[c-nsp] Cisco ASR 9k and Windows RADIUS server

Kimaru Mansour kimaru at gmail.com
Wed May 4 05:38:20 EDT 2016


Hi,

Having the same issue myself. Also noticed the malformed packet messages. We in
fact placed a FreeRADIUS implementation in front of the Windows Server as a
proxy to forward requests between the RADIUS client and the Windows RADIUS server.
Our key is also shorter than 22 chars, so that doesn't seem to be it. The same
setup is working fine with IOS XE and classic IOS based RADIUS clients, so I
am also looking forward to reading if anyone else has gotten this working for
IOS XR and Windows RADIUS. One difference I noticed is that the Auth-Req
message does differ between IOS XR and IOS XE with regard to the AV pairs
sent, but I seem to have misplaced the pcaps.

Br,

Kimaru

On Wed, May 4, 2016 at 1:30 AM, David Wilkinson <cisco-nsp at noroutetohost.net> wrote:

> Hi,
>
> We have a RADIUS server running on Windows Server 2008. It currently
> handles the logins for our network devices, a mixture of Cisco IOS, NX-OS
> and Dell F10 blade switches and this has been working fine.
> When I went to setup our new ASR 9006 routers to the RADIUS server it was
> failing to authorise the users, on further inspection the RADIUS server had
> the following in the logs.
> "A malformed RADIUS message was received from client <device>. The data is
> the RADIUS message."
> From what I can tell via tcpdump the RADIUS packets look OK and don't seem
> to be malformed. I assume the Windows RADIUS server doesn't like one of the
> options IOS-XR is sending it.
>
> Before I build a FreeRADIUS server to sit in front of LDAP for auth, I was
> wondering if anyone had got IOS-XR working with a Windows RADIUS server and
> if there was any special configuration needed?
>
> Below is copy of the RADIUS config and "show radius" output.
>
> Thanks
>
> David
>
>
>
> Router config
>
> radius-server host <server 1> auth-port 1812 acct-port 1813
>  key 7 <key>
> !
> radius-server host <server 2> auth-port 1812 acct-port 1813
>  key 7 <key>
> !
> !
> aaa group server radius radservers
>  server <server 1> auth-port 1812 acct-port 1813
>  server <server 2> auth-port 1812 acct-port 1813
>  vrf mgmt
> !
> aaa authorization exec default local group radservers
> aaa authentication login default local group radservers
>
> #show radius
> Server: <server 1>/1812/1813  is UP
>   Address family: IPv4
>   Total Deadtime: 0s Last Deadtime: 0s
>   Timeout: 5 sec, Retransmit limit: 3
>   Quarantined: No
>   Authentication:
>     81 requests, 0 pending, 0 retransmits
>     0 accepts, 0 rejects, 0 challenges
>     81 timeouts, 0 bad responses, 0 bad authenticators
>     0 unknown types, 0 dropped, 0 ms latest rtt
>     Throttled: 0 transactions, 0 timeout, 0 failures
>     Estimated Throttled Access Transactions: 0
>     Maximum Throttled Access Transactions: 0
>
>     Automated TEST Stats:
>         0 requests, 0 timeouts, 0 response, 0 pending
>   Accounting:
>     0 requests, 0 pending, 0 retransmits
>     0 responses, 0 timeouts, 0 bad responses
>     0 bad authenticators, 0 unknown types, 0 dropped
>     0 ms latest rtt
>     Throttled: 0 transactions, 0 timeout, 0 failures
>     Estimated Throttled Accounting Transactions: 0
>     Maximum Throttled Accounting Transactions: 0
>
>     Automated TEST Stats:
>         0 requests, 0 timeouts, 0 response, 0 pending
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
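The "show radius" output above reports 81 timeouts with 0 bad responses, which means the server never answered at all rather than rejecting the logins, and the server-side log blames packet structure. When tcpdump says the packets "look OK", the next step is to check them the way a strict RADIUS server does: header length bounds, every attribute's Type/Length pair, and, if the client sends one, the Message-Authenticator HMAC-MD5 against the shared secret. The following checker is an added example written for this thread; it is not code from either poster, Cisco or Microsoft. It builds its own Access-Request packets inline (with a placeholder secret and made-up values), so it runs offline; on a real capture you would feed it the UDP payload bytes from the pcap instead.

```python
"""RFC 2865/2869 RADIUS Access-Request structure checker (added example).

Walks the attribute list like a strict server would and, when attribute 80
(Message-Authenticator) is present, recomputes the HMAC-MD5 over the packet
with the shared secret. Every packet used here is constructed in this file.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type(1) Length(1, counting these two header bytes) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, nas_ip: str,
                         ident: int = 1, authenticator: bytes | None = None) -> bytes:
    """Build a minimal, well-formed Access-Request carrying a Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)          # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # RFC 2869: the HMAC is computed with the Message-Authenticator value zeroed
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def check_radius_packet(pkt: bytes, secret: bytes | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the packet parses cleanly."""
    problems: list[str] = []
    if len(pkt) < 20:
        return ["packet shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096:
        problems.append(f"declared length {length} outside RFC 2865 bounds 20..4096")
    if length > len(pkt):
        problems.append(f"declared length {length} exceeds the {len(pkt)} bytes on the wire")
    # Octets beyond the declared length are padding and must be ignored (RFC 2865)
    body = pkt[20:min(length, len(pkt))]
    off = 0
    mac_offset = None
    while off < len(body):
        if off + 2 > len(body):
            problems.append(f"attribute header truncated at offset {20 + off}")
            break
        atype, alen = body[off], body[off + 1]
        if alen < 2:
            problems.append(f"attribute {atype} at offset {20 + off} has length {alen} (< 2)")
            break
        if off + alen > len(body):
            problems.append(f"attribute {atype} at offset {20 + off} runs past the packet end")
            break
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                problems.append(f"Message-Authenticator length {alen}, expected 18")
            mac_offset = 20 + off
        off += alen
    # Only verify the HMAC on a structurally sound packet with a known secret
    if mac_offset is not None and secret is not None and not problems:
        zeroed = bytearray(pkt[:length])
        zeroed[mac_offset + 2:mac_offset + 18] = b"\x00" * 16
        expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(expected, pkt[mac_offset + 2:mac_offset + 18]):
            problems.append("Message-Authenticator does not verify with this shared secret")
    return problems


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # placeholder, not a real key
    good = build_access_request(secret, "netops", "192.0.2.10")
    print("well-formed:", check_radius_packet(good, secret) or "OK")
    print("wrong secret:", check_radius_packet(good, b"other-secret"))
    print("truncated:", check_radius_packet(good[:-5], secret))
```

The three branches matter for triage: an empty result with the right secret points away from the client's attribute encoding; a Message-Authenticator failure alone says the packet is structurally fine and the problem is the key (or how it was entered on either side); any structural finding names the exact attribute and offset to compare between the IOS XR and IOS XE captures that Kimaru mentions.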

