
RADIUS/DECODE: parse VSA parts error

naveed.nazir
Level 1

I am configuring a 5350 to work with a RADIUS server. The 5350 sends an Access Request and receives the access request, as seen below. But it is not parsing proper values in my TCL script variables. I have configured the NAS using Cisco manuals: aaa authorization, vsa, etc. are all enabled as shown below. What is it that I am missing or not doing properly?

Any pointers / help will be highly appreciated.

Naveed

All IP and identifiable info sanitized. The sanitized configuration info is attached for reference.

21:10:18: RADIUS(00000048): Storing nasport 0 in rad_db

21:10:18: RADIUS(00000048): Config NAS IP: 0.0.0.0

21:10:18: RADIUS/ENCODE(00000048): acct_session_id: 98

21:10:18: RADIUS(00000048): sending

21:10:18: RADIUS/ENCODE: Best Local IP-Address 222.222.222.22 for Radius-Server 222.x.x.x

21:10:18: RADIUS(00000048): Send Access-Request to 222.222.222.222:1812 id 21645/74, len 211

21:10:18: RADIUS: authenticator C7 AE ED E4 B2 BB AF FC - 62 CD 39 78 FB 6A 45 6E

21:10:18: RADIUS: User-Name [1] 12 "1234567890"

21:10:18: RADIUS: User-Password [2] 18 *

21:10:18: RADIUS: Vendor, Cisco [26] 56

21:10:18: RADIUS: Conf-Id [24] 50 "h323-conf-id=AD47C155 BFC611D3 8050E329 E47CB85B"

21:10:18: RADIUS: Vendor, Cisco [26] 37

21:10:18: RADIUS: Cisco AVpair [1] 31 "h323-ivr-out=transactionID:26"

21:10:18: RADIUS: Calling-Station-Id [31] 12 "1234567890"

21:10:18: RADIUS: NAS-Port-Type [61] 6 Async [0]

21:10:18: RADIUS: Vendor, Cisco [26] 20

21:10:18: RADIUS: cisco-nas-port [2] 14 "ISDN 3/0:D:1"

21:10:18: RADIUS: NAS-Port [5] 6 0

21:10:18: RADIUS: Calling-Station-Id [31] 12 "1234567890"

21:10:18: RADIUS: Service-Type [6] 6 Login [1]

21:10:18: RADIUS: NAS-IP-Address [4] 6 222.x.x.22

21:10:18: RADIUS: Received from id 21645/74 222.222.222.222:1812, Access-Accept, len 71

21:10:18: RADIUS: authenticator E1 B0 04 C6 5D 73 96 D5 - 72 03 81 65 A2 54 16 42

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-return-code [103] 3 "0"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-currency [110] 3 "1"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-billing-model [109] 3 "0"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-preferred-lang[107] 3 "1"

21:10:18: RADIUS: Vendor, Cisco [26] 15

21:10:18: RADIUS: h323-credit-amount [101] 9 "20.0000"

21:10:18: RADIUS(00000048): Received from id 21645/74

21:10:18: RADIUS/DECODE: parse VSA parts error

21:10:18: RADIUS/DECODE: convert VSA string; FAIL

21:10:18: RADIUS/DECODE: decoder; FAIL

21:10:18: RADIUS/DECODE: attribute h323-return-code; FAIL

21:10:18: RADIUS/DECODE: cisco VSA type 103; FAIL

21:10:18: RADIUS/DECODE: VSA; FAIL

21:10:18: RADIUS/DECODE: decoder; FAIL

21:10:18: RADIUS/DECODE: attribute Vendor-Specific; FAIL

21:10:18: RADIUS/DECODE: parse response op decode; FAIL

21:10:18: RADIUS/DECODE: parse response; FAIL

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:

h323-return-code = 0

21:10:18:

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:

h323-currency =

21:10:18:

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:

h323-billing-model =

21:10:18:

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:

h323-preferred-lang =

21:10:18:

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:

h323-credit-amount =

21:10:18:

21:10:18: //-1//TCL2:HN048B0090:/tcl_PutsObjCmd:


gfullage
Cisco Employee

Looks like you have configured the return attributes incorrectly, as IOS should parse these no problem. I see the following from your debug output:

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-return-code [103] 3 "0"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-currency [110] 3 "1"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-billing-model [109] 3 "0"

21:10:18: RADIUS: Vendor, Cisco [26] 9

21:10:18: RADIUS: h323-preferred-lang[107] 3 "1"

21:10:18: RADIUS: Vendor, Cisco [26] 15

21:10:18: RADIUS: h323-credit-amount [101] 9 "20.0000"

meaning you set the values for these attributes to 0, 1, 0, 1, 20.0000 respectively. However, for h323 AV pairs specifically, the actual attribute return values should not just be the value, but be the attribute name and the value.

For example, a working debug on my router here shows the following:

Nov 29 101409 RADIUS Vendor, Cisco [26] 26

Nov 29 101409 RADIUS h323-return-code [103] 20 "h323-return-code=0"

Nov 29 101409 RADIUS Vendor, Cisco [26] 30

Nov 29 101409 RADIUS h323-preferred-lang[107] 24 "h323-preferred-lang=en"

Nov 29 101409 RADIUS Vendor, Cisco [26] 34

Nov 29 101409 RADIUS h323-credit-amount [101] 28 "h323-credit-amount=-180.26"

Nov 29 101409 RADIUS Vendor, Cisco [26] 23

Nov 29 101409 RADIUS h323-billing-model [109] 17 "billing-model=0"

Nov 29 101409 RADIUS Vendor, Cisco [26] 25

Nov 29 101409 RADIUS h323-currency [110] 19 "currency-type=USD"

See how the attribute value as defined on my Radius server for h323-return-code is "h323-return-code=0", as opposed to just "0" like you have defined. Never been sure why you have to do it this way, it's just the way the IOS coders implemented it.

The documentation is not overly clear on this, but this is how IOS expects to see the attributes. See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm#146580 for details, and the debug output near the bottom to see how the attributes are set.

Thanks. It did fix my problem.

Naveed
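
A check for the rule described in the answer above, as an added example that is not part of the original thread: it scans IOS `debug radius` text for Cisco h323 sub-attributes and flags any whose quoted value is not in name=value form. The function name and the length sanity check are assumptions of this example; the sample lines are copied from the two debug captures in the thread.

```python
import re

# One Cisco sub-attribute line of IOS "debug radius" output, for example:
#   RADIUS: h323-return-code [103] 3 "0"
# IOS prints long names with no space before "[", so that space is optional.
VSA_LINE = re.compile(r'RADIUS:?\s+(h323-[\w-]+)\s*\[(\d+)\]\s+(\d+)\s+"([^"]*)"')

def check_h323_vsas(debug_text):
    """Return (attribute, value, problem) per h323 VSA; problem is None if OK."""
    findings = []
    for attr, _vtype, length, value in VSA_LINE.findall(debug_text):
        # The working capture uses prefixes such as "billing-model=" and
        # "currency-type=", so only the name=value shape is checked here,
        # not that the prefix equals the attribute name.
        name, sep, _val = value.partition("=")
        if not (sep and name):
            problem = "bare value, expected name=value"
        elif int(length) != len(value) + 2:
            # The sub-attribute length counts its type and length octets too.
            problem = "length field does not match the quoted string"
        else:
            problem = None
        findings.append((attr, value, problem))
    return findings

# Sub-attribute lines copied from the failing capture in the question.
REJECTED = '''
21:10:18: RADIUS: h323-return-code [103] 3 "0"
21:10:18: RADIUS: h323-currency [110] 3 "1"
21:10:18: RADIUS: h323-billing-model [109] 3 "0"
21:10:18: RADIUS: h323-preferred-lang[107] 3 "1"
21:10:18: RADIUS: h323-credit-amount [101] 9 "20.0000"
'''

# Sub-attribute lines copied from the working capture in the answer.
ACCEPTED = '''
Nov 29 101409 RADIUS h323-return-code [103] 20 "h323-return-code=0"
Nov 29 101409 RADIUS h323-preferred-lang[107] 24 "h323-preferred-lang=en"
Nov 29 101409 RADIUS h323-credit-amount [101] 28 "h323-credit-amount=-180.26"
Nov 29 101409 RADIUS h323-billing-model [109] 17 "billing-model=0"
Nov 29 101409 RADIUS h323-currency [110] 19 "currency-type=USD"
'''

if __name__ == "__main__":
    for label, text in (("question", REJECTED), ("answer", ACCEPTED)):
        for attr, value, problem in check_h323_vsas(text):
            print(f"{label}: {attr} {value!r}: {problem or 'ok'}")
```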