[c-nsp] Cisco ASR 9k and Windows RADIUS server

Kimaru Mansour kimaru at gmail.com
Mon May 9 03:58:15 EDT 2016 

So I did some more experimenting with this in the lab and I can confirm
that it is not broken in XR 4.3.2
I took PCAPs to compare 5.3.2 based Access-req with 4.3.2 based Access-req
and one thing that stands out, is that in the 5.3.2 Access-req the
NAS-IPv6-Address attribute is sent out with an invalid/wrong length and
that a bug was raised for that with ID CSCuy37396
Furthermore I did some research on NPS handling of errors and I am fairly
confident at this time that the bad NAS-IPv6-Address length is causing it
after reading this: https://technet.microsoft.com/en-us/library/cc735403
I am thinking that the NPS is sensitive to that "broken" attribute and I
have not found a way yet to filter it out or ignore it in NPS. Not even
sure if it is possible.

On Thu, May 5, 2016 at 12:50 PM, David Wilkinson <
cisco-nsp at noroutetohost.net> wrote:

> On 04/05/2016 07:37, Ulrik Ivers wrote:
>
>> Hi David,
>>
>> Has the exact same config, including the shared secret, ever worked? With
>> another RADIUS server?
>>
>> I ask because we had a similar problem getting Radius to work with our
>> ASR 9001 when they were first deployed. Don't remember if we saw any errors
>> on the Radius server though.
>>
>> Root cause - we used a shared secret longer than 22 characters. The ASR
>> happily accepted the config, but it didn't work.
>>
>> IOS XR 4.3
>>
>> Regards,
>> /Ulrik
>>
>
> Each device has its own shared secret, apart from the shared secret it is
> setup the same way as the devices. However this is first IOS XR device we
> have trying to talk to the RADIUS server.
> The shared secret isn't longer than 22  characters, however it does have
> symbols in it, I will try without and see if that is the issue.
>
> On 04/05/2016 10:38, Kimaru Mansour wrote:
>
>> Hi,
>>
>> Having same issue myself. Also noticed the malformed packet messages. We
>> in fact placed a FreeRADIUS implementation in front of the Windows Server
>> as a proxy to forward requests between RADIUS client and Windows RADIUS
>> server. Our key is also shorter than 22 chars so that doesn't seem to be
>> it. Same setup is working fine with IOS XE and classic IOS based RADIUS
>> client so I am also looking forward to read if anyone else has gotten this
>> working for IOS XR and Wndows RADIUS. One difference I noticed, is that the
>> Auth-Req message does differ between Auth-Req message IOS XR and IOS XE
>> with regard to the AV pairs sent but I seem to have misplaced the pcaps.
>>
>> Br,
>>
>> Kimaru
>>
>
> Here are the Auth-Req messages from dumps I did
> IOS XR
>
> Radius Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0x18 (24)
>     Length: 113
>     Authenticator: <removed>
>     Attribute Value Pairs
>         AVP: l=17  t=User-Name(1): <removed>
>             User-Name: <removed>
>         AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
>             NAS-IP-Address: 0.0.0.0 (0.0.0.0)
>         AVP: l=22  t=NAS-IPv6-Address(95):
>         AVP: l=6  t=NAS-Port(5): 130
>             NAS-Port: 130
>         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>             NAS-Port-Type: Virtual (5)
>         AVP: l=6  t=Service-Type(6): Login(1)
>             Service-Type: Login (1)
>         AVP: l=12  t=Calling-Station-Id(31): <removed>
>             Calling-Station-Id: <removed>
>         AVP: l=18  t=User-Password(2):  Encrypted
>             User-Password (encrypted): <removed>
>
>
> Classic IOS.
>
> Radius Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0xe6 (230)
>     Length: 79
>     Authenticator: <removed>
>     Attribute Value Pairs
>         AVP: l=17  t=User-Name(1): <removed>
>             User-Name: <removed>
>         AVP: l=18  t=User-Password(2): Encrypted
>             User-Password (encrypted): <removed>
>         AVP: l=6  t=NAS-Port(5): 1
>             NAS-Port: 1
>         AVP: l=6  t=NAS-Port-Id(87): tty1
>             NAS-Port-Id: tty1
>         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>             NAS-Port-Type: Virtual (5)
>         AVP: l=6  t=NAS-IP-Address(4): <removed>
>             NAS-IP-Address: <removed> (<removed>)
>
> On 04/05/2016 11:28, Mick O'Rourke wrote:
>
>>
>> Working on XR 4.3.2 with Microsoft NPS/Radius here.
>>
>> The only special config required was on the NPS side was an attribute
>> specifying the IOS XR IE task group.
>> Nothing special was required on the XR side - your config looks very
>> similar to what we use.
>>
>> Mick
>>
>>
>>
> We are using XR 5.3.3, I wonder if they changed something between 4.x and
> 5.x which broke it with Microsoft NPS
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list