ASR9k aaa Radius authentication issues

Dadbaud73
Level 1

Hello...new to posting here.  If it needs to go to a different board please move.

I am working for a company that is attempting to harden its routing/switching network by leveraging RADIUS authentication via MS Active Directory.  I have been successful in configuring this for standard IOS devices, but have yet to get the ASR9ks (XR v6.3.3) working.

Here's my aaa config:

radius-server host 192.168.12.50 auth-port 1645 acct-port 1646
 key 7 0333492B1207714A6501180B464B535E
 timeout 5
!
aaa group server radius RAD_SERVERS
 server 192.168.12.50 auth-port 1645 acct-port 1646
 source-interface Loopback0
!
aaa authorization exec default none
aaa authentication login CONSOLE local
aaa authentication login default group RAD_SERVERS local

I have confirmed communication to the radius server.  I have other config I can provide if requested.  When trying to log in with AD credentials on the switch, I get an immediate access denied response.


First, try changing the ports to 1812 and 1813.

balaji.bandi
Hall of Fame

What RADIUS server is it, and is the RADIUS server listening on 1645 and 1646?

Could you make sure the radius server is reachable with the Loopback0 address?

On the NAD/NAC, what IP address was added in the RADIUS server? The Loopback0 address?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dadbaud73
Level 1

Yes, the loopback address is the authorized address for comms.  I have done a packet capture at my firewall and verified comms between the server and router on ports 1645/46.

I actually would have preferred using ports 1812/13, but when I used those ports to define the radius-server host, it would not commit the changes when I used that IP/ports in the aaa group server radius command.  I had to define it on 1645/46.

Can you share:
debug aaa auth

What RADIUS server?

BB


Dadbaud73
Level 1

Here's the debug output from the username and password entry.  I do know I am using correct credentials.  From this output I can surmise the line is using the default authentication method.  My credentials are passed to the server and they fail.

[screenshot of the debug output]

 

See my comment about the bug:

CSCum34024 : Bug Search Tool (cisco.com)
Please check this bug.
There is a bug: if the key is more than 22 characters, then it will not work.
Reduce the key and check again.

The key I have been using is only 15 characters.  I also do not get the associated error message when using debug locald during login attempts.

For the key, I will double check.
For the error message that appears, can you elaborate more?

From the bug's description:

Symptom: ASR9000 running 4.3.2. Radius authentification fails with the following message seen in 'debug locald', despite radius-server is configured and seen in UP state in 'show radius': locald_DSC[308]: EXITTING 'locald_send_v' with error [A247C800] 'RADIUS' detected the 'fatal' condition 'No server information is available'

When I run debug locald and attempt radius authentication, I do not receive EXITTING 'locald_send_v' with error [A247C800] 'RADIUS' detected the 'fatal' condition 'No server information is available' 

This is what I mean when I say I do not get the associated error message.

Dadbaud73
Level 1

I have an update on this.  I have installed Wireshark on the MS NPS.  I have confirmed I am getting Access-Accept packets being sent back to the routers.

If the router is getting these packets, why is the user not being authenticated?  It makes no sense.
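The symptom in the post above (NPS returns Access-Accept, the router still denies the login) is exactly what a shared-secret mismatch between the NAS and the server produces: per RFC 2865 the NAS recomputes the Response Authenticator of every reply with its own key and silently discards replies that do not verify, so the capture looks healthy while the CLI reports failure. The Python below is an added example, not code from this thread or from Cisco; it builds the RADIUS exchange with constructed values (user "jdoe", a made-up secret, no real NPS involved) and shows the router-side check that decides whether an Access-Accept is honoured.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD = 1, 2, 1, 2  # RFC 2865 codes / attr types

def encode_attrs(attrs):
    """Type/Length/Value attributes; Length counts the 2-byte T/L prefix."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def pack(code, ident, authenticator, body):
    """20-byte header (Code, Identifier, Length, Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 stream."""
    pwd = password.encode()
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pwd), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pwd[i:i + 16], block))
        out += prev
    return out

def access_request(ident, username, password, secret):
    """NAS side: fresh random Request Authenticator and a hidden User-Password."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return pack(ACCESS_REQUEST, ident, request_auth, body)

def response_authenticator(header, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + body + secret).digest()

def access_accept(request, secret, attrs=()):
    """Server side: the reply is bound to the request under the server's copy of the secret."""
    ident, request_auth, body = request[1], request[4:20], encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body

def nas_accepts_reply(reply, request, secret):
    """Router side: Identifier must match the outstanding request and the Response
    Authenticator must verify under the NAS's secret, else the reply is silently dropped."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(reply[:4], request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

With the same constructed secret on both sides nas_accepts_reply returns True; with a different secret on either side it returns False even though a valid-looking Access-Accept was received, which is the case to rule out before chasing the key-length bug.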

I have replied to your new thread, so we close this here and pursue your issue on the new thread.

 

BB
