webns and load-balancing Radius servers

Mar 23rd, 2010
The customer uses CSS for the load-balancing of Radius servers. He has the following configuration on the CSS:

service acs
  ip address

owner vzp.cz
  content acs
    vip address
    add service acs
    balance srcip
    advanced-balance sticky-srcip

group acs-snat
  vip address
  add destination service acs
  portmap disable

He has the NAS server with IP address defined on the ACS. He uses the same shared secret for radius on switches, CSS and ACS.

But he has the following message in the ACS:

RDS 05/03/2010 12:37:59 D 7536 5460 0x0 NAS: First Request (RequestID:Port) 96:13576 inserted to the lookup table.

RDS 05/03/2010 12:37:59 D 0302 5460 0x0 Request from host code=1, id=96, length=138 on port 2101

RDS 05/03/2010 12:37:59 E 0410 5460 0x0 Request from contains invalid Message-Authenticator, ignoring

RDS 05/03/2010 12:37:59 D 7638 5460 0x0 NAS: Cleaning lookup entry.

Thanks Roman

Gilles Dufour (Cisco Employee), Wed, 03/24/2010 - 06:13

The CSS does not modify or look at the radius payload.

If the message authenticator is incorrect, it means the NAS sent the wrong one.

You could verify this with a sniffer trace captured in front of the CSS and in front of the ACS.
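
An added example, not part of the reply above and not Cisco code: once the RADIUS payload of the same Access-Request has been exported from each trace, this Python code checks whether the two payloads are byte-identical and whether the Message-Authenticator (attribute 80, HMAC-MD5 per RFC 2869) validates against the shared secret. The sample packet, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869, 5.14)


def check_message_authenticator(packet: bytes, secret: bytes):
    """True/False = MAC valid/invalid for this secret; None = attribute absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    data = bytearray(packet[:length])  # drop any padding after Length
    pos, received = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            received = bytes(data[pos + 2:pos + 18])
            data[pos + 2:pos + 18] = bytes(16)  # value is zeroed for the HMAC
        pos += attr_len
    if received is None:
        return None
    expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_sample_request(secret: bytes, ident: int = 96) -> bytes:
    """Constructed Access-Request (not a capture from the thread)."""
    attrs = b"\x01\x07alice" + bytes([MSG_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16))
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


if __name__ == "__main__":
    secret = b"constructed-secret"  # placeholder, not from the thread
    at_css = build_sample_request(secret)
    at_acs = at_css  # replace with the payload exported from the ACS-side trace
    print("identical payload:", at_css == at_acs)
    print("valid at CSS side:", check_message_authenticator(at_css, secret))
    print("valid at ACS side:", check_message_authenticator(at_acs, secret))
```

If both payloads are identical and the check returns False with the secret configured on the ACS, the mismatch originates at the sender or in the secret the server selects for that source address, not in transit.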


