cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2126
Views
10
Helpful
3
Replies
Beginner

RADIUS authentication on NX-OS (6.2) using MS NPS

Hi guys,

I am having some hard time configuring RADIUS authentication on NX-OS using Microsoft's NPS. 

The error message I got on NPS server is this:

A RADIUS message was received from RADIUS client (10.10.10.2) with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.

On Nexus device I got that message logged:

2015 Aug  9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 172.16.88.166 failed to respond even after all retries
2015 Aug  9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
2015 Aug  9 07:52:00.234 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: packet from RADIUS server 172.16.88.166 fails verification: The shared secret is probably incorrect.

Albeit the reason for failure may look obvious, I am 100% sure that the shared secret is correct. I have also tried changing it about 5 times, but the result was the same...

This is what I got configured on NX

aaa authentication login default group radius 
aaa authentication login invalid-username-log 
aaa authentication login error-enable 
radius-server timeout 5
radius-server retransmit 1
radius-server deadtime 0
radius-server host 172.16.88.166 key 7 "xxxxxxxxxx" auth-port 1645 acct-port 1646 authentication  
aaa group server radius radius 
    server 172.16.88.166 
    deadtime 0
    use-vrf management
    source-interface mgmt0
ip radius source-interface mgmt0

 

Some more troubleshooting output

# show radius-server statistics 172.16.88.166
Server is not monitored
Authentication Statistics
        failed transactions: 4
        sucessfull transactions: 0
        requests sent: 4
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 4
        responses containing errors: 0

 

I have also configured the VSA for NX-OS on NPS server (shell:roles*"network-admin vdc-admin"), but I don't think it does even go to that stage (as it says the RADIUS server is failing, not the user/credentials). 

 

Any thoughts are more than welcome!

 

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Hello,It's indeed a issue

Hello,

It's indeed a issue with shared secret key. Try using a simple shared secret key (alphanumeric) and on Nexus while you configure shared secret key, use key 0 to instead of key 7 while entering the shared secret key.

Nexus OS automatically convert the plain text key to encrypted key (type 7).

Regards

Poonam Garg

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

Hello,It's indeed a issue

Hello,

It's indeed a issue with shared secret key. Try using a simple shared secret key (alphanumeric) and on Nexus while you configure shared secret key, use key 0 to instead of key 7 while entering the shared secret key.

Nexus OS automatically convert the plain text key to encrypted key (type 7).

Regards

Poonam Garg

View solution in original post

Highlighted
Beginner

It was indeed a shared secret

It was indeed a shared secret key which was playing it .... I was initially sceptic to your response, but decided to give it another go with something simpler - and it worked... strange, because this very key works on other 150+ devices.. :/

 

And I used key 0 while configured the host' key,it's just the parser showing it with key 7. BTW, key 7 looks much different from previous Key 7?

 

D

Highlighted
Beginner

Just for the record, a type 7

Just for the record, a type 7 password is NOT encrypted unless you consider an algorithm that was invented in 1553, broken by Charles Babbage 200 years ago, and to which their are a multitude of sites which allow you to input type-7 and get back cleartext "encryption" . Anyone with access to the type-7 radius secret is capable of decrypting the RADIUS packets and by default reading all usernames and passwords in cleartext..

 

If your NXOS and RADIUS server supports it use the MSCHAP encryption option. Note that MSCHAP is still crappy encryption (its strength is single DES) and for a few bucks cloudcracker.com will crack it with 100% success but it will not be crackable simply by viewing the packet in wireshark. .