01-13-2023 06:56 AM
Some RADIUS Clients are authenticating Network 137......
Clients not authenticating Network 132....
raul.sambula.ctr@us.af.mil
01-14-2023 07:35 AM
I did a route trace and I'm not able to ping some of the hops indicated, but at the end there is a link between the endpoints.
01-14-2023 08:49 AM
There is a link? Can you elaborate more?
01-14-2023 11:40 AM
Ping is successful.
01-14-2023 12:18 PM
I will check how we can debug the AAA, but before that:
Is the ping RTT from both SWs the same? Or does the failed SW have a much longer RTT than the successful one?
01-14-2023 12:53 PM
I would say it is the same; the difference is the number of hops: about 7 for the failed SW and none for the successful one.
01-15-2023 04:31 AM
Sorry. Yes, RTT is higher on the failed SW.
01-16-2023 10:56 AM
debug radius auth <<- run this on the SW and share the output here.
After the SW sends the Access-Request it waits for a reply. It may be that the server is slow and the SW does not receive a reply within a specific time.
With the debug we can check this case.
01-17-2023 03:15 PM
*Jan 17 12:22:38.736: AAA/BIND(00000040): Bind i/f
*Jan 17 12:22:38.736: AAA/AUTHEN/LOGIN (00000040): Pick method list 'default'
*Jan 17 12:22:48.462: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: x] [Source: 137] [localport: 22] at 12:22:48 UTC Tue Jan 17 2023
*Jan 17 12:22:48.693: AAA/AUTHOR (0x40): Pick method list 'default'
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): processing AV cmd=
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): processing AV priv-lvl=15
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): Authorization successful
*Jan 17 12:24:11.858: AAA/AUTHOR: auth_need : user= 'x' ruser= '132'rem_addr= '137 priv= 15 list= '' AUTHOR-TYPE= 'commands'
*Jan 17 12:24:26.466: AAA/AUTHOR: auth_need : user= 'netops' ruser= '132'rem_addr= '137' priv= 15 list= '' AUTHOR-TYPE= 'commands'
*Jan 17 12:27:17.510: AAA/BIND(00000041): Bind i/f
*Jan 17 12:27:17.510: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'
*Jan 17 12:27:17.510: RADIUS/ENCODE(00000041): ask "Password: "
*Jan 17 12:27:17.510: RADIUS/ENCODE(00000041): send packet; GET_PASSWORD
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041):Orig. component type = Exec
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 17 12:27:25.857: RADIUS(00000041): Config NAS IP: 132.
*Jan 17 12:27:25.857: vrfid: [65535] ipv6 tableid : [0]
*Jan 17 12:27:25.857: idb is NULL
*Jan 17 12:27:25.857: RADIUS(00000041): Config NAS IPv6: ::
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041): acct_session_id: 4051
*Jan 17 12:27:25.857: RADIUS(00000041): sending
*Jan 17 12:27:25.857: RADIUS(00000041): Send Access-Request to 137. id 1645/31, len 78
RADIUS: authenticator 43 A2 87 E3 46 2B C9 45 - 18 81 AF 56 DB C2 17 8B
*Jan 17 12:27:25.857: RADIUS: User-Name [1] 16 "x"
*Jan 17 12:27:25.857: RADIUS: User-Password [2] 18 *
*Jan 17 12:27:25.857: RADIUS: NAS-Port [5] 6 2
*Jan 17 12:27:25.857: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 17 12:27:25.857: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 17 12:27:25.857: RADIUS: NAS-IP-Address [4] 6 132.
*Jan 17 12:27:25.857: RADIUS(00000041): Sending a IPv4 Radius Packet
*Jan 17 12:27:25.857: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:30.890: RADIUS(00000041): Request timed out!
*Jan 17 12:27:30.890: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:30.890: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:35.923: RADIUS(00000041): Request timed out!
*Jan 17 12:27:35.923: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:35.924: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:38.688: AAA/AUTHOR: auth_need : user= 'netops' ruser= '132'rem_addr= '137' priv= 15 list= '' AUTHOR-TYPE= 'commands'
01-18-2023 04:18 PM
radius-server timeout <<- can you change this timeout?
The retransmits, and everything you mentioned before about the many hops to the server, lead me to think that there is an issue with the SW-server timeout, and the debug shows us that,
so please make the timeout long enough.
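One way to triage debug output like the one posted above, as an added example that is not part of the thread: it pairs each Access-Request with its timeouts, retransmits and any reply. The sample lines, the 192.0.2.10 address and the `Received from id` reply line are constructed assumptions, and `summarize` and `unanswered` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the debug lines in the thread; 192.0.2.10 is a placeholder.
SAMPLE = """\
*Jan 17 12:27:25.857: RADIUS(00000041): Send Access-Request to 192.0.2.10 id 1645/31, len 78
*Jan 17 12:27:25.857: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:30.890: RADIUS(00000041): Request timed out!
*Jan 17 12:27:30.890: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1645/31
*Jan 17 12:27:30.890: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:35.923: RADIUS(00000041): Request timed out!
*Jan 17 12:27:35.923: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1645/31
*Jan 17 12:28:02.100: RADIUS(00000042): Send Access-Request to 192.0.2.10 id 1645/32, len 78
*Jan 17 12:28:02.100: RADIUS(00000042): Started 5 sec timeout
*Jan 17 12:28:02.140: RADIUS: Received from id 1645/32 192.0.2.10:1812, Access-Accept, len 40
"""

SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to (\S+).*?id (\d+/\d+)")
TIMEOUT = re.compile(r"RADIUS\((\w+)\): Request timed out!")
RETX = re.compile(r"RADIUS: Retransmit to \S+ for id (\d+/\d+)")
# Assumed reply line format; adjust to what your platform prints.
REPLY = re.compile(r"RADIUS: Received from id (\d+/\d+) \S+ (Access-\w+)")

def summarize(log):
    """Return {packet_id: stats} for every Access-Request in the debug text."""
    by_session, stats = {}, {}
    for line in log.splitlines():
        if m := SEND.search(line):
            session, server, pkt = m.groups()
            by_session[session] = pkt  # timeout lines carry only the session id
            stats[pkt] = {"session": session, "server": server,
                          "timeouts": 0, "retransmits": 0, "reply": None}
        elif (m := TIMEOUT.search(line)) and m.group(1) in by_session:
            stats[by_session[m.group(1)]]["timeouts"] += 1
        elif (m := RETX.search(line)) and m.group(1) in stats:
            stats[m.group(1)]["retransmits"] += 1
        elif (m := REPLY.search(line)) and m.group(1) in stats:
            stats[m.group(1)]["reply"] = m.group(2)
    return stats

def unanswered(stats):
    """Packet ids that timed out at least once and never received a reply."""
    return sorted(p for p, s in stats.items()
                  if s["reply"] is None and s["timeouts"] > 0)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for pkt in unanswered(result):
        print(pkt, result[pkt])
```

A request that shows only timeouts tells you no reply reached the switch; it does not by itself distinguish a slow path from a server that discards the request.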
01-21-2023 12:43 PM
"Parse response; FAIL". Error message
01-21-2023 12:27 PM
Same result. I'll try with an ip route
01-28-2023 03:45 AM
I'm testing something different. For some reason the RADIUS client IP keeps changing. I believe it might be a DNS issue.
01-30-2023 02:58 PM
RADIUS Server Encryption configuration was the issue.