New Member

webns and load-balancing Radius servers

The customer uses CSS for the load-balancing of Radius servers. He has the following configuration on the CSS:

service acs
  ip address 10.0.252.1
  active

owner vzp.cz
  content acs
    vip address 10.1.48.100
    add service acs
    balance srcip
    advanced-balance sticky-srcip
    active

group acs-snat
  vip address 10.1.48.100
  add destination service acs
  portmap disable
  active

He has the NAS server with IP address 10.1.48.100 defined on the ACS. He uses the same shared secret for radius on switches, CSS and ACS.

But he has the following message in the ACS:

RDS 05/03/2010 12:37:59 D 7536 5460 0x0 NAS: First Request (RequestID:Port) 96:13576 inserted to the lookup table.
RDS 05/03/2010 12:37:59 D 0302 5460 0x0 Request from host 10.1.48.100:1812 code=1, id=96, length=138 on port 2101
RDS 05/03/2010 12:37:59 E 0410 5460 0x0 Request from 10.1.48.100 contains invalid Message-Authenticator, ignoring
RDS 05/03/2010 12:37:59 D 7638 5460 0x0 NAS: 10.1.48.100:13576:96 Cleaning lookup entry.

Thanks Roman

1 REPLY
Cisco Employee

Re: webns and load-balancing Radius servers

The CSS does not modify or look at the radius payload.

If the message authenticator is incorrect, it means the NAS sent the wrong one.

You could verify this with a sniffer trace captured in front of the CSS and in front of the ACS.

Gilles.
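
Added example, not part of the reply above and not Cisco code: one way to check the Message-Authenticator of an Access-Request taken from each of the two sniffer traces. It recomputes HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed, keyed with the shared secret (RFC 2869); the sample packet and secret are constructed, and exporting the RADIUS UDP payload from the trace as raw bytes is assumed.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869)


def check_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Return True if the Access-Request's Message-Authenticator matches secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    packet = packet[:length]          # ignore any trailing padding
    pos = 20                          # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            received = packet[pos + 2:pos + 18]
            # The sender computed the HMAC with the value field set to zeros.
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    raise ValueError("no Message-Authenticator attribute present")


def build_sample_request(secret: bytes, ident: int = 96) -> bytes:
    """Constructed Access-Request (not taken from the thread's capture)."""
    attrs = b"\x01\x07user1" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16))
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


if __name__ == "__main__":
    pkt = build_sample_request(b"constructed-secret")
    print(check_message_authenticator(pkt, b"constructed-secret"))
    print(check_message_authenticator(pkt, b"other-secret"))
```

If the check fails on the packet captured in front of the CSS, the NAS is signing with a different secret than the one tested; if it passes there but fails on the packet captured in front of the ACS, compare the two payloads byte for byte.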
