AAA not working on cisco MSFC2 with SUP as WS-X6K-SUP2-2GE

When AAA is configured on the routing engine, it is not working and I am not able to log in with the username and password.

When I enabled the debug, it shows me STATUS=ERROR.

Please suggest what is wrong with the configuration.

aaa new-model
aaa authentication login default group radius line local
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
radius-server host 10.100.1.10 auth-port 1645
radius-server host 10.200.2.20 auth-port 1645
radius-server deadtime 5
radius-server timeout 10
radius-server retransmit 3
radius-server key topsecret

aaa session-id common

Sorry, I forgot to add the debug messages that I received. Below are the debug messages:

*Nov 14 09:02:47 gmt: AAA: parse name=tty2 idb type=-1 tty=-1
*Nov 14 09:02:47 gmt: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0port=2 channel=0
*Nov 14 09:02:47 gmt: AAA/MEMORY: create_user (0x42E647E8) user='' ruser='' port='tty2' rem_addr='10.179.250.13' authen_type=ASCII service=LOGIN priv=1
*Nov 14 09:02:47 gmt: AAA/AUTHEN/START (1847412412): port='tty2' list='' action=LOGIN service=LOGIN
*Nov 14 09:02:47 gmt: AAA/AUTHEN/START (1847412412): using "default" list
*Nov 14 09:02:47 gmt: AAA/AUTHEN/START (1847412412): Method=radius (radius)
*Nov 14 09:02:47 gmt: AAA/AUTHEN (1847412412): status = GETUSER
*Nov 14 09:02:51 gmt: AAA/AUTHEN/CONT (1847412412): continue_login (user='(undef)')
*Nov 14 09:02:51 gmt: AAA/AUTHEN (1847412412): status = GETUSER
*Nov 14 09:02:51 gmt: AAA/AUTHEN (1847412412): Method=radius (radius)
*Nov 14 09:02:51 gmt: AAA/AUTHEN (1847412412): status = GETPASS
*Nov 14 09:02:56 gmt: AAA/AUTHEN/CONT (1847412412): continue_login (user='XPVQ74')
*Nov 14 09:02:56 gmt: AAA/AUTHEN (1847412412): status = GETPASS
*Nov 14 09:02:56 gmt: AAA/AUTHEN (1847412412): Method=radius (radius)
*Nov 14 09:07:37 gmt: AAA/AUTHEN (1847412412): status = ERROR
*Nov 14 09:07:37 gmt: AAA/AUTHEN/START (2826681296): port='tty2' list='' action=LOGIN service=LOGIN
*Nov 14 09:07:37 gmt: AAA/AUTHEN/START (2826681296): Restart
*Nov 14 09:07:37 gmt: AAA/AUTHEN/START (2826681296): Method=LINE
*Nov 14 09:07:37 gmt: AAA/AUTHEN (2826681296): status = GETPASS
*Nov 14 09:07:47 gmt: AAA/AUTHEN/CONT (2826681296): continue_login (user='(undef)')
*Nov 14 09:07:47 gmt: AAA/AUTHEN (2826681296): status = GETPASS
*Nov 14 09:07:47 gmt: AAA/AUTHEN/CONT (2826681296): Method=LINE
*Nov 14 09:07:47 gmt: AAA/AUTHEN (2826681296): status = PASS

When someone says that AAA authentication to a Radius server is not working my first thought is whether the Radius server is correctly configured (correct address, correct password, etc). And whether the Radius server is correctly configured to recognize the Cisco as a client.

And my second thought is to verify whether there is connectivity from the Cisco to the Radius server.

Can you check on the server and see whether there are logs that might help to clarify what the problem is? Is the Radius server seeing the authentication request? Does the Radius server recognize the Cisco as a valid client? Is there anything in the logs that helps identify what kind of error the Radius server generated?

These debugs show that your device attempted to authenticate with the Radius server, saw some error condition, and performed authentication using the line password (as your config had specified). If the logs from the Radius server are not helpful then I would suggest that the next step would be to run debug radius and retest. The radius debug output might show what the problem is.

HTH

Rick


Thanks for the reply.

I could not see any failed attempts with my login ID in the ACS server for this switch. However, I did see passed attempts on the switches where it is working fine with the same login ID. It's working fine for CatOS switches, but for all the IOS devices like MSFC and routers it is not working.

Does no failed attempts mean the switch has not contacted the ACS server? Do you see anything wrong in the configuration of AAA? Anything to add/change in the config? Pl

I will do a debug radius again and post it for more clarification.

No failed attempts means that nothing arrived to the ACS.

BTW, what version of ACS are you using?

The "debug radius" and "debug aaa authentication" will show more details regarding what is happening.

If your ACS is not replying you may want to double-check the ports that the ACS is listening to, the connectivity to the ACS, the shared secret, etc...

HTH,

Tiago


I do not want to be overly picking at details, but your response says that you did not see failed attempts for your login ID. You want to look for any failed attempt messages during the time that you were testing and not just attempts with your login ID.

I have looked at your AAA config and do not see any obvious problems. You might want to check to be sure that the server key value in the config does match the key used by ACS. And as suggested in the other response you might want to check the ports specified in your config and verify that those are the ports used in ACS.

Here are a couple of ideas:

- Is there more than one interface through which you could forward traffic and get to the ACS server? If so you might want to specify the radius source address in the config. ACS can have only one address for a remote client, and unless you specify the source address, the default is to use the outbound interface address as the source address of the request.

- You might want to check basic IP connectivity to the address of the authentication servers. Checking whether you can ping the addresses is a good place to start.

- You might also do a traceroute to the addresses of the authentication server and then look to see whether the device at each hop in the traceroute might have some kind of packet filtering (access list etc.) which could be denying the requests.

If none of these help to identify the problem then the output of debug radius would be the next step.

HTH

Rick


Ping response is good from the switch to the ACS server, and the same key is working for other CatOS switches, but it is not working for all IOS devices.

When I did debug radius, it was searching for 1812 and 1813 along with the configured 1645 and 1646 ports. Not sure why. Below is the debug result:

*Nov 15 07:24:38 gmt: AAA/AUTHEN/START (4076811788): using "default" list
*Nov 15 07:24:38 gmt: AAA/AUTHEN/START (4076811788): Method=radius (radius)
*Nov 15 07:24:38 gmt: AAA/AUTHEN (4076811788): status = GETUSER
*Nov 15 07:24:42 gmt: AAA/AUTHEN/CONT (4076811788): continue_login (user='(undef)')
*Nov 15 07:24:42 gmt: AAA/AUTHEN (4076811788): status = GETUSER
*Nov 15 07:24:42 gmt: AAA/AUTHEN (4076811788): Method=radius (radius)
*Nov 15 07:24:42 gmt: AAA/AUTHEN (4076811788): status = GETPASS
*Nov 15 07:24:46 gmt: AAA/AUTHEN/CONT (4076811788): continue_login (user='NBD1FKC')
*Nov 15 07:24:46 gmt: AAA/AUTHEN (4076811788): status = GETPASS
*Nov 15 07:24:46 gmt: AAA/AUTHEN (4076811788): Method=radius (radius)
*Nov 15 07:24:46 gmt: RADIUS: ustruct sharecount=1
*Nov 15 07:24:46 gmt: RADIUS: Initial Transmit tty3 id 12 10.100.1.10:1812, Access-Request, len 79
*Nov 15 07:24:46 gmt:         Attribute 4 6 0AA02BFD
*Nov 15 07:24:46 gmt:         Attribute 5 6 00000003
*Nov 15 07:24:46 gmt:         Attribute 61 6 00000005
*Nov 15 07:24:46 gmt:         Attribute 1 8 58505651
*Nov 15 07:24:46 gmt:         Attribute 31 15 31302E31
*Nov 15 07:24:46 gmt:         Attribute 2 18 C3DF8087
*Nov 15 07:24:56 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:06 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:16 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:26 gmt: RADIUS: Marking server 10.100.1.10:1812,1813 dead
*Nov 15 07:25:26 gmt: RADIUS: Trying next server (10.200.2.20:1812,1813) for id12
*Nov 15 07:25:26 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:27 gmt: RADIUS: Received from id 137 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:25:27 gmt:         Attribute 79 8 01330006
*Nov 15 07:25:27 gmt:         Attribute 24 36 4541503D
*Nov 15 07:25:27 gmt:         Attribute 80 18 B0BB4B6D
*Nov 15 07:25:27 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:25:36 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:37 gmt: RADIUS: Received from id 229 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:25:37 gmt:         Attribute 79 8 01370006
*Nov 15 07:25:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:25:37 gmt:         Attribute 80 18 42B50E83
*Nov 15 07:25:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:25:37 gmt: RADIUS: Received from id 216 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:25:37 gmt:         Attribute 79 8 01350006
*Nov 15 07:25:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:25:37 gmt:         Attribute 80 18 47965044
*Nov 15 07:25:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:25:37 gmt: RADIUS: Received from id 131 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:25:37 gmt:         Attribute 79 8 01360006
*Nov 15 07:25:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:25:37 gmt:         Attribute 80 18 56E14E49
*Nov 15 07:25:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:25:46 gmt: RADIUS: Retransmit id 12
*Nov 15 07:25:56 gmt: RADIUS: Retransmit id 12
*Nov 15 07:26:06 gmt: RADIUS: Marking server 10.200.2.20:1812,1813 dead
*Nov 15 07:26:46 gmt: RADIUS: Trying next server (10.100.1.10:1645,1813) for id12
*Nov 15 07:26:46 gmt: RADIUS: Retransmit id 12
*Nov 15 07:26:56 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:06 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:16 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:26 gmt: RADIUS: Marking server 10.100.1.10:1645,1813 dead
*Nov 15 07:27:26 gmt: RADIUS: Trying next server (10.130.115.10:1645,1813) for id12
*Nov 15 07:27:26 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:36 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:37 gmt: RADIUS: Received from id 25 10.130.115.10:1645, Access-Challenge, len 82
*Nov 15 07:27:37 gmt:         Attribute 79 8 01AC0006
*Nov 15 07:27:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:27:37 gmt:         Attribute 80 18 FD960F84
*Nov 15 07:27:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:27:37 gmt: RADIUS: Received from id 96 10.130.115.10:1645, Access-Challenge, len 82
*Nov 15 07:27:37 gmt:         Attribute 79 8 01AE0006
*Nov 15 07:27:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:27:37 gmt:         Attribute 80 18 B15F853B
*Nov 15 07:27:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:27:38 gmt: RADIUS: Received from id 96 10.130.115.10:1645, Access-Challenge, len 82
*Nov 15 07:27:38 gmt:         Attribute 79 8 01AE0006
*Nov 15 07:27:38 gmt:         Attribute 24 36 4541503D
*Nov 15 07:27:38 gmt:         Attribute 80 18 B15F853B
*Nov 15 07:27:38 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:27:46 gmt: RADIUS: Retransmit id 12
*Nov 15 07:27:56 gmt: RADIUS: Retransmit id 12
*Nov 15 07:28:06 gmt: RADIUS: Marking server 10.130.115.10:1645,1813 dead
*Nov 15 07:28:06 gmt: RADIUS: Trying next server (10.200.2.20:1645,1813) for id12
*Nov 15 07:28:06 gmt: RADIUS: Retransmit id 12
*Nov 15 07:28:16 gmt: RADIUS: Retransmit id 12
*Nov 15 07:28:26 gmt: RADIUS: Retransmit id 12
*Nov 15 07:28:27 gmt: RADIUS: Received from id 140 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:28:27 gmt:         Attribute 79 8 01770006
*Nov 15 07:28:27 gmt:         Attribute 24 36 4541503D
*Nov 15 07:28:27 gmt:         Attribute 80 18 4E6FDD94
*Nov 15 07:28:27 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:28:36 gmt: RADIUS: Retransmit id 12
*Nov 15 07:28:37 gmt: RADIUS: Received from id 134 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:28:37 gmt:         Attribute 79 8 017B0006
*Nov 15 07:28:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:28:37 gmt:         Attribute 80 18 0FB6F424
*Nov 15 07:28:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:28:37 gmt: RADIUS: Received from id 232 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:28:37 gmt:         Attribute 79 8 017C0006
*Nov 15 07:28:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:28:37 gmt:         Attribute 80 18 5248654E
*Nov 15 07:28:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:28:37 gmt: RADIUS: Received from id 219 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:28:37 gmt:         Attribute 79 8 017A0006
*Nov 15 07:28:37 gmt:         Attribute 24 36 4541503D
*Nov 15 07:28:37 gmt:         Attribute 80 18 833EC8BA
*Nov 15 07:28:37 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:28:38 gmt: RADIUS: Received from id 134 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:28:38 gmt:         Attribute 79 8 017B0006
*Nov 15 07:28:38 gmt:         Attribute 24 36 4541503D
*Nov 15 07:28:38 gmt:         Attribute 80 18 0FB6F424
*Nov 15 07:28:38 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:28:46 gmt: RADIUS: Marking server 10.200.2.20:1645,1813 dead
*Nov 15 07:30:06 gmt: RADIUS: Trying next server (10.130.115.10:1645,1646) for id12
*Nov 15 07:30:06 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:16 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:26 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:36 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:46 gmt: RADIUS: Marking server 10.130.115.10:1645,1646 dead
*Nov 15 07:30:46 gmt: RADIUS: Trying next server (10.200.2.20:1645,1646) for id12
*Nov 15 07:30:46 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:47 gmt: RADIUS: Received from id 99 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:30:47 gmt:         Attribute 79 8 01A50006
*Nov 15 07:30:47 gmt:         Attribute 24 36 4541503D
*Nov 15 07:30:47 gmt:         Attribute 80 18 5FC9BEB7
*Nov 15 07:30:47 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:30:56 gmt: RADIUS: Retransmit id 12
*Nov 15 07:30:57 gmt: RADIUS: Received from id 215 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:30:57 gmt:         Attribute 79 8 01A90006
*Nov 15 07:30:57 gmt:         Attribute 24 36 4541503D
*Nov 15 07:30:57 gmt:         Attribute 80 18 C6038CF6
*Nov 15 07:30:57 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:31:06 gmt: RADIUS: Retransmit id 12
*Nov 15 07:31:16 gmt: RADIUS: Retransmit id 12
*Nov 15 07:31:17 gmt: RADIUS: Received from id 212 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:31:17 gmt:         Attribute 79 8 01B00006
*Nov 15 07:31:17 gmt:         Attribute 24 36 4541503D
*Nov 15 07:31:17 gmt:         Attribute 80 18 541D7DEC
*Nov 15 07:31:17 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:31:18 gmt: RADIUS: Received from id 212 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:31:18 gmt:         Attribute 79 8 01B00006
*Nov 15 07:31:18 gmt:         Attribute 24 36 4541503D
*Nov 15 07:31:18 gmt:         Attribute 80 18 541D7DEC
*Nov 15 07:31:18 gmt: RADIUS: Response for non-existent request ident
*Nov 15 07:31:26 gmt: RADIUS: Marking server 10.200.2.20:1645,1646 dead
*Nov 15 07:31:26 gmt: RADIUS: Tried all servers.
*Nov 15 07:31:26 gmt: RADIUS: No valid server found. Trying any viable server
*Nov 15 07:31:26 gmt: RADIUS: Tried all servers.
*Nov 15 07:31:26 gmt: RADIUS: No response for id 12
*Nov 15 07:31:26 gmt: RADIUS: No response from server
*Nov 15 07:31:26 gmt: AAA/AUTHEN (4076811788): status = ERROR
*Nov 15 07:31:26 gmt: AAA/AUTHEN/START (3863010286): port='tty3' list='' action=LOGIN service=LOGIN
*Nov 15 07:31:26 gmt: AAA/AUTHEN/START (3863010286): Restart
*Nov 15 07:31:26 gmt: AAA/AUTHEN/START (3863010286): Method=LINE
*Nov 15 07:31:26 gmt: AAA/AUTHEN (3863010286): status = GETPASS
*Nov 15 07:31:26 gmt: AAA/AUTHEN/CONT (3863010286): continue_login (user='(undef)')
*Nov 15 07:31:26 gmt: AAA/AUTHEN (3863010286): status = GETPASS
*Nov 15 07:31:26 gmt: AAA/AUTHEN/CONT (3863010286): Method=LINE

If Radius is working for multiple Catalyst switches and is not working for any configured IOS devices then I must believe that there is something generic in the config that is not right and not an issue with a particular device (as I had been assuming).

There seems to be some mismatch between what was shown as config in your original post and what is on this device. I see the device attempt to use 10.100.1.10 (as would be expected). It receives no response and retries, and when that fails it moves on and tries 10.200.2.20 and receives an access challenge. From this I would assume that the address and the shared key are probably correct. But your device rejects the received access challenge. It tries the first server again and gets no response. Then it goes to a server that is not listed in the config that you posted:

Trying next server (10.130.115.10:1645,1813)

Where does this come from?

Perhaps it would help if you would post a fresh copy of the config of the IOS device since something may have changed since your original post. And perhaps it would be helpful for comparison if you would post the output of show radius from one of your catalyst switches.

HTH

Rick

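As an added example (not from this thread or from Cisco), the following Python helper walks lines in the format of the debug radius capture above and summarizes what the reply above reads off by hand: the server:port each request id went to, which servers were marked dead, replies that match no outstanding id, and replies that come back from a different port than the one the request was sent to. The sample lines are constructed in the capture's format, and the attribute names are the standard RFC 2865/2869 numbers.

```python
import re

# Constructed sample lines in the format of the 'debug radius' capture posted in this thread.
SAMPLE = """\
*Nov 15 07:24:46 gmt: RADIUS: Initial Transmit tty3 id 12 10.100.1.10:1812, Access-Request, len 79
*Nov 15 07:24:46 gmt:         Attribute 4 6 0AA02BFD
*Nov 15 07:24:46 gmt:         Attribute 1 8 58505651
*Nov 15 07:25:26 gmt: RADIUS: Marking server 10.100.1.10:1812,1813 dead
*Nov 15 07:25:26 gmt: RADIUS: Trying next server (10.200.2.20:1812,1813) for id12
*Nov 15 07:25:27 gmt: RADIUS: Received from id 137 10.200.2.20:1645, Access-Challenge, len 82
*Nov 15 07:25:27 gmt:         Attribute 24 36 4541503D
*Nov 15 07:25:27 gmt: RADIUS: Response for non-existent request ident
"""

# RFC 2865 / RFC 2869 attribute numbers for the types seen in the capture.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port", 24: "State",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
TX = re.compile(r"Initial Transmit \S+ id (\d+) (\S+):(\d+), (\S+),")
NEXT = re.compile(r"Trying next server \((\S+):(\d+),(\d+)\) for id(\d+)")
DEAD = re.compile(r"Marking server (\S+):(\d+),(\d+) dead")
RX = re.compile(r"Received from id (\d+) (\S+):(\d+), (\S+),")
ATTR = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

def analyze(text):
    """Return servers tried in order, servers marked dead, replies matching no outstanding
    request id, and replies arriving from a different port than the request went to."""
    sent, tried, dead, orphans, port_mismatch = {}, [], [], [], []
    for line in text.splitlines():
        if m := TX.search(line):
            sent[m[1]] = (m[2], int(m[3])); tried.append((m[2], int(m[3])))
        elif m := NEXT.search(line):
            sent[m[4]] = (m[1], int(m[2])); tried.append((m[1], int(m[2])))
        elif m := DEAD.search(line):
            dead.append((m[1], int(m[2])))
        elif m := RX.search(line):
            rid, srv, port = m[1], m[2], int(m[3])
            if rid not in sent:          # what IOS reports as 'non-existent request ident'
                orphans.append((rid, srv, port, m[4]))
            for s, p in sent.values():   # request went to port p, reply came from port
                if s == srv and p != port:
                    port_mismatch.append((srv, p, port))
    return {"tried": tried, "dead": dead, "orphans": orphans, "port_mismatch": port_mismatch}

def decode_attr(line):
    """Decode one 'Attribute <type> <len> <hex>' line; this debug prints only the first
    four value bytes, so text values come back truncated."""
    m = ATTR.search(line)
    if not m: return None
    typ, length, head = int(m[1]), int(m[2]), bytes.fromhex(m[3])
    if typ == 4 and len(head) == 4:
        value = ".".join(str(b) for b in head)      # NAS-IP-Address as dotted quad
    else:                                            # text attrs; others stay as hex
        value = head.decode("ascii", "replace") if typ in (1, 24, 31) else head.hex()
    return ATTR_NAMES.get(typ, f"Attr-{typ}"), length - 2, value  # length includes 2-byte header
```

Run analyze() over a full capture pasted into SAMPLE; an Access-Challenge arriving from port 1645 while the request went to 1812 shows up under port_mismatch, and replies for ids the device never sent show up under orphans.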