ASR9k - cannot login with Radius

mareeast
Level 1

Hi,

Can you please help me with the required AAA config on XR9k? This is my current config, which is not working (debugs below):

 

radius source-interface X vrf Mgmt
radius-server vsa attribute ignore unknown
radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

aaa accounting exec default start-stop group XXXX-RADIUS
aaa accounting system default start-stop group XXXX-RADIUS
aaa group server radius X.X.X.X
 vrf Mgmt
 server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
  key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

aaa authorization exec default group XXXX-RADIUS local
aaa authentication login default group XXXX-RADIUS local
aaa default-taskgroup root-system
vrf Mgmt

line default
 login authentication default
 access-class ingress XXXXXXXXX
 transport input ssh

vty-pool default 0 4 line-template default

 

Here is the debug output:

debug aaa comm

RP:May 21 00:34:07.647 : SSHD_[65849]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP:May 21 00:34:07.650 : SSHD_[65849]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP:May 21 00:34:12.974 : devc-vty[181]: Connection Accepted by ACL Source Add X.X.X.X Dest Add X.X.X.X Source Port XXXXX Dest port 22 Acl XXXXXXX
RP:May 21 00:34:13.005 : SSHD_[65849]: Attaching to LWM channel /dev/locald
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.008 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Retriving the connid from message
RP:May 21 00:34:13.008 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.008 : SSHD_[65849]: Size of the reply from the server: 32
RP:May 21 00:34:13.008 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.017 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 0) .....
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 1) .....
RP:May 21 00:34:13.022 : locald_DSC[308]: Dumping buffer for MSG recv at locald (IOV 0) .....
RP:May 21 00:34:13.023 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.023 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.033 : SSHD_[65849]: Received an error reply from the server - error ''LOCALD' detected the 'fatal' condition 'No available method was able to process the request''
RP:May 21 00:34:13.033 : SSHD_[65849]: %SECURITY-SSHD-4-INFO_FAILURE : Failed authentication attempt by user 'xxxxxx' from 'X.X.X.X' on 'vty1'
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.043 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.043 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Size of the reply from the server: 20

 

I am only able to SSH in with the root user.

Any ideas what could be wrong?


6 Replies

balaji.bandi
Hall of Fame

Why do you have 2 different configurations: one uses server-private and the other radius-server?

radius source-interface X vrf Mgmt

radius-server vsa attribute ignore unknown

radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

aaa group server radius X.X.X.X
vrf Mgmt
server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X

 

You could try testing using:

#test aaa group XXXX test test legacy (test / test = dummy user and password)

 

If the RADIUS server is reachable you get a failure as below (I did this using TACACS+; it should be the same with RADIUS):

Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.

If there is a RADIUS server config issue you get the message below:

Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks @balaji.bandi

I've tried with the configurations below, but still no luck. Am I missing something? All of the other devices are working with RADIUS without issues; only the XR platforms cannot use it for some reason.

 


### 1 ###

usergroup XXXX
taskgroup root-system

radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

radius source-interface X vrf Mgmt

aaa authentication login default group radius local
aaa authentication login default local

line default
login authentication default
access-class ingress XXXXXX
transport input ssh

vty-pool default 0 4 line-template default

 

### 2 ###

usergroup XXXX
taskgroup root-system

radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

radius source-interface X vrf Mgmt

aaa group server radius XXXX-RADIUS
server X.X.X.X auth-port XXXX acct-port XXXX
vrf Mgmt
source-interface X

aaa authentication login default group XXXX-RADIUS local
aaa authentication login default local

line default
login authentication default
access-class ingress XXXXXX
transport input ssh

vty-pool default 0 4 line-template default

 

 

Also, the following command is not available, but thanks for suggesting it:

#test aaa group XXXX test test legacy (test / test = dummy user and password)

Let me test the command syntax and get back to you.

 

What is the ASR IOS XR version, and what RADIUS server is this?

BB

Thanks @balaji.bandi!

ASR-9001 running IOS XR Software Version 4.3.0 and a Windows Server 2016 acting as the RADIUS server (NPS).

I really appreciate your help with this!

mareeast
Level 1

Found the issue - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum34024

We got a different error than the one in the document, but after changing the key to be less than 21 characters the issue is gone.
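A small config lint, added here as an example and not taken from the thread or from Cisco, that applies the finding above: it scans the `key` lines under radius-server / server-private statements and flags shared secrets longer than 20 characters, recovering the length of a `key 7` string from the IOS-style type 7 encoding (two-digit seed plus two hex digits per character) without decoding the secret. The 20-character ceiling is assumed from the post, the encoding assumption is noted in the code, and the sample config values are constructed.

```python
import re

# Ceiling the poster arrived at: a shared secret of 21+ characters broke RADIUS
# on this IOS XR release (CSCum34024). The exact limit is an assumption taken
# from the thread, not from Cisco documentation.
MAX_KEY_CHARS = 20

# Matches the "key 7 <hex>" / "key 0 <plain>" / "key <plain>" line that follows
# a radius-server host or server-private statement.
KEY_RE = re.compile(r"^\s*key\s+(?:(?P<type>[07])\s+)?(?P<value>\S+)\s*$")


def key_plaintext_length(ktype, value):
    """Number of characters in the shared secret, without recovering the secret.

    Assumes IOS-style type 7: a two-digit seed followed by two hex digits per
    plaintext character, so the length is visible from the obfuscated string.
    """
    if ktype == "7":
        if len(value) < 4 or len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
            raise ValueError("malformed type-7 string: %r" % value)
        return (len(value) - 2) // 2
    return len(value)


def lint_radius_keys(config_text, limit=MAX_KEY_CHARS):
    """Return (config line number, secret length) for every key longer than limit."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            length = key_plaintext_length(m.group("type"), m.group("value"))
            if length > limit:
                findings.append((n, length))
    return findings


# Constructed sample config; the type-7 hex is made up and encodes no real secret.
SAMPLE_CONFIG = "\n".join([
    "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813",
    " key 7 " + "01" + "AB" * 43,  # 43-character secret: too long
    "aaa group server radius LAB-RADIUS",
    " vrf Mgmt",
    " server-private 192.0.2.11 auth-port 1812 acct-port 1813",
    "  key 0 " + "S" * 22,  # 22-character secret: too long
    " server-private 192.0.2.12 auth-port 1812 acct-port 1813",
    "  key shortsecret16chr",  # 16 characters: within the limit
])

if __name__ == "__main__":
    for line_no, length in lint_radius_keys(SAMPLE_CONFIG):
        print("line %d: shared secret is %d chars (limit %d)" % (line_no, length, MAX_KEY_CHARS))
```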

Oh, good to know. I thought it was a bug that needed checking, but you've got it now.

BB
