[c-nsp] Cisco ASR 9k and Windows RADIUS server

Pshem Kowalczyk pshem.k at gmail.com
Thu May 5 07:11:21 EDT 2016


Just a suggestion. I've seen something similar with SNMP communities in XR
- try prepending all 'special' characters in the secret with a backslash
'\' in the configuration.

kind regards
Pshem


On Thu, 5 May 2016 at 22:51 David Wilkinson <cisco-nsp at noroutetohost.net>
wrote:

> On 04/05/2016 07:37, Ulrik Ivers wrote:
> > Hi David,
> >
> > Has the exact same config, including the shared secret, ever worked?
> > With another RADIUS server?
> >
> > I ask because we had a similar problem getting Radius to work with our
> > ASR 9001 when they were first deployed. Don't remember if we saw any errors
> > on the Radius server though.
> >
> > Root cause - we used a shared secret longer than 22 characters. The ASR
> > happily accepted the config, but it didn't work.
> >
> > IOS XR 4.3
> >
> > Regards,
> > /Ulrik
>
> Each device has its own shared secret, apart from the shared secret it
> is setup the same way as the other devices. However this is the first IOS XR
> device we have trying to talk to the RADIUS server.
> The shared secret isn't longer than 22 characters, however it does have
> symbols in it, I will try without and see if that is the issue.
>
> On 04/05/2016 10:38, Kimaru Mansour wrote:
> > Hi,
> >
> > Having same issue myself. Also noticed the malformed packet messages.
> > We in fact placed a FreeRADIUS implementation in front of the Windows
> > Server as a proxy to forward requests between RADIUS client and
> > Windows RADIUS server. Our key is also shorter than 22 chars so that
> > doesn't seem to be it. Same setup is working fine with IOS XE and
> > classic IOS based RADIUS client so I am also looking forward to read
> > if anyone else has gotten this working for IOS XR and Windows RADIUS.
> > One difference I noticed is that the Auth-Req message does differ
> > between IOS XR and IOS XE with regard to the AV pairs sent, but I
> > seem to have misplaced the pcaps.
> >
> > Br,
> >
> > Kimaru
>
> Here are the Auth-Req messages from dumps I did
> IOS XR
>
> Radius Protocol
>      Code: Access-Request (1)
>      Packet identifier: 0x18 (24)
>      Length: 113
>      Authenticator: <removed>
>      Attribute Value Pairs
>          AVP: l=17  t=User-Name(1): <removed>
>              User-Name: <removed>
>          AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
>              NAS-IP-Address: 0.0.0.0 (0.0.0.0)
>          AVP: l=22  t=NAS-IPv6-Address(95):
>          AVP: l=6  t=NAS-Port(5): 130
>              NAS-Port: 130
>          AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>              NAS-Port-Type: Virtual (5)
>          AVP: l=6  t=Service-Type(6): Login(1)
>              Service-Type: Login (1)
>          AVP: l=12  t=Calling-Station-Id(31): <removed>
>              Calling-Station-Id: <removed>
>          AVP: l=18  t=User-Password(2):  Encrypted
>              User-Password (encrypted): <removed>
>
>
> Classic IOS.
>
> Radius Protocol
>      Code: Access-Request (1)
>      Packet identifier: 0xe6 (230)
>      Length: 79
>      Authenticator: <removed>
>      Attribute Value Pairs
>          AVP: l=17  t=User-Name(1): <removed>
>              User-Name: <removed>
>          AVP: l=18  t=User-Password(2): Encrypted
>              User-Password (encrypted): <removed>
>          AVP: l=6  t=NAS-Port(5): 1
>              NAS-Port: 1
>          AVP: l=6  t=NAS-Port-Id(87): tty1
>              NAS-Port-Id: tty1
>          AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>              NAS-Port-Type: Virtual (5)
>          AVP: l=6  t=NAS-IP-Address(4): <removed>
>              NAS-IP-Address: <removed> (<removed>)
>
> On 04/05/2016 11:28, Mick O'Rourke wrote:
> >
> > Working on XR 4.3.2 with Microsoft NPS/Radius here.
> >
> > The only special config required was on the NPS side: an attribute
> > specifying the IOS XR task group.
> > Nothing special was required on the XR side - your config looks very
> > similar to what we use.
> >
> > Mick
> >
> >
>
> We are using XR 5.3.3, I wonder if they changed something between 4.x
> and 5.x which broke it with Microsoft NPS.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
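Added example, not from any poster in this thread: a small RADIUS Access-Request AVP checker that walks the attribute list and flags fixed-size attributes whose length does not match RFC 2865 / RFC 3162, which is the first thing worth checking when a server logs "malformed packet". The IOS XR dump above shows NAS-IPv6-Address(95) with l=22 where RFC 3162 defines that attribute as 18 bytes, and NAS-IP-Address 0.0.0.0; the sample packet below is constructed to mirror that dump's attribute order and lengths (Length: 113) with placeholder values.

```python
import struct

# Attribute names, and the total lengths (type + length + value) the RFCs fix:
# RFC 2865 4/5/6/61 = 6 bytes (4-byte values), RFC 3162 NAS-IPv6-Address(95) = 18.
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
         87: "NAS-Port-Id", 95: "NAS-IPv6-Address"}
FIXED_LEN = {4: 6, 5: 6, 6: 6, 61: 6, 95: 18}

def parse_avps(pkt):
    # Returns (avps, problems): avps is a list of (name, raw value) in packet order.
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("header says %d bytes, got %d" % (length, len(pkt)))
    avps, problems, pos = [], [], 20  # 20 = code, id, length, 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            problems.append("dangling byte at offset %d" % pos)
            break
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            problems.append("type %d at offset %d: impossible length %d" % (t, pos, l))
            break
        name, value = NAMES.get(t, "Attr-%d" % t), pkt[pos + 2:pos + l]
        if t in FIXED_LEN and l != FIXED_LEN[t]:
            problems.append("%s: l=%d but RFC fixes it at %d" % (name, l, FIXED_LEN[t]))
        if t == 4 and value == bytes(4):
            problems.append("NAS-IP-Address is 0.0.0.0 (no usable NAS address sent)")
        avps.append((name, value))
        pos += l
    return avps, problems

def avp(t, value):
    return bytes([t, 2 + len(value)]) + value

def build_request(ident, authenticator, avps):
    body = b"".join(avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

# Constructed sample mirroring the IOS XR dump (Length: 113); all values are placeholders.
XR_SAMPLE = build_request(0x18, bytes(16), [
    avp(1, b"x" * 15),                 # User-Name, l=17
    avp(4, bytes(4)),                  # NAS-IP-Address 0.0.0.0, l=6
    avp(95, bytes(20)),                # NAS-IPv6-Address with l=22 (RFC 3162 says 18)
    avp(5, struct.pack("!I", 130)),    # NAS-Port 130
    avp(61, struct.pack("!I", 5)),     # NAS-Port-Type Virtual(5)
    avp(6, struct.pack("!I", 1)),      # Service-Type Login(1)
    avp(31, b"x" * 10),                # Calling-Station-Id, l=12
    avp(2, bytes(16)),                 # User-Password, l=18 (16-byte hidden block)
])
```

Running `parse_avps(XR_SAMPLE)` reports the two findings above; feed it the raw UDP payload from a real capture to check the live device's request the same way.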
