Radius Auth not working

mahesh18
Level 6

Hi Everyone,

ASA is configured for Radius Auth.

I can log in to the ASA via the username and password configured locally on the ASA, but Radius auth is not working.

I need to make sure the issue is not with the ASA config, as per the logs below:

Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-302013: Built inbound TCP connection 67246 for Visitor:172.31.23.107/34287 (172.31.23.107/34287) to identity:10.31.2.81/443 (10.31.2.81/443)
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-302014: Teardown TCP connection 67246 for Visitor:172.31.23.107/34287 to identity:10.31.2.81/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-302013: Built inbound TCP connection 67247 for Visitor:172.31.23.107/34287 (172.31.23.107/34287) to identity:10.31.2.81/443 (10.31.2.81/443)
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-725001: Starting SSL handshake with client MGMT:172.31.23.107/34287 for TLSv1 session.
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725010: Device supports the following 6 cipher(s).
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[1] : RC4-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[4] : AES128-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[5] : AES256-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725008: SSL client MGMT:172.31.23.107/34287 proposes the following 15 cipher(s).
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[1] : RC4-MD5
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[2] : RC4-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[3] : AES128-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[9] : DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[12] : EXP-RC4-MD5
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client MGMT:172.31.23.107/34287
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-725002: Device completed SSL handshake with client MGMT:172.31.23.107/34287
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user aa1045 : Auth-server group DCNetwork unreachable
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = aa1045
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-611102: User authentication failed: Uname: aa1045
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-605004: Login denied from 172.31.23.107/34287 to MGMT:10.31.2.81/https for user "aa1045"
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-725007: SSL session with client MGMT:172.31.23.107/34287 terminated.
Feb 18 2014 00:48:01 10.31.2.81 : %ASA-6-302014: Teardown TCP connection 67245 for Visitor:172.31.23.107/29312 to identity:10.31.2.81/443 duration 0:00:00 bytes 1104 TCP FINs
Feb 18 2014 00:48:01 10.31.2.81 : %ASA-6-302014: Teardown TCP connection 67247 for Visitor:172.31.23.107/34287 to identity:10.31.2.81/443 duration 0:00:00 bytes 1104 TCP FINs
Feb 18 2014 00:48:01 10.31.2.81 : %ASA-7-609002: Teardown local-host Visitor:172.31.23.107 duration 0:00:00

I am coming from a PC which has IP 172.31.23.107, and the ASA has IP 10.31.2.81.

Regards

Mahesh


Hello.

Looks like the ASA can't communicate with Radius:

Feb 18 2014 00:48:00 10.31.2.81 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user aa1045 : Auth-server group DCNetwork unreachable

Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = aa1045

Could you please provide your configuration for aaa and the current status for radius?

Try:

  • test aaa-server authentication DCNetwork host user aa1045 password
  • show aaa-server
  • show running-config aaa-server


Are you sure that the ASA is able to access the Radius server (no filtering, and a route does exist)?

Are you sure the server is up and running and has a route back to the ASA?

You could also try "debug radius" and check what's wrong.
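
The reading of the two syslog lines in the reply above, as an added example that is not part of the original posts: Python code that correlates ASA messages 409023, 113015 and 605004 per device and user, so that a denied login caused by an unreachable RADIUS group is not mistaken for a plain bad password. The sample lines are copied from the log in the question; `triage` and its result fields are illustrative names.

```python
import re
from collections import defaultdict

# Lines copied from the syslog excerpt posted in the question.
SAMPLE = """\
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user aa1045 : Auth-server group DCNetwork unreachable
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = aa1045
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-611102: User authentication failed: Uname: aa1045
Feb 18 2014 00:48:00 10.31.2.81 : %ASA-6-605004: Login denied from 172.31.23.107/34287 to MGMT:10.31.2.81/https for user "aa1045"
"""

# "<timestamp> <device> : %ASA-<severity>-<message id>: <text>"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}) (?P<dev>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
FALLBACK = re.compile(
    r"Fallback method (?P<method>\S+) for Authentication request for user "
    r"(?P<user>\S+) : Auth-server group (?P<group>\S+) unreachable")
REJECT = re.compile(r"reason = (?P<reason>.+?) : local database : user = (?P<user>\S+)")
DENIED = re.compile(r'Login denied from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')


def triage(text):
    """Return one finding per denied login, with the AAA context that preceded it."""
    state = defaultdict(dict)          # (device, user) -> facts seen so far
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                   # not an ASA syslog line
        dev, msg_id, msg = m["dev"], m["id"], m["msg"]
        if msg_id == "409023" and (f := FALLBACK.search(msg)):
            # The server group did not answer, so the ASA switched methods.
            state[(dev, f["user"])].update(group=f["group"], method=f["method"])
        elif msg_id == "113015" and (r := REJECT.search(msg)):
            # Rejection by the LOCAL database, not by the RADIUS server.
            state[(dev, r["user"])]["reason"] = r["reason"]
        elif msg_id == "605004" and (d := DENIED.search(msg)):
            s = state.pop((dev, d["user"]), {})
            findings.append({
                "device": dev,
                "user": d["user"],
                "source": d["src"],
                "server_group": s.get("group"),
                "fallback": s.get("method"),
                "local_reason": s.get("reason"),
                # With a fallback on record, "Invalid password" only says the
                # user has no matching LOCAL account; the fault is reachability.
                "root_cause": ("aaa-server-unreachable" if s.get("group")
                               else "rejected-credentials"),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
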

Hi,

Here is the output:

test aaa-server authentication  DCNetwork  host 172.31.10.10 $

INFO: Attempting Authentication test to IP address <172.31.10.10> (timeout: 12 seconds)

ERROR: Authentication Server not responding: No response from server

ASA is configured correctly and there is no ACL which is blocking it.

aaa-server DCNetwork protocol radius

aaa-server DCNetwork (MGMT) host 172.31.10.10 key xxxxx

Here is the output of debug radius:

radius mkreq: 0x1e8
alloc_rip 0xcb1605f4
    new request 0x1e8 --> 26 (0xcb1605f4)
got user 'cc4708n'
got password
add_req 0xcb1605f4 session 0x1e8 id 26
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1a 00 7f e5 46 f7 52 e9 4b 30 9a c1 47 38 82    |  ....F.R.K0..G8.
00 ac 37 74 01 09 63 63 34 37 30 38 6e 02 12 20    |  ..7t..cc4708n..
c1 dc e8 37 36 a5 0c b4 23 c0 ae ff 9e a5 85 04    |  ...76...#.......
06 0a 1f 02 31 05 06 00 00 00 1a 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 26 (0x1A)
Radius: Length = 127 (0x007F)
Radius: Vector: E546F752E94B309AC147388200AC3774
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
20 c1 dc e8 37 36 a5 0c b4 23 c0 ae ff 9e a5 85    |   ...76...#......
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1A
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.31.10.10/1645
RADIUS_SENT:server response timeout
radius mkreq: 0x1e9
alloc_rip 0xcb161e4c
    new request 0x1e9 --> 27 (0xcb161e4c)
got user 'cc4708n'
got password
add_req 0xcb161e4c session 0x1e9 id 27
RADIUS_DELETE
remove_req 0xcb1605f4 session 0x1e8 id 26
free_rip 0xcb1605f4
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1b 00 7f 7c 1d 4c 2b 88 ec ff cd 15 d7 28 9d    |  ...|.L+......(.
22 7f c2 f5 01 09 63 63 34 37 30 38 6e 02 12 ca    |  "....cc4708n...
93 ae 60 a9 11 32 47 07 1a ce fb 47 88 bf 47 04    |  ..`..2G....G..G.
06 0a 1f 02 31 05 06 00 00 00 1b 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 27 (0x1B)
Radius: Length = 127 (0x007F)
Radius: Vector: 7C1D4C2B88ECFFCD15D7289D227FC2F5
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ca 93 ae 60 a9 11 32 47 07 1a ce fb 47 88 bf 47    |  ...`..2G....G..G
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1B
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.31.10.10/1645
RADIUS_SENT:server response timeout
radius mkreq: 0x1ea
alloc_rip 0xcb1605f4
    new request 0x1ea --> 28 (0xcb1605f4)
got user 'cc4708n'
got password
add_req 0xcb1605f4 session 0x1ea id 28
RADIUS_DELETE
remove_req 0xcb161e4c session 0x1e9 id 27
free_rip 0xcb161e4c
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1c 00 7f 68 af ee 2c 81 56 0e 3e ff ba 47 ce    |  ...h..,.V.>..G.
cc 72 aa 59 01 09 63 63 34 37 30 38 6e 02 12 60    |  .r.Y..cc4708n..`
07 3a d9 45 c0 8a b0 48 be 67 34 72 7b 06 50 04    |  .:.E...H.g4r{.P.
06 0a 1f 02 31 05 06 00 00 00 1c 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 28 (0x1C)
Radius: Length = 127 (0x007F)
Radius: Vector: 68AFEE2C81560E3EFFBA47CECC72AA59
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
60 07 3a d9 45 c0 8a b0 48 be 67 34 72 7b 06 50    |  `.:.E...H.g4r{.P
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1C
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.31.10.10/1645
RADIUS_SENT:server response timeout
radius mkreq: 0x1eb
alloc_rip 0xcb161e4c
    new request 0x1eb --> 29 (0xcb161e4c)
got user 'cc4708n'
got password
add_req 0xcb161e4c session 0x1eb id 29
RADIUS_DELETE
remove_req 0xcb1605f4 session 0x1ea id 28
free_rip 0xcb1605f4
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1d 00 7f 50 41 08 fc c2 bc a6 3e 0c c5 82 9e    |  ...PA.....>....
8a a5 f1 88 01 09 63 63 34 37 30 38 6e 02 12 ca    |  ......cc4708n...
91 e1 d3 bc 19 56 bf f9 8a 47 5a 11 e9 1a f4 04    |  .....V...GZ.....
06 0a 1f 02 31 05 06 00 00 00 1d 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 127 (0x007F)
Radius: Vector: 504108FCC2BCA63E0CC5829E8AA5F188
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ca 91 e1 d3 bc 19 56 bf f9 8a 47 5a 11 e9 1a f4    |  ......V...GZ....
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1D
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.16.10.10/1645
RADIUS_SENT:server response timeout
radius mkreq: 0x1ec
alloc_rip 0xcb1605f4
    new request 0x1ec --> 30 (0xcb1605f4)
got user 'cc4708n'
got password
add_req 0xcb1605f4 session 0x1ec id 30
RADIUS_DELETE
remove_req 0xcb161e4c session 0x1eb id 29
free_rip 0xcb161e4c
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1e 00 7f 84 af e5 9d 62 2d f7 85 7e c2 25 af    |  .......b-..~.%.
70 8c fd 47 01 09 63 63 34 37 30 38 6e 02 12 3e    |  p..G..cc4708n..>
d8 97 60 ab 2c 1a 0b 0c 42 71 96 de a3 6d 23 04    |  ..`.,...Bq...m#.
06 0a 1f 02 31 05 06 00 00 00 1e 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 30 (0x1E)
Radius: Length = 127 (0x007F)
Radius: Vector: 84AFE59D622DF7857EC225AF708CFD47
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
3e d8 97 60 ab 2c 1a 0b 0c 42 71 96 de a3 6d 23    |  >..`.,...Bq...m#
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1E
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.16.10.10/1645
RADIUS_SENT:server response timeout
radius mkreq: 0x1ed
alloc_rip 0xcb161e4c
    new request 0x1ed --> 31 (0xcb161e4c)
got user 'cc4708n'
got password
add_req 0xcb161e4c session 0x1ed id 31
RADIUS_DELETE
remove_req 0xcb1605f4 session 0x1ec id 30
free_rip 0xcb1605f4
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.31.23.107

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 1f 00 7f a3 7d 60 5f 31 b4 ae 1a aa 1b 3b b7    |  ....}`_1.....;.
e7 15 46 52 01 09 63 63 34 37 30 38 6e 02 12 9f    |  ..FR..cc4708n...
8d 26 ed a4 0b 1a b9 5b 9d c7 af 91 6c da e2 04    |  .&.....[....l...
06 0a 1f 02 31 05 06 00 00 00 1f 3d 06 00 00 00    |  ....1......=....
05 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75 72    |  .."......ip:sour
63 65 2d 69 70 3d 31 37 32 2e 33 31 2e 32 33 2e    |  ce-ip=172.31.23.
31 30 37 1f 1c 69 70 3a 73 6f 75 72 63 65 2d 69    |  107..ip:source-i
70 3d 31 37 32 2e 33 31 2e 32 33 2e 31 30 37       |  p=172.31.23.107

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 31 (0x1F)
Radius: Length = 127 (0x007F)
Radius: Vector: A37D605F31B4AE1AAA1B3BB7E7154652
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
63 63 34 37 30 38 6e                               |  cc4708n
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
9f 8d 26 ed a4 0b 1a b9 5b 9d c7 af 91 6c da e2    |  ..&.....[....l..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.31.2.81 (0x0A1F0231)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1F
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 33 31 2e 32 33 2e 31 30 37                      |  .31.23.107
send pkt 172.16.10.10/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xcb161e4c session 0x1ed id 31
free_rip 0xcb161e4c
radius: send queue empty

      

To me it seems the issue is with the server?

Regards

Mahesh

Mahesh

While I agree that it seems likely to be some issue with the server, I would also suggest that you try to verify that there is successful IP connectivity between the ASA and the server.

I would suggest that you check the server and see if there is anything in its logs that would help explain the issue. Did the server see the authentication request? That would verify IP connectivity and show that the request was received. Then look and see if there is some error code associated with the request. In my experience problems like this frequently turn out to be that either there was some issue with the server configuration (perhaps an incorrect IP address where the server is expecting one IP address as the source but the remote device is using some other IP as the source in the authentication request) or that the shared secret key between the ASA and the server does not match.

HTH

Rick
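
The source-address check suggested in the reply above, as an added example that is not part of the original posts: Python code that decodes a RADIUS Access-Request (RFC 2865 header plus type-length-value attributes, including the nested Cisco vendor attribute) and compares its NAS-IP-Address with the server's client list. RFC 2865 requires a server to silently discard requests from a client it has no shared secret for, which the NAS then sees as a timeout. The packet is constructed to mirror the attribute layout in the debug output, with zeroed authenticator and password bytes; `server_clients` is a hypothetical set, and the check assumes the request's UDP source address equals NAS-IP-Address (no NAT on the path).

```python
import ipaddress
import struct

NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         26: "Vendor-Specific", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}


def tlv(attr_type, value):
    """Encode one attribute: type, length (counting the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_sample():
    """Constructed Access-Request with the attribute layout shown in the thread."""
    avpair = b"ip:source-ip=172.31.23.107"
    attrs = b"".join([
        tlv(1, b"cc4708n"),
        tlv(2, bytes(16)),  # placeholder bytes, not a real hidden password
        tlv(4, ipaddress.IPv4Address("10.31.2.81").packed),
        tlv(5, struct.pack("!I", 26)),
        tlv(61, struct.pack("!I", 5)),
        tlv(26, struct.pack("!I", 9) + tlv(1, avpair)),  # vendor 9, Cisco-AV-pair
        tlv(31, avpair),
    ])
    # Header: code 1 (Access-Request), identifier, total length, authenticator.
    return struct.pack("!BBH16s", 1, 26, 20 + len(attrs), bytes(16)) + attrs


def split_attrs(buf):
    """Walk a TLV run, rejecting lengths that under- or overrun the buffer."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out


def parse_access_request(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field disagrees with the captured data")
    attrs = {}
    for t, v in split_attrs(pkt[20:length]):
        if t == 4 and len(v) == 4:
            v = str(ipaddress.IPv4Address(v))
        elif t in (5, 61) and len(v) == 4:
            v = struct.unpack("!I", v)[0]
        elif t == 26 and len(v) >= 4:
            v = {"vendor": struct.unpack("!I", v[:4])[0],
                 "sub": [(st, sv.decode("ascii", "replace"))
                         for st, sv in split_attrs(v[4:])]}
        elif t == 2:
            v = f"<{len(v)} hidden bytes>"  # never print the obfuscated password
        else:
            v = v.decode("ascii", "replace")
        attrs[NAMES.get(t, f"Attr-{t}")] = v
    return {"code": code, "id": ident, "length": length, "attrs": attrs}


def client_check(req, server_clients):
    """server_clients: hypothetical set of NAS addresses defined on the server."""
    nas = req["attrs"].get("NAS-IP-Address")
    if nas in server_clients:
        return None
    return f"no client entry for {nas}: server discards the request, NAS sees a timeout"
```
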

Hi Rick,

Thanks for the valuable input. I will check with the server team and will update you.

Regards

Mahesh

Hi Rick,

We have configured a radius group which includes 2 radius servers.

It seems that for some reason they are not replicating their config with each other.

So I removed one server from the group and now Radius authentication works fine.

So now we can say the issue was with the radius server.

Best regards

Mahesh
