Issue appending Option-82 data to ISG Radius Authorization Request Username Field

randallwebb (Level 1)

We are having issues setting up transparent auto logon for DHCP-initiated sessions on an ASR1k. We are trying to set the username of the RADIUS request to the following format:

(mac-address)~(circuit-id)~(remote-id)

This is the same format that we see on our ASR9k deployments, and we are trying to emulate the behavior as closely as possible with ISG on the ASR1ks.

The problem we are seeing is that when we try to append the circuit-id or remote-id to the username field, the router does not send out the RADIUS Access-Request packet. If we just send it out with the MAC address, it appears to work fine.

I've included some of the configs below. Is there something required to allow us to do this that we are missing? Any input would be appreciated.


Thanks,

Randall Webb

Here is the policy we are using that is failing to send out proper RADIUS Access-Request messages.


policy-map type control bos-dhcp
 class type control always event session-start
  5 authorize aaa list bos identifier mac-address plus circuit-id plus remote-id separator ~
 !
 class type control always event session-restart
  5 authorize aaa list bos identifier mac-address plus circuit-id plus remote-id separator ~
 !
 class type control always event access-reject
  10 service disconnect


interface TenGigabitEthernet0/0/0.46
 description Test ISG Int
 encapsulation dot1Q 46
 ip dhcp relay information trusted
 ip dhcp relay information policy-action encapsulate
 ip address ######## 255.255.255.248
 ip helper-address #########
 service-policy type control bos-dhcp
 ip subscriber l2-connected
  initiator dhcp


Here is the policy with just the MAC address selected, and the RADIUS debug showing the properly formatted request.


policy-map type control bos-dhcp
 class type control always event session-start
  5 authorize aaa list bos identifier mac-address
 !
 class type control always event session-restart
  5 authorize aaa list bos identifier mac-address
 !
 class type control always event access-reject
  10 service disconnect


*Sep 26 18:02:36.899: RADIUS(000000FD): Send Access-Request to ##########:1645 onvrf(0) id 1645/224, len 190
*Sep 26 18:02:36.899: RADIUS:  authenticator 4F 3B A7 25 58 A7 EE 4D - EF F3 04 46 D3 8A 96 BC
*Sep 26 18:02:36.899: RADIUS:  User-Name           [1]   16  "ac87.a302.349d"
*Sep 26 18:02:36.900: RADIUS:  User-Password       [2]   18  *
*Sep 26 18:02:36.900: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Sep 26 18:02:36.900: RADIUS:  NAS-Port            [5]   6   46
*Sep 26 18:02:36.900: RADIUS:  NAS-Port-Id         [87]  27  "~020a0000d8c901690000002e"
*Sep 26 18:02:36.900: RADIUS:  Vendor, Cisco       [26]  46
*Sep 26 18:02:36.900: RADIUS:   Cisco AVpair       [1]   40  "remote-id-tag=020a0000d8c901690000002e"
*Sep 26 18:02:36.900: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Sep 26 18:02:36.900: RADIUS:  NAS-IP-Address      [4]   6   ##########
*Sep 26 18:02:36.900: RADIUS:  Acct-Session-Id     [44]  19  "0/0/0/46_000000F3"
*Sep 26 18:02:36.900: RADIUS:  Nas-Identifier      [32]  14  "cni-isg-test"
*Sep 26 18:02:36.900: RADIUS:  Event-Timestamp     [55]  6   1506448956
*Sep 26 18:02:36.900: RADIUS(000000FD): Sending a IPv4 Radius Packet
*Sep 26 18:02:36.900: RADIUS(000000FD): Started 5 sec timeout
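The identifier the control policy above asks ISG to build, as an added worked example that is not code from the post or from Cisco IOS: a small Python decoder for the DHCP relay-agent information option (option 82, RFC 3046) sub-options, a builder for the mac~circuit-id~remote-id string, and an encoder for the RADIUS User-Name attribute so the "len 16" in the debug can be checked. The option 82 bytes and the circuit-id value are constructed for the example; only the client MAC and the remote-id value are taken from the debug. Rendering both sub-options as hex strings and leaving an empty field when a sub-option is absent are assumptions of this example, not confirmed ISG behaviour.

```python
"""Added example, not code from the post or from Cisco IOS: decode the DHCP
relay-agent information option (option 82, RFC 3046) and build the
<mac>~<circuit-id>~<remote-id> string that the control policy in the post
asks ISG to send as the RADIUS User-Name, plus the User-Name TLV itself.

Assumptions (not confirmed ISG behaviour): both sub-options are rendered as
hex strings, and a missing sub-option leaves an empty field between the
separators. The sample option-82 bytes below are constructed for this
example; only the MAC and the remote-id value are taken from the debug.
"""
from dataclasses import dataclass

CIRCUIT_ID = 1   # RFC 3046 sub-option: Agent Circuit ID
REMOTE_ID = 2    # RFC 3046 sub-option: Agent Remote ID


@dataclass
class Option82:
    circuit_id: bytes
    remote_id: bytes


def parse_option82(payload: bytes) -> Option82:
    """Parse the value of option 82 (everything after the 0x52/len header)
    as a sequence of code/length/value sub-options; reject truncation."""
    circuit_id = b""
    remote_id = b""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d runs past end of option" % code)
        if code == CIRCUIT_ID:
            circuit_id = value
        elif code == REMOTE_ID:
            remote_id = value
        # other sub-option codes are ignored
        i += 2 + length
    return Option82(circuit_id, remote_id)


def cisco_mac(mac: bytes) -> str:
    """Format a 6-byte MAC as xxxx.xxxx.xxxx, the form seen in the debug."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    h = mac.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def isg_identifier(client_mac: bytes, opt: Option82, separator: str = "~") -> str:
    """Mirror 'identifier mac-address plus circuit-id plus remote-id separator ~'."""
    return separator.join([cisco_mac(client_mac), opt.circuit_id.hex(), opt.remote_id.hex()])


def radius_user_name_attr(user_name: str) -> bytes:
    """Encode RADIUS attribute 1 (User-Name) as Type/Length/Value (RFC 2865).
    Length covers the two header bytes, which is why the debug reports len 16
    for the 14-character value "ac87.a302.349d"."""
    value = user_name.encode()
    if len(value) > 253:
        raise ValueError("User-Name does not fit in one RADIUS attribute")
    return bytes([1, 2 + len(value)]) + value


# Constructed sample: client MAC from the debug, an invented 8-byte circuit-id,
# and the 12-byte remote-id the debug shows in remote-id-tag.
SAMPLE_MAC = bytes.fromhex("ac87a302349d")
SAMPLE_CIRCUIT_ID = bytes.fromhex("0006000a0000002e")
SAMPLE_REMOTE_ID = bytes.fromhex("020a0000d8c901690000002e")
SAMPLE_OPTION82 = (
    bytes([CIRCUIT_ID, len(SAMPLE_CIRCUIT_ID)]) + SAMPLE_CIRCUIT_ID
    + bytes([REMOTE_ID, len(SAMPLE_REMOTE_ID)]) + SAMPLE_REMOTE_ID
)

if __name__ == "__main__":
    opt = parse_option82(SAMPLE_OPTION82)
    print(isg_identifier(SAMPLE_MAC, opt))
    print(radius_user_name_attr(cisco_mac(SAMPLE_MAC)).hex())
```

Running it prints `ac87.a302.349d~0006000a0000002e~020a0000d8c901690000002e` and the User-Name TLV `0110...`, where the second byte (0x10 = 16) is the attribute length reported by the debug. Feeding the parser only the remote-id sub-option yields `ac87.a302.349d~~020a0000d8c901690000002e`, so a username with an empty middle field is what a missing circuit-id would look like on the wire under this example's assumptions.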


randallwebb (Level 1)

This issue ended up being a bug that was the direct result of a fix for a security advisory.