10-27-2016 12:24 PM
Hi there, I am trying to use ISE 2.1 as a RADIUS server for my IOS-XR device. I got authentication to pass, but I am having issues with authorization. It seems RADIUS combines authentication and authorization. How can I overcome this? The following is the output from the device:
=====
RP/0/RP0/CPU0:T2_VRR1#RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Dispatching message type 3
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Received clinfop lwm_info - 0x200001
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Received a message type - 1 rctx 0x128d0f8
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: [100] Received ASCII LOGIN/login from <unknown> with user=brhong, ifh=0x0, tty=/dev/pts/0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: method = server group map # 1001
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute User Name = brhong(6)
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: NAS IP before adding 0.0.0.0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-IP-Address = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS IPv6 address = ::
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-Port = -2113929216
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-Port-Type = 5 0 0 0 ...
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute Service-Type = Login
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute Calling-Station-Id = 32 32 33 2e ...
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute User Password = *
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 1 8 0: 6f687262
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 95 18 1: 0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 61 6 1: 5
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: IETF attr 6 6 1: 1
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: IETF attr 31 17 0: 2e333232
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Trying to find the first radius server to use.
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Created transaction_id (71000015) for server group 9F000001
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Picking the rad id 21:0 sockfd 0x11CBF48
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: rctx 0x128d0f8 added successfully
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: interface [MgmtEth0_RP0_CPU0_0] valid 1 flags 0x0, state 3
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: found ipv4 5.14.18.23 vrf =0x60000001
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: Send Access-Request to 5.14.18.108:1645 id 21, len 105
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: authenticator 00 00 00 00 00 00 00 00 - 00 00 00 00 31 63 54 D0
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: User-Name [1] 8 brhong
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: NAS-IP-Address [4] 6 5.14.18.23
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: NAS-IPv6-Address [95] 18 ::
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: NAS-Port [5] 6 130
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: NAS-Port-Type [61] 6 Async[5]
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: Service-Type [6] 6 error[1] <===== I am hitting an error
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: Calling-Station-Id [31] 17 223.255.254.248
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: RADIUS: User-Password [2] 18 *
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Got global deadtime 0
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Using global deadtime = 0 sec
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Start timer thread rad_ident 21 remote_port 1645 remote_addr 5.14.18.108, socket 18661192 rctx 0x128d0f8
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Successfully sent packet and started timeout handler for rctx 0x128d0f8
I am seeing RADIUS drops on ISE, see the attached screenshot.
Any pointer to overcome this?
10-27-2016 01:10 PM
I am also seeing this:
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Radius packet decryption complete with rc = 0
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: Received from id 24 5.14.18.108:1645, Access-Accept, len 176
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: authenticator 64 68 BC E7 1D 63 BB 50 - 75 AC 13 09 1B 94 08 88
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: User-Name [1] 8 braven
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: State [24] 67 52 65 61 75 74 68 53 65 73 73 69 6f 6e 3a 30 61
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: 35 35 36 33 36 63 33 4c 51 4d 70 6e 61 6c 38 56
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: 45 75 50 39 79 36 62 62 36 50 5f 61 47 70 72 63
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: Class [25] 81 43 41 43 53 3a 30 61 35 35 36 33 36 63 33 4c 51
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: 4d 70 6e 61 6c 38 56 45 75 50 39 79 36 62 62 36
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: 50 5f 61 47 70 72 63 6b 7a 75 37 66 74 56 67 6b
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Freeing server group transaction_id (81000018)
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: pack_length = 176 radius_len = 176
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Calling app inf callback
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 1 8 0: 76617262
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Bad attr (radius_net_author: unsupported): type=User Name len=8
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 24 67 0: 75616552
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Bad attr (radius_net_author: unsupported): type=State len=67
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 25 81 0: 53434143
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: No appropriate authorization type for user <===
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Add last used server
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Add last used server = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Sending sync reply (status PASS) to the client
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Dispatching message type 5
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Received clinfop lwm_info - 0x200001
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Received a message type - 18 rctx 0x128cfd0
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: [0] Received AUTHOR SHELL/exec from <unknown> with user=braven, ifh=0x0, tty=/dev/pts/0
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: method = server group map # 3
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute User Name = braven(6)
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: NAS IP before adding 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-IP-Address = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS IPv6 address = ::
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-Port = -2113929216
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-Port-Type = 5 0 0 0 ...
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute Service-Type = EXEC
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute Calling-Station-Id = 32 32 33 2e ...
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute User Password = *
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 1 8 0: 76617262
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 95 18 1: 0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 61 6 1: 5
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 6 6 1: 7
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 31 17 0: 2e333232
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Trying to find the first radius server to use.
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Created transaction_id (B1000019) for server group 33000000
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Picking the rad id 25:0 sockfd 0x11CBF48
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: rctx 0x128cfd0 added successfully
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: Send Access-Request to 5.14.18.108:1645 id 25, len 105
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: authenticator 00 00 00 00 31 63 54 D0 - 73 7F 00 00 27 97 47 00
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: User-Name [1] 8 braven
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: NAS-IP-Address [4] 6 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: NAS-IPv6-Address [95] 18 ::
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: NAS-Port [5] 6 130
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: NAS-Port-Type [61] 6 Async[5]
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: Service-Type [6] 6 error[7]
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: Calling-Station-Id [31] 17 223.255.254.248
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: RADIUS: User-Password [2] 18 *
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Got global deadtime 0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Using global deadtime = 0 sec
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Start timer thread rad_ident 25 remote_port 1645 remote_addr 5.14.18.108, socket 18661192 rctx 0x128cfd0
I am seeing 'No appropriate authorization type for user'. Where can I set the authorization for the user?
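Added example, not part of the thread: a small Python parser for the radiusd debug above that rebuilds each RADIUS packet from the "RADIUS:" lines and flags an Access-Accept that carries no Vendor-Specific attribute. The Accept quoted above returned only User-Name, State and Class, each of which the NAD logged as unsupported for authorization; IOS-XR takes its task-group assignment from a Cisco AV-pair carried in a Vendor-Specific (type 26) attribute, so an Accept without one leaves the NAD nothing to authorize the exec shell with. The sample log is constructed from the lines above with the hex bodies trimmed.

```python
import re
from dataclasses import dataclass, field
VENDOR_SPECIFIC = 26  # RFC 2865 type; IOS-XR reads its task group from a cisco-avpair carried here

# Constructed sample in the shape of the radiusd debug quoted above (hex bodies trimmed).
SAMPLE_LOG = """\
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: Received from id 24 5.14.18.108:1645, Access-Accept, len 176
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: authenticator 64 68 BC E7 1D 63 BB 50 - 75 AC 13 09 1B 94 08 88
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: User-Name [1] 8 braven
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: State [24] 67 52 65 61 75 74 68 53 65 73 73 69 6f 6e 3a 30 61
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: 35 35 36 33 36 63 33 4c 51 4d 70 6e 61 6c 38 56
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: RADIUS: Class [25] 81 43 41 43 53 3a 30 61 35 35 36 33 36 63 33 4c 51
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Freeing server group transaction_id (81000018)
"""

PKT_RECV = re.compile(r"RADIUS: Received from id (\d+) (\S+), (Access-\w+), len \d+")  # reply from the server
PKT_SEND = re.compile(r"RADIUS: Send (Access-\w+) to (\S+) id (\d+), len \d+")         # request from the NAD
ATTR = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] \d+\s*(.*)$")                          # "Name [type] len value"
PKT_BODY = re.compile(r"RADIUS: (?:authenticator|(?:[0-9A-Fa-f]{2}[ -]*)+$)")        # authenticator / hex continuation

@dataclass
class Packet:
    code: str
    peer: str
    ident: int
    attrs: list = field(default_factory=list)  # (name, type, value) in wire order

def parse_packets(log):
    """Rebuild the packets the NAD logged; any line that is not part of a dump ends the current packet."""
    packets, cur = [], None
    for line in log.splitlines():
        if m := PKT_RECV.search(line):
            cur = Packet(m.group(3), m.group(2), int(m.group(1)))
            packets.append(cur)
        elif m := PKT_SEND.search(line):
            cur = Packet(m.group(1), m.group(2), int(m.group(3)))
            packets.append(cur)
        elif cur is not None and (m := ATTR.search(line)):
            cur.attrs.append((m.group(1), int(m.group(2)), m.group(3).strip()))
        elif cur is not None and not PKT_BODY.search(line):
            cur = None
    return packets

def authorization_gap(pkt):
    """Why an Access-Accept gives IOS-XR nothing to authorize an exec shell with; None if a VSA is present."""
    if pkt.code != "Access-Accept" or any(t == VENDOR_SPECIFIC for _, t, _ in pkt.attrs):
        return None
    carried = ", ".join(f"{n}[{t}]" for n, t, _ in pkt.attrs)
    return f"Access-Accept id {pkt.ident} from {pkt.peer} carries only {carried}; no Vendor-Specific[{VENDOR_SPECIFIC}] to derive a task group from"
```

Run `authorization_gap` over every packet from `parse_packets(SAMPLE_LOG)`; the constructed Accept is reported because it carries only attributes 1, 24 and 25.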
10-30-2016 08:54 AM
"No appropriate authorization type for user" is from the NAD itself, not from ISE. It's likely a message indicating that the NAD is unable to grant access to the user.
Why are you using RADIUS instead of T+? For T+, we have guides @ ISE Device Administration (TACACS+)
Please note that IOS-XR differs greatly in terms of device administration from regular IOS (e.g. IOS-XE). See ASR9000/XR Using Task groups and understanding Priv levels and authorization | XR OS and Platforms | Cisco Support Community
You could enable DEBUG on runtime-AAA, recreate, and then collect prrt-server.log. If you need help in troubleshooting this, please open a TAC case.
10-31-2016 06:38 AM
Hi hslai,
I figured it out using TACACS+ already. I need to test RADIUS. By searching YouTube, I found a good video on configuring RADIUS on ACS 5.8. I also tried it on ACS 5.8, but I couldn't save the policy in ACS 5.8 for some reason. Then I guessed what should be configured on ISE 2.1, and I got it working. I wish our Cisco documentation could be more helpful, so that I don't have to guess and sift through an ~800-page user guide; the user guide is general, and I couldn't find the info I need.
10-31-2016 06:41 AM
Thanks for the comments. Please share the link to the YouTube video that helped you. Better yet, contribute an article on how you got it working.
10-31-2016 07:03 AM
Here is the YouTube link: TACACS+ & RADIUS Configuration on ACS for Cisco ASA - YouTube
10-31-2016 06:32 AM
I finally figured it out. I wish our Cisco documentation could be more helpful.
10-31-2016 06:45 AM
Please share the YouTube link that helped you. Thanks a lot.