09-07-2019 03:10 PM
Hi everyone
I can't authenticate using an external database like NPS from Windows Server.
I've seen some similar problems but no solution.
This is my configuration for the RADIUS server:
*******
aaa group server radius winserver2012
server-private 192.168.1.220 auth-port 1812 acct-port 1813 key 7 112A3036343D4B
************************
aaa authentication login default group winserver2012 local
aaa authorization exec default group winserver2012 local
******************************
************************
When I log in, this is the debug message I get:
*********************************************
*Sep 7 17:05:55: AAA/BIND(0000001D): Bind i/f
*Sep 7 17:05:55: AAA/AUTHEN/LOGIN (0000001D): Pick method list 'default'
*Sep 7 17:05:55: RADIUS/ENCODE(0000001D): ask "Password: "
*Sep 7 17:05:55: RADIUS/ENCODE(0000001D): send packet; GET_PASSWORD
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D):Orig. component type = Exec
*Sep 7 17:05:58: RADIUS: AAA Unsupported Attr: interface [210] 6
*Sep 7 17:05:58: RADIUS: 74 74 79 35 [ tty5]
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Sep 7 17:05:58: RADIUS(0000001D): Config NAS IP: 0.0.0.0
*Sep 7 17:05:58: RADIUS(0000001D): Config NAS IPv6: ::
*Sep 7 17:05:58: RADIUS/ENCODE(0000001D): acct_session_id: 19
*Sep 7 17:05:58: RADIUS(0000001D): sending
*Sep 7 17:05:58: RADIUS/ENCODE: Best Local IP-Address 198.51.100.2 for Radius-Server 192.168.1.220
*Sep 7 17:05:58: RADIUS(0000001D): Send Access-Request to 192.168.1.220:1812 id 1645/19, len 72
*Sep 7 17:05:58: RADIUS: authenticator C2 B0 5B DA B6 0E FE B4 - 43 80 E5 09 FC 31 AD 23
*Sep 7 17:05:58: RADIUS: User-Name [1] 8 "wcesar"
*Sep 7 17:05:58: RADIUS: User-Password [2] 18 *
*Sep 7 17:05:58: RADIUS: NAS-Port [5] 6 515
*Sep 7 17:05:58: RADIUS: NAS-Port-Id [87] 8 "tty515"
*Sep 7 17:05:58: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 7 17:05:58: RADIUS: NAS-IP-Address [4] 6 198.51.100.2
*Sep 7 17:05:58: RADIUS(0000001D): Sending a IPv4 Radius Packet
*Sep 7 17:05:58: RADIUS(0000001D): Started 5 sec timeout
*Sep 7 17:05:58: RADIUS: Received from id 1645/19 192.168.1.220:1812, Access-Reject, len 20
*Sep 7 17:05:58: RADIUS: authenticator A8 E6 D6 83 6D D0 B6 38 - A4 64 CB 46 E0 3A 9F 3D
*Sep 7 17:05:58: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 7 17:05:58: RADIUS: packet dump: 03130014A8E6D6836DD0B638A464CB46E03A9F3D
*Sep 7 17:05:58: RADIUS: expected digest: FFFFFFA803FFFFFFE93EFFFFFF9B26FFFFFFCEFFFFFFDAFFFFFF984946FFFFFFFFFFFFFF9254FFFFFFAFFFFFFFCA
*Sep 7 17:05:58: RADIUS: response authen: FFFFFFA8FFFFFFE6FFFFFFD6FFFFFF836DFFFFFFD0FFFFFFB638FFFFFFA464FFFFFFCB46FFFFFFE03AFFFFFF9F3D
*Sep 7 17:05:58: RADIUS: request authen: C2B05BDAB60EFEB44380E509FC31AD23
*Sep 7 17:05:58: RADIUS: Response (19) failed decrypt
*************************
Finally
*Sep 7 17:06:17: RADIUS(0000001D): Request timed out
*Sep 7 17:06:17: RADIUS: No response from (192.168.1.220:1812,1813) for id 1645/19
*Sep 7 17:06:17: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Sep 7 17:06:17: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*************************
With this debug message, can I be sure that the problem is the RADIUS server (Windows Server NPS)?
This is the message from the RADIUS server event log.
My router is a 2811.
Thanks for any suggestions.
09-08-2019 12:28 PM
Hi there,
The following line from the debug output:
*Sep 7 17:05:58: RADIUS: response-authenticator decrypt fail, pak len 20
...indicates that the RADIUS shared secret between the router and NPS does not match.
I suggest you re-enter them on both systems and try again.
cheers,
Seb.
09-09-2019 10:33 PM
Hello friend, believe me, the shared secrets are the same but the error continues. Do you know if that is a bug?
Thanks
09-09-2019 11:28 PM
hmmm, OK, try the following to include the 'non-standard' command against the NPS server:
!
no aaa group server radius winserver2012
!
radius-server host <windows_NPS_name>
ip address <windows_NPS_IP>
non-standard
key <secret_key>
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
cheers,
Seb.
09-20-2019 12:20 PM
Thanks, dear Seb.
I tried the suggestions but the problem is the same.
This is the configuration:
*******************
ROUTER 2811
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 192.168.1.220 key 7 02050D4808094F
radius-server host 192.168.1.220 non-standard
*****
Logs from Router
********
*Sep 20 13:35:03: AAA/BIND(0000000E): Bind i/f
*Sep 20 13:35:03: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'default'
*Sep 20 13:35:03: RADIUS/ENCODE(0000000E): ask "Password: "
*Sep 20 13:35:03: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E):Orig. component type = Exec
*Sep 20 13:35:06: RADIUS: AAA Unsupported Attr: interface [210] 6
*Sep 20 13:35:06: RADIUS: 74 74 79 35 [ tty5]
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Sep 20 13:35:06: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Sep 20 13:35:06: RADIUS(0000000E): Config NAS IPv6: ::
*Sep 20 13:35:06: RADIUS/ENCODE(0000000E): acct_session_id: 4
*Sep 20 13:35:06: RADIUS(0000000E): sending
*Sep 20 13:35:06: RADIUS/ENCODE: Best Local IP-Address 198.51.100.2 for Radius-Server 192.168.1.220
*Sep 20 13:35:06: RADIUS(0000000E): Send Access-Request to 192.168.1.220:1645 id 1645/2, len 74
*Sep 20 13:35:06: RADIUS: authenticator 42 D2 D4 5D 6F B0 E7 4B - CB F0 D2 07 40 CE FD 79
*Sep 20 13:35:06: RADIUS: User-Name [1] 10 "wpadilla"
*Sep 20 13:35:06: RADIUS: User-Password [2] 18 *
*Sep 20 13:35:06: RADIUS: NAS-Port [5] 6 515
*Sep 20 13:35:06: RADIUS: NAS-Port-Id [87] 8 "tty515"
*Sep 20 13:35:06: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 13:35:06: RADIUS: NAS-IP-Address [4] 6 198.51.100.2
*Sep 20 13:35:06: RADIUS(0000000E): Sending a IPv4 Radius Packet
*Sep 20 13:35:07: RADIUS(0000000E): Started 5 sec timeout
*Sep 20 13:35:07: RADIUS: Received from id 1645/2 192.168.1.220:1645, Access-Reject, len 20
*Sep 20 13:35:07: RADIUS: authenticator 02 81 DE 6A 18 12 1D F8 - 77 4E 4E EF 83 DF 79 A4
*Sep 20 13:35:07: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 20 13:35:07: RADIUS: packet dump: 030200140281DE6A18121DF8774E4EEF83DF79A4
*Sep 20 13:35:07: RADIUS: expected digest: 17FFFFFFA910FFFFFF81FFFFFF92FFFFFFD665FFFFFFC672FFFFFFF16CFFFFFFADFFFFFFCAFFFFFF8FFFFFFFD8FFFFFFC0
*Sep 20 13:35:07: RADIUS: response authen: 02FFFFFF81FFFFFFDE6A18121DFFFFFFF8774E4EFFFFFFEFFFFFFF83FFFFFFDF79FFFFFFA4
*Sep 20 13:35:07: RADIUS: request authen: 42D2D45D6FB0E74BCBF0D20740CEFD79
*Sep 20 13:35:07: RADIUS: Response (2) failed decrypt
*Sep 20 13:35:11: RADIUS(0000000E): Request timed out
*Sep 20 13:35:11: RADIUS: Retransmit to (192.168.1.220:1645,1646) for id 1645/2
*Sep 20 13:35:11: RADIUS(0000000E): Started 5 sec timeout
*Sep 20 13:35:11: RADIUS: Received from id 1645/2 192.168.1.220:1645, Access-Reject, len 20
*Sep 20 13:35:11: RADIUS: authenticator 02 81 DE 6A 18 12 1D F8 - 77 4E 4E EF 83 DF 79 A4
*Sep 20 13:35:11: RADIUS: response-authenticator decrypt fail, pak len 20
*Sep 20 13:35:11: RADIUS: packet dump: 030200140281DE6A18121DF8774E4EEF83DF79A4
*Sep 20 13:35:11: RADIUS: expected digest: 17FFFFFFA910FFFFFF81FFFFFF92FFFFFFD665FFFFFFC672FFFFFFF16CFFFFFFADFFFFFFCAFFFFFF8FFFFFFFD8FFFFFFC0
*Sep 20 13:35:11: RADIUS: response authen: 02FFFFFF81FFFFFFDE6A18121DFFFFFFF8774E4EFFFFFFEFFFFFFF83FFFFFFDF79FFFFFFA4
*Sep 20 13:35:11: RADIUS: request authen: 42D2D45D6FB0E74BCBF0D20740CEFD79
*Sep 20 13:35:11: RADIUS: Response (2) failed decrypt
*******************************
This is a Wireshark capture file from Windows Server 2012 that I attached.
*****************************
In the event log, the following:
I did the same configuration as this video on YouTube: https://www.youtube.com/watch?v=4PGBaJtqKYg
Thanks for helping me.
09-21-2019 12:44 PM
Hi there,
You are still receiving the decrypt errors:
RADIUS: response-authenticator decrypt fail, pak len 20
...which indicates a RADIUS secret mismatch.
Can you use a simple secret like cisco or cisco123 on the switch and Windows Server and re-test?
cheers,
Seb.
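Both replies above point at the same thing: "response-authenticator decrypt fail" means the router recomputed the Access-Reject's Response Authenticator with its own secret and got a different value. The check below, added here as an illustration and not part of the thread or of Cisco's IOS code, implements that RFC 2865 verification step and runs it both on a constructed lab exchange (matching secret versus mistyped secret) and on the actual Access-Reject bytes and Request Authenticator from the first debug output, using a placeholder secret since the real one is not on the page.

```python
import hashlib
import hmac

# Values copied from the router debug output in this thread: the Access-Reject
# packet dump (code 03, id 0x13 = 19, length 0x14 = 20, no attributes) and the
# Request Authenticator of the Access-Request it answered (id 1645/19).
REJECT_PACKET = bytes.fromhex("03130014A8E6D6836DD0B638A464CB46E03A9F3D")
REQUEST_AUTH = bytes.fromhex("C2B05BDAB60EFEB44380E509FC31AD23")

# Constructed lab secrets (hypothetical, not from the thread).
SERVER_SECRET = b"constructed-lab-secret"
ROUTER_SECRET_TYPO = b"constructed-lab-secret-typo"


def response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code_id_len = packet[:4]
    attributes = packet[20:]
    return hashlib.md5(code_id_len + request_auth + attributes + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True when the authenticator carried in the packet matches the one this secret predicts.

    This is the check the router performs; a False here is what IOS reports as
    'response-authenticator decrypt fail'."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False  # malformed length: treat as a bad packet
    expected = response_authenticator(packet, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_access_reject(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Construct a minimal Access-Reject (code 3, no attributes) the way a server would."""
    header = bytes([3, ident]) + (20).to_bytes(2, "big")
    return header + hashlib.md5(header + request_auth + secret).digest()


def lab_demo() -> tuple:
    """Same secret on both sides verifies; a mistyped secret reproduces the symptom."""
    reject = build_access_reject(0x13, REQUEST_AUTH, SERVER_SECRET)
    return (verify_response(reject, REQUEST_AUTH, SERVER_SECRET),
            verify_response(reject, REQUEST_AUTH, ROUTER_SECRET_TYPO))


def check_thread_packet(secret: bytes) -> bool:
    """Re-run the router's check on the thread's real Access-Reject with a candidate secret."""
    return verify_response(REJECT_PACKET, REQUEST_AUTH, secret)


if __name__ == "__main__":
    print("lab (correct, mistyped):", lab_demo())
    print("thread packet with placeholder secret:", check_thread_packet(b"PLACEHOLDER_SECRET"))
```

A capture like the one attached in the thread gives the same inputs (request authenticator, reply bytes), so the check can be re-run offline against the secret actually configured on each side to confirm which one differs.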