
Problem with RADIUS AAA authentication

willytech007 (Level 1)

Hi everyone 

 

I can't authenticate using an external database like NPS on Windows Server.

I've seen some similar problems, but no solution.

This is my configuration for the RADIUS server:

*******

aaa group server radius winserver2012
 server-private 192.168.1.220 auth-port 1812 acct-port 1813 key 7 112A3036343D4B

aaa authentication login default group winserver2012 local
aaa authorization exec default group winserver2012 local

*******

When I log in, this is the debug output I get:

 

*********************************************

 

*Sep 7 17:05:55: AAA/BIND(0000001D): Bind i/f
*Sep 7 17:05:55: AAA/AUTHEN/LOGIN (0000001D): Pick method list 'default'
*Sep 7 17:05:55: RADIUS/ENCODE(0000001D): ask "Password: "
*Sep 7 17:05:55: RADIUS/ENCODE(0000001D): send packet; GET_PASSWORD
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D):Orig. component type = Exec
*Sep 7 17:05:58: RADIUS: AAA Unsupported Attr: interface [210] 6
*Sep 7 17:05:58: RADIUS: 74 74 79 35 [ tty5]
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Sep 7 17:05:58: RADIUS(0000001D): Config NAS IP: 0.0.0.0
*Sep 7 17:05:58: RADIUS(0000001D): Config NAS IPv6: ::
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D): acct_session_id: 19
*Sep 7 17:05:58: RADIUS(0000001D): sending
*Sep 7 17:05:58: RADIUS/ENCODE: Best Local IP-Address 198.51.100.2 for Radius-Server 192.168.1.220
*Sep 7 17:05:58: RADIUS(0000001D): Send Access-Request to 192.168.1.220:1812 id 1645/19, len 72
*Sep 7 17:05:58: RADIUS: authenticator C2 B0 5B DA B6 0E FE B4 - 43 80 E5 09 FC 31 AD 23
*Sep 7 17:05:58: RADIUS: User-Name [1] 8 "wcesar"
*Sep 7 17:05:58: RADIUS: User-Password [2] 18 *
*Sep 7 17:05:58: RADIUS: NAS-Port [5] 6 515
*Sep 7 17:05:58: RADIUS: NAS-Port-Id [87] 8 "tty515"
*Sep 7 17:05:58: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 7 17:05:58: RADIUS: NAS-IP-Address [4] 6 198.51.100.2
*Sep 7 17:05:58: RADIUS(0000001D): Sending a IPv4 Radius Packet
*Sep 7 17:05:58: RADIUS(0000001D): Started 5 sec timeout
*Sep 7 17:05:58: RADIUS: Received from id 1645/19 192.168.1.220:1812, Access-Reject, len 20
*Sep 7 17:05:58: RADIUS: authenticator A8 E6 D6 83 6D D0 B6 38 - A4 64 CB 46 E0 3A 9F 3D
*Sep 7 17:05:58: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 7 17:05:58: RADIUS: packet dump: 03130014A8E6D6836DD0B638A464CB46E03A9F3D
*Sep 7 17:05:58: RADIUS: expected digest: FFFFFFA803FFFFFFE93EFFFFFF9B26FFFFFFCEFFFFFFDAFFFFFF984946FFFFFFFFFFFFFF9254FFFFFFAFFFFFFFCA
*Sep 7 17:05:58: RADIUS: response authen: FFFFFFA8FFFFFFE6FFFFFFD6FFFFFF836DFFFFFFD0FFFFFFB638FFFFFFA464FFFFFFCB46FFFFFFE03AFFFFFF9F3D
*Sep 7 17:05:58: RADIUS: request authen: C2B05BDAB60EFEB44380E509FC31AD23
*Sep 7 17:05:58: RADIUS: Response (19) failed decrypt

*************************

Finally:

 

*Sep 7 17:06:17: RADIUS(0000001D): Request timed out
*Sep 7 17:06:17: RADIUS: No response from (192.168.1.220:1812,1813) for id 1645/19
*Sep 7 17:06:17: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Sep 7 17:06:17: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

*************************

With this debug output, can I be sure that the problem is on the RADIUS server (Windows Server NPS)?

 

This is the message from the RADIUS server's event log (attached image: 1.png).

 

My router is a 2811.

Thanks for any suggestions.

 

 

5 Replies

Seb Rupik (VIP Alumni)

Hi there,

the following line from the debug output:

*Sep 7 17:05:58: RADIUS: response-authenticator decrypt fail, pak len 20

...indicates that the RADIUS shared secret between the router and NPS does not match.

I suggest you re-enter them on both systems and try again.

 

cheers,

Seb.

Hello friend, believe me, the shared secrets are the same, but the error continues. Do you know if that is a bug?

thanks

hmmm, OK, try the following to include the 'non-standard' command against the NPS server:

!
no aaa group server radius winserver2012
!
radius-server host <windows_NPS_IP> non-standard key <secret_key>
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!

cheers,

Seb.

Thanks dear Seb

 

I tried the suggestions but the problem is the same.

This is the configuration:

*******************

ROUTER 2811

aaa authentication login default group radius local

aaa authorization exec default group radius local

radius-server host 192.168.1.220 key 7 02050D4808094F

radius-server host 192.168.1.220 non-standard

 

*****

Logs from the router:

 

********

*Sep 20 13:35:03: AAA/BIND(0000000E): Bind i/f
*Sep 20 13:35:03: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'default'
*Sep 20 13:35:03: RADIUS/ENCODE(0000000E): ask "Password: "
*Sep 20 13:35:03: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E):Orig. component type = Exec
*Sep 20 13:35:06: RADIUS: AAA Unsupported Attr: interface [210] 6
*Sep 20 13:35:06: RADIUS: 74 74 79 35 [ tty5]
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Sep 20 13:35:06: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Sep 20 13:35:06: RADIUS(0000000E): Config NAS IPv6: ::
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E): acct_session_id: 4
*Sep 20 13:35:06: RADIUS(0000000E): sending
*Sep 20 13:35:06: RADIUS/ENCODE: Best Local IP-Address 198.51.100.2 for Radius-Server 192.168.1.220
*Sep 20 13:35:06: RADIUS(0000000E): Send Access-Request to 192.168.1.220:1645 id 1645/2, len 74
*Sep 20 13:35:06: RADIUS: authenticator 42 D2 D4 5D 6F B0 E7 4B - CB F0 D2 07 40 CE FD 79
*Sep 20 13:35:06: RADIUS: User-Name [1] 10 "wpadilla"
*Sep 20 13:35:06: RADIUS: User-Password [2] 18 *
*Sep 20 13:35:06: RADIUS: NAS-Port [5] 6 515
*Sep 20 13:35:06: RADIUS: NAS-Port-Id [87] 8 "tty515"
*Sep 20 13:35:06: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 13:35:06: RADIUS: NAS-IP-Address [4] 6 198.51.100.2
*Sep 20 13:35:06: RADIUS(0000000E): Sending a IPv4 Radius Packet
*Sep 20 13:35:07: RADIUS(0000000E): Started 5 sec timeout
*Sep 20 13:35:07: RADIUS: Received from id 1645/2 192.168.1.220:1645, Access-Reject, len 20
*Sep 20 13:35:07: RADIUS: authenticator 02 81 DE 6A 18 12 1D F8 - 77 4E 4E EF 83 DF 79 A4
*Sep 20 13:35:07: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 20 13:35:07: RADIUS: packet dump: 030200140281DE6A18121DF8774E4EEF83DF79A4
*Sep 20 13:35:07: RADIUS: expected digest: 17FFFFFFA910FFFFFF81FFFFFF92FFFFFFD665FFFFFFC672FFFFFFF16CFFFFFFADFFFFFFCAFFFFFF8FFFFFFFD8FFFFFFC0
*Sep 20 13:35:07: RADIUS: response authen: 02FFFFFF81FFFFFFDE6A18121DFFFFFFF8774E4EFFFFFFEFFFFFFF83FFFFFFDF79FFFFFFA4
*Sep 20 13:35:07: RADIUS: request authen: 42D2D45D6FB0E74BCBF0D20740CEFD79
*Sep 20 13:35:07: RADIUS: Response (2) failed decrypt
*Sep 20 13:35:11: RADIUS(0000000E): Request timed out
*Sep 20 13:35:11: RADIUS: Retransmit to (192.168.1.220:1645,1646) for id 1645/2
*Sep 20 13:35:11: RADIUS(0000000E): Started 5 sec timeout
*Sep 20 13:35:11: RADIUS: Received from id 1645/2 192.168.1.220:1645, Access-Reject, len 20
*Sep 20 13:35:11: RADIUS: authenticator 02 81 DE 6A 18 12 1D F8 - 77 4E 4E EF 83 DF 79 A4
*Sep 20 13:35:11: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 20 13:35:11: RADIUS: packet dump: 030200140281DE6A18121DF8774E4EEF83DF79A4
*Sep 20 13:35:11: RADIUS: expected digest: 17FFFFFFA910FFFFFF81FFFFFF92FFFFFFD665FFFFFFC672FFFFFFF16CFFFFFFADFFFFFFCAFFFFFF8FFFFFFFD8FFFFFFC0
*Sep 20 13:35:11: RADIUS: response authen: 02FFFFFF81FFFFFFDE6A18121DFFFFFFF8774E4EFFFFFFEFFFFFFF83FFFFFFDF79FFFFFFA4
*Sep 20 13:35:11: RADIUS: request authen: 42D2D45D6FB0E74BCBF0D20740CEFD79
*Sep 20 13:35:11: RADIUS: Response (2) failed decrypt

*******************************

This is a Wireshark capture from Windows Server 2012 that I attached.

*****************************

In the event log, the following (attached image: event log 6273.png):

I did the same configuration as in this video on YouTube: https://www.youtube.com/watch?v=4PGBaJtqKYg

Thanks for helping me.

Hi there,

You are still receiving the decrypt errors:

RADIUS: response-authenticator decrypt fail, pak len 20

...which indicates a RADIUS secret mismatch.

 

Can you use a simple secret like cisco or cisco123 on the switch and Windows Server and re-test?

 

cheers,

Seb.
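The "response-authenticator decrypt fail" the router reports is a failed comparison, not a failed decryption: per RFC 2865 the Response Authenticator on an Access-Reject is MD5(Code + ID + Length + RequestAuthenticator + Attributes + SharedSecret), and IOS recomputes that digest with its own secret (the "expected digest" line in the debug) and compares it to the 16 bytes NPS sent. The Python below is an added example, not code from this thread, from Cisco or from Microsoft: it recomputes that digest for the 20-byte Access-Reject and the Request Authenticator copied from the first debug trace in the question, un-mangles the sign-extended byte dump IOS prints (0xA8 appears as FFFFFFA8) so the router's value can be compared with the one on the wire, and decodes the two `key 7` strings posted above (IOS type 7 is reversible obfuscation, not encryption) so the router-side secret can be inspected byte by byte. The secret configured on NPS is not on the page and is not assumed; the only data used is what the posts contain, and the Cisco type-7 translation table is the publicly known one.

```python
import hashlib

# Translation table for Cisco IOS "type 7" reversible password obfuscation. The
# first two digits of a "key 7 ..." string are the starting offset into it.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Values copied from this thread: the Access-Reject (id 19, len 20) and the
# matching Request Authenticator from the first debug trace, the router's
# "expected digest" line, and the "key 7" strings from both router configs.
PACKET_DUMP = "03130014A8E6D6836DD0B638A464CB46E03A9F3D"
REQUEST_AUTH = "C2B05BDAB60EFEB44380E509FC31AD23"
ROUTER_EXPECTED = "FFFFFFA803FFFFFFE93EFFFFFF9B26FFFFFFCEFFFFFFDAFFFFFF984946FFFFFFFFFFFFFF9254FFFFFFAFFFFFFFCA"
ROUTER_KEY7_FIRST = "112A3036343D4B"
ROUTER_KEY7_SECOND = "02050D4808094F"


def decode_type7(enc: str) -> str:
    """Reverse a 'key 7 <hex>' string to the clear-text key. Type 7 is a byte-wise
    XOR against _XLAT; anyone holding the config can recover the secret."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)]))
                   for i, b in enumerate(data))


def unmangle_debug_hex(dump: str) -> bytes:
    """IOS prints these debug byte arrays as signed chars: a byte >= 0x80 such as
    0xA8 shows up as 'FFFFFFA8', while 0x03 shows up as '03'. Recover raw bytes."""
    out = bytearray()
    i = 0
    while i < len(dump):
        if dump[i:i + 6] == "FFFFFF":      # sign-extended byte >= 0x80
            out.append(int(dump[i + 6:i + 8], 16))
            i += 8
        else:                              # plain byte < 0x80
            out.append(int(dump[i:i + 2], 16))
            i += 2
    return bytes(out)


def response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    `packet` is the response as seen on the wire; its own 16-byte authenticator
    field is replaced by the Request Authenticator of the matching request."""
    if len(packet) < 20 or len(request_auth) != 16:
        raise ValueError("RADIUS header is 20 bytes; authenticator is 16 bytes")
    code_id_len = packet[:4]
    attributes = packet[20:]               # empty for the len-20 reject in the trace
    return hashlib.md5(code_id_len + request_auth + attributes + secret).digest()


def verify_response(packet_hex: str, request_auth_hex: str, secret: str) -> bool:
    """True if the response's authenticator was produced with `secret`."""
    packet = bytes.fromhex(packet_hex)
    expected = response_authenticator(packet, bytes.fromhex(request_auth_hex),
                                      secret.encode())
    return expected == packet[4:20]


def diagnose(secret: str) -> dict:
    """What the router would compute with `secret`, next to what NPS actually sent."""
    computed = response_authenticator(bytes.fromhex(PACKET_DUMP),
                                      bytes.fromhex(REQUEST_AUTH), secret.encode())
    return {
        "secret": repr(secret),            # repr() makes a trailing space visible
        "router_expected_digest": unmangle_debug_hex(ROUTER_EXPECTED).hex().upper(),
        "computed_with_secret": computed.hex().upper(),
        "nps_response_authenticator": PACKET_DUMP[8:40],
        "matches": verify_response(PACKET_DUMP, REQUEST_AUTH, secret),
    }


if __name__ == "__main__":
    for key7 in (ROUTER_KEY7_FIRST, ROUTER_KEY7_SECOND):
        print(f"key 7 {key7} decodes to {decode_type7(key7)!r}")
    for k, v in diagnose(decode_type7(ROUTER_KEY7_FIRST)).items():
        print(f"{k:>27}: {v}")
```

Decoding both `key 7` strings gives a secret whose last character is a space. IOS ignores leading spaces on a `key` line but keeps spaces inside and at the end of the key, so a secret typed as `cisco ` on the router and `cisco` on NPS differ by one byte and fail the Response Authenticator check exactly as the trace shows, even though both "look" identical when read back; that is worth checking before suspecting a bug. Run `diagnose()` with each candidate: with the router's own decoded secret, `computed_with_secret` should line up with the router's `expected digest`, and the candidate that reproduces `nps_response_authenticator` is the secret NPS is actually using. `verify_response()` works for any RADIUS reply, not just this one, so the same check can be run against bytes taken from the Wireshark capture.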

 
