AAA authentication sequence

bapatsubodh
Level 1

We have following commands configured on the 2950

aaa new-model

aaa authentication login default group radius local

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

username localuser  secret 5 *******

When trying to access the switch it is querying the RADIUS server but it's not getting authenticated.

And then it gets authenticated with local user name.

Following is the log from RADIUS server

It is showing the correct username and correct source IP of the switch.

Authentication-Provider = Windows

Authentication-Server  = <undetermined>

Policy-Name  = <undetermined>

Authentication-Type  = PAP

EAP-Type =  <undetermined>

Reason-Code  = 16

Reason =  Authentication was not successful because an unknown user name or incorrect  password was used.

In principle it was expected that as long as the switch is able to connect to the RADIUS server, it will not use the local username for authentication.

But the switch is using the local username even though it can contact the RADIUS server.

Please share the experience.

Thanks

Subodh

1 Accepted Solution


Hello,

I have indeed recreated the issue when authenticating against an IAS. My switch is running a newer version, however, it still reports the Decrypt error on the logs when the shared secret is incorrect. Configured shared secret as "cisco" on the switch and as "cisco123" on the IAS RADIUS client entry. Got the following:

User priv15 was denied access.

Fully-Qualified-User-Name = CAMEJIA\priv15

NAS-IP-Address = x.x.250.12

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier =

Client-Friendly-Name = x.x.250.12

Client-IP-Address = x.x.250.12

NAS-Port-Type = Async

NAS-Port =

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

On the switch debugs:

*Mar  2 06:02:13.600: RADIUS: Received from id 1645/6 x.x.250.20:1645, Access-Reject, len 20

*Mar  2 06:02:13.600: RADIUS:  authenticator 24 84 60 FA B8 43 3E A9 - AC 55 72 70 CE 34 BA 70

*Mar  2 06:02:13.600: RADIUS: response-authenticator decrypt fail, pak len 20

*Mar  2 06:02:13.600: RADIUS: packet dump: 03060014248460FAB8433EA9AC557270CE34BA70

*Mar  2 06:02:13.600: RADIUS: expected digest: D22363698E8862015AC91213B540D77C

*Mar  2 06:02:13.600: RADIUS: response authen: 248460FAB8433EA9AC557270CE34BA70

*Mar  2 06:02:13.600: RADIUS: request  authen: 32B4A229A7EB982A61EB31E29A24AA47

*Mar  2 06:02:13.600: RADIUS: Response (6) failed decrypt

Please, create a new RADIUS client entry for the switch only and use a simple key like "cisco" on both sides. Remember that we should not hit the space bar when configuring the key on the IOS as it will take the space as a valid shared key character.

Hope this helps.

Regards.

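The "failed decrypt" in the debugs is the switch recomputing the RFC 2865 Response Authenticator, MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret), over the Access-Reject with its own shared secret and finding it does not match; since that is reported as an ERROR rather than a FAIL, the login falls through to the next method in the list (local). The Python below is an added example (not from the thread) that runs that check over the 20-byte packet and request authenticator quoted above, with "cisco" as the switch-side secret, and over a constructed exchange showing that both "cisco123" and a secret with a trailing space fail the same way.

```python
import hashlib
import hmac
import os

def response_authenticator(code, ident, request_auth, attributes, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    length = 20 + len(attributes)  # 4-byte header + 16-byte authenticator + attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret.encode()).digest()

def verify_response(packet, request_auth, nas_secret):
    """NAS-side check: does the authenticator in `packet` match `nas_secret`?"""
    if len(packet) < 20:
        return False
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        return False  # truncated or padded packet: do not even attempt the digest
    received = packet[4:20]
    expected = response_authenticator(code, ident, request_auth, packet[20:], nas_secret)
    return hmac.compare_digest(received, expected)  # constant-time compare

def build_reject(ident, request_auth, server_secret):
    """Server side: a 20-byte Access-Reject (code 3, no attributes) signed with server_secret."""
    auth = response_authenticator(3, ident, request_auth, b"", server_secret)
    return bytes([3, ident, 0, 20]) + auth

# Packet dump and request authenticator copied from the accepted solution's debug output.
# The switch there held the secret "cisco" and reported expected digest
# D22363698E8862015AC91213B540D77C, which is not the 248460FA... it actually received.
PAGE_REJECT = bytes.fromhex("03060014248460FAB8433EA9AC557270CE34BA70")
PAGE_REQUEST_AUTH = bytes.fromhex("32B4A229A7EB982A61EB31E29A24AA47")

def page_packet_verifies(nas_secret="cisco"):
    return verify_response(PAGE_REJECT, PAGE_REQUEST_AUTH, nas_secret)

def demo_secret_mismatch():
    """Constructed exchange: NAS keeps 'cisco'; the server signs with each candidate secret."""
    request_auth = os.urandom(16)  # constructed; a real NAS takes this from its Access-Request
    return {s: verify_response(build_reject(6, request_auth, s), request_auth, "cisco")
            for s in ("cisco", "cisco123", "cisco ")}

if __name__ == "__main__":
    print("page packet verifies with 'cisco':", page_packet_verifies())
    print("switch-side expected digest:",
          response_authenticator(3, 6, PAGE_REQUEST_AUTH, b"", "cisco").hex().upper())
    for secret, ok in demo_secret_mismatch().items():
        print(f"server secret {secret!r}: {'OK' if ok else 'failed decrypt'}")
```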

7 Replies

camejia
Level 3

Hello Subodh,

Can you enable "debug aaa authentication" and "debug radius" on the IOS switch and execute the following command:

test aaa group radius legacy

Please, share the IOS debug outputs.

Also, from the RADIUS server output it seems to be a Windows IAS. Can you confirm? Also which OS and SP is the MS server running?

Will be waiting for your response.

Regards

This is a switch with IOS version 12.1(22)EA4.

It does not support the test aaa command.

Here is the output of the debug commands aaa and radius.

15w1d: AAA: parse name=tty2 idb type=-1 tty=-1
15w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
15w1d: AAA/MEMORY: create_user (0x80CDB730) user='' ruser='' port='tty2' rem_addr='10.12.28.113' authen_type=ASCII service=LOGIN priv=15
15w1d: AAA/AUTHEN/START (2995812294): port='tty2' list='' action=LOGIN service=LOGIN
15w1d: AAA/AUTHEN/START (2995812294): using "default" list
15w1d: AAA/AUTHEN/START (2995812294): Method=radius (radius)
15w1d: AAA/AUTHEN (2995812294): status = GETUSER
15w1d: AAA/AUTHEN/CONT (2995812294): continue_login (user='(undef)')
15w1d: AAA/AUTHEN (2995812294): status = GETUSER
15w1d: AAA/AUTHEN (2995812294): Method=radius (radius)
15w1d: AAA/AUTHEN (2995812294): status = GETPASS
15w1d: AAA/AUTHEN/CONT (2995812294): continue_login (user='domain\username')
15w1d: AAA/AUTHEN (2995812294): status = GETPASS
15w1d: AAA/AUTHEN (2995812294): Method=radius (radius)
15w1d: RADIUS: ustruct sharecount=1
15w1d: RADIUS: Initial Transmit tty2 id 98 10.105.6.50:1645, Access-Request, len 86
15w1d:         Attribute 4 6 0A0C7C05
15w1d:         Attribute 5 6 00000002
15w1d:         Attribute 61 6 00000005
15w1d:         Attribute 1 16 626D675C
15w1d:         Attribute 31 14 31302E31
15w1d:         Attribute 2 18 FE414243
15w1d: RADIUS: Received from id 98 10.105.6.50:1645, Access-Reject, len 20
15w1d: RADIUS: Response (98) failed decrypt
15w1d: AAA/AUTHEN (2995812294): status = ERROR
15w1d: AAA/AUTHEN/START (328845936): port='tty2' list='' action=LOGIN service=LOGIN
15w1d: AAA/AUTHEN/START (328845936): Restart
15w1d: AAA/AUTHEN/START (328845936): Method=LOCAL
15w1d: AAA/AUTHEN (328845936): User not found, end of method list
15w1d: AAA/AUTHEN (328845936): status = FAIL
15w1d: AAA/MEMORY: free_user (0x80CDB730) user='domain\username' ruser='' port='tty2' rem_addr='10.12.28.113' authen_type=ASCII service=LOGIN priv=15
15w1d: AAA: parse name=tty2 idb type=-1 tty=-1
15w1d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
15w1d: AAA/MEMORY: create_user (0x80CCC620) user='' ruser='' port='tty2' rem_addr='10.12.28.113' authen_type=ASCII service=LOGIN priv=15
15w1d: AAA/AUTHEN/START (2996282759): port='tty2' list='' action=LOGIN service=LOGIN
15w1d: AAA/AUTHEN/START (2996282759): using "default" list
15w1d: AAA/AUTHEN/START (2996282759): Method=radius (radius)
15w1d: AAA/AUTHEN (2996282759): status = GETUSER
sSeattleWACL-1#
15w1d: AAA/AUTHEN/CONT (2996282759): continue_login (user='(undef)')
15w1d: AAA/AUTHEN (2996282759): status = GETUSER
15w1d: AAA/AUTHEN (2996282759): Method=radius (radius)
15w1d: AAA/AUTHEN (2996282759): status = GETPASS
15w1d: AAA/AUTHEN/CONT (2996282759): continue_login (user='cisco')
15w1d: AAA/AUTHEN (2996282759): status = GETPASS
15w1d: AAA/AUTHEN (2996282759): Method=radius (radius)
15w1d: RADIUS: ustruct sharecount=1
15w1d: RADIUS: Initial Transmit tty2 id 99 10.105.6.50:1645, Access-Request, len 77
15w1d:         Attribute 4 6 0A0C7C05
15w1d:         Attribute 5 6 00000002
15w1d:         Attribute 61 6 00000005
15w1d:         Attribute 1 7 63697363
15w1d:         Attribute 31 14 31302E31
15w1d:         Attribute 2 18 1C9128B1
15w1d: RADIUS: Received from id 99 10.105.6.50:1645, Access-Reject, len 20
15w1d: RADIUS: Response (99) failed decrypt
15w1d: AAA/AUTHEN (2996282759): status = ERROR
15w1d: AAA/AUTHEN/START (845261052): port='tty2' list='' action=LOGIN service=LOGIN
15w1d: AAA/AUTHEN/START (845261052): Restart
15w1d: AAA/AUTHEN/START (845261052): Method=LOCAL
15w1d: AAA/AUTHEN (845261052): status = GETPASS
15w1d: AAA/AUTHEN/CONT (845261052): continue_login (user='cisco')
15w1d: AAA/AUTHEN (845261052): status = GETPASS
15w1d: AAA/AUTHEN/CONT (845261052): Method=LOCAL
15w1d: AAA/AUTHEN (845261052): status = PASS

Radius looks fine as it is working okay for all other devices.

Thanks

Subodh

Hello,

Can you retype the Shared Secret key on the "radius-server" command and on the IAS RADIUS Client Entry?

The IOS is reporting "RADIUS: Response (98) failed decrypt" which is 99% of the times a Shared Secret Mismatch.

Regards.

Same result. It is getting authenticated locally.

Do we need to add the IP address of the switch even in the AD server? We have added this subnet in RADIUS.

Thanks!

Subodh

Hello,

For testing it would be better if we add a single entry for the Switch IP address keeping it separated from the Subnet defined for it.

Again, usually the "RADIUS: Response (98) failed decrypt" refers to an issue with the keys.

When configuring the "radius-server" command we need to be sure that we do not leave a space after configuring the key. If we add a space after the key it will be considered as valid character for the key as well. This might cause a shared secret mismatch as the IOS has the key configured with a space at the end but the IAS RADIUS Client entry has no space on it.

Regards.


After resetting the key on the RADIUS server it's working. Thanks for the help.
