[c-nsp] Cisco ASR 9k and Windows RADIUS server

Mick O'Rourke mkorourke at gmail.com
Wed May 4 06:28:02 EDT 2016


Working on XR 4.3.2 with Microsoft NPS/Radius here.

The only special config required was on the NPS side: an attribute
specifying the IOS XR IE task group.
Nothing special was required on the XR side - your config looks very
similar to what we use.

Mick
On 4 May 2016 09:31, "David Wilkinson" <cisco-nsp at noroutetohost.net> wrote:

> Hi,
>
> We have a RADIUS server running on Windows Server 2008. It currently
> handles the logins for our network devices, a mixture of Cisco IOS, NX-OS
> and Dell F10 blade switches and this has been working fine.
> When I went to set up our new ASR 9006 routers to the RADIUS server it was
> failing to authorise the users; on further inspection the RADIUS server had
> the following in the logs.
> "A malformed RADIUS message was received from client <device>. The data is
> the RADIUS message."
> From what I can tell via TCPdump the RADIUS packets look OK and don't seem
> to be malformed. I assume the Windows RADIUS server doesn't like one of the
> options IOS-XR is sending it.
>
> Before I build a FreeRADIUS server to sit in front of LDAP for auth, I was
> wondering if anyone had got IOS-XR working with a Windows RADIUS server and
> if there was any special configuration needed?
>
> Below is a copy of the RADIUS config and "show radius" output.
>
> Thanks
>
> David
>
>
>
> Router config
>
> radius-server host <server 1> auth-port 1812 acct-port 1813
>  key 7 <key>
> !
> radius-server host <server 2> auth-port 1812 acct-port 1813
>  key 7 <key>
> !
> !
> aaa group server radius radservers
>  server <server 1> auth-port 1812 acct-port 1813
>  server <server 2> auth-port 1812 acct-port 1813
>  vrf mgmt
> !
> aaa authorization exec default local group radservers
> aaa authentication login default local group radservers
>
> #show radius
> Server: <server 1>/1812/1813  is UP
>   Address family: IPv4
>   Total Deadtime: 0s Last Deadtime: 0s
>   Timeout: 5 sec, Retransmit limit: 3
>   Quarantined: No
>   Authentication:
>     81 requests, 0 pending, 0 retransmits
>     0 accepts, 0 rejects, 0 challenges
>     81 timeouts, 0 bad responses, 0 bad authenticators
>     0 unknown types, 0 dropped, 0 ms latest rtt
>     Throttled: 0 transactions, 0 timeout, 0 failures
>     Estimated Throttled Access Transactions: 0
>     Maximum Throttled Access Transactions: 0
>
>     Automated TEST Stats:
>         0 requests, 0 timeouts, 0 response, 0 pending
>   Accounting:
>     0 requests, 0 pending, 0 retransmits
>     0 responses, 0 timeouts, 0 bad responses
>     0 bad authenticators, 0 unknown types, 0 dropped
>     0 ms latest rtt
>     Throttled: 0 transactions, 0 timeout, 0 failures
>     Estimated Throttled Accounting Transactions: 0
>     Maximum Throttled Accounting Transactions: 0
>
>     Automated TEST Stats:
>         0 requests, 0 timeouts, 0 response, 0 pending
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
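The thread turns on two things: what a RADIUS server checks before it declares a message "malformed", and the single NPS-side attribute Mick mentions that hands the IOS XR task group back to the router. The following Python is an added example written for this archive page, not code from either poster, Cisco or Microsoft. It builds an RFC 2865 Access-Request (User-Name, hidden User-Password, NAS-IP-Address), runs the structural checks a server performs before it even consults the shared secret (header length, per-attribute length fields), and answers with an Access-Accept whose Response Authenticator the client can verify. The attribute it returns is assumed to be a Cisco AV-pair of the form `shell:tasks=#<group>` carried in a Vendor-Specific attribute (vendor id 9, sub-type 1); the thread itself does not name the attribute, so treat that value, the shared secret and the addresses as constructed sample data.

```python
"""Build, structurally validate and answer a RADIUS Access-Request (RFC 2865).

Added example for this thread. Assumes the NPS-side attribute is a Cisco
AV-pair "shell:tasks=#<group>" in a Vendor-Specific attribute (vendor 9, sub-type 1).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VSA = 1, 2, 4, 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # sub-type of the "cisco-avpair" VSA (assumed, see lead-in)


def encode_attr(atype, value):
    """Type-Length-Value; length counts the 2 header bytes, so a value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor id 9 and one cisco-avpair sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def encrypt_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: XOR with an MD5 keystream."""
    pw = password.encode()
    if not 1 <= len(pw) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = pw + b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request; the 16-byte Request Authenticator is random unless supplied."""
    req_auth = authenticator or os.urandom(16)
    attrs = b"".join([
        encode_attr(ATTR_USER_NAME, user.encode()),
        encode_attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth)),
        encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), req_auth) + attrs


def parse_packet(data):
    """Structural checks a server runs before touching the shared secret.

    Returns (code, ident, length, authenticator, [(type, value), ...]).
    Any failure raises ValueError; these are the conditions a server would
    log as a malformed message rather than an authentication failure.
    """
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, auth = struct.unpack("!BBH16s", data[:20])
    if not 20 <= length <= 4096:
        raise ValueError(f"length field {length} outside 20..4096")
    if length > len(data):
        raise ValueError("length field exceeds bytes received")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, auth, attrs


def build_access_accept(request, secret, task_group):
    """Access-Accept carrying the task-group AV-pair.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    _, ident, _, req_auth, _ = parse_packet(request)
    attrs = encode_cisco_avpair(f"shell:tasks=#{task_group}")
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, req_auth, secret):
    """Client-side check that the reply came from a holder of the shared secret."""
    code, ident, length, resp_auth, _ = parse_packet(response)
    head = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(head + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample value
    req = build_access_request("alice", "s3cret", secret, "192.0.2.10")
    print("request attributes:", parse_packet(req)[4])
    bad = bytearray(req)
    bad[21] = 1                                 # corrupt the User-Name length field
    try:
        parse_packet(bytes(bad))
    except ValueError as err:
        print("malformed:", err)
    acc = build_access_accept(req, secret, "root-system")
    print("accept verified:", verify_response(acc, req[4:20], secret))
```

Running the module as a script prints the parsed attributes of a good request, the reason a deliberately corrupted copy is rejected, and whether the Access-Accept verifies against the original Request Authenticator. When a server logs "malformed", the first place to look with a capture is exactly these fields: the 2-byte Length in the header against the UDP payload size, and each attribute's length byte against what follows it; a payload that passes these checks but is still rejected points at an attribute the server does not accept rather than at framing.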

