentication is failing due to this key, or whether there is some other issue?

 

Any help would be appreciated!

 

Thanks

Sanjoy

1 Reply

Arne Bier
VIP

Hello @Sanjoy4231 

 

After you fixed the RADIUS shared secret issue (authenticator / decrypt issue), did anything improve after that, or is NPS still sending reject?

Without seeing your NPS Policies it would be hard to help. An IOS test aaa command will perform a PAP authentication to a RADIUS server, and therefore you must ensure that your RADIUS server is able to process PAP requests - this is the most basic username/password style of authentication. If NPS can authenticate the user/password you supplied in the test aaa command, then you will get Access-Accept back. Else, Access-Reject. And the reject reason is explained by the RADIUS server. If the shared secret is wrong then the RADIUS protocol cannot ensure the integrity of the user's password (even if the password was typed correctly and the user account is not locked out).

 

Let's return to the IOS config. 

I don't see a RADIUS group called 'radius' - so I think you should use the more generic config of

aaa authentication login default radius local

You may also want to add a few more aaa commands like this one, to authorize you to drop into the exec shell. Notice I didn't use any named AAA Group (I just used the global 'radius') - if you want to create an AAA Group for RADIUS then of course you can do that too.

 

aaa authorization exec default radius if-authenticated
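The two symptoms in this thread (the "Response (3) failed decrypt" debug on the router and the account-lockout reason on NPS) are both what a RADIUS shared-secret mismatch looks like, one on each side of the exchange. The following is an added example, not code from the original post, from Cisco IOS or from Microsoft NPS: a minimal RFC 2865 PAP round trip in Python with a stand-in server. It shows why a router with the wrong secret sends a User-Password the server decrypts to garbage (a failed logon that counts toward the lockout threshold), and why the router then rejects every reply because the Response Authenticator it recomputes does not match. The secrets, the username/password, the lockout threshold and the FakeNps class are all constructed for the demo.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of pap_encrypt; with the wrong secret this is garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, length, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the 'expected digest' the IOS debug compares with 'response authen'."""
    hdr = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def build_access_request(ident, req_auth, user, password, secret):
    attrs = attr(ATTR_USER_NAME, user)
    attrs += attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, req_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


class FakeNps:
    """Constructed stand-in for NPS plus AD: one secret, one user, a lockout threshold."""
    def __init__(self, secret, users, lockout_threshold=3):
        self.secret, self.users, self.threshold = secret, users, lockout_threshold
        self.failed, self.last_reason = {}, ""

    def handle(self, pkt: bytes) -> bytes:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
        user = attrs[ATTR_USER_NAME]
        password = pap_decrypt(attrs[ATTR_USER_PASSWORD], self.secret, req_auth)
        if self.failed.get(user, 0) >= self.threshold:
            self.last_reason = "account locked out"   # the NPS reason quoted in the post
        elif self.users.get(user) == password:
            self.failed[user], self.last_reason = 0, "ok"
            return build_response(ACCESS_ACCEPT, ident, req_auth, self.secret)
        else:
            self.failed[user] = self.failed.get(user, 0) + 1
            self.last_reason = "bad password"       # garbage from a wrong secret lands here
        return build_response(ACCESS_REJECT, ident, req_auth, self.secret)


def nad_verify_response(resp: bytes, req_auth: bytes, secret: bytes):
    """Router side: recompute the Response Authenticator before trusting a reply.
    A mismatch is the 'response-authenticator decrypt fail' debug, and IOS drops the packet."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, ident, length, req_auth, resp[20:length], secret)
    return expected == resp[4:20], code


def login_attempts(nad_secret: bytes, server_secret: bytes, attempts: int):
    """Replay test-aaa style PAP logins with the correct user password; returns
    (authenticator_ok, response_code, server_reason) per attempt."""
    nps = FakeNps(server_secret, {b"admin": b"Correct-Horse-9"})   # constructed user
    results = []
    for ident in range(attempts):
        req_auth = os.urandom(16)          # fresh Request Authenticator per packet
        req = build_access_request(ident, req_auth, b"admin", b"Correct-Horse-9", nad_secret)
        ok, code = nad_verify_response(nps.handle(req), req_auth, nad_secret)
        results.append((ok, code, nps.last_reason))
    return results
```

Call login_attempts with identical secrets on both sides and every attempt comes back (True, Access-Accept, "ok"). Give the router a different secret from the server and, even though the user typed the right password every time, the server sees three bad passwords and then a locked account, while the router fails the authenticator check on all four replies. That second pattern is the thread's debug output end to end: the router discards replies it cannot verify (hence the RADIUS_DEAD/RADIUS_ALIVE flapping with a 5 second timeout), and the server meanwhile burns through the lockout threshold. The secret must be byte-for-byte identical on both ends, so check it on the server after fixing the router, and only then read the NPS reject reason as a statement about the account.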