02-17-2023 11:57 AM
Hello... new to posting here. If it needs to go to a different board, please move.
I am working for a company that is attempting to harden its routing/switching network by leveraging RADIUS authentication via MS Active Directory. I have been successful in configuring this for standard IOS devices, but have yet to get the ASR9k's using XR v6.3.3.
Here's my aaa config:
radius-server host 192.168.12.50 auth-port 1645 acct-port 1646
key 7 0333492B1207714A6501180B464B535E
timeout 5
!
aaa group server radius RAD_SERVERS
server 192.168.12.50 auth-port 1645 acct-port 1646
source-interface Loopback0
!
aaa authorization exec default none
aaa authentication login CONSOLE local
aaa authentication login default group RAD_SERVERS local
I have confirmed communication to the radius server. I have other config I can provide if requested. When trying to log in with AD credentials on the switch, I get an immediate access denied response.
03-01-2023 04:42 PM
I have replied to your new thread, so we close this here and pursue your issue on the new thread.
02-17-2023 12:03 PM
First, try changing the ports:
1812 and 1813
02-17-2023 12:31 PM
What RADIUS server? Is the RADIUS server listening on 1645 and 1646?
Could you make sure the RADIUS server is reachable with the Loopback0 address?
On the NAD/NAC, what IP address was added in the RADIUS? Loopback0 address?
02-17-2023 12:47 PM
Yes, the loopback address is the authorized address for comms. I have done a packet capture at my firewall and verified comms between the server and router on port 1645/46.
I actually would have preferred using ports 1812/13, but when I used those ports to define the radius-server host, it would not commit the changes when I used that IP/ports in the aaa group server radius command. I had to define it on 1645/46.
02-17-2023 12:59 PM
Can you share
debug aaa auth
02-17-2023 01:58 PM
What RADIUS server?
02-17-2023 01:17 PM
Here's the debug output from username and pw entry. I do know I am using correct credentials. From this output I can surmise the line is using the default authentication method. My credentials are passed to the server and they fail.
02-17-2023 01:47 PM - edited 02-18-2023 02:57 AM
See my comment about the bug.
02-18-2023 02:56 AM
CSCum34024 : Bug Search Tool (cisco.com)
Please check this bug.
There is a bug: if the key is more than 22, it will not work.
Reduce the key and check again.
02-20-2023 08:05 AM - edited 02-20-2023 08:18 AM
The key I have been using is only 15 characters. I also do not get the associated error message when using debug locald during login attempts.
02-20-2023 09:47 AM
For the key, I will double check.
For the error message appearing, can you elaborate more?
02-20-2023 09:52 AM
From the bug's description:
Symptom: ASR9000 running 4.3.2. Radius authentification fails with the following message seen in 'debug locald', despite radius-server is configured and seen in UP state in 'show radius': locald_DSC[308]: EXITTING 'locald_send_v' with error [A247C800] 'RADIUS' detected the 'fatal' condition 'No server information is available'
When I run debug locald and attempt radius authentication, I do not receive EXITTING 'locald_send_v' with error [A247C800] 'RADIUS' detected the 'fatal' condition 'No server information is available'
This is what I mean when I say I do not get the associated error message.
02-28-2023 03:04 PM
I have an update on this. I have installed Wireshark on the MS NPS. I have confirmed I am getting Access-Accept packets being sent back to the routers.
If the router is getting these packets, why is the user not being authenticated? It makes no sense.
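One thing worth knowing when an Access-Accept is visible on the server yet the NAS still denies the login: the NAS recomputes the RFC 2865 Response Authenticator over the reply using its own copy of the shared secret and silently drops the packet if it does not match. The following is an added example (not from the thread or from Cisco) that performs that check; the secret, identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def build_access_accept(request_auth: bytes, identifier: int,
                        attributes: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept the way a RADIUS server does (RFC 2865 sec. 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator as the NAS would, using the
    16-byte Request Authenticator it sent and its own shared secret.
    A mismatch (wrong or truncated key on either side) means the NAS
    discards the reply without logging it as an authentication failure."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    received_auth = packet[4:20]
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def demo() -> dict:
    # Constructed sample values; none of these come from the thread.
    request_auth = bytes(range(16))          # Request Authenticator chosen by the NAS
    server_secret = b"SharedSecret123"       # made-up 15-character shared secret
    attrs = bytes([18, 4]) + b"ok"           # Reply-Message (type 18) attribute
    accept = build_access_accept(request_auth, 7, attrs, server_secret)
    return {
        # Same secret on NAS and server: the Access-Accept is honoured.
        "matching_secret": verify_response(accept, request_auth, server_secret),
        # NAS holds a different key: the very same packet is silently dropped.
        "mismatched_secret": verify_response(accept, request_auth, b"SharedSecret124"),
    }
```

Running `demo()` against a capture shows the practical check: compare the shared secret configured on both ends (and its exact length) before assuming the server's Access-Accept was ever trusted by the router.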