webns and load-balancing Radius servers

Unanswered Question
Mar 23rd, 2010

The customer uses CSS for the load-balancing of Radius servers. He has the following configuration on the CSS:

service acs
  ip address 10.0.252.1
  active

owner vzp.cz
  content acs
    vip address 10.1.48.100
    add service acs
    balance srcip
    advanced-balance sticky-srcip
    active

group acs-snat
  vip address 10.1.48.100
  add destination service acs
  portmap disable
  active

He has the NAS server with IP address 10.1.48.100 defined on the ACS. He uses the same shared secret for radius on switches, CSS and ACS.

But he has the following message in the ACS:

RDS 05/03/2010 12:37:59 D 7536 5460 0x0 NAS: First Request (RequestID:Port) 96:13576 inserted to the lookup table.

RDS 05/03/2010 12:37:59 D 0302 5460 0x0 Request from host 10.1.48.100:1812 code=1, id=96, length=138 on port 2101

RDS 05/03/2010 12:37:59 E 0410 5460 0x0 Request from 10.1.48.100 contains invalid Message-Authenticator, ignoring

RDS 05/03/2010 12:37:59 D 7638 5460 0x0 NAS: 10.1.48.100:13576:96 Cleaning lookup entry.

Thanks Roman

Gilles Dufour Wed, 03/24/2010 - 06:13

The CSS does not modify or look at the radius payload.

If the message authenticator is incorrect, it means the NAS sent the wrong one.

You could verify this with a sniffer trace captured in front of the CSS and in front of the ACS.

Gilles.
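An added example, not part of the original thread: one way to evaluate the two sniffer traces is to recompute the Message-Authenticator (HMAC-MD5 per RFC 2869, section 5.14) over the raw Access-Request payload taken from each capture. The function names, the sample packet, and the secret below are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True if an Access-Request's Message-Authenticator matches `secret`."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("only Access-Request (code 1) is handled here")
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]  # octets beyond Length are padding
    pos, found = 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            found = pos + 2
        pos += alen
    if found is None:
        raise ValueError("no Message-Authenticator attribute")
    received = packet[found:found + 16]
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    zeroed = packet[:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_sample_request(secret: bytes, ident: int = 96) -> bytes:
    """Constructed Access-Request: User-Name plus Message-Authenticator."""
    attrs = b"\x01\x07user1" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16))
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)
```

Feed it the UDP payload of the same request (same id) from each capture point, with the secret configured on the ACS. A failure on the NAS side of the CSS points at the NAS or its secret, while a pass there and a failure on the ACS side means the payload changed in between.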
