RADIUS authentication on NX-OS (6.2) using MS NPS

danailpetrov
Level 1

Hi guys,

I am having a hard time configuring RADIUS authentication on NX-OS using Microsoft's NPS.

The error message I got on the NPS server is this:

A RADIUS message was received from RADIUS client (10.10.10.2) with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.

On the Nexus device I got this message logged:

2015 Aug  9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 172.16.88.166 failed to respond even after all retries
2015 Aug  9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
2015 Aug  9 07:52:00.234 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: packet from RADIUS server 172.16.88.166 fails verification: The shared secret is probably incorrect.

Albeit the reason for failure may look obvious, I am 100% sure that the shared secret is correct. I have also tried changing it about 5 times, but the result was the same...

This is what I have configured on the NX:

aaa authentication login default group radius 
aaa authentication login invalid-username-log 
aaa authentication login error-enable 
radius-server timeout 5
radius-server retransmit 1
radius-server deadtime 0
radius-server host 172.16.88.166 key 7 "xxxxxxxxxx" auth-port 1645 acct-port 1646 authentication  
aaa group server radius radius 
    server 172.16.88.166 
    deadtime 0
    use-vrf management
    source-interface mgmt0
ip radius source-interface mgmt0


Some more troubleshooting output:

# show radius-server statistics 172.16.88.166
Server is not monitored
Authentication Statistics
        failed transactions: 4
        sucessfull transactions: 0
        requests sent: 4
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 4
        responses containing errors: 0


I have also configured the VSA for NX-OS on the NPS server (shell:roles*"network-admin vdc-admin"), but I don't think it even gets to that stage (as it says the RADIUS server is failing, not the user/credentials).

Any thoughts are more than welcome!
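The two checks behind the log lines above, as an added example (not from this thread, and not Cisco or Microsoft code): NPS verifies the Message-Authenticator HMAC-MD5 on the Access-Request, and the Nexus verifies the Response Authenticator MD5 on the reply; both are keyed with the shared secret, so a single mismatched character fails both, giving "invalid authenticator" on the server and "fails verification" on the switch. Secrets, the user name and the NAS address are constructed values.

```python
import hashlib, hmac, os, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def tlv(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # Type / Length / Value

def build_access_request(secret, identifier, attrs, request_auth):
    """NAS side: Access-Request (code 1) with Message-Authenticator = HMAC-MD5 over
    the whole packet, computed with the attribute's own 16 value bytes zeroed."""
    body = attrs + tlv(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + request_auth + attrs + tlv(MSG_AUTH, mac)

def server_verifies_request(secret, packet):
    """Server side: recompute the HMAC with the server's own secret (NPS: 'invalid authenticator')."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MSG_AUTH:
            received = packet[pos + 2:pos + attr_len]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + attr_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += attr_len
    return False  # no Message-Authenticator present

def build_response(secret, code, identifier, request_auth, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def nas_verifies_response(secret, response, request_auth):
    """NAS side: the check the Nexus logs as 'packet from RADIUS server fails verification'."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def exchange(nas_secret, server_secret):
    """One Access-Request / Access-Accept round trip; returns (server check, NAS check)."""
    request_auth = os.urandom(16)  # random per request, never verified by itself
    attrs = tlv(1, b"netadmin") + tlv(4, bytes([10, 10, 10, 2]))  # User-Name, NAS-IP-Address (constructed)
    req = build_access_request(nas_secret, 0x2A, attrs, request_auth)
    request_ok = server_verifies_request(server_secret, req)
    resp = build_response(server_secret, 2, 0x2A, request_auth, tlv(18, b"Welcome"))  # Access-Accept
    response_ok = nas_verifies_response(nas_secret, resp, request_auth)
    return request_ok, response_ok
```

With the same secret on both sides `exchange` returns `(True, True)`; with secrets differing in one character it returns `(False, False)`, which is the pattern the original post shows from both ends.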

Accepted Solution

poongarg
Cisco Employee

Hello,

It's indeed an issue with the shared secret key. Try using a simple (alphanumeric) shared secret key, and on the Nexus, when you configure the shared secret key, use key 0 instead of key 7 while entering the shared secret key.

Nexus OS automatically converts the plain text key to an encrypted key (type 7).

Regards

Poonam Garg

3 Replies

It was indeed the shared secret key that was playing up.... I was initially sceptical of your response, but decided to give it another go with something simpler, and it worked... strange, because this very key works on 150+ other devices.. :/

And I used key 0 while configuring the host's key; it's just the parser showing it with key 7. BTW, the key 7 looks much different from the previous key 7?


D

Just for the record, a type 7 password is NOT encrypted, unless you consider an algorithm that was invented in 1553, broken by Charles Babbage 200 years ago, and for which there are a multitude of sites that let you input type-7 and get back cleartext, to be "encryption". Anyone with access to the type-7 RADIUS secret is capable of decrypting the RADIUS packets and, by default, reading all usernames and passwords in cleartext.

If your NX-OS and RADIUS server support it, use the MSCHAP encryption option. Note that MSCHAP is still crappy encryption (its strength is single DES), and for a few bucks cloudcracker.com will crack it with 100% success, but it will not be crackable simply by viewing the packet in Wireshark.