RADIUS Requests not Populating Attribute 4 (NAS-IP-Address)

Mike Hendriks
Level 1

I'm trying to get a Cisco 3120G configured for RADIUS authentication.  I have many other IOS devices with identical configuration lines working, however, this one is giving me a hard time.  The RADIUS server policy is configured by NAS-IP-Address.  The AAA and radius configuration is as follows:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 XXXXXXXXXXXXXX

See the following Radius debug information:

indrc3120a#
000284: Feb  8 14:05:15.447 PST: RADIUS: Pick NAS IP for u=0x5992EF4 tableid=0 cfg_addr=0.0.0.0
000285: Feb  8 14:05:15.447 PST: RADIUS: ustruct sharecount=1
000286: Feb  8 14:05:15.447 PST: Radius: radius_port_info() success=1 radius_nas_port=1
000287: Feb  8 14:05:15.447 PST: RADIUS(00000000): Send Access-Request to 10.x.x.x:1645 id 1645/8, len 84
000288: Feb  8 14:05:15.447 PST: RADIUS:  authenticator 12 5E 7E DF 01 B5 F1 D8 - 40 07 09 76 C5 88 C1 A4
000289: Feb  8 14:05:15.447 PST: RADIUS:  NAS-IP-Address      [4]   6   0.0.0.0
000290: Feb  8 14:05:15.447 PST: RADIUS:  NAS-Port            [5]   6   2
000291: Feb  8 14:05:15.447 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
000292: Feb  8 14:05:15.447 PST: RADIUS:  User-Name           [1]   13  "admin_user"
000293: Feb  8 14:05:15.447 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.y.y.y"
000294: Feb  8 14:05:15.447 PST: RADIUS:  User-Password       [2]   18  *
000295: Feb  8 14:05:15.505 PST: RADIUS: Received from id 1645/8 10.x.x.x:1645, Access-Reject, len 20
000296: Feb  8 14:05:15.505 PST: RADIUS:  authenticator 4E EC 8F AB BB 8E F9 BB - 13 67 56 A3 5F F9 99 94
000297: Feb  8 14:05:15.505 PST: RADIUS: saved authorization data for user 5992EF4 at 0

Note the NAS-IP-Address attribute populated as 0.0.0.0.

Another switch with an identical configuration returns the following:

tritc3120a#
350554: Feb  8 14:11:00.916 PST: RADIUS/ENCODE(000155BC): ask "Username: "
350555: Feb  8 14:11:10.605 PST: RADIUS/ENCODE(000155BC): ask "Password: "
350556: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC):Orig. component type = EXEC
350557: Feb  8 14:11:14.480 PST: RADIUS:  AAA Unsupported Attr: interface         [170] 4
350558: Feb  8 14:11:14.480 PST: RADIUS:   74 74                [ tt]
350559: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
350560: Feb  8 14:11:14.480 PST: RADIUS(000155BC): Config NAS IP: 0.0.0.0
350561: Feb  8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): acct_session_id: 87482
350562: Feb  8 14:11:14.480 PST: RADIUS(000155BC): sending
350563: Feb  8 14:11:14.480 PST: RADIUS/ENCODE: Best Local IP-Address 10.x.x.x for Radius-Server 10.y.y.y
350564: Feb  8 14:11:14.480 PST: RADIUS(000155BC): Send Access-Request to 10.y.y.y:1645 id 1645/222, len 90
350565: Feb  8 14:11:14.480 PST: RADIUS:  authenticator 5F B1 17 DF 72 4B A6 3D - B6 7C D8 5C 85 66 B9 8D
350566: Feb  8 14:11:14.480 PST: RADIUS:  User-Name           [1]   13  "admin_user"
350567: Feb  8 14:11:14.480 PST: RADIUS:  User-Password       [2]   18  *
350568: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port            [5]   6   2
350569: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
350570: Feb  8 14:11:14.480 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
350571: Feb  8 14:11:14.480 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.z.z.z"
350572: Feb  8 14:11:14.480 PST: RADIUS:  NAS-IP-Address      [4]   6   1.2.3.4
350573: Feb  8 14:11:14.556 PST: RADIUS: Received from id 1645/222 10.y.y.y:1645, Access-Accept, len 83
350574: Feb  8 14:11:14.556 PST: RADIUS:  authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 5D 42 8C A5 17 DA
350575: Feb  8 14:11:14.556 PST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
350576: Feb  8 14:11:14.556 PST: RADIUS:  Class               [25]  32
350577: Feb  8 14:11:14.556 PST: RADIUS:   59 6D 06 B1 00 00 01 37 00 01 0A DC 1E 18 01 CB C7 B8 82 D7 CA E2 00 00 00 00 00 00 00 0B               [ Ym7]
350578: Feb  8 14:11:14.556 PST: RADIUS:  Vendor, Cisco       [26]  25
350579: Feb  8 14:11:14.556 PST: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
350580: Feb  8 14:11:14.556 PST: RADIUS(000155BC): Received from id 1645/222

Note that in the example above, the NAS-IP-Address is populating properly (I've just changed it for security reasons).

If anyone has any advice, it would be greatly appreciated.  Does the switch need a restart? A RADIUS server process kick?

Thanks,

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee


Seems to be a bug,

CSCdx27019    Radius Access-request pkt sent by CSS doesnt contain NAS info


The Cisco ACS feature NAR (Network Access Restriction) with Radius does not work with the CSS. This is because radius attribute NAS-IP-Address is set to 0.0.0.0 in the Radius Authentication Request.



Rgds, Jatin



Do rate helpful posts

~Jatin


2 Replies


Thanks Jatin, I believe you're correct.

I tried this command

radius-server attribute 4 10.2.1.1

As specified in this document:

http://www.cisco.com/en/US/docs/ios/12_3/12_3b/feature/guide/gt_siara.html

Unfortunately, it doesn't seem to be available.  The only command I have is radius-server attribute 4 npr.

The release notes which describe the bug here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v5.00.0.63/release/note/Reln5b63.html

also describe a workaround with the radius-server source-interface command. This, too, is unavailable, unfortunately.

I've been able to create a workaround policy tied to the "RADIUS-Client-IP" attribute, and have the functionality I require for the time being.

Thanks again for your help.
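The following is an added example, not code from the thread or from Cisco, showing the server-side logic the poster's workaround amounts to: decode a RADIUS Access-Request, read attribute 4 (NAS-IP-Address), and when it is absent or 0.0.0.0 (the symptom in the debug above) key the policy on the packet's source address instead. The packets, addresses and the zeroed Request Authenticator are constructed for the demonstration.

```python
import struct
import ipaddress

# RADIUS attribute type codes used here (RFC 2865).
USER_NAME = 1
NAS_IP_ADDRESS = 4

def parse_access_request(pkt: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute list (type, length, value)."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    off = 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "attrs": attrs}

def effective_nas_ip(pkt: bytes, src_ip: str):
    """Return (nas_ip_attr, policy_key, flagged).
    policy_key is the address a NAS-keyed policy should match on. When attribute 4
    is missing or 0.0.0.0, fall back to the UDP source IP of the request, which is
    what matching on the server's RADIUS-Client-IP does."""
    msg = parse_access_request(pkt)
    nas = None
    for atype, val in msg["attrs"]:
        if atype == NAS_IP_ADDRESS and len(val) == 4:
            nas = str(ipaddress.IPv4Address(val))
    flagged = nas is None or nas == "0.0.0.0"
    return nas, (src_ip if flagged else nas), flagged

def build_request(attrs, ident=8) -> bytes:
    """Build an Access-Request (code 1); the 16-byte authenticator is zeroed here
    for the constructed sample (a real client sends a random one)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: BROKEN mirrors the failing switch (attribute 4 = 0.0.0.0).
BROKEN = build_request([(NAS_IP_ADDRESS, bytes(4)), (USER_NAME, b"admin_user")])
GOOD = build_request([(NAS_IP_ADDRESS, bytes([10, 0, 0, 2])), (USER_NAME, b"admin_user")])

if __name__ == "__main__":
    print(effective_nas_ip(BROKEN, "10.0.0.1"))  # ('0.0.0.0', '10.0.0.1', True)
    print(effective_nas_ip(GOOD, "10.0.0.2"))    # ('10.0.0.2', '10.0.0.2', False)
```

Keying on the source address only holds while the requests are not relayed through a proxy or NAT, so it should be treated as a stopgap rather than a replacement for a correctly populated attribute 4.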