On 04/05/2016 07:37, Ulrik Ivers wrote:
Hi David,

Has the exact same config, including the shared secret, ever worked? With 
another RADIUS server?

I ask because we had a similar problem getting Radius to work with our ASR 9001 
when they were first deployed. Don't remember if we saw any errors on the 
Radius server though.

Root cause - we used a shared secret longer than 22 characters. The ASR happily 
accepted the config, but it didn't work.

IOS XR 4.3

Regards,
/Ulrik

Each device has its own shared secret; apart from the shared secret, it is set up the same way as the devices. However, this is the first IOS XR device we have trying to talk to the RADIUS server. The shared secret isn't longer than 22 characters; however, it does have symbols in it. I will try without and see if that is the issue.

On 04/05/2016 10:38, Kimaru Mansour wrote:
Hi,

Having the same issue myself. Also noticed the malformed packet messages. We in fact placed a FreeRADIUS implementation in front of the Windows Server as a proxy to forward requests between the RADIUS client and the Windows RADIUS server. Our key is also shorter than 22 chars, so that doesn't seem to be it. The same setup is working fine with IOS XE and classic IOS based RADIUS clients, so I am also looking forward to reading if anyone else has gotten this working for IOS XR and Windows RADIUS. One difference I noticed is that the Auth-Req message does differ between IOS XR and IOS XE with regard to the AV pairs sent, but I seem to have misplaced the pcaps.

Br,

Kimaru

Here are the Auth-Req messages from dumps I did
IOS XR

Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x18 (24)
    Length: 113
    Authenticator: <removed>
    Attribute Value Pairs
        AVP: l=17  t=User-Name(1): <removed>
            User-Name: <removed>
        AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
            NAS-IP-Address: 0.0.0.0 (0.0.0.0)
        AVP: l=22  t=NAS-IPv6-Address(95):
        AVP: l=6  t=NAS-Port(5): 130
            NAS-Port: 130
        AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
            NAS-Port-Type: Virtual (5)
        AVP: l=6  t=Service-Type(6): Login(1)
            Service-Type: Login (1)
        AVP: l=12  t=Calling-Station-Id(31): <removed>
            Calling-Station-Id: <removed>
        AVP: l=18  t=User-Password(2):  Encrypted
            User-Password (encrypted): <removed>


Classic IOS.

Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0xe6 (230)
    Length: 79
    Authenticator: <removed>
    Attribute Value Pairs
        AVP: l=17  t=User-Name(1): <removed>
            User-Name: <removed>
        AVP: l=18  t=User-Password(2): Encrypted
            User-Password (encrypted): <removed>
        AVP: l=6  t=NAS-Port(5): 1
            NAS-Port: 1
        AVP: l=6  t=NAS-Port-Id(87): tty1
            NAS-Port-Id: tty1
        AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
            NAS-Port-Type: Virtual (5)
        AVP: l=6  t=NAS-IP-Address(4): <removed>
            NAS-IP-Address: <removed> (<removed>)
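
Added example, not part of the thread and not code from any poster: a small Python checker that walks the AVPs of an Access-Request the way a strict server would and compares fixed-length attributes against RFC 2865 and RFC 3162, which gives NAS-IPv6-Address(95) a length of 18. The two packets are constructed to mirror the attribute order and lengths of the dumps above with placeholder values; all function and variable names are hypothetical.

```python
import struct

# Fixed on-wire lengths (type + length + value octets) from RFC 2865 and RFC 3162.
FIXED_LEN = {4: ("NAS-IP-Address", 6), 5: ("NAS-Port", 6), 6: ("Service-Type", 6),
             61: ("NAS-Port-Type", 6), 95: ("NAS-IPv6-Address", 18)}

def avp(atype, value):
    """Encode one attribute: type, length (2-octet header included), value."""
    return bytes([atype, len(value) + 2]) + value

def build_request(ident, avps):
    """Build an Access-Request (code 1) with a constructed all-zero authenticator."""
    body = b"".join(avps)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def check_packet(pkt):
    """Return a list of findings for one RADIUS datagram (empty list = clean)."""
    if len(pkt) < 20:
        return ["shorter than the 20-octet RADIUS header"]
    length = struct.unpack("!H", pkt[2:4])[0]
    findings = []
    if length != len(pkt):
        findings.append(f"header length {length} != datagram size {len(pkt)}")
    pos, end = 20, min(length, len(pkt))
    while pos < end:
        atype, alen = pkt[pos], pkt[pos + 1] if pos + 1 < end else 0
        if alen < 2 or pos + alen > end:
            findings.append(f"attribute {atype} at offset {pos}: bad length {alen}")
            break  # cannot resynchronise after a bad length
        name, want = FIXED_LEN.get(atype, (None, None))
        if want is not None and alen != want:
            findings.append(f"{name}({atype}): length {alen}, expected {want}")
        if atype == 4 and pkt[pos + 2:pos + alen] == bytes(4):
            findings.append("NAS-IP-Address(4) is 0.0.0.0")
        pos += alen
    return findings

# Constructed packets with the attribute order and lengths of the two dumps above;
# every value is a placeholder, not data from the thread.
def u32(n): return struct.pack("!I", n)
XR_LIKE = build_request(0x18, [avp(1, b"u" * 15), avp(4, bytes(4)), avp(95, bytes(20)),
    avp(5, u32(130)), avp(61, u32(5)), avp(6, u32(1)), avp(31, b"c" * 10), avp(2, bytes(16))])
IOS_LIKE = build_request(0xE6, [avp(1, b"u" * 15), avp(2, bytes(16)), avp(5, u32(1)),
    avp(87, b"tty1"), avp(61, u32(5)), avp(4, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    for label, pkt in (("IOS XR-like", XR_LIKE), ("classic IOS-like", IOS_LIKE)):
        print(label, len(pkt), check_packet(pkt) or "no findings")
```

The same function can be pointed at the raw UDP payload of a captured Access-Request to compare its findings with the server's "malformed packet" log entries.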

On 04/05/2016 11:28, Mick O'Rourke wrote:

Working on XR 4.3.2 with Microsoft NPS/Radius here.

The only special config required on the NPS side was an attribute specifying the IOS XR IE task group. Nothing special was required on the XR side - your config looks very similar to what we use.

Mick



We are using XR 5.3.3. I wonder if they changed something between 4.x and 5.x which broke it with Microsoft NPS.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
