
ASR 1004 running 15.2(4)S fails the initial RADIUS administrative login attempts

larry.sutters
Level 1

We are deploying RADIUS (MS NPS Server 2016) as our administrative login database.  So far the deployment is working great across multiple vendors and platforms.  However, on our ASR 1004 that has a dozen or so VRFs, I get an initial failure as demonstrated below.

 

Initially, there were 3 retries per NPS server and when the request came back to the primary, the login was successful.  This caused around a 50-second delay for an administrator to log in.  I tried increasing the retries to 4, since the first request on the 2nd pass was successful... no joy.  As a workaround, I decreased the retries to 1, with the same result: the 1st attempt on the 2nd pass is successful.

 

The NPS servers are working as they should for the few hundred other devices we have connected.  While monitoring the NPS server, there is no request actually seen until the second pass.

 

[ASR AAA config ]

aaa group server radius DEF-RAD
 server name RAD-SRV-1ST
 server name RAD-SRV-2ND
 ip vrf forwarding DEF_VRF
aaa authentication login default group radius group DEF-RAD local
aaa session-id common
ip radius source-interface Port-channel1.123 vrf DEF_VRF
radius-server attribute 4 IP of VRF interface used
radius-server retransmit 1

 

[DEBUG Output]

Oct 9 09:45:26.464: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:26.464: RADIUS: Retransmit to (a.b.c.d:1812,1813) for id 1645/153
Oct 9 09:45:26.465: RADIUS(00009CFB): Started 5 sec timeout
Oct 9 09:45:31.503: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:31.503: RADIUS: Fail-over to (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:31.503: RADIUS(00009CFB): Started 5 sec timeout
Oct 9 09:45:36.518: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:36.519: %RADIUS-4-RADIUS_DEAD: RADIUS server w.x.y.z:1645,1646 is not responding.
Oct 9 09:45:36.519: %RADIUS-4-RADIUS_ALIVE: RADIUS server w.x.y.z:1645,1646 is being marked alive.
Oct 9 09:45:36.519: RADIUS: Retransmit to (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:36.519: RADIUS(00009CFB): Started 5 sec timeout
Oct 9 09:45:41.564: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:41.564: RADIUS: No response from (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:41.565: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Oct 9 09:45:41.565: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Oct 9 09:45:41.565: RADIUS/ENCODE(00009CFB):Orig. component type = Exec
Oct 9 09:45:41.565: RADIUS: AAA Unsupported Attr: interface [221] 4 1176200964
Oct 9 09:45:41.565: RADIUS/ENCODE(00009CFB): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Oct 9 09:45:41.565: RADIUS(00009CFB): Config NAS IPv6: ::
Oct 9 09:45:41.565: RADIUS/ENCODE(00009CFB): acct_session_id: 40176
Oct 9 09:45:41.565: RADIUS(00009CFB): sending
Oct 9 09:45:41.565: RADIUS: No secret to encode request (rctx:0x447F5E4C)
Oct 9 09:45:41.565: RADIUS: Unable to encrypt (rctx:0x447F5E4C)
Oct 9 09:45:41.565: RADIUS: No secret to encode request (rctx:0x447F5E4C)
Oct 9 09:45:41.565: RADIUS: Unable to encrypt (rctx:0x447F5E4C)
Oct 9 09:45:41.565: RADIUS(00009CFB): Sending a IPv4 Radius Packet
Oct 9 09:45:41.566: RADIUS(00009CFB): Send Access-Request to a.b.c.d:1812 id 1645/154,len 84
Oct 9 09:45:41.566: RADIUS: authenticator DC 06 FC 2F 67 12 9C 73 - 8F 65 0B 23 46 3D 81 C7
Oct 9 09:45:41.566: RADIUS: User-Name [1] 10 "MY-RAD-Username"
Oct 9 09:45:41.566: RADIUS: Reply-Message [18] 12
Oct 9 09:45:41.566: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Oct 9 09:45:41.566: RADIUS: User-Password [2] 18 *
Oct 9 09:45:41.566: RADIUS: NAS-Port [5] 6 3
Oct 9 09:45:41.566: RADIUS: NAS-Port-Id [87] 6 "tty3"
Oct 9 09:45:41.566: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Oct 9 09:45:41.566: RADIUS: NAS-IP-Address [4] 6 IP of VRF interface used
Oct 9 09:45:41.566: RADIUS(00009CFB): Started 5 sec timeout
Oct 9 09:45:41.570: RADIUS: Received from id 1645/154 a.b.c.d:1812, Access-Accept, len 139
Oct 9 09:45:41.570: RADIUS: authenticator B6 C2 78 46 BC 25 2B 4A - 28 5B 29 43 9E 93 B8 57
Oct 9 09:45:41.570: RADIUS: Vendor, Unknown [26] 12
Oct 9 09:45:41.570: RADIUS: User-Name [1] 6
Oct 9 09:45:41.570: RADIUS: 00 00 00 00
Oct 9 09:45:41.570: RADIUS: Framed-Protocol [7] 6 PPP [1]
Oct 9 09:45:41.570: RADIUS: Service-Type [6] 6 Administrative [6]
Oct 9 09:45:41.570: RADIUS: Class [25] 46
Oct 9 09:45:41.570: RADIUS: AE 6C 09 C0 00 00 01 37 00 01 02 00 0A C8 24 5D 00 00 00 00 CD 58 5B 01 72 CC CA F5 01 D5 76 75 0D 18 9C 32 00 00 00 00 00 00 92 6D [ l7$]X[rvu2m]
Oct 9 09:45:41.570: RADIUS: Vendor, Cisco [26] 25
Oct 9 09:45:41.570: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Oct 9 09:45:41.570: RADIUS: Vendor, Microsoft [26] 12
Oct 9 09:45:41.570: RADIUS: MS-Link-Util-Thresh[14] 6
Oct 9 09:45:41.570: RADIUS: 00 00 00 32 [ 2]
Oct 9 09:45:41.570: RADIUS: Vendor, Microsoft [26] 12
Oct 9 09:45:41.570: RADIUS: MS-Link-Drop-Time-L[15] 6
Oct 9 09:45:41.570: RADIUS: 00 00 00 78 [ x]
Oct 9 09:45:41.570: RADIUS(00009CFB): Received from id 1645/154
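
A way to turn a debug capture like the one above into a per-attempt timeline, so the servers that timed out, the request id that was finally answered, and the wait before the Access-Accept can be read off directly. This is an added example, not part of the original post; the function names and the fixed year used for timestamp parsing are assumptions, and the regular expressions cover only the message shapes that appear in this capture.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the post's debug lines, placeholders kept.
SAMPLE = """\
Oct 9 09:45:26.464: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:26.464: RADIUS: Retransmit to (a.b.c.d:1812,1813) for id 1645/153
Oct 9 09:45:31.503: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:31.503: RADIUS: Fail-over to (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:36.518: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:36.519: RADIUS: Retransmit to (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:41.564: RADIUS(00009CFB): Request timed out!
Oct 9 09:45:41.564: RADIUS: No response from (w.x.y.z:1645,1646) for id 1645/153
Oct 9 09:45:41.566: RADIUS(00009CFB): Send Access-Request to a.b.c.d:1812 id 1645/154,len 84
Oct 9 09:45:41.570: RADIUS: Received from id 1645/154 a.b.c.d:1812, Access-Accept, len 139
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): (.*)$")
ATTEMPT = re.compile(r"(Retransmit to|Fail-over to|No response from|Send Access-Request to)"
                     r" \(?(\S+?):[\d,]+\)? (?:for )?id ([\d/]+)")
REPLY = re.compile(r"Received from id ([\d/]+) (\S+?):\d+, (Access-\w+)")

def timeline(text):
    """Return (events, timeouts); each event is (time, what, server, request_id)."""
    events, timeouts = [], 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The debug lines carry no year; a fixed one (assumption) keeps parsing unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        timeouts += "Request timed out" in msg
        if (r := REPLY.search(msg)):
            events.append((ts, r.group(3), r.group(2), r.group(1)))
        elif (a := ATTEMPT.search(msg)):
            events.append((ts, a.group(1), a.group(2), a.group(3)))
    return events, timeouts

def summarize(text):
    """Condense the timeline: what went unanswered, what answered, and the wait."""
    events, timeouts = timeline(text)
    accept = next((e for e in events if e[1] == "Access-Accept"), None)
    return {
        "timeouts": timeouts,
        "unanswered_ids": sorted({e[3] for e in events if e[1] == "No response from"}),
        "accepted": (accept[3], accept[2]) if accept else None,
        "seconds_before_accept": round((accept[0] - events[0][0]).total_seconds(), 3) if accept else None,
    }
```

Calling `summarize()` on the text of a saved `debug radius` capture returns the same summary for that capture; on the sample above, the wait is measured only from the first line included in the excerpt.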
