[c-nsp] Cisco ASR 9k and Windows RADIUS server

David Wilkinson cisco-nsp at noroutetohost.net
Tue May 3 19:30:31 EDT 2016


Hi,

We have a RADIUS server running on Windows Server 2008. It currently 
handles the logins for our network devices, a mixture of Cisco IOS, 
NX-OS and Dell F10 blade switches and this has been working fine.
When I went to set up our new ASR 9006 routers to the RADIUS server it 
was failing to authorise the users. On further inspection the RADIUS 
server had the following in the logs.
"A malformed RADIUS message was received from client <device>. The data 
is the RADIUS message."
From what I can tell via tcpdump the RADIUS packets look OK and don't 
seem to be malformed. I assume the Windows RADIUS server doesn't like 
one of the options IOS-XR is sending it.

Before I build a FreeRADIUS server to sit in front of LDAP for auth, I 
was wondering if anyone had got IOS-XR working with a Windows RADIUS 
server and if there was any special configuration needed?

Below is a copy of the RADIUS config and "show radius" output.

Thanks

David



Router config

radius-server host <server 1> auth-port 1812 acct-port 1813
  key 7 <key>
!
radius-server host <server 2> auth-port 1812 acct-port 1813
  key 7 <key>
!
!
aaa group server radius radservers
  server <server 1> auth-port 1812 acct-port 1813
  server <server 2> auth-port 1812 acct-port 1813
  vrf mgmt
!
aaa authorization exec default local group radservers
aaa authentication login default local group radservers

#show radius
Server: <server 1>/1812/1813  is UP
   Address family: IPv4
   Total Deadtime: 0s Last Deadtime: 0s
   Timeout: 5 sec, Retransmit limit: 3
   Quarantined: No
   Authentication:
     81 requests, 0 pending, 0 retransmits
     0 accepts, 0 rejects, 0 challenges
     81 timeouts, 0 bad responses, 0 bad authenticators
     0 unknown types, 0 dropped, 0 ms latest rtt
     Throttled: 0 transactions, 0 timeout, 0 failures
     Estimated Throttled Access Transactions: 0
     Maximum Throttled Access Transactions: 0

     Automated TEST Stats:
         0 requests, 0 timeouts, 0 response, 0 pending
   Accounting:
     0 requests, 0 pending, 0 retransmits
     0 responses, 0 timeouts, 0 bad responses
     0 bad authenticators, 0 unknown types, 0 dropped
     0 ms latest rtt
     Throttled: 0 transactions, 0 timeout, 0 failures
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Accounting Transactions: 0

     Automated TEST Stats:
         0 requests, 0 timeouts, 0 response, 0 pending
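
One way to test a captured Access-Request against the structural rules of RFC 2865, as an added example that is not part of the original post. It cannot say which rule the Windows server applied; the function names and sample packets are constructed for illustration.

```python
import struct

KNOWN_CODES = {1, 2, 3, 4, 5, 11}   # RFC 2865/2866 packet codes
USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 2, 4, 32

def check_radius(payload: bytes) -> list:
    """Return RFC 2865 structural problems found in one UDP payload."""
    if len(payload) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    problems = [] if code in KNOWN_CODES else [f"unknown code {code}"]
    if not 20 <= length <= 4096:
        return problems + [f"Length field {length} outside 20..4096"]
    if length > len(payload):
        return problems + [f"Length field {length} exceeds payload {len(payload)}"]
    seen, pos = set(), 20          # octets past Length are padding, ignored
    while pos < length:
        if length - pos < 2:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append(f"attribute {atype} at offset {pos}: bad length {alen}")
            break
        vlen = alen - 2
        if atype == USER_PASSWORD and (vlen % 16 or not 16 <= vlen <= 128):
            problems.append(f"User-Password value is {vlen} bytes, not 16..128 in steps of 16")
        seen.add(atype)
        pos += alen
    else:  # all attributes parsed cleanly: check Access-Request requirements
        if code == 1 and not seen & {NAS_IP_ADDRESS, NAS_IDENTIFIER}:
            problems.append("Access-Request without NAS-IP-Address or NAS-Identifier")
    return problems

def build(code, attrs, ident=1):
    """Assemble a packet from (type, value) pairs; authenticator is all zeros."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from the capture mentioned in the post.
GOOD = build(1, [(1, b"user1"), (2, bytes(16)), (4, bytes([192, 0, 2, 1]))])
NO_NAS = build(1, [(1, b"user1"), (2, bytes(16))])
SHORT_PW = build(1, [(1, b"user1"), (2, bytes(15)), (4, bytes([192, 0, 2, 1]))])
CUT_OFF = GOOD[:-1]          # datagram one byte shorter than its Length field

if __name__ == "__main__":
    for name in ("GOOD", "NO_NAS", "SHORT_PW", "CUT_OFF"):
        print(name, check_radius(globals()[name]))
```

To use it on real traffic, pass the UDP payload bytes of each request from the capture to `check_radius`.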


