05-21-2021 03:58 AM
Hi,
Can you please help me with the required AAA config on XR9k. This is my current config which is not working (debugs below):
radius source-interface X vrf Mgmt
radius-server vsa attribute ignore unknown
radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa accounting exec default start-stop group XXXX-RADIUS
aaa accounting system default start-stop group XXXX-RADIUS
aaa group server radius X.X.X.X
vrf Mgmt
server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authorization exec default group XXXX-RADIUS local
aaa authentication login default group XXXX-RADIUS local
aaa default-taskgroup root-system
vrf Mgmt
line default
login authentication default
access-class ingress XXXXXXXXX
transport input ssh
vty-pool default 0 4 line-template default
Here is the debug output:
debug aaa comm
RP:May 21 00:34:07.647 : SSHD_[65849]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP:May 21 00:34:07.650 : SSHD_[65849]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP:May 21 00:34:12.974 : devc-vty[181]: Connection Accepted by ACL Source Add X.X.X.X Dest Add X.X.X.X Source Port XXXXX Dest port 22 Acl XXXXXXX
RP:May 21 00:34:13.005 : SSHD_[65849]: Attaching to LWM channel /dev/locald
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.008 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.008 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.008 : SSHD_[65849]: Retriving the connid from message
RP:May 21 00:34:13.008 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.008 : SSHD_[65849]: Size of the reply from the server: 32
RP:May 21 00:34:13.008 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.017 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.017 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 0) .....
RP:May 21 00:34:13.020 : locald_DSC[308]: Dumping buffer for MSG sent from locald (IOV 1) .....
RP:May 21 00:34:13.022 : locald_DSC[308]: Dumping buffer for MSG recv at locald (IOV 0) .....
RP:May 21 00:34:13.023 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.023 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.033 : SSHD_[65849]: Received an error reply from the server - error ''LOCALD' detected the 'fatal' condition 'No available method was able to process the request''
RP:May 21 00:34:13.033 : SSHD_[65849]: %SECURITY-SSHD-4-INFO_FAILURE : Failed authentication attempt by user 'xxxxxx' from 'X.X.X.X' on 'vty1'
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending message, allocating memory for reply
RP:May 21 00:34:13.043 : SSHD_[65849]: Filling in the reply iov structure
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the connection ID in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the LWM type in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Setting the reply buffer size in the message header
RP:May 21 00:34:13.043 : SSHD_[65849]: Sending the message to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Message successfully sent to the server
RP:May 21 00:34:13.043 : SSHD_[65849]: The message swapped successfully with the AAA server
RP:May 21 00:34:13.043 : SSHD_[65849]: Received a normal reply from the server
RP:May 21 00:34:13.043 : SSHD_[65849]: Size of the reply from the server: 20
I am only able to ssh with the root user
Any ideas what could be wrong?
05-21-2021 04:46 AM
Why do you have 2 different configurations: one uses server-private and the other radius-server?
radius source-interface X vrf Mgmt
radius-server vsa attribute ignore unknown
radius-server host X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa group server radius X.X.X.X
vrf Mgmt
server-private X.X.X.X auth-port X.X.X.X acct-port X.X.X.X
Try testing using:
#test aaa group XXXX test test legacy ( test / test dummy user and password)
If the Radius server is reachable you get a failure as below (I did this using TACACS; it should be the same with radius):
Attempting authentication test to server-group tacacs+ using tacacs+
User authentication request was rejected by server.
If there is a radius server config issue you get the message below:
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
05-21-2021 09:05 AM - edited 05-21-2021 09:07 AM
Thanks @balaji.bandi
I've tried with the configuration below, but still no luck .... Am I missing something? All of the other devices are working with Radius without issues, only the XR platforms cannot use it for some reason...
### 1 ###
usergroup XXXX
taskgroup root-system
radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
radius source-interface X vrf Mgmt
aaa authentication login default group radius local
aaa authentication login default local
line default
login authentication default
access-class ingress XXXXXX
transport input ssh
vty-pool default 0 4 line-template default
### 2 ###
usergroup XXXX
taskgroup root-system
radius-server host X.X.X.X auth-port XXXX acct-port 1XXXX
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
radius source-interface X vrf Mgmt
aaa group server radius XXXX-RADIUS
server X.X.X.X auth-port XXXX acct-port XXXX
vrf Mgmt
source-interface X
aaa authentication login default group XXXX-RADIUS local
aaa authentication login default local
line default
login authentication default
access-class ingress XXXXXX
transport input ssh
vty-pool default 0 4 line-template default
Also the following is not available, but thanks for suggesting:
#test aaa group XXXX test test legacy ( test / test dummy user and password)
05-21-2021 10:02 AM
Let me test the command syntax and get back to you. What is the ASR IOS XR version, and what Radius is this?
05-25-2021 12:20 AM
Thanks @balaji.bandi!
ASR-9001 running IOS XR Software Version 4.3.0 and a Windows Server 2016 acting as a Radius server (NPS)
I really appreciate your help with this!
05-27-2021 04:54 AM
Found the issue - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum34024
We got a different error than the one in the document, but after changing the key to be less than 21 characters the issue is gone.
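As an added example (not from this thread or from Cisco), the small linter below checks an IOS XR AAA snippet for the two things discussed above: a RADIUS shared secret longer than 20 characters (the workaround that fixed this case), inferred from the type-7 string length without decoding it, and an authentication method list that names a server group the config never defines. The config text, addresses and key string are constructed.

```python
import re

# Constructed IOS XR AAA snippet modelled on the thread, with made-up values:
# a type-7 key that hides more than 20 plaintext characters, and a method
# list pointing at a group name that is never defined.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
 key 7 0822455D0A16544541595B1A0F1E0E0B1E1C0D0A1C1D1D1D0B0F1A1B0B0D
aaa group server radius LAB-RADIUS
 vrf Mgmt
 server-private 192.0.2.10 auth-port 1812 acct-port 1813
  key 7 0822455D0A16544541595B1A0F1E0E0B1E1C0D0A1C1D1D1D0B0F1A1B0B0D
aaa authentication login default group CORP-RADIUS local
"""

MAX_KEY_CHARS = 20  # the thread's workaround: keep the secret under 21 chars


def type7_plaintext_len(encoded: str) -> int:
    """Secret length behind a Cisco type-7 string, without decoding it.

    Type 7 stores a two-digit seed followed by two hex digits per plaintext
    character, so the plaintext length follows from the encoded length.
    """
    return (len(encoded) - 2) // 2


def lint_aaa(config: str) -> list[str]:
    """Return human-readable findings for the AAA snippet."""
    findings = []
    groups, referenced = set(), set()
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"key (\d) (\S+)", line)
        if m:
            enc_type, value = m.groups()
            length = type7_plaintext_len(value) if enc_type == "7" else len(value)
            if length > MAX_KEY_CHARS:
                findings.append(f"line {lineno}: shared secret is {length} chars (limit {MAX_KEY_CHARS})")
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            groups.add(m.group(1))
        m = re.match(r"aaa authentication login \S+ group (\S+)", line)
        if m and m.group(1) != "radius":  # 'radius' is the built-in group
            referenced.add(m.group(1))
    for name in sorted(referenced - groups):
        findings.append(f"method list references undefined server group {name!r}")
    return findings
```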
05-27-2021 06:19 AM
Oh, good to know. I thought it was a bug I needed to check, but you got it now.