IOS to IOS-XR - radius attribute command translation

Garry Peirce
Level 1

Coming from IOS, looking to implement the following RADIUS commands under IOS-XR and have not found how to do so yet.

Anyone know?

radius-server attribute 6 on-for-login-auth

radius-server attribute 32 include-in-access-req

TIA,

28 Replies

xthuijs
Cisco Employee

Garry,

Both are natively sent in XR; you don't need to specify that explicitly (fortunately).

Here is an example access-request from 9K/XR:

Mon Dec  3 09:44:18 2012: [7068] message received from 3.0.0.233/55223.37 code=1, length=264

Mon Dec  3 09:44:18 2012: [7068] Cisco-avpair = "if-handle=52512"

Mon Dec  3 09:44:18 2012: [7068] Cisco-avpair = "client-mac-address=0019.2f43.9a38"

Mon Dec  3 09:44:18 2012: [7068] NAS-Port = 67109347

Mon Dec  3 09:44:18 2012: [7068] NAS-Port-Id = "."

Mon Dec  3 09:44:18 2012: [7068] Vendor-Specific-9-2 = "."

Mon Dec  3 09:44:18 2012: [7068] User-Name = "dialer"

Mon Dec  3 09:44:18 2012: [7068] Service-Type = Framed-User

Mon Dec  3 09:44:18 2012: [7068] CHAP-Password = "\237>\274\376\2724Z_D\037\0322\315\363]\330\267"

Mon Dec  3 09:44:18 2012: [7068] CHAP-Challenge = "\222^N.*VF\230F\257*:\261\310R\377"

Mon Dec  3 09:44:18 2012: [7068] Acct-Session-Id = "0000007f"

Mon Dec  3 09:44:18 2012: [7068] Unknown-196 = "\000\000\000A"

Mon Dec  3 09:44:18 2012: [7068] Cisco-avpair = "connect-progress=LCP Open"

Mon Dec  3 09:44:18 2012: [7068] Framed-Protocol = PPP

Mon Dec  3 09:44:18 2012: [7068] Cisco-avpair = "parent-if-handle=1248"

Mon Dec  3 09:44:18 2012: [7068] NAS-Port-Type = 36

Mon Dec  3 09:44:18 2012: [7068] Event-Timestamp = 1354546634

Mon Dec  3 09:44:18 2012: [7068] NAS-Identifier = "A9K-BNG"

Mon Dec  3 09:44:18 2012: [7068] NAS-IP-Address = 3.0.0.233

Xander

Principal Engineer, ASR9000

Cisco Systems

Hm - thanks Xander.

I posted the note as I noticed the incoming REQ looked much different.

I'm seeing this minimal REQ from my 9001 running 4.2.3 for router VTY access.

I'm using Radiator as a server.

I edited the Calling-Station-Id and User-Password fields below for privacy.

Code:       Access-Request

Identifier: 46

Authentic:  <0><0><4><143>cerrno/libra

Attributes:

        User-Name = "test"

        NAS-IP-Address = 10.10.10.3

        NAS-Port = 130

        NAS-Port-Type = Virtual

        Calling-Station-Id = ""

        User-Password =

Aha! Garry, I missed the fact that you were referencing an exec login.

I see the same issue. It is a miss. We should include service-type hands down, and nas-identifier would be nice to have as well.

I am checking in with our AAA development for XR to see if this is already recognized as a known issue, and if not I will file a ddts to have this corrected.

I don't believe this should be knobbed (like IOS); it should just be inserted regardless.

If you don't hear from me by Friday, please send me a reminder and I will let you know the ddts ID that we'll use for tracking. You can use your account team and TAC then to follow up for integration and status.

Sounds good?

thanks

Xander

Principal Engineer, ASR9000

Cisco Systems
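The exchange above is about which attributes an exec-login Access-Request carries. As an added worked example (not code from this thread, from Cisco or from Radiator), the Python below builds a packet shaped like the minimal Radiator dump Garry posted, hides the User-Password the way RFC 2865 section 5.2 prescribes, parses the datagram back with the bounds checks a server needs on attribute lengths, and reports which of the two attributes Xander says should be present (Service-Type 6 and NAS-Identifier 32) are missing. The shared secret, the Request Authenticator, the password and the Calling-Station-Id value are all made up for the demo; Garry redacted the real ones.

```python
import hashlib
import struct

# Attribute numbers from RFC 2865 (only those that appear in this thread).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 6, 31, 32, 61
ACCESS_REQUEST = 1
LOGIN_USER = 1               # Service-Type value for an exec / VTY login
NAS_PORT_TYPE_VIRTUAL = 5    # what the Radiator dump decodes as "Virtual"

# Constructed demo values; a real NAS uses its configured secret and 16 random octets.
SECRET = b"demo-shared-secret"
AUTHENTICATOR = bytes(range(16))


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 5.2: zero-pad to a multiple of 16
    octets, XOR each chunk with MD5(secret + previous chunk), where the first
    "previous chunk" is the Request Authenticator."""
    padded_len = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """RADIUS header (code, id, length, authenticator) followed by TLV attributes."""
    body = b"".join(bytes((atype, 2 + len(val))) + val for atype, val in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Parse header and attributes, rejecting truncated or overlapping TLVs."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


# The two attributes Xander says an exec-login Access-Request should carry.
EXEC_EXPECTED = {SERVICE_TYPE: "Service-Type", NAS_IDENTIFIER: "NAS-Identifier"}


def missing_for_exec(attrs):
    present = {atype for atype, _ in attrs}
    return [name for atype, name in EXEC_EXPECTED.items() if atype not in present]


def minimal_request():
    """Approximation of the minimal request in the Radiator dump:
    User-Name test, NAS 10.10.10.3, NAS-Port 130, NAS-Port-Type Virtual."""
    attrs = [
        (USER_NAME, b"test"),
        (NAS_IP_ADDRESS, bytes([10, 10, 10, 3])),
        (NAS_PORT, struct.pack("!I", 130)),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        (CALLING_STATION_ID, b"192.0.2.10"),   # constructed; redacted in the post
        (USER_PASSWORD, hide_password(b"s3cret!", SECRET, AUTHENTICATOR)),
    ]
    return build_packet(ACCESS_REQUEST, 46, AUTHENTICATOR, attrs)


def fixed_request():
    """The same request with the attributes the fix is expected to add."""
    _, ident, auth, attrs = parse_packet(minimal_request())
    attrs += [(SERVICE_TYPE, struct.pack("!I", LOGIN_USER)),
              (NAS_IDENTIFIER, b"A9K-BNG")]
    return build_packet(ACCESS_REQUEST, ident, auth, attrs)


if __name__ == "__main__":
    for label, pkt in (("observed", minimal_request()), ("with fix", fixed_request())):
        print(label, "- missing:", missing_for_exec(parse_packet(pkt)[3]) or "none")
```

Run as a script it prints the two missing attribute names for the observed request and "none" for the fixed one. The length checks in parse_packet matter on a real server: an attribute whose length byte runs past the datagram is the classic RADIUS parser bug, and Radiator's dump above only shows what it managed to decode.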

Xander,

Appreciate the quick verification and avoiding having to work through a TAC case.

I'm just getting used to IOS-XR, but might the resolution arrive in an XR module, and perhaps more quickly than awaiting it to be folded into a maintenance release? Either way sounds good, and thanks again.

Garry,

Let me see what the scoop on this is from a code perspective, so I can advise better on what the next course of action is.

If this is a show stopper for your deployment, we have a concept of a "SMU" (software maintenance update), which is a package that you can apply to your existing release. So you don't have to go through another certification cycle.

Depending on the deployment, timelines, schedules, code complexity etc., we can make something work.

Let's sync up in a few days when I know more and I can advise the right course of action.

If we do go down the SMU path, we may need a TAC case for reference/linkage, but I'll talk you through that as we go.

Also, if you are new(er) to XR and you like to read up more on this, I have a few white papers that you may like on XR and ASR9000: https://supportforums.cisco.com/docs/DOC-22848, check out the linked documents for more info on route scale, loadbalancing, EVC, L2, L3 etc.

cheers

Xander

Principal Engineer, ASR9000

Cisco Systems

Xander,

Curious if you've had any developer response yet. It's not a show-stopper per se, as local accounts can be used, but I prefer things to be in line with other authentication as these boxes roll into production.

I'm familiar with SMU, but have not loaded any outside the main image yet.

Garry, I had requested your SEs to contact you with the latest info since I didn't have your email, but

the last status is that I have a DDTS for you: CSCud59174: Access-request missing service-type for exec authentication

That is slated for XR 4.3.1.

regards

xander

Xander,

Here in April, I'm actually still awaiting code containing the resolution of this RADIUS bug.

Any sense of when we'll see 4.3.1 or 4.3.2?

There still doesn't appear to be an SMU for it either unless I'm missing it.

thanks for any info,

Garry, I guess your account team failed to update you, as I had requested them to.

When you raised the issue I filed a ddts and fixed it for XR 4.3.1.

That release is due this month. So when you pick up that release, your fix will be in there:

CSCud59174 http://wwwin.cisco.com/ops/infra/pds/cbms/cdets/legend.shtml Access-request missing service-type for exec authentication

xander

great, thanks for the update.

Hi Xander, how are you doing...

I have some questions about the access-request from the 9K you showed.

I have been analyzing the following.

The NAS-Port value 67109347 in binary is 00000100000000000000000111100011,

where, in case the NAS-Port-Type were 5, I would assume the following correlation:

  for NAS-Port-Type = 5 (Virtual):

    slot:     0      0000
    subslot:  0      0
    port:     4      100
    svlan:    0      00000000
    cvlan:    483    0000000111100011

and in case the NAS-Port-Type were 15, I would assume this correlation:

  for NAS-Port-Type = 15 (Ethernet):

    slot:     0      0000
    subslot:  0      0
    port:     4      100
    vp:       0      000000000000
    vc:       483    000111100011

So, my question is: was the original test made on port 0/0/4?

If the answer to this is negative, could you show me the format that you configured for NAS-Port-Type 36?

Thanks.

Regards,

Javier

@umpri

xthuijs
Cisco Employee

Hey Javier,

the config used for that example was:

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

Interface:                Bundle-Ether100.30.pppoe788

Nas-Port:                 67109348

User name:                dialer

S S A A P P P P Q Q Q Q Q Q Q Q Q Q V V V V V V V V V V U U U U

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 1 0 0

(the formatting is not coming out too nicely)

U = 0100 = 4

V = 11110 = 30

Q = 0 = 0

P = 0100 = 4

A = 0 = 0

S = 0 = 0

U = sessionID = 788 = 1100010100 (only last 4 bits used in this format)

V = vlan = 30 = 11110 (matches)

P = port = 4, the 4th bundle ether configured:

interface Bundle-Ether100.2

interface Bundle-Ether100.10

interface Bundle-Ether100.20

interface Bundle-Ether100.30 <<

interface Bundle-Ether100.50

interface Bundle-Ether100.100

slot = 0 (RSP based session, bundle ether)

adapter = 0 (RSP based session, bundle ether)

I noticed an issue here btw: the Q is not filled out properly with the outer VLAN...

xander
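Both the layouts Javier assumed and the `format e` string Xander quotes are the same thing: a 32-bit NAS-Port split into contiguous bit fields, most significant bit first, one letter per bit. As an added example (not code from this thread or from Cisco), the Python below decodes a NAS-Port integer against any such format string, encodes the reverse direction, and flags fields whose value does not fit their width, which is the session-id case Xander notes (788 needs 10 bits, U only has 4, so only the low 4 bits survive). FORMAT_E is the string from the post above; FORMAT_VIRTUAL and FORMAT_ETHERNET are Javier's assumed layouts for port types 5 and 15 written in the same notation, and are his assumptions, not documented XR formats.

```python
import re

# Format strings as in "aaa radius attribute nas-port format e <string>":
# each run of one letter is a bit field, MSB first, 32 bits in total.
FORMAT_E = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"  # slot, adapter, port, outer vlan, inner vlan, session (from the post)
FORMAT_VIRTUAL = "SSSSAPPPQQQQQQQQCCCCCCCCCCCCCCCC"   # Javier's assumed type-5 layout: slot, subslot, port, svlan, cvlan
FORMAT_ETHERNET = "SSSSAPPPVVVVVVVVVVVVCCCCCCCCCCCC"  # Javier's assumed type-15 layout: slot, subslot, port, vp, vc


def field_layout(fmt, width=32):
    """Return [(letter, shift, bits)] for each run of identical letters in fmt,
    where shift is the position of the field's least significant bit."""
    if len(fmt) != width:
        raise ValueError("format must be exactly %d characters, got %d" % (width, len(fmt)))
    layout, seen = [], set()
    for m in re.finditer(r"(.)\1*", fmt):
        letter, bits = m.group(1), m.end() - m.start()
        if letter in seen:
            raise ValueError("field %r appears in two separate runs" % letter)
        seen.add(letter)
        layout.append((letter, width - m.end(), bits))
    return layout


def decode_nas_port(value, fmt, width=32):
    """Split an integer NAS-Port into {letter: field value} according to fmt."""
    if not 0 <= value < (1 << width):
        raise ValueError("value %d does not fit in %d bits" % (value, width))
    return {letter: (value >> shift) & ((1 << bits) - 1)
            for letter, shift, bits in field_layout(fmt, width)}


def encode_nas_port(fields, fmt, width=32):
    """Inverse of decode_nas_port.  Raises instead of silently truncating a
    value that overflows its field; missing fields are taken as 0."""
    value = 0
    for letter, shift, bits in field_layout(fmt, width):
        v = fields.get(letter, 0)
        if not 0 <= v < (1 << bits):
            raise ValueError("%s=%d does not fit in %d bits" % (letter, v, bits))
        value |= v << shift
    return value


def truncated_fields(fields, fmt, width=32):
    """Letters whose value would lose high bits if encoded with fmt."""
    return [letter for letter, _, bits in field_layout(fmt, width)
            if fields.get(letter, 0) >= (1 << bits)]


def bit_string(value, width=32):
    """The MSB-first binary rendering used in the thread, for eyeballing."""
    return format(value, "0%db" % width)


if __name__ == "__main__":
    # Xander's session: NAS-Port 67109348 on Bundle-Ether100.30.pppoe788.
    print(bit_string(67109348), decode_nas_port(67109348, FORMAT_E))
    # Javier's reading of 67109347 under his two assumed layouts.
    print(decode_nas_port(67109347, FORMAT_VIRTUAL))
    print(decode_nas_port(67109347, FORMAT_ETHERNET))
    # The session id 788 cannot be carried in a 4-bit U field.
    print("truncated:", truncated_fields({"P": 4, "V": 30, "U": 788}, FORMAT_E))
```

Decoding 67109348 with FORMAT_E gives S=0, A=0, P=4, Q=0, V=30, U=4, matching the hand decode above; decoding 67109347 with Javier's type-5 string gives port 4 and cvlan 483, which is the correlation he wrote out. The encoder refusing U=788 is the point of the last line: when a field is narrower than the identifier it is meant to carry, the NAS-Port value the RADIUS server sees is not unique per session, so anything keyed on it (accounting correlation, CoA targeting, per-port policy) has to use another attribute instead.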

Hi Alexander Thuijis,

I would like to ask one question related to RADIUS while reading through this discussion. In ASR 9000 XR, are any commands available to configure generic authentication parameters for clients using 802.1x EAPOL?

Unfortunately, a9k doesn't do dot1x or EAP.

xander
