05-21-2021 03:58 AM
Hi,
Can you please help me with the required AAA config on XR9k? This is my current config, which is not working (debugs below):
radius source-interface X vrf Mgmt
radius-server vsa attribute ignore unknown
radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa accounting exec default start-stop group XXXX-RADIUS
aaa accounting system default start-stop group XXXX-RADIUS
aaa group server radius X.X.X.X
 vrf Mgmt
 server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
  key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authorization exec default group XXXX-RADIUS local
aaa authentication login default group XXXX-RADIUS local
aaa default-taskgroup root-system
vrf Mgmt
line default
 login authentication default
 access-class ingress XXXXXXXXX
 transport input ssh
vty-pool default 0 4 line-template default
Here is the debug output:
debug aaa comm
RP:May 21 00:34:07.647 : SSHD_[65849]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP:May 21 00:34:07.650 : SSHD_[65849]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP:May 21 00:34:12.974 : devc-vty[181]: Connection Accepted by ACL Source Add X.X.X.X Dest Add X.X.X.X Source Port XXXXX Dest port 22 Acl XXXXXXX
RP:May 21 00:34:13.005 : SSHD_[65849]: Attaching to LWM channel /dev/locald
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.008 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Retriving the connid from message
RP:May 21 00:34:13.008 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.008 : SSHD_[65849]: Size of the reply from the server: 32
RP:May 21 00:34:13.008 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.017 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 0) .....
RP:May 21 00:34:13.020 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.020 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.020 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 1) .....
RP:May 21 00:34:13.022 : locald_DSC[308]: Dumping buffer for MSG recv at locald (IOV 0) .....
RP:May 21 00:34:13.022 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.022 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.022 : locald_DSC[308]: XXXXXXXXXXXXXXXXXXXX
RP:May 21 00:34:13.023 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.023 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.033 : SSHD_[65849]: Received an error reply from the server - error ''LOCALD' detected the 'fatal' condition 'No available method was able to process the request''
RP:May 21 00:34:13.033 : SSHD_[65849]: %SECURITY-SSHD-4-INFO_FAILURE : Failed authentication attempt by user 'xxxxxx' from 'X.X.X.X' on 'vty1'
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.043 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.043 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Size of the reply from the server: 20
I am only able to SSH in with the root user.
Any ideas what could be wrong?
05-21-2021 04:46 AM
Why do you have two different configurations, one using server-private and another using radius-server?
radius source-interface X vrf Mgmt
radius-server vsa attribute ignore unknown
radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa group server radius X.X.X.X
 vrf Mgmt
 server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
You can try testing using:
#test aaa group XXXX test test legacy (test / test = dummy user and password)
If the RADIUS server is reachable you get a failure as below (I did this using TACACS+; it should be the same with RADIUS):
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.
If there is a RADIUS server config issue you get the message below:
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
05-21-2021 09:05 AM - edited 05-21-2021 09:07 AM
Thanks @balaji.bandi
I've tried the configurations below, but still no luck. Am I missing something? All of the other devices are working with RADIUS without issues; only the XR platforms cannot use it for some reason.
### 1 ###
usergroup XXXX
 taskgroup root-system
radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
radius source-interface X vrf Mgmt
aaa authentication login default group radius local
aaa authentication login default local
line default
 login authentication default
 access-class ingress XXXXXX
 transport input ssh
vty-pool default 0 4 line-template default
### 2 ###
usergroup XXXX
 taskgroup root-system
radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
radius source-interface X vrf Mgmt
aaa group server radius XXXX-RADIUS
 server X.X.X.X auth-port XXXX acct-port XXXX
 vrf Mgmt
 source-interface X
aaa authentication login default group XXXX-RADIUS local
aaa authentication login default local
line default
 login authentication default
 access-class ingress XXXXXX
 transport input ssh
vty-pool default 0 4 line-template default
Also the following is not available, but thanks for suggesting:
#test aaa group XXXX test test legacy ( test / test dummy user and password)
05-21-2021 10:02 AM
Let me test the command syntax and get back to you.
What is the ASR IOS XR version, and what RADIUS server is this?
05-25-2021 12:20 AM
Thanks @balaji.bandi!
ASR-9001 running IOS XR Software Version 4.3.0, and a Windows Server 2016 acting as a RADIUS server (NPS).
I really appreciate your help with this!
05-27-2021 04:54 AM
Found the issue - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum34024
We got a different error than the one in the document, but after changing the key to be less than 21 characters the issue is gone.
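A static check that encodes what this thread found: the shared secret had to be shorter than 21 characters, and balaji.bandi's question about the two configurations pointed at server-group definitions not lining up with the method lists that reference them. This is an added example, not code from the thread, from Cisco or from the bug report; it assumes a plain-text IOS XR config and uses constructed sample values (the key blob, addresses and group names are made up).

```python
import re

MAX_KEY_LEN = 20  # the thread's fix: a shared secret shorter than 21 characters
KEY_RE = re.compile(r"^\s*key\s+(?:(\d)\s+)?(\S+)\s*$")
GROUP_DEF_RE = re.compile(r"^\s*aaa group server (?:radius|tacacs\+)\s+(\S+)")
METHOD_RE = re.compile(r"^\s*aaa (authentication|authorization|accounting)\s+(\S+)\s+(\S+)\s+(.*)$")
BUILTIN_GROUPS = {"radius", "tacacs+"}  # usable without an 'aaa group server' block

def plaintext_key_length(enc_type, blob):
    """A type-7 blob is a 2-digit seed plus 2 hex digits per character, so the
    secret's length is known without decoding; type 0 or no type is the secret itself."""
    return max(0, (len(blob) - 2) // 2) if enc_type == "7" else len(blob)

def lint(config_text):
    """Return '<line>: <finding>' strings for an IOS XR AAA/RADIUS config."""
    lines = config_text.splitlines()
    groups = {m.group(1) for m in map(GROUP_DEF_RE.match, lines) if m}
    seen_lists, findings = set(), []
    for num, line in enumerate(lines, 1):
        key = KEY_RE.match(line)
        if key:
            n = plaintext_key_length(key.group(1), key.group(2))
            if n > MAX_KEY_LEN:
                findings.append(f"{num}: shared secret is {n} characters (max {MAX_KEY_LEN})")
            continue
        method = METHOD_RE.match(line)
        if not method:
            continue
        list_id = method.group(1, 2, 3)  # e.g. ('authentication', 'login', 'default')
        if list_id in seen_lists:  # same list name defined a second time
            findings.append(f"{num}: method list {' '.join(list_id)} is defined more than once")
        seen_lists.add(list_id)
        for name in re.findall(r"\bgroup\s+(\S+)", method.group(4)):
            if name not in groups and name not in BUILTIN_GROUPS:
                findings.append(f"{num}: group {name} is not defined by 'aaa group server'")
    return findings

# Constructed sample (values made up): an 88-digit type-7 secret (43 chars decoded),
# a login list naming a misspelled group, and that same list defined twice.
LONG_TYPE7_KEY = "15" + "2E" * 43
SAMPLE_CONFIG = f"""\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
 key 7 {LONG_TYPE7_KEY}
aaa group server radius EXAMPLE-RADIUS
 server 192.0.2.10 auth-port 1812 acct-port 1813
 vrf Mgmt
aaa authentication login default group EXMPLE-RADIUS local
aaa authentication login default local
aaa accounting exec default start-stop group EXAMPLE-RADIUS
"""
```

Running `lint(SAMPLE_CONFIG)` reports the over-long secret on line 2, the undefined group on line 6 and the duplicate login list on line 7; a config with a short `key 0` secret and lists that only reference defined or built-in groups returns no findings.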
05-27-2021 06:19 AM
Oh, good to know. I thought it was a bug that needed checking, but you got it now.