Hey everyone,
I am in the middle of an issue from a simple scenario.
FW1 -----FW2-----Radius server
I set up FW1 to authenticate to the radius server, (FW2 is allowing traffic to/from radius server)
aaa-server radserver protocol radius
aaa-server radserver (management) host 192.168.1.1
key secretkey
authentication port 1645
aaa authentication ssh console radserver LOCAL
aaa authentication enable console radserver LOCAL
FW1 is added to the server with the correct IP; radius traffic is flowing between them without a problem.
However, I get the message REJECT.
It's a pretty simple scenario and it's not working.
FW1 is connected to FW2 through a mgmt sw in the management interface, there is connectivity, radius traffic is flowing.
Server side looks fine. I don't have access to the server, but verified some points with the server admin, and I can't figure out where the issue is.
Any suggestions?
DEBUG OUTPUT:
INFO: Attempting Authentication test to IP address (192.168.1.1) (timeout: 10 seconds)
radius mkreq: 0x80000004
alloc_rip 0x00002aaac9b1b6c0
new request 0x80000004 --> 217 (0x00002aaac9b1b6c0)
got user 'myuser'
add_req 0x00002aaac9b1b6c0 session 0x80000004 id 217
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 88).....
01 d9 00 58 f2 19 c7 73 93 19 2f b6 17 00 03 e1 | ...X...s../.....
39 8f bd 6e 01 0b 6a 67 6f 6e 7a 61 6c 65 7a 02 | 9..n..testuser.
12 e6 a1 f5 1f af c3 0b 73 a1 66 df 3f 4a 50 8c | ........s.f.?JP.
0c 04 06 0a 7d fe 22 05 06 00 00 02 b9 3d 06 00 | ....}."......=..
00 00 05 1a 15 00 00 00 09 01 0f 63 6f 61 2d 70 | ...........coa-p
75 73 68 3d 74 72 75 65 | ush=true
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 217 (0xD9)
Radius: Length = 88 (0x0058)
Radius: Vector: F219C77393192FB6170003E1398FBD6E
Radius: Type = 1 (0x01) User-Name
Radius: Length = 11 (0x0B)
Radius: Value (String) =
6a 67 6f 6e 7a 61 6c 65 7a | myuser
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
e6 a1 f5 1f af c3 0b 73 a1 66 df 3f 4a 50 8c 0c | .......s.f.?JP..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.2.30
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2B9
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | coa-push=true
send pkt 192.168.1.1/1645
rip 0x00002aaac9b1b6c0 state 7 id 217
rad_vrfy() : response message verified
rip 0x00002aaac9b1b6c0
: chall_state ''
: state 0x7
: reqauth:
f2 19 c7 73 93 19 2f b6 17 00 03 e1 39 8f bd 6e
: info 0x00002aaac9b1b800
session_id 0x80000004
request_id 0xd9
user 'myuser'
response '***'
app 0
reason 0
skey 'secretkey'
sip 192.168.1.1
type 1
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 20).....
03 d9 00 14 14 06 dc ee e7 0a 65 e2 1f fb b1 4b | ..........e....K
78 ce b9 23 | x..#
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 217 (0xD9)
Radius: Length = 20 (0x0014)
Radius: Vector: 1406DCEEE70A65E21FFBB14B78CEB923
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0x00002aaac9b1b6c0 session 0x80000004 id 217
free_rip 0x00002aaac9b1b6c0
radius: send queue empty
ERROR: Authentication Rejected: AAA failure
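To make the trace above easier to read, here is an added example (not code from the post, the ASA, or the RADIUS server) that builds an Access-Request with the same attribute layout as the dump (User-Name, User-Password, NAS-IP-Address, NAS-Port, NAS-Port-Type and a Cisco AV-pair), builds the Access-Reject a server would answer with, decodes both packets, and performs the Response Authenticator check that the ASA reports as "rad_vrfy() : response message verified". All values (shared secret, user, password, addresses, the `attr` helper) are constructed for the example; the packet formats follow RFC 2865.

```python
"""RADIUS Access-Request / Access-Reject round trip, built and decoded offline (RFC 2865).
Added example; every secret, name and address below is constructed, not taken from a real server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 26: "Vendor-Specific", 61: "NAS-Port-Type"}


def tlv(atype, value):
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode() or b"\x00"          # at least one block, even for an empty password
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip, nas_port, req_auth=None):
    """Same attribute order as the ASA dump: 1, 2, 4, 5, 61 and a Cisco (vendor 9) AV-pair."""
    req_auth = req_auth or os.urandom(16)       # Request Authenticator: 16 random bytes
    attrs = tlv(1, user.encode())
    attrs += tlv(2, hide_password(password, secret, req_auth))
    attrs += tlv(4, bytes(int(o) for o in nas_ip.split(".")))
    attrs += tlv(5, struct.pack(">I", nas_port))
    attrs += tlv(61, struct.pack(">I", 5))                              # NAS-Port-Type 5 = Virtual
    attrs += tlv(26, struct.pack(">I", 9) + tlv(1, b"coa-push=true"))  # Vendor-Specific, Cisco-AV-pair
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """What the server sends back; an Access-Reject commonly carries no attributes (length 20)."""
    auth = response_authenticator(code, request[1], attrs, request[4:20], secret)
    return struct.pack(">BBH", code, request[1], 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """The client-side check behind the ASA's 'rad_vrfy() : response message verified' line."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack(">BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse(packet):
    """Decode header and attributes; Vendor-Specific becomes (vendor, subtype, value)."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor = struct.unpack(">I", value[:4])[0]
            value = (vendor, value[4], value[6:6 + value[5] - 2])
        attrs.append((ATTR_NAMES.get(atype, atype), value))
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": packet[4:20], "attrs": attrs}


def attr(parsed, name):
    """Hypothetical helper: first value of the named attribute, or None."""
    return next((v for n, v in parsed["attrs"] if n == name), None)


if __name__ == "__main__":
    secret = b"secretkey"                       # constructed; same placeholder as the post's config
    req = build_access_request(217, "myuser", "Passw0rd!", secret, "192.168.2.30", 0x2B9)
    rej = build_response(ACCESS_REJECT, req, secret)
    print(parse(req))
    print(parse(rej))
    print("verified:", verify_response(rej, req, secret), "wrong key:", verify_response(rej, req, b"other"))
```

Two things the example makes concrete about the trace. First, the Access-Reject is only 20 bytes (header plus authenticator, no attributes), so the reason for the rejection is not in the packet; it is only in the server's log. Second, `verify_response` passes only when the reply's authenticator was computed with the same shared secret the client holds, so a reject that survives `rad_vrfy()` means the key matched and the server deliberately rejected the user; with a key mismatch the reply would fail verification instead (and the User-Password would decode to garbage on the server, as `reveal_password` shows). The User-Password length of 18 in the dump is one 16-byte block plus the 2-byte header, i.e. PAP-style hiding of a short password.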