
Cisco Cloud Services Platform RADIUS issue

dontsellmydata
Level 1

What I am trying to do:

Simply authenticate and login to a Cisco Cloud Services Platform GUI or CLI via RADIUS with admin-group privilege (or any group).

CSP is standalone, basic config, just the built-in admin super-user present. Reachability to RADIUS server confirmed. No access lists or Firewalls in play.

I've tried with Windows Server 2022 NPS and FreeRADIUS running on Ubuntu with the same results.

The CSP documentation does not indicate clearly (at least to me) what RADIUS attributes are required to be sent in the Access-Accept messages in order to properly authenticate a remote user to the correct group. For example, the admin-group.

https://www.cisco.com/c/en/us/td/docs/routers/CSP/csp-2100/config/b_Cisco_CSP_Config_Guide_2-9-0.html#id_33411

Cisco CSP-5216

csp# show version
Cisco Cloud Services Platform Software Software, Version 2.9.2 Build:319
TAC Support: http://www.cisco.com/tac
Copyright (c) 2018-2020 by Cisco Systems, Inc
Compiled Thursday 08-December-2022 10:10
-SNIP-

Radius config on the CSP:

show running-config radius-server
radius-server retransmit 1
radius-server timeout 5
radius-server host 192.168.220.12
 key           7
 shared-secret testing123
 auth-port 1812
 acct-port 1813
!

csp# ping 192.168.220.12
PING 192.168.220.12 (192.168.220.12) 56(84) bytes of data.
64 bytes from 192.168.220.12: icmp_seq=1 ttl=61 time=11.6 ms

Local user config on the CSP:

csp# show running-config csp-users
csp-users groups group default-vnf-group
 type none
!
csp-users users user admin
 group    superadmin
 password <REDACTED>
!

FreeRADIUS version 3.0.26 (Ubuntu)

Users:

root@ubuntu:/# cat /etc/freeradius/3.0/users
testing Cleartext-Password := "password"
        Service-Type = Administrative-User,
        Class := "admin-group"
-SNIP-

clients.conf: (The CSP)

client new {
        ipaddr = 192.168.104.30
        secret = testing123
        nas_type = cisco
}

Testing logging in as user "testing" and password "password" from the CSP GUI:

Result: Denied, cannot login.

FreeRADIUS logs:

Ready to process requests
(2) Received Access-Request Id 145 from 192.168.104.30:55985 to 192.168.220.12:1812 length 59
(2)   User-Name = "testing"
(2)   User-Password = "password"
(2)   NAS-Port = 0
(2)   NAS-IP-Address = 192.168.104.30
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "testing", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2) files: users: Matched entry testing at line 1
(2)     [files] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = updated
(2)   } # authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Auth-Type PAP {
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: User authenticated successfully
(2)     [pap] = ok
(2)   } # Auth-Type PAP = ok
(2) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(2)   post-auth {
(2)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(2)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(2)     update {
(2)       No attributes updated for RHS &session-state:
(2)     } # update = noop
(2)     [exec] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(2)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(2)   } # post-auth = noop
(2) Sent Access-Accept Id 145 from 192.168.220.12:1812 to 192.168.104.30:55985 length 57
(2)   Service-Type = Administrative-User
(2)   Class = 0x61646d696e2d67726f7570
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 145 with timestamp +129 due to cleanup_delay was reached
Ready to process requests

From the above output we see the user was authenticated successfully and Service-Type and Class attributes were sent in the Access-Accept reply.

CSP logs:

csp# show log messages
Nov  2 13:32:17 csp radexternal: rc_avpair_gen: received unknown attribute 80 of length 18: 0x34C7DE97F8BEED36EAA3EE5FA4E1AC57
Nov  2 13:32:17 csp radexternal: REJECT (RC=0)

I believe this "unknown attribute" is the Message-Authenticator attribute and is used for validation and integrity purposes. The fact that the RADIUS logs above show successful authentication indicates to me that this isn't a pre-shared key issue. From my research it appears you cannot and would not want to disable Message-Authenticator in FreeRADIUS or Microsoft NPS.

How about playing around with Cisco attribute-values?

testing Cleartext-Password := "password"
        Service-Type = Administrative-User,
        Cisco-AVPair := "shell:priv-lvl=15",
        Cisco-AVPair += "shell:roles=admin-group"

CSP GUI login result: Login failed

RADIUS logs: Same as before, authentication successful

(0) Sent Access-Accept Id 44 from 192.168.220.12:1812 to 192.168.104.30:58583 length 100
(0)   Service-Type = Administrative-User
(0)   Cisco-AVPair = "shell:priv-lvl=15"
(0)   Cisco-AVPair = "shell:roles=admin-group"
(0) Finished request

CSP logs:

Nov  2 13:50:06 lon-lab-csp1 radexternal: rc_avpair_gen: received VSA attribute with unknown Vendor-Id 9
Nov  2 13:50:06 lon-lab-csp1 radexternal: REJECT (RC=0)

Now it's complaining about receiving unknown Cisco attributes.

Anyone out there managed to configure this and get it working?

Any help greatly appreciated.

7 Replies

balaji.bandi
Hall of Fame

We use ISE and ACS, and it works as expected with CSP.

I am thinking it is the password:

Rules for User Passwords

The user passwords must meet the following requirements:
  • Must be 8 to 64 characters long.

  • Must contain a digit.

  • Must contain a special character. Following characters are allowed: "_", "-", "@", "=", "+","^", "#".

  • Must contain an uppercase character and a lowercase character.

  • Must not contain two or more repeating characters.

  • Must not contain dictionary words.

Nov  2 13:50:06 lon-lab-csp1 radexternal: rc_avpair_gen: received VSA attribute with unknown Vendor-Id 9

Cisco vendor ID 9: why is it complaining about this? Check the RADIUS vendor attributes (I have not played with FreeRADIUS recently).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

I'm now testing with Windows Server 2022 NPS. The domain password being used meets the password complexity requirements in the CSP documentation; still I cannot log in, but in Wireshark and Event Viewer I can see the Access-Accept response and successful authentication.

What RADIUS standard or vendor specific attributes are you using in your setup to get RADIUS AAA to work with CSP? It's not clear to me in the Cisco documentation what to use.

For example, how does the CSP know what user group to assign the RADIUS user to from the options listed in the documentation?

admin-group
service-group
operator-group
vnf-operator-group
user-created-group

Thanks,


Configure Users and Their Appropriate RADIUS IETF Attributes

Service-Type Attribute

https://www.freeradius.org/rfc/rfc2865.html#Service-Type

BB


dontsellmydata
Level 1

Yes, I have tried all of these Service-Type attributes with no success using FreeRADIUS and also with Microsoft Network Policy Server as the RADIUS server.

You mentioned in previous post "we use ISE and ACS works as expected with CSP".

Specifically, what RADIUS standard or vendor specific attributes and string values are you using to get this working with CSP?

Thank you,

Message-Authenticator must be disabled in AAA; if you cannot, try using the AAA attribute filter.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/15-s/sec-usr-radatt-15-s-book/sec-rad-attr-scng.html

MHM

Is it really the case that Cisco Cloud Services Platform running on the latest available 2.9.2 code from 2022 with a vanilla RADIUS config cannot handle receiving Message-Authenticator AVPs in RADIUS Access-Accept packets???


Can anyone out there confirm this? I didn't see anything mentioning this when reading the release notes or when checking the Cisco bug search tool.


My Cisco 4500 switch talking to the same NPS RADIUS server can happily deal with receiving Message-Authenticator AVPs when authenticating domain users for vty sessions.


Is there anyone that has RADIUS working with Cisco Cloud Services Platform 2.9.2 & Microsoft NPS (or any RADIUS server) that can share their working config? I literally just want to log in to the CSP GUI with a domain user that will have admin-group privilege on the CSP.

Thanks,

dontsellmydata
Level 1

Is anyone able to provide the av-pair values Cisco CSP requires?

In Microsoft NPS I've now tried Vendor Specific: Cisco-AV-Pair

shell:priv-lvl=15
shell:priv-lvl=admin-group
shell:domain=admin-group
shell:group=admin-group
admin-group
priv-lvl=15
priv=lvl=admin-group


With all of these different combinations I get RADIUS accept in Wireshark and can confirm it's hitting the correct policy. I can see the above attributes being sent back to the CSP.

On the CSP:

Nov 8 19:22:19 csp1 radexternal: REJECT (RC=0)
Nov 8 19:22:25 csp1 radexternal: rc_avpair_gen: received VSA attribute with unknown Vendor-Id 9
Nov 8 19:22:25 csp1 radexternal: REJECT (RC=0)
Nov 8 19:22:28 csp1 radexternal: rc_avpair_gen: received VSA attribute with unknown Vendor-Id 9
Nov 8 19:22:28 csp1 radexternal: REJECT (RC=0)
Nov 8 19:22:29 csp1 radexternal: rc_avpair_gen: received VSA attribute with unknown Vendor-Id 9
Nov 8 19:22:29 csp1 radexternal: REJECT (RC=0)
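As an added example (not from this thread, Cisco, FreeRADIUS or Microsoft), the following Python script rebuilds the two Access-Accept replies that FreeRADIUS logged in the original post (the Class variant and the Cisco-AVPair variant) and dissects them the way the CSP's radexternal has to, which is also what the NPS attempts above send. It shows that attribute 80 of length 18 is the Message-Authenticator, that the Class hex 0x61646d696e2d67726f7570 is just ASCII "admin-group", and how Vendor-Id 9 sub-attributes are nested inside attribute 26; it also verifies the Response Authenticator and Message-Authenticator against the shared secret so you can tell a secret mismatch from an attribute-handling problem. The shared secret and packet identifiers come from the thread; the Request Authenticator is a constructed placeholder, since the thread does not show it.

```python
"""Build and dissect RADIUS Access-Accept packets like the two in the thread (constructed, not captured)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_CLASS, ATTR_VSA, ATTR_MSG_AUTH = 6, 25, 26, 80
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
SERVICE_TYPES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

SECRET = b"testing123"            # shared secret from the thread's config
REQUEST_AUTH = bytes(range(16))   # constructed stand-in for the Access-Request authenticator


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RFC 2865 attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying Vendor-Id 9 and a Cisco-AVPair (vendor type 1) string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(identifier: int, attrs: list, secret=SECRET, request_auth=REQUEST_AUTH) -> bytes:
    """Access-Accept with Message-Authenticator (RFC 2869 5.14) and Response Authenticator (RFC 2865 3)."""
    body = b"".join(attrs) + attr(ATTR_MSG_AUTH, bytes(16))   # HMAC is computed with the value zeroed
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac                                    # Message-Authenticator is the last attribute
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def sample_packets() -> dict:
    """The two replies FreeRADIUS logged in the thread, rebuilt from their attribute lists."""
    return {
        "class": build_access_accept(145, [
            attr(ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
            attr(ATTR_CLASS, b"admin-group"),
        ]),
        "cisco": build_access_accept(44, [
            attr(ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
            cisco_avpair("shell:priv-lvl=15"),
            cisco_avpair("shell:roles=admin-group"),
        ]),
    }


def iter_attributes(packet: bytes):
    """Walk the attribute list, refusing lengths that would run off the packet."""
    pos = 20
    while pos < len(packet):
        atype, alen = struct.unpack_from("!BB", packet, pos)
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def dissect(packet: bytes) -> dict:
    """Summarise an Access-Accept: the view a NAS such as the CSP's radexternal needs to build."""
    out = {"service_type": None, "class": None, "cisco_avpairs": [],
           "message_authenticator": False, "unknown": []}
    for atype, value in iter_attributes(packet):
        if atype == ATTR_SERVICE_TYPE:
            out["service_type"] = SERVICE_TYPES.get(struct.unpack("!I", value)[0], value.hex())
        elif atype == ATTR_CLASS:
            out["class"] = value.decode("latin-1")     # 0x61646d696e2d67726f7570 is plain ASCII
        elif atype == ATTR_MSG_AUTH:
            out["message_authenticator"] = True        # the "unknown attribute 80 of length 18"
        elif atype == ATTR_VSA:
            vendor_id = struct.unpack_from("!I", value)[0]
            pos = 4
            while pos < len(value):
                vtype, vlen = struct.unpack_from("!BB", value, pos)
                if vlen < 2 or pos + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                    out["cisco_avpairs"].append(value[pos + 2:pos + vlen].decode())
                else:
                    out["unknown"].append(f"vsa:{vendor_id}/{vtype}")
                pos += vlen
        else:
            out["unknown"].append(atype)
    return out


def verify_access_accept(packet: bytes, secret=SECRET, request_auth=REQUEST_AUTH) -> bool:
    """True only if the Response Authenticator and, when present, Message-Authenticator match the secret."""
    code, identifier, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), response_auth):
        return False
    pos = 20
    for atype, value in iter_attributes(packet):
        if atype == ATTR_MSG_AUTH and len(value) == 16:
            zeroed = packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return True   # no Message-Authenticator: only the Response Authenticator protects this reply
```

The rebuilt packets come out at exactly 57 and 100 bytes, the lengths FreeRADIUS logged for the two replies, which confirms the attribute accounting (20-byte header, 6-byte Service-Type, 13-byte Class or 25- and 31-byte VSAs, 18-byte Message-Authenticator). When `verify_access_accept` succeeds with the configured secret but the NAS still rejects the reply, the problem is how the NAS handles the attributes it received, not the key.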
