RADIUS Clients Access Denied

Some RADIUS Clients are authenticating Network 137......

Clients not authenticating Network 132....


raul.sambula.ctr@us.af.mil

27 Replies

I did a route trace and I'm not able to ping some of the hops indicated; but at the end there is a link between the endpoints.

There is a link? Can you elaborate more?

Ping is successful.

I will check how we can debug the AAA, but before that:
are the ping RTTs from both SWs the same, or does the failed SW have a much longer RTT than the successful one?

I would say it is the same; the difference is the number of hops: about 7 for the failing SW, and none for the successful one.

Sorry. Yes RTT is higher on fail SW

debug radius auth <<- run this on the SW and share the output here.
Screenshot (217).png

After the SW sends the Access-Request it waits for a reply. It can be that the server is slow and the SW does not receive the reply within the specified time.
With the debug we can check this case.

*Jan 17 12:22:38.736: AAA/BIND(00000040): Bind i/f
*Jan 17 12:22:38.736: AAA/AUTHEN/LOGIN (00000040): Pick method list 'default'
*Jan 17 12:22:48.462: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: x] [Source: 137] [localport: 22] at 12:22:48 UTC Tue Jan 17 2023
*Jan 17 12:22:48.693: AAA/AUTHOR (0x40): Pick method list 'default'
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): processing AV cmd=
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): processing AV priv-lvl=15
*Jan 17 12:22:48.694: AAA/AUTHOR/EXEC(00000040): Authorization successful
*Jan 17 12:24:11.858: AAA/AUTHOR: auth_need : user= 'x' ruser= '132'rem_addr= '137 priv= 15 list= '' AUTHOR-TYPE= 'commands'
*Jan 17 12:24:26.466: AAA/AUTHOR: auth_need : user= 'netops' ruser= '132'rem_addr= '137' priv= 15 list= '' AUTHOR-TYPE= 'commands'
*Jan 17 12:27:17.510: AAA/BIND(00000041): Bind i/f
*Jan 17 12:27:17.510: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'
*Jan 17 12:27:17.510: RADIUS/ENCODE(00000041): ask "Password: "
*Jan 17 12:27:17.510: RADIUS/ENCODE(00000041): send packet; GET_PASSWORD
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041):Orig. component type = Exec
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 17 12:27:25.857: RADIUS(00000041): Config NAS IP: 132.
*Jan 17 12:27:25.857: vrfid: [65535] ipv6 tableid : [0]
*Jan 17 12:27:25.857: idb is NULL
*Jan 17 12:27:25.857: RADIUS(00000041): Config NAS IPv6: ::
*Jan 17 12:27:25.857: RADIUS/ENCODE(00000041): acct_session_id: 4051
*Jan 17 12:27:25.857: RADIUS(00000041): sending
*Jan 17 12:27:25.857: RADIUS(00000041): Send Access-Request to 137. id 1645/31, len 78
RADIUS: authenticator 43 A2 87 E3 46 2B C9 45 - 18 81 AF 56 DB C2 17 8B
*Jan 17 12:27:25.857: RADIUS: User-Name [1] 16 "x"
*Jan 17 12:27:25.857: RADIUS: User-Password [2] 18 *
*Jan 17 12:27:25.857: RADIUS: NAS-Port [5] 6 2
*Jan 17 12:27:25.857: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 17 12:27:25.857: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 17 12:27:25.857: RADIUS: NAS-IP-Address [4] 6 132.
*Jan 17 12:27:25.857: RADIUS(00000041): Sending a IPv4 Radius Packet
*Jan 17 12:27:25.857: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:30.890: RADIUS(00000041): Request timed out!
*Jan 17 12:27:30.890: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:30.890: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:35.923: RADIUS(00000041): Request timed out!
*Jan 17 12:27:35.923: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:35.924: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:38.688: AAA/AUTHOR: auth_need : user= 'netops' ruser= '132'rem_addr= '137' priv= 15 list= '' AUTHOR-TYPE= 'commands'
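To read output like the above quickly, here is an added Python triage script (not code from this thread or from Cisco) that groups "debug radius authentication" lines by RADIUS request id and reports, per request, how many timeouts and retransmits occurred and whether any reply arrived. The sample input is constructed in the shape of the lines above (addresses redacted as in the thread); the "Received from id ..." and "No response from ..." lines are the shapes IOS uses for a reply and for giving up, and are constructed here so both outcomes are exercised.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the Cisco IOS "debug radius authentication"
# output quoted in this thread. Request 1645/31 never gets an answer (IOS default:
# 5 s timeout, 3 retransmits); request 1645/32 is answered at once.
SAMPLE_DEBUG = """\
*Jan 17 12:27:25.857: RADIUS(00000041): Send Access-Request to 137. id 1645/31, len 78
*Jan 17 12:27:25.857: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:30.890: RADIUS(00000041): Request timed out!
*Jan 17 12:27:30.890: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:30.890: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:35.923: RADIUS(00000041): Request timed out!
*Jan 17 12:27:35.923: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:35.924: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:40.957: RADIUS(00000041): Request timed out!
*Jan 17 12:27:40.957: RADIUS: Retransmit to (137.:1812,1813) for id 1645/31
*Jan 17 12:27:40.957: RADIUS(00000041): Started 5 sec timeout
*Jan 17 12:27:45.990: RADIUS(00000041): Request timed out!
*Jan 17 12:27:45.990: RADIUS: No response from (137.:1812,1813) for id 1645/31
*Jan 17 12:28:01.100: RADIUS(00000042): Send Access-Request to 137. id 1645/32, len 78
*Jan 17 12:28:01.100: RADIUS(00000042): Started 5 sec timeout
*Jan 17 12:28:01.155: RADIUS: Received from id 1645/32 137.:1812, Access-Accept, len 20
"""

SEND_RE = re.compile(r"RADIUS\((?P<sess>[0-9A-Fa-f]+)\): Send Access-Request to (?P<server>\S+) id (?P<id>\d+/\d+), len (?P<len>\d+)")
TIMEOUT_RE = re.compile(r"RADIUS\((?P<sess>[0-9A-Fa-f]+)\): Request timed out!")
RETRANS_RE = re.compile(r"RADIUS: Retransmit to \([^)]*\) for id (?P<id>\d+/\d+)")
NORESP_RE = re.compile(r"RADIUS: No response from \([^)]*\) for id (?P<id>\d+/\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (?P<id>\d+/\d+) (?P<server>\S+), (?P<code>Access-(?:Accept|Reject|Challenge))")


def triage(debug_text):
    """Return an ordered dict: request id -> counters for that Access-Request."""
    requests = OrderedDict()
    sess_to_id = {}  # the timeout lines carry the AAA session, not the request id
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            requests[m["id"]] = {"session": m["sess"], "server": m["server"],
                                 "timeouts": 0, "retransmits": 0,
                                 "reply": None, "gave_up": False}
            sess_to_id[m["sess"]] = m["id"]
            continue
        m = TIMEOUT_RE.search(line)
        if m and m["sess"] in sess_to_id:
            requests[sess_to_id[m["sess"]]]["timeouts"] += 1
            continue
        m = RETRANS_RE.search(line)
        if m and m["id"] in requests:
            requests[m["id"]]["retransmits"] += 1
            continue
        m = NORESP_RE.search(line)
        if m and m["id"] in requests:
            requests[m["id"]]["gave_up"] = True
            continue
        m = RECV_RE.search(line)
        if m and m["id"] in requests:
            requests[m["id"]]["reply"] = m["code"]
    return requests


def verdict(req):
    """One-line reading of a request's fate."""
    if req["reply"]:
        return f"answered: {req['reply']}"
    if req["timeouts"]:
        text = f"no reply after {req['retransmits']} retransmit(s) and {req['timeouts']} timeout(s)"
        return text + ("; NAS gave up" if req["gave_up"] else "")
    return "pending"


if __name__ == "__main__":
    for rid, req in triage(SAMPLE_DEBUG).items():
        print(f"id {rid} -> {req['server']}: {verdict(req)}")
```

A request that is retransmitted until the NAS gives up, while the server answers ping, means the server is not answering this particular NAS: it is either slow, dropping the packet (firewall, or the NAS address in NAS-IP-Address not registered as a RADIUS client), or answering with something the NAS cannot validate. Raising radius-server timeout only helps the first of these.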

radius-server timeout <<- can you change this timeout?

The retransmits, and all you mentioned before about the many hops to the server, lead me to think that there is an issue with the SW-server timeout, and the debug shows us that,
so please make the timeout long enough.

"Parse response; FAIL" error message.


Same result. I'll try with an ip route


I'm testing something different. For some reason the RADIUS client IP keeps changing. I believe it might be a DNS issue.

RADIUS Server Encryption configuration was the issue.
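The symptoms in this thread (requests that time out although the server is reachable, then "Parse response; FAIL" once a reply does come back) are what a NAS shows when it cannot validate the server's reply. Below is an added, self-contained Python model of the RFC 2865 Access-Request / Access-Accept exchange; it is not code from this thread or from Cisco, and it assumes PAP with a shared secret (the "encryption configuration" in the resolution above is most commonly the shared secret, and that is the assumption made here), a constructed user database, and a constructed NAS address 192.0.2.10. It shows that a key mismatch between NAS and server does not produce an Access-Reject the NAS can see: the Response Authenticator fails to verify, the NAS discards the reply, and the request looks like a timeout.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def attr(atype, value):
    """Encode one Type/Length/Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(blob):
    """Decode a TLV run into {type: value}; rejects truncated attributes."""
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def _pw_blocks(data, request_auth, secret, decrypt):
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block chains on the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out


def hide_password(password, request_auth, secret):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pw_blocks(padded, request_auth, secret, decrypt=False)


def reveal_password(hidden, request_auth, secret):
    return _pw_blocks(hidden, request_auth, secret, decrypt=True).rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def nas_build_request(ident, username, password, secret, nas_ip):
    """NAS side: Access-Request with User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    req_auth = os.urandom(16)
    attrs = (attr(1, username)
             + attr(2, hide_password(password, req_auth, secret))
             + attr(4, socket.inet_aton(nas_ip)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(request, secret, users):
    """Server side: recover the PAP password with the server's secret and decide."""
    _, ident, length = HEADER.unpack(request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = reveal_password(attrs[2], req_auth, secret)
    code = ACCESS_ACCEPT if users.get(attrs[1]) == password else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def nas_check_reply(reply, req_auth, secret):
    """NAS side: verify the Response Authenticator; None means the reply is discarded."""
    code, ident, length = HEADER.unpack(reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # discarded: the NAS keeps waiting, retransmits, and finally times out
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "other")


def exchange(nas_secret, server_secret, username=b"x", password=b"correct horse"):
    """Run one exchange; returns (code the server sent, what the NAS accepted)."""
    users = {b"x": b"correct horse"}  # constructed user database
    request, req_auth = nas_build_request(31, username, password, nas_secret, "192.0.2.10")
    reply = server_handle(request, server_secret, users)
    return HEADER.unpack(reply[:4])[0], nas_check_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print("matching secrets:   ", exchange(b"shared", b"shared"))
    print("mismatched secrets: ", exchange(b"nas-key", b"server-key"))
```

With matching secrets the NAS sees the Access-Accept. With a mismatch the server still answers (it decodes the password to garbage and sends Access-Reject under its own key), but the NAS cannot verify that reply and drops it, so "debug radius" shows only retransmits and timeouts, and lengthening radius-server timeout cannot help. The check that matters is the server's client entry for the address the switch puts in NAS-IP-Address: the IP must be the one actually used as source (the thread notes that IP was changing) and the key must match the switch's configured one.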
