Cisco ASA - Radius - Invalid response received from server
We have run into an issue with Radius Authentication with one set of Cisco ASA Firewalls.
The issue is as follows:
Initially, the radius preshared key was not configured for our primary radius server. This was noticed and corrected immediately. However, upon correcting this, we started receiving the following error:
ERROR: Authentication Error: Invalid response received from server
I looked at the radius server and it reports that the user was successfully authenticated. The output of the debug aaa-server authentication is as follows:
ASA# test aaa-server authentication la-radius-group
Server IP Address or name: <RADIUS>
Username: <USERNAME>
Password: *********
INFO: Attempting Authentication test to IP address <RADIUS> (timeout: 10 seconds)
radius mkreq: 0x1fa
alloc_rip 0x00007ffecc0b3f48
    new request 0x1fa --> 14 (0x00007ffecc0b3f48)
got user 'username'
got password
add_req 0x00007ffecc0b3f48 session 0x1fa id 14
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 65).....
| .
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 14 (0x0E)
Radius: Length = 65 (0x0041)
Radius: Vector: E27330A92ECF5C653AEB48E106C7F41D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = <ASA> (0xD04A88FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt <RADIUS>/1645
rip 0x00007ffecc0b3f48 state 7 id 14
rad_vrfy() : response message verified
rip 0x00007ffecc0b3f48
 : chall_state ''
 : state 0x7
 : reqauth:
 : info 0x00007ffecc0b4088
     session_id 0x1fa
     request_id 0xe
     user '<USERNAME>'
     response '***'
     app 0
     reason 0
     skey '<KEY>'
     sip <RADIUS>
     type 1

RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 78).....
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 14 (0x0E)
Radius: Length = 78 (0x004E)
Radius: Vector: 206B152DB5DD5C7996E4F1DD650F96A9
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 6 (0x06)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 6 (0x06) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
rad_procpkt: ACCEPT
RADIUS_DELETE
remove_req 0x00007ffecc0b3f48 session 0x1fa id 14
free_rip 0x00007ffecc0b3f48
radius: send queue empty
ERROR: Authentication Error: Invalid response received from server
When looking at the logs on the Radius Server, I receive the following entry:
"Network Policy Server granted access to a user."
We have cleared the configuration, rebooted the ASA, and re-applied the radius configuration and the issue persisted.
We have multiple Cisco Devices that connect to this RADIUS server and this is the only device that has an issue.
Has anyone seen this before? I have not seen any articles stating an issue like this.
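The response decode above lists a Vendor-Specific attribute of length 6, which covers only the type, length and 4-byte Vendor ID (20 + 6 + 6 + 46 = 78 bytes in total). As an added example, not part of the original post and not Cisco's code, this Python checker walks a RADIUS packet's attributes and reports structural findings of that kind. The two packets are constructed to follow the decoded layout, with filler for the Class value and a made-up sub-attribute in the comparison packet.

```python
import struct

MIN_VSA_LEN = 7  # RFC 2865 5.26: Type, Length, 4-byte Vendor-Id, then >= 1 byte of data

def check_radius_packet(pkt):
    """Walk a RADIUS packet's attributes and return a list of structural findings."""
    if len(pkt) < 20:
        return ["packet shorter than the 20-byte RADIUS header"]
    findings = []
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        findings.append(f"header length {length} != received {len(pkt)}")
    pos, end = 20, min(length, len(pkt))
    while pos < end:
        if end - pos < 2:
            findings.append(f"offset {pos}: truncated attribute header")
            break
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > end:
            findings.append(f"offset {pos}: type {a_type} has bad length {a_len}")
            break
        if a_type == 26 and a_len < MIN_VSA_LEN:
            findings.append(f"offset {pos}: Vendor-Specific length {a_len} "
                            f"leaves no room for vendor data (minimum {MIN_VSA_LEN})")
        pos += a_len
    return findings

def build(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value) pairs; helper for the samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

AUTH = bytes.fromhex("206B152DB5DD5C7996E4F1DD650F96A9")  # Vector from the decode
VENDOR_9 = struct.pack("!I", 9)
# Constructed packet with the layout of the response decode (Class value is filler).
SAMPLE = build(2, 14, AUTH, [
    (26, VENDOR_9),               # Vendor-Specific, length 6: Vendor ID only
    (6, struct.pack("!I", 1)),    # Service-Type = 0x1
    (25, b"X" * 44),              # Class, length 46
])
# Constructed comparison: same packet, but the VSA carries one sub-attribute.
WELL_FORMED = build(2, 14, AUTH, [
    (26, VENDOR_9 + bytes([1, 11]) + b"example=1"),
    (6, struct.pack("!I", 1)),
    (25, b"X" * 44),
])

if __name__ == "__main__":
    for name, pkt in (("SAMPLE", SAMPLE), ("WELL_FORMED", WELL_FORMED)):
        print(name, len(pkt), check_radius_packet(pkt) or "no findings")
```

Feeding it the raw bytes of a captured Access-Accept from the RADIUS server shows whether the attributes on the wire have the same shape as the decode.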