Radius Authentication via MS NPS/Active Directory - ASR9k
03-01-2023 09:54 AM
Hello... this is the second time I'm posting about this issue, but I do have more info now.
I have been trying for over a week to get two ASR9ks to authenticate logins via our company's existing Microsoft NPS server via Active Directory. I have standard IOS routers working fine with this (on the same subnet, pointed to the same NPS), but cannot get our two ASR9ks to do the same.
I did install Wireshark on the NPS server to try and figure out what was going on there. Both routers are getting Access-Accept packets from the NPS, so I know the issue is not with the AD authentication. Regardless of this, I still get access denied on the routers.
I have an existing TAC case open on this but so far that has yielded no help. This morning I decided to take a look at the log on the router after a login attempt and saw this message:
RP/0/RSP0/CPU0:Mar 1 10:21:38 : radiusd[1136]: %SECURITY-RADIUSD-3-BAD_VSA_TYPE : Bad non-cisco VSA type 14 with vendor_id 311 encountered, possibily out of range
I think I have found the issue. Can anyone tell me what this message is indicating? This is a Microsoft VSA. Here's a screenshot from the Wireshark capture of the Access-Accept packet. This feels like a bug?
Labels: Security Management
03-01-2023 04:22 PM
As far as I know there are some bugs around Windows versions and NPS (there is a knowledge base article about it).
What is the Windows Server version that NPS is running on? What is the Windows Server version which has AD?
I will simulate this issue over the weekend; since we moved to ISE we are no longer using NPS.
03-02-2023 07:11 AM
Both servers: Server 19 Datacenter
version: 1809
03-02-2023 07:35 AM
radius-server attribute list <listname> <<- you can try an attribute filter to accept or deny some VSAs
03-02-2023 02:23 PM
So once you set up the list, how do you accept or deny off of it?
03-02-2023 06:53 PM - edited 03-02-2023 06:56 PM
OK, I will share the command.
03-03-2023 07:22 AM
I ran this command and the error stopped showing up in the log. I am still not able to log in:
(config)#radius-server vsa attribute ignore unknown
Now I am seeing this in the log:
03-05-2023 04:03 PM
radius-server attribute list MHM
attribute vendor-id 311
vendor-type 26
!
aaa group server radius MHM
authorization reply reject MHM
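The thread's error (the router rejecting an otherwise valid Access-Accept because it carries a Microsoft vendor sub-attribute it does not recognise) and the two workarounds offered (ignoring unknown VSAs, or filtering a vendor-id/vendor-type pair with an attribute list) are easier to reason about with a decoder in hand. The following is an added example, not code from Cisco, Microsoft or anyone in the thread: it builds a constructed Access-Accept with a Cisco AVPair and two Microsoft VSAs (vendor-id 311, one known to the decoder and one type 14 that is not), verifies the RFC 2865 Response Authenticator against a constructed shared secret, and then applies either a strict policy that rejects on the first unknown VSA or an "ignore unknown" policy that drops it and continues. The table of known vendor types, the shared secret, the request authenticator and all attribute values are assumptions made for the sample; the table is deliberately incomplete so that type 14 is treated as unknown, reproducing the log condition.

```python
"""Decode a RADIUS Access-Accept, check its Response Authenticator and apply
an 'unknown VSA' policy. Added example; not Cisco, Microsoft or IOS XR code."""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
VENDOR_MICROSOFT = 311

# Illustrative (assumed) table of vendor sub-attribute types this decoder knows.
# Microsoft type 14 is left out on purpose so the thread's condition reproduces.
KNOWN_VENDOR_TYPES = {
    VENDOR_CISCO: {1: "Cisco-AVPair"},
    VENDOR_MICROSOFT: {10: "MS-CHAP-Domain", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"},
}

# Constructed sample values, not taken from the thread.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def build_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vsa(vendor_id, vendor_type, data):
    """Encode a Vendor-Specific attribute: Vendor-Id(4) followed by one sub-TLV."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return build_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier, attributes, request_auth, secret):
    """Assemble an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was produced with the shared secret for this request."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet):
    """Walk the top-level TLVs after the 20-byte header; reject bad lengths."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= min(length, len(packet)):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data) triples."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos + 2 <= len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return subs


def evaluate_access_accept(packet, request_auth, secret, ignore_unknown=False):
    """Decide whether to honour the Access-Accept. Strict mode rejects on the
    first unknown VSA (what the ASR9k log in the thread shows); ignore_unknown
    drops such VSAs and continues, like the 'vsa attribute ignore unknown' workaround."""
    result = {"accepted": False, "reason": "", "known": [], "unknown": []}
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        result["reason"] = f"not an Access-Accept (code {packet[0]})"
        return result
    if not verify_response_authenticator(packet, request_auth, secret):
        result["reason"] = "Response Authenticator mismatch: discard"
        return result
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in parse_vsa(value):
            name = KNOWN_VENDOR_TYPES.get(vendor_id, {}).get(vtype)
            if name:
                result["known"].append((name, data))
                continue
            result["unknown"].append((vendor_id, vtype))
            if not ignore_unknown:
                result["reason"] = f"Bad VSA type {vtype} with vendor_id {vendor_id}: reject"
                return result
    result["accepted"] = True
    result["reason"] = "ok" if not result["unknown"] else f"ok, ignored {len(result['unknown'])} unknown VSA(s)"
    return result


# Constructed Access-Accept: Service-Type, a Cisco AVPair, one Microsoft VSA the
# decoder knows and one (type 14, as in the thread's log line) that it does not.
SAMPLE_PACKET = build_access_accept(
    identifier=5,
    attributes=[
        build_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
        build_vsa(VENDOR_CISCO, 1, b"shell:priv-lvl=15"),
        build_vsa(VENDOR_MICROSOFT, 10, b"\x01CORP"),
        build_vsa(VENDOR_MICROSOFT, 14, struct.pack("!I", 0)),
    ],
    request_auth=REQUEST_AUTHENTICATOR,
    secret=SHARED_SECRET,
)

if __name__ == "__main__":
    print(evaluate_access_accept(SAMPLE_PACKET, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print(evaluate_access_accept(SAMPLE_PACKET, REQUEST_AUTHENTICATOR, SHARED_SECRET, ignore_unknown=True))
```

Run stand-alone, the first call returns `accepted: False` with the reason naming type 14 and vendor_id 311, the second returns `accepted: True` with the same VSA listed under `unknown`. The authenticator check comes before any attribute processing on purpose: a reply that fails it is discarded rather than parsed, so deciding how lenient to be about unknown VSAs only ever applies to replies that verifiably came from the configured server.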
