08-09-2015 01:03 AM - edited 03-10-2019 10:58 PM
Hi guys,
I am having some hard time configuring RADIUS authentication on NX-OS using Microsoft's NPS.
The error message I got on the NPS server is this:
A RADIUS message was received from RADIUS client (10.10.10.2) with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.
On the Nexus device I got this message logged:
2015 Aug 9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: RADIUS server 172.16.88.166 failed to respond even after all retries
2015 Aug 9 07:49:47.595 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
2015 Aug 9 07:52:00.234 switch1 %RADIUS-3-RADIUS_ERROR_MESSAGE: packet from RADIUS server 172.16.88.166 fails verification: The shared secret is probably incorrect.
Although the reason for the failure may look obvious, I am 100% sure that the shared secret is correct. I have also tried changing it about 5 times, but the result was the same...
This is what I got configured on the NX:
aaa authentication login default group radius
aaa authentication login invalid-username-log
aaa authentication login error-enable
radius-server timeout 5
radius-server retransmit 1
radius-server deadtime 0
radius-server host 172.16.88.166 key 7 "xxxxxxxxxx" auth-port 1645 acct-port 1646 authentication
aaa group server radius radius
  server 172.16.88.166
  deadtime 0
  use-vrf management
  source-interface mgmt0
ip radius source-interface mgmt0
Some more troubleshooting output:
# show radius-server statistics 172.16.88.166
Server is not monitored
Authentication Statistics
failed transactions: 4
sucessfull transactions: 0
requests sent: 4
requests timed out: 0
responses with no matching requests: 0
responses not processed: 4
responses containing errors: 0
I have also configured the VSA for NX-OS on the NPS server (shell:roles*"network-admin vdc-admin"), but I don't think it even gets to that stage (as it says the RADIUS server is failing, not the user/credentials).
Any thoughts are more than welcome!
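The two log messages in this post are the two ends of the same check, one on each side of the RADIUS exchange. Below is an added example, written for this thread and not code from the original post or from Cisco or Microsoft, that reproduces both checks in Python from the RFC 2865/2869 definitions: the server verifies the Message-Authenticator of an Access-Request with the shared secret (the NPS "invalid authenticator" event), and the NAS verifies the Response Authenticator of the reply with its own copy of the secret (the NX-OS "fails verification" log). The secrets, identifier, username and request authenticator are constructed sample values, and the example assumes the NAS sends a Message-Authenticator attribute, since that is the only part of an Access-Request a server can check against the secret.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, username: bytes, request_auth: bytes) -> bytes:
    """NAS side: Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14).
    The value is HMAC-MD5 over the whole packet, keyed with the shared secret and
    computed with the attribute's own 16 value bytes set to zero."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = packet(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the attribute is last, so its value is the final 16 bytes


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server side (the check NPS performs). A secret mismatch here is what NPS
    reports as 'received ... with an invalid authenticator'."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # malformed or truncated attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # no Message-Authenticator present: nothing to verify


def build_access_accept(secret: bytes, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) (RFC 2865 section 3)."""
    ident = request[1]
    request_auth = request[4:20]
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side (the check the Nexus performs). Failure is what NX-OS logs as
    'packet from RADIUS server ... fails verification: The shared secret is probably incorrect'."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False  # identifier must match the outstanding request
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def simulate(nas_secret: bytes, server_secret: bytes) -> dict:
    """One Access-Request/Access-Accept round trip with the secret each side has
    configured, reporting which side's check fails. Constructed values, not captured traffic."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    request = build_access_request(nas_secret, 0x2A, b"admin", request_auth)
    server_accepts_request = verify_message_authenticator(server_secret, request)
    response = build_access_accept(server_secret, request)
    nas_accepts_response = verify_response(nas_secret, request, response)
    return {
        "server_accepts_request": server_accepts_request,
        "nas_accepts_response": nas_accepts_response,
    }


if __name__ == "__main__":
    print("matching secrets:      ", simulate(b"Cisco123", b"Cisco123"))
    print("trailing space on NPS: ", simulate(b"Cisco123", b"Cisco123 "))
```

The second call shows why a secret that "is 100% correct" can still fail: the secret is used as raw bytes, so a trailing space, a different character set, or a shell or parser quoting one character differently on one side produces a different HMAC on the server and a different MD5 on the NAS, and each side logs its own failure without ever looking at the username or password.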
08-09-2015 08:32 AM
Hello,
It's indeed an issue with the shared secret key. Try using a simple (alphanumeric) shared secret key, and on the Nexus, while you configure the shared secret key, use key 0 instead of key 7 when entering the shared secret key.
Nexus OS automatically converts the plain-text key to an encrypted key (type 7).
Regards
Poonam Garg
08-09-2015 12:27 PM
It was indeed the shared secret key which was playing up.... I was initially sceptical of your response, but decided to give it another go with something simpler, and it worked... strange, because this very key works on 150+ other devices.. :/
And I used key 0 while configuring the host's key; it's just the parser showing it with key 7. BTW, the key 7 looks much different from the previous key 7?
D
08-09-2015 06:42 PM
Just for the record, a type 7 password is NOT encrypted, unless you consider an algorithm that was invented in 1553, broken by Charles Babbage 200 years ago, and for which there are a multitude of sites which allow you to input type-7 and get back cleartext to be "encryption". Anyone with access to the type-7 RADIUS secret is capable of decrypting the RADIUS packets and, by default, reading all usernames and passwords in cleartext.
If your NX-OS and RADIUS server support it, use the MSCHAP encryption option. Note that MSCHAP is still crappy encryption (its strength is single DES), and for a few bucks cloudcracker.com will crack it with 100% success, but it will not be crackable simply by viewing the packet in Wireshark.