[c-nsp] Cisco ASR 9k and Windows RADIUS server
Ulrik Ivers
ulrik.ivers at excanto.se
Wed May 4 02:37:59 EDT 2016
Hi David,
Has the exact same config, including the shared secret, ever worked? With another RADIUS server?
I ask because we had a similar problem getting Radius to work with our ASR 9001 when they were first deployed. Don't remember if we saw any errors on the Radius server though.
Root cause - we used a shared secret longer than 22 characters. The ASR happily accepted the config, but it didn't work.
IOS XR 4.3
Regards,
/Ulrik
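Added diagnostic, not from this thread or from either poster: a Python check for the two things discussed above, a structurally malformed RADIUS packet and a shared secret the device and the server do not agree on (including the over-long secret Ulrik describes). It assumes the captured Access-Request carries a Message-Authenticator attribute (RFC 2869); the sample packet, its attributes and its secret are constructed here.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type; Access-Request code is 1

def parse_radius(pkt: bytes):
    """Return (code, identifier, attrs, problems); attrs = [(type, offset, value)]."""
    if len(pkt) < 20:
        return None, None, [], ["packet shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    problems, attrs, pos = [], [], 20
    if length != len(pkt) or length > 4096:
        problems.append(f"length field {length} != {len(pkt)} bytes on the wire")
    while pos < len(pkt):
        alen = pkt[pos + 1] if pos + 1 < len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            problems.append(f"attribute at offset {pos} has invalid length {alen}")
            break
        attrs.append((pkt[pos], pos, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs, problems

def check_secret(pkt: bytes, secret: bytes):
    """True/False if the Message-Authenticator (HMAC-MD5 keyed with the shared
    secret over the packet with that attribute zeroed) verifies under `secret`;
    None when the packet is malformed or carries no Message-Authenticator."""
    _, _, attrs, problems = parse_radius(pkt)
    if problems:
        return None
    for atype, pos, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return None

def secret_exceeds_ios_xr_limit(secret: bytes) -> bool:
    """Ulrik's finding above: IOS XR 4.3 accepted a shared secret longer than
    22 characters in the config but could not authenticate with it."""
    return len(secret) > 22

def build_access_request(secret: bytes, ident: int, attrs, authenticator=bytes(16)):
    """Constructed sample Access-Request (not a capture from the thread) carrying a
    valid Message-Authenticator, used to exercise the checks above."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

Feed `check_secret` the raw UDP payload of a request taken from the tcpdump capture together with the secret configured on the server: a `False` result means the two ends disagree on the secret, `None` with `problems` set means the server's "malformed" complaint is about the packet structure itself.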
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Wilkinson
Sent: 4 May 2016 01:31
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASR 9k and Windows RADIUS server
Hi,
We have a RADIUS server running on Windows Server 2008. It currently handles the logins for our network devices, a mixture of Cisco IOS, NX-OS and Dell F10 blade switches and this has been working fine.
When I went to set up our new ASR 9006 routers with the RADIUS server, it was failing to authorise the users. On further inspection, the RADIUS server had the following in the logs.
"A malformed RADIUS message was received from client <device>. The data is the RADIUS message."
From what I can tell via tcpdump, the RADIUS packets look OK and don't seem to be malformed. I assume the Windows RADIUS server doesn't like one of the options IOS-XR is sending it.
Before I build a FreeRADIUS server to sit in front of LDAP for auth, I was wondering if anyone had got IOS-XR working with a Windows RADIUS server and if there was any special configuration needed?
Below is a copy of the RADIUS config and "show radius" output.
Thanks
David
Router config
radius-server host <server 1> auth-port 1812 acct-port 1813
key 7 <key>
!
radius-server host <server 2> auth-port 1812 acct-port 1813
key 7 <key>
!
!
aaa group server radius radservers
server <server 1> auth-port 1812 acct-port 1813
server <server 2> auth-port 1812 acct-port 1813
vrf mgmt
!
aaa authorization exec default local group radservers
aaa authentication login default local group radservers
#show radius
Server: <server 1>/1812/1813 is UP
Address family: IPv4
Total Deadtime: 0s Last Deadtime: 0s
Timeout: 5 sec, Retransmit limit: 3
Quarantined: No
Authentication:
81 requests, 0 pending, 0 retransmits
0 accepts, 0 rejects, 0 challenges
81 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Throttled: 0 transactions, 0 timeout, 0 failures
Estimated Throttled Access Transactions: 0
Maximum Throttled Access Transactions: 0
Automated TEST Stats:
0 requests, 0 timeouts, 0 response, 0 pending
Accounting:
0 requests, 0 pending, 0 retransmits
0 responses, 0 timeouts, 0 bad responses
0 bad authenticators, 0 unknown types, 0 dropped
0 ms latest rtt
Throttled: 0 transactions, 0 timeout, 0 failures
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Accounting Transactions: 0
Automated TEST Stats:
0 requests, 0 timeouts, 0 response, 0 pending
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/