Port 1812 config but port 1645 used

Switch is configured to use port 1812. Why, in debug radius authentication, do we see port 1645 used between the switch and ISE? See config and debug output below:

CONFIG:

L3-SWITCH(config)# radius server ISE-PRIMARY
L3-SWITCH(config-radius-server)# address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
L3-SWITCH(config-radius-server)# automate-tester username ISE_HEALTH ignore-acct-port
L3-SWITCH(config-radius-server)# key sharedsecret

DEBUG OUTPUT:
L3-SWITCH# test aaa group radius admin admin$Pwd new-code


Attempting authentication test to server-group radius using radius
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IPv6: ::
Dec 3 21:09:57.873: RADIUS(00000000): sending
Dec 3 21:09:57.873: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
Dec 3 21:09:57.873: RADIUS(00000000): Send Access-Request to 10.10.2.50:1645 id 1645/2, len 51
Dec 3 21:09:57.873: RADIUS: authenticator 99 E2 71 98 E2 84 C8 BE - 34 B9 56 91 A8 E3 DC FB
Dec 3 21:09:57.873: RADIUS: User-Password [2] 18 *

Dec 3 21:09:57.873: RADIUS: User-Name [1] 7 "admin"
Dec 3 21:09:57.873: RADIUS: NAS-IP-Address [4] 6 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 3 21:09:57.873: RADIUS(00000000): Started 5 sec timeout

Dec 3 21:09:57.881: RADIUS: Received from id 1645/2 10.10.2.50:1645, Access-Reject, len 20
Dec 3 21:09:57.881: RADIUS: authenticator 61 6D 9A 38 9B 58 9E 44 - 4C 4A F2 1F 29 B3 74 3F
Dec 3 21:09:57.881: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-SWITCH#

Thanks.


jan.nielsen
Level 7

I don't think the "test aaa" command uses all the settings from your AAA server group. There is probably an option in the command to specify port.

Command used is:

L3-SWITCH# test aaa group radius admin admin$Pwd new-code

new-code means use port 1812/1813. If the keyword had been legacy, that would have meant using port 1645/1646.

So, it's still puzzling that if we tell the switch to use NEW-CODE (1812), the switch is using port 1645.

Try this: test aaa group radius server 10.10.2.50 auth-port 1812 acct-port 1813 admin admin$Pwd new-code

Ivan Gonzalez
Cisco Employee

Hello All,

Here is the issue. The command you are using to perform the test is using the "radius" group, which is the default group the IOS device uses to put the devices in:

test aaa group radius admin admin$Pwd new-code

In order to test the configuration of the group you created and configured port 1812, you need to execute the test command using the group you created called "ISE-PRIMARY":

test aaa group ISE-PRIMARY admin admin$Pwd new-code/legacy

Note: Please mark it as answered if applicable

I tried Jan's suggestion and it worked, on port 1812, without changing the "radius" group. Following are the results:

L3-Switch#test aaa group radius server 10.10.2.50 auth-port 1812 acct-port 1813 admin admin$Pwd new-code
User rejected
L3-Switch#
<output omitted>
Dec 17 13:20:12.803: RADIUS(00000000): Send Access-Request to 10.10.2.50:1812 id 1645/233, len 51
Dec 17 13:20:12.803: RADIUS:  authenticator 8D 14 82 14 C4 AA 68 5B - DC D4 02 53 50 BB 02 AC
Dec 17 13:20:12.803: RADIUS:  User-Password       [2]   18  *
Dec 17 13:20:12.803: RADIUS:  User-Name           [1]   7   "admin"
<output omitted>
Dec 17 13:20:12.811: RADIUS: Received from id 1645/233 10.10.2.50:1812, Access-Reject, len 20
Dec 17 13:20:12.811: RADIUS:  authenticator 8D 1E 41 8E 9D DC 8E 36 - 9C 70 1A 72 19 DC 04 FE
Dec 17 13:20:12.811: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-Switch#
Dec 17 13:20:12.811: RADIUS(00000000): Received from id 1645/233
Dec 17 13:20:12.811: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IPv6: ::
Dec 17 13:20:12.820: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 17 13:20:12.820: RADIUS(00000000): Started 5 sec timeout
Dec 17 13:20:12.820: RADIUS: Received from id 1646/208 10.10.2.50:1813, Accounting-response, len 20
Dec 17 13:20:12.82
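As an added example (not from this thread or from Cisco), a small Python checker that pulls the auth-port/acct-port from a `radius server` stanza and scans `debug radius` output for the UDP ports actually used, flagging the legacy 1645/1646 pair when the config says 1812/1813. The sample config and debug lines are constructed from the excerpts above; the regexes assume the IOS debug line formats shown in this thread.

```python
import re

# Constructed sample: the radius server stanza from the thread.
CONFIG = """
radius server ISE-PRIMARY
 address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
 key sharedsecret
"""

# Constructed sample: the first (mismatched) debug run.
DEBUG_BEFORE = """
Dec 3 21:09:57.873: RADIUS(00000000): Send Access-Request to 10.10.2.50:1645 id 1645/2, len 51
Dec 3 21:09:57.881: RADIUS: Received from id 1645/2 10.10.2.50:1645, Access-Reject, len 20
"""

# Constructed sample: the second run, after the test command named the server and ports.
DEBUG_AFTER = """
Dec 17 13:20:12.803: RADIUS(00000000): Send Access-Request to 10.10.2.50:1812 id 1645/233, len 51
Dec 17 13:20:12.811: RADIUS: Received from id 1645/233 10.10.2.50:1812, Access-Reject, len 20
Dec 17 13:20:12.820: RADIUS: Received from id 1646/208 10.10.2.50:1813, Accounting-response, len 20
"""

LEGACY_PORTS = {1645, 1646}  # pre-RFC 2865 RADIUS auth/acct ports

ADDR_RE = re.compile(r"address ipv4 (\S+) auth-port (\d+) acct-port (\d+)")
# Matches both "Send <type> to IP:PORT" and "Received from id X/Y IP:PORT".
PKT_RE = re.compile(r"(?:Send \S+ to|Received from id \S+) (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_config(text):
    """Map each server IP to the set of UDP ports its stanza configures."""
    servers = {}
    for ip, auth, acct in ADDR_RE.findall(text):
        servers[ip] = {int(auth), int(acct)}
    return servers


def check_debug(config_text, debug_text):
    """Return (ip, port_used, note) for every packet sent/received on a port the config does not list."""
    servers = parse_config(config_text)
    findings = []
    for ip, port in PKT_RE.findall(debug_text):
        port = int(port)
        expected = servers.get(ip)
        if expected is None:
            findings.append((ip, port, "server not in radius server config"))
        elif port not in expected:
            note = "legacy port" if port in LEGACY_PORTS else "unexpected port"
            findings.append((ip, port, note))
    return findings


if __name__ == "__main__":
    for label, dbg in (("before", DEBUG_BEFORE), ("after", DEBUG_AFTER)):
        print(label, check_debug(CONFIG, dbg))
```

A non-empty result on a run that should have used the named server is the same symptom the thread shows: the test command is talking to the server through a group that does not carry the configured ports.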