AAA authentication using NPS/Radius. Version 16.8.1a

anas.awad
Level 1

Hello Guys,

Just wondering if you can help me with something. I have used NPS as RADIUS for AAA authentication but it's not working. I tried troubleshooting and I give up. My basic config is below; if you can help it would be much appreciated.

 

Logs.

###

May 16 20:29:15.498: AAA SRV(000021F5): process authen req
May 16 20:29:15.498: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 20:29:15.498: AAA SRV(000021F5): Authen method=SERVER_GROUP RAD_SERVERS
May 16 20:29:15.498: RADIUS/ENCODE(000021F5):Orig. component type = Exec
May 16 20:29:15.498: RADIUS/ENCODE(000021F5): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
May 16 20:29:15.498: RADIUS(000021F5): Config NAS IP: 10.32.104.10
May 16 20:29:15.498: RADIUS(000021F5): Config NAS IPv6: ::
May 16 20:29:15.498: Getting session id for EXEC(000021F5) : db=7F8F60EF9468
May 16 20:29:15.498: RADIUS/ENCODE(000021F5): acct_session_id: 6722
May 16 20:29:15.498: RADIUS(000021F5): sending
May 16 20:29:15.498: RADIUS(000021F5): Send Access-Request to 10.32.132.196:1645 id 1645/90, len 74
RADIUS: authenticator F7 18 EB 25 1B A2 DF DE - 31 82 03 00 32 DB C2 6B
May 16 20:29:15.498: RADIUS: User-Name [1] 12 "nps.radius"
May 16 20:29:15.498: RADIUS: User-Password [2] 18 *
May 16 20:29:15.498: RADIUS: NAS-Port [5] 6 2
May 16 20:29:15.498: RADIUS: NAS-Port-Id [87] 6 "tty2"
May 16 20:29:15.498: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 16 20:29:15.498: RADIUS: NAS-IP-Address [4] 6 10.32.104.10
May 16 20:29:15.498: RADIUS(000021F5): Sending a IPv4 Radius Packet
May 16 20:29:15.498: RADIUS(000021F5): Started 5 sec timeout
May 16 20:29:15.504: RADIUS: Received from id 1645/90 10.32.132.196:1645, Access-Reject, len 20
RADIUS: authenticator 83 71 BD 0E 74 75 86 BD - C7 19 6C 5A FC 91 1A 7D
May 16 20:29:15.504: RADIUS(000021F5): Received from id 1645/90
May 16 20:29:15.505: AAA SRV(000021F5): protocol reply FAIL for Authentication
May 16 20:29:15.505: AAA SRV(000021F5): Return Authentication status=FAIL
May 16 20:29:17.507: AAA/AUTHEN/LOGIN (000021F5): Pick method list 'VTY_AUTHEN'
May 16 20:29:17.507: AAA SRV(000021F5): process authen req
May 16 20:29:17.507: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 20:29:17.507: AAA SRV(000021F5): Authen method=LOCAL
May 16 20:29:17.507: AAA SRV(000021F5): protocol reply FAIL for Authentication
May 16 20:29:17.507: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 20:29:17.507: AAA SRV(000021F5): Authen method=SERVER_GROUP RAD_SERVERS
May 16 20:29:17.507: RADIUS/ENCODE(000021F5): ask "Password: "
May 16 20:29:17.507: RADIUS/ENCODE(000021F5): send packet; GET_PASSWORD
May 16 20:29:17.507: AAA SRV(000021F5): protocol reply GET_PASSWORD for Authentication
May 16 20:29:17.507: AAA SRV(000021F5): Return Authentication status=GET_PASSWORD

###


Running Config

aaa new-model
!
!
aaa group server radius RAD_SERVERS
server-private 10.32.132.196 key 7 00343315174C5B140B
server 10.32.132.196
server name RADIUS01
ip radius source-interface Vlan501
!
aaa authentication login VTY_AUTHEN local group RAD_SERVERS
aaa authorization exec VTY_AUTHOR local group RAD_SERVERS
!

radius server RADIUS01
key 7 142732181F137A3920

line con 0
stopbits 1
line vty 0 4
exec-timeout 30 0
login authentication VTY_AUTHEN
transport input all
line vty 5 15
exec-timeout 30 0
login authentication VTY_AUTHEN
transport input all

###

END.

 

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Anas,

I have noticed the following line in the debug output:

>> May 16 20:29:15.498: RADIUS/ENCODE(000021F5): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

 

See the following thread, which explains what happens if the service-type attribute is missing (dropped):

 

https://community.cisco.com/t5/policy-and-access/radius-error-message-radius-server-attribute-6-on-for-login-auth/td-p/1402200

From the thread:

>> when you have configured radius-server attribute 6 on-for-login-auth in Cisco devices it sends the Service-Type attribute in the authentication packets.

 

This might apply to your case, as the issue in that thread is similar.

 

Hope to help

Giuseppe

 

Thank you Giuseppe

 

I actually noticed that too before, and I did configure the switch with "radius-server attribute 6 on-for-login-auth" but still got the same result. I removed it later. Below are the logs with the above command.

 

LOGs:

May 16 21:46:46.857: AAA/AUTHOR: auth_need : user= 'DME-admin' ruser= '1SW-110-A01-ADM-AC-01'rem_addr= '10.50.12.40' priv= 15 list= '' AUTHOR-TYPE= 'commands'
May 16 21:46:49.924: AAA SRV(0000229F): process authen req
May 16 21:46:49.924: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 21:46:49.924: AAA SRV(0000229F): Authen method=SERVER_GROUP RAD_SERVERS
May 16 21:46:49.924: RADIUS/ENCODE(0000229F):Orig. component type = Exec
May 16 21:46:49.924: RADIUS(0000229F): Config NAS IP: 10.32.104.10
May 16 21:46:49.924: RADIUS(0000229F): Config NAS IPv6: ::
May 16 21:46:49.924: Getting session id for EXEC(0000229F) : db=7F8F61064BE0
May 16 21:46:49.925: RADIUS/ENCODE(0000229F): acct_session_id: 6892
May 16 21:46:49.925: RADIUS(0000229F): sending
May 16 21:46:49.925: RADIUS(0000229F): Send Access-Request to 10.32.132.196:1645 id 1645/91, len 80
RADIUS: authenticator 5A 1D E1 7E E7 D6 D6 43 - A3 63 C7 18 B2 DD 80 E2
May 16 21:46:49.925: RADIUS: User-Name [1] 12 "nps.radius"
May 16 21:46:49.925: RADIUS: User-Password [2] 18 *
May 16 21:46:49.925: RADIUS: NAS-Port [5] 6 2
May 16 21:46:49.925: RADIUS: NAS-Port-Id [87] 6 "tty2"
May 16 21:46:49.925: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 16 21:46:49.925: RADIUS: Service-Type [6] 6 Login [1]
May 16 21:46:49.925: RADIUS: NAS-IP-Address [4] 6 10.32.104.10
May 16 21:46:49.925: RADIUS(0000229F): Sending a IPv4 Radius Packet
May 16 21:46:49.925: RADIUS(0000229F): Started 5 sec timeout
May 16 21:46:50.264: RADIUS: Received from id 1645/91 10.32.132.196:1645, Access-Reject, len 20
RADIUS: authenticator 5A 21 14 38 91 62 9D 86 - A3 EF 8B 25 4A F2 D0 4D
May 16 21:46:50.264: RADIUS(0000229F): Received from id 1645/91
May 16 21:46:50.264: AAA SRV(0000229F): protocol reply FAIL for Authentication
May 16 21:46:50.264: AAA SRV(0000229F): Return Authentication status=FAIL
May 16 21:46:52.267: AAA/AUTHEN/LOGIN (0000229F): Pick method list 'VTY_AUTHEN'
May 16 21:46:52.267: AAA SRV(0000229F): process authen req
May 16 21:46:52.267: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 21:46:52.267: AAA SRV(0000229F): Authen method=LOCAL
May 16 21:46:52.267: AAA SRV(0000229F): protocol reply FAIL for Authentication
May 16 21:46:52.267: AAA SRV user name in list = nps.radius user name length = 10 user name copied to req = nps.radius user name len in req = 10
May 16 21:46:52.267: AAA SRV(0000229F): Authen method=SERVER_GROUP RAD_SERVERS
May 16 21:46:52.267: RADIUS/ENCODE(0000229F): ask "Password: "
May 16 21:46:52.267: RADIUS/ENCODE(0000229F): send packet; GET_PASSWORD
May 16 21:46:52.267: AAA SRV(0000229F): protocol reply GET_PASSWORD for Authentication
May 16 21:46:52.267: AAA SRV(0000229F): Return Authentication status=GET_PASSWORD

Any help Guys!
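As an added example (not part of this thread), a small Python parser over constructed lines in the format of the `debug radius` output in both posts above: it groups each Access-Request with its reply and flags the two things visible in the logs, the Service-Type attribute being absent from the first request and the Access-Reject being 20 bytes, i.e. a bare RADIUS header with no attributes (and therefore no Reply-Message). The sample lines are constructed from the quoted output; nothing else is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the `debug radius` output quoted in this thread.
SAMPLE = """\
May 16 20:29:15.498: RADIUS(000021F5): Send Access-Request to 10.32.132.196:1645 id 1645/90, len 74
May 16 20:29:15.498: RADIUS: User-Name [1] 12 "nps.radius"
May 16 20:29:15.498: RADIUS: User-Password [2] 18 *
May 16 20:29:15.498: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 16 20:29:15.504: RADIUS: Received from id 1645/90 10.32.132.196:1645, Access-Reject, len 20
May 16 21:46:49.925: RADIUS(0000229F): Send Access-Request to 10.32.132.196:1645 id 1645/91, len 80
May 16 21:46:49.925: RADIUS: User-Name [1] 12 "nps.radius"
May 16 21:46:49.925: RADIUS: Service-Type [6] 6 Login [1]
May 16 21:46:50.264: RADIUS: Received from id 1645/91 10.32.132.196:1645, Access-Reject, len 20
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (\S+) to (\S+) id (\S+), len (\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (\S+), len (\d+)")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] (\d+) (.*)")
RADIUS_HEADER_LEN = 20  # code + identifier + length + authenticator (RFC 2865)

@dataclass
class Transaction:
    req_id: str
    attrs: dict = field(default_factory=dict)  # attribute name -> (type number, printed value)
    reply: str = ""
    reply_len: int = 0

def parse_debug(text):
    """Group debug lines into one Transaction per RADIUS packet id (e.g. '1645/90')."""
    txns, current = {}, None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = txns.setdefault(m.group(3), Transaction(m.group(3)))
        elif m := RECV_RE.search(line):
            t = txns.setdefault(m.group(1), Transaction(m.group(1)))
            t.reply, t.reply_len = m.group(2), int(m.group(3))
        elif (m := ATTR_RE.search(line)) and current is not None:
            # Attribute lines belong to the most recent Send.
            current.attrs[m.group(1)] = (int(m.group(2)), m.group(4).strip())
    return txns

def findings(t):
    """Observations a troubleshooter would want for one request/reply pair."""
    out = []
    if "Service-Type" not in t.attrs:
        out.append("no Service-Type (6): 'radius-server attribute 6 on-for-login-auth' is off")
    if t.reply == "Access-Reject" and t.reply_len == RADIUS_HEADER_LEN:
        out.append("Access-Reject is header-only: the server sent no Reply-Message")
    return out
```

Running `findings()` over both transactions shows that adding Service-Type removes the first finding while the header-only reject remains, which matches the second log in the thread.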
