AAA and VRF

Radek Zabicki
Level 1

Hi all,

I have some problems with the VRF that I made and the radius verification.

The problem is that it's impossible to make authentication through the radius server.

The debug output is :

000103: Nov 17 14:26:02: RADIUS/ENCODE(00000004):Orig. component type = EXEC
000104: Nov 17 14:26:02: RADIUS:  AAA Unsupported Attr: interface         [171] 4
000105: Nov 17 14:26:02: RADIUS:   74 74                [ tt]
000107: Nov 17 14:26:02: RADIUS(00000004): Config NAS IP: 0.0.0.0
000108: Nov 17 14:26:02: RADIUS/ENCODE(00000004): acct_session_id: 4
000109: Nov 17 14:26:02: RADIUS(00000004): sending
000110: Nov 17 14:26:02: RADIUS/ENCODE: Best Local IP-Address 192.168.1.50 for Radius-Server 192.168.1.10
000111: Nov 17 14:26:02: RADIUS: No secret to encode request (rctx:0x5935DF4)
000112: Nov 17 14:26:02: RADIUS: Unable to encrypt (rctx:0x5935DF4)
000113: Nov 17 14:26:02: RADIUS(00000004): Send Access-Request to 192.168.1.10:1645 id 1645/4, len 84
000114: Nov 17 14:26:02: RADIUS:  authenticator 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000115: Nov 17 14:26:02: RADIUS:  User-Name           [1]   8   "****"
000116: Nov 17 14:26:02: RADIUS:  User-Password       [2]   18  *
000117: Nov 17 14:26:02: RADIUS:  NAS-Port            [5]   6   2
000118: Nov 17 14:26:02: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
vpn003151ro110#
000119: Nov 17 14:26:02: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
000120: Nov 17 14:26:02: RADIUS:  Calling-Station-Id  [31]  14  "192.168.1.20"
000121: Nov 17 14:26:02: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.50
000122: Nov 17 14:26:02: RADIUS(00000004): Started 5 sec timeout
000257: Nov 17 14:26:02: RADIUS: Retransmit to (192.168.1.10:1645,1646) for id 1645/8
000258: Nov 17 14:26:02: RADIUS(00000004): Started 5 sec timeout
000268: Nov 17 14:27:05: RADIUS: No response from (192.168.1.10:1645,1646) for id 1645/8
000269: Nov 17 14:27:05: RADIUS/DECODE: parse response no app start; FAIL
000270: Nov 17 14:27:05: RADIUS/DECODE: parse response; FAIL

From within the vrf I can ping the radius server. From the radius server I can ping the router.

So I don't understand where it's going wrong.

The little config is :

aaa group server radius radius_1
 server 192.168.1.10 auth-port 1645 acct-port 1646
 ip vrf forwarding vpn01
 ip radius source-interface Vlan200

vlan 200
 name vpn01

interface Vlan200
 ip vrf forwarding vpn01
 ip address 192.168.1.50 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication-key 7 ********

In global

radius-server host 192.168.1.10 auth-port 1645 acct-port 1646
ip route vrf vpn01 0.0.0.0 0.0.0.0 192.168.1.254

Thanks

5 Replies

Nicolas Darchis
Cisco Employee

Hi,

can you check to see if the radius server is receiving the packets or not ?

Nicolas

krahmani323
Level 3

Hello Radek, Nicolas, community, 

I am currently experiencing the exact same issue... Trying to perform authentication on a 6500 12.2(33)SXH6 where multiple vrfs are configured (vrf A can communicate with the radius).

My configuration is almost the same as yours with following difference :

In global

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key string

(+ global ‘radius-server key string’)

ip radius source-interface vlan 10 vrf A

The debug is similar to yours (file in attachments); the Radius does receive something, but the authentication is denied and nothing is returned to the switch, explaining the retransmission/timeout messages at the end (same secret and key double checked and validated).

FYI it is working well for other 6500s without VRF in 12.2(33)SXI...

Was your authentication issue solved, and if yes, how? Or any idea explaining this authentication problem?

Any suggestion will be appreciated !

Thank you very much.

Regards.

Karim

Troubleshooting path would be the same :

You say that the radius server receives the request. It then sends back an access-reject ? If yes, what is the failure reason marked on the radius server ?

Hello Nicolas,

Many thanks for your reply.

As stated, the server receives the request and rejects it, but the server does not send back an access-reject to the 6500...

================Server log===================================
[unix] invalid password "my_username"
++[unix] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password - Double-check the shared secret on the server and the NAS!
===================================================

What is stumping me is the warning message in the server logs => We DO use the same secret.

And the same user authenticates without any problem in other 6500 not using VRFs...

Thanks anyway.

Regards.

Karim

Hello,

Ok problem solved.

I don't know why, but my Sup720-10G 12.2(33)SXH5 was sending the request through a Radius extended source-port.

1097078: Sep  8 12:47:22: RADIUS(00000C82): Send Access-Request to X.X.X.X:1812 id 21645/118, len 81

And the server did not like it, thus rejecting the Authentication.

Adding the hidden command in global config =>

"radius-server source-ports 1645-1646" resolved the situation.

The authentication is now OK.

Thanks anyway.

Kind regards.
Karim
