[c-nsp] Cisco ASR 9k and Windows RADIUS server

David Wilkinson cisco-nsp at noroutetohost.net
Thu May 5 06:50:51 EDT 2016


On 04/05/2016 07:37, Ulrik Ivers wrote:
> Hi David,
>
> Has the exact same config, including the shared secret, ever worked? With another RADIUS server?
>
> I ask because we had a similar problem getting Radius to work with our ASR 9001 when they were first deployed. Don't remember if we saw any errors on the Radius server though.
>
> Root cause - we used a shared secret longer than 22 characters. The ASR happily accepted the config, but it didn't work.
>
> IOS XR 4.3
>
> Regards,
> /Ulrik

Each device has its own shared secret; apart from the shared secret it 
is set up the same way as the other devices. However, this is the first IOS XR 
device we have trying to talk to the RADIUS server.
The shared secret isn't longer than 22 characters; however, it does have 
symbols in it. I will try without and see if that is the issue.

On 04/05/2016 10:38, Kimaru Mansour wrote:
> Hi,
>
> Having the same issue myself. Also noticed the malformed packet messages. 
> We in fact placed a FreeRADIUS implementation in front of the Windows 
> Server as a proxy to forward requests between the RADIUS client and the 
> Windows RADIUS server. Our key is also shorter than 22 chars, so that 
> doesn't seem to be it. The same setup is working fine with IOS XE and 
> classic IOS based RADIUS clients, so I am also looking forward to reading 
> if anyone else has gotten this working for IOS XR and Windows RADIUS. 
> One difference I noticed is that the Auth-Req message does differ 
> between IOS XR and IOS XE with regard to the AV pairs 
> sent, but I seem to have misplaced the pcaps.
>
> Br,
>
> Kimaru

Here are the Auth-Req messages from dumps I did.
IOS XR:

Radius Protocol
     Code: Access-Request (1)
     Packet identifier: 0x18 (24)
     Length: 113
     Authenticator: <removed>
     Attribute Value Pairs
         AVP: l=17  t=User-Name(1): <removed>
             User-Name: <removed>
         AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
             NAS-IP-Address: 0.0.0.0 (0.0.0.0)
         AVP: l=22  t=NAS-IPv6-Address(95):
         AVP: l=6  t=NAS-Port(5): 130
             NAS-Port: 130
         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
             NAS-Port-Type: Virtual (5)
         AVP: l=6  t=Service-Type(6): Login(1)
             Service-Type: Login (1)
         AVP: l=12  t=Calling-Station-Id(31): <removed>
             Calling-Station-Id: <removed>
         AVP: l=18  t=User-Password(2):  Encrypted
             User-Password (encrypted): <removed>


Classic IOS:

Radius Protocol
     Code: Access-Request (1)
     Packet identifier: 0xe6 (230)
     Length: 79
     Authenticator: <removed>
     Attribute Value Pairs
         AVP: l=17  t=User-Name(1): <removed>
             User-Name: <removed>
         AVP: l=18  t=User-Password(2): Encrypted
             User-Password (encrypted): <removed>
         AVP: l=6  t=NAS-Port(5): 1
             NAS-Port: 1
         AVP: l=6  t=NAS-Port-Id(87): tty1
             NAS-Port-Id: tty1
         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
             NAS-Port-Type: Virtual (5)
         AVP: l=6  t=NAS-IP-Address(4): <removed>
             NAS-IP-Address: <removed> (<removed>)

On 04/05/2016 11:28, Mick O'Rourke wrote:
>
> Working on XR 4.3.2 with Microsoft NPS/Radius here.
>
> The only special config required was on the NPS side was an attribute 
> specifying the IOS XR IE task group.
> Nothing special was required on the XR side - your config looks very 
> similar to what we use.
>
> Mick
>
>

We are using XR 5.3.3; I wonder if they changed something between 4.x 
and 5.x which broke it with Microsoft NPS.
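Added example (not code from this thread, nor from Cisco or Microsoft): a small Python decoder for RADIUS Access-Request datagrams that lists the AV pairs, flags attributes whose size disagrees with the RFC-fixed size, compares which attributes two NAS implementations send, and verifies a shared secret by unhiding User-Password per RFC 2865 section 5.2. The two packets, the user name, the Calling-Station-Id, the secret and the authenticator are all constructed here to mirror the attribute layout and total lengths (113 and 79) of the two dumps above; in particular the IOS XR-style packet carries an NAS-IPv6-Address with a 20-octet value to reproduce the l=22 shown in the XR dump, whereas RFC 3162 fixes that attribute at length 18 (a 16-octet address). That kind of discrepancy is what the check reports and is worth comparing against the server's malformed-packet log.

```python
"""Added example, not code from the thread or from Cisco/Microsoft: decode
RADIUS Access-Request packets, list their AV pairs, check RFC-fixed attribute
sizes, and verify a shared secret by unhiding User-Password (RFC 2865 s.5.2).
All packets, names, the secret and the authenticator are constructed here to
mirror the attribute layout and lengths of the two dumps in the post."""
import hashlib
import struct

# Attribute numbers that appear in the dumps (RFC 2865, RFC 2869, RFC 3162).
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 87: "NAS-Port-Id", 95: "NAS-IPv6-Address"}
# Value sizes the RFCs fix for these attributes (AVP length = value + 2 octets).
FIXED_VALUE_LEN = {4: 4, 5: 4, 6: 4, 61: 4, 95: 16}


def encrypt_user_password(password, secret, authenticator):
    """Hide a password: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def decrypt_user_password(hidden, secret, authenticator):
    """Inverse of the above; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, avps):
    """Serialize code 1 (Access-Request) with a list of (type, value) AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]);
    raises ValueError on the structural faults a server would reject."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != datagram size {len(packet)}")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated AVP header at offset {pos}")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError(f"bad AVP length {l} for type {t} at offset {pos}")
        avps.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], avps


def check_fixed_lengths(avps):
    """(name, actual value size, RFC size) for every attribute that disagrees."""
    return [(ATTR_NAMES.get(t, str(t)), len(v), FIXED_VALUE_LEN[t])
            for t, v in avps if t in FIXED_VALUE_LEN and len(v) != FIXED_VALUE_LEN[t]]


def compare_attribute_sets(avps_a, avps_b):
    """Attribute names present only in A, and only in B (order is ignored)."""
    def names(avps):
        return {ATTR_NAMES.get(t, str(t)) for t, _ in avps}
    return sorted(names(avps_a) - names(avps_b)), sorted(names(avps_b) - names(avps_a))


def analyse(packet, secret):
    """Decode one request: (unhidden password, fixed-length problems)."""
    _, _, auth, avps = parse_radius(packet)
    return decrypt_user_password(dict(avps)[2], secret, auth), check_fixed_lengths(avps)


# Constructed sample values (not real credentials or hosts).
SECRET = b"example-secret"          # under 22 characters, as in the thread
AUTHENTICATOR = bytes(range(16))    # a real NAS sends 16 random octets
PASSWORD = b"hunter2"
HIDDEN = encrypt_user_password(PASSWORD, SECRET, AUTHENTICATOR)

# Mirrors the IOS XR dump (total length 113): NAS-IP-Address 0.0.0.0 and an
# NAS-IPv6-Address AVP of l=22, i.e. a 20-octet value where RFC 3162 fixes 16.
XR_REQUEST = build_access_request(0x18, AUTHENTICATOR, [
    (1, b"operator-tester"), (4, bytes(4)), (95, bytes(20)),
    (5, struct.pack("!I", 130)), (61, struct.pack("!I", 5)),
    (6, struct.pack("!I", 1)), (31, b"10.0.0.100"), (2, HIDDEN)])
# Mirrors the classic IOS dump (total length 79).
IOS_REQUEST = build_access_request(0xE6, AUTHENTICATOR, [
    (1, b"operator-tester"), (2, HIDDEN), (5, struct.pack("!I", 1)),
    (87, b"tty1"), (61, struct.pack("!I", 5)), (4, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, pkt in (("IOS XR", XR_REQUEST), ("classic IOS", IOS_REQUEST)):
        print(label, analyse(pkt, SECRET))
    print("only in XR / only in IOS:",
          compare_attribute_sets(parse_radius(XR_REQUEST)[3], parse_radius(IOS_REQUEST)[3]))
```

Run against a real capture, the same functions take the raw UDP payload in place of the constructed packets: if the password unhides to the expected clear text the shared secret on both ends matches, and the attribute comparison lists exactly the AV-pair differences between the XR and XE/classic IOS requests that were mentioned above without the pcaps.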

