Any pointer to setup ISE as RADIUS server for IOS or IOS-XR devices?

brhong
Cisco Employee

Hi there, I am trying to use ISE 2.1 as the RADIUS server for my IOS-XR device. I got authentication to pass, but I am having issues with authorization. It seems RADIUS combines authentication and authorization. How can I overcome this? The following is the output from the device:

=====

RP/0/RP0/CPU0:T2_VRR1#RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Dispatching message type 3
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Received clinfop lwm_info - 0x200001
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Received a message type - 1 rctx 0x128d0f8
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: [100] Received ASCII LOGIN/login from <unknown> with user=brhong, ifh=0x0, tty=/dev/pts/0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: method = server group map # 1001
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute User Name = brhong(6)
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: NAS IP before adding 0.0.0.0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-IP-Address = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS IPv6 address = ::
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-Port = -2113929216
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute NAS-Port-Type = 5 0 0 0 ...
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute Service-Type = Login
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute Calling-Station-Id = 32 32 33 2e ...
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: Added standard attribute User Password = *
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 1 8 0: 6f687262
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 95 18 1: 0
RP/0/RP0/CPU0:Oct 27 11:17:06.830 : radiusd[1109]: IETF attr 61 6 1: 5
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: IETF attr 6 6 1: 1
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: IETF attr 31 17 0: 2e333232
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Trying to find the first radius server to use.
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Created transaction_id (71000015) for server group 9F000001
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: Picking the rad id 21:0 sockfd 0x11CBF48
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: rctx 0x128d0f8 added successfully
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: interface [MgmtEth0_RP0_CPU0_0] valid 1 flags 0x0, state 3
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]: found ipv4 5.14.18.23 vrf =0x60000001
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS: Send Access-Request to 5.14.18.108:1645 id 21, len 105
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  authenticator 00 00 00 00 00 00 00 00 - 00 00 00 00 31 63 54 D0
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  User-Name           [1]     8       brhong 
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  NAS-IP-Address      [4]     6       5.14.18.23
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  NAS-IPv6-Address    [95]    18      ::     
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  NAS-Port            [5]     6       130    
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  NAS-Port-Type       [61]    6       Async[5]
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  Service-Type        [6]     6       error[1]   <===== I am hitting an error
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  Calling-Station-Id  [31]    17      223.255.254.248
RP/0/RP0/CPU0:Oct 27 11:17:06.831 : radiusd[1109]:  RADIUS:  User-Password       [2]     18      *      
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Got global deadtime 0
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Using global deadtime = 0 sec
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Start timer thread rad_ident 21 remote_port 1645 remote_addr 5.14.18.108, socket 18661192 rctx 0x128d0f8
RP/0/RP0/CPU0:Oct 27 11:17:06.832 : radiusd[1109]: Successfully sent packet and started timeout handler for rctx 0x128d0f8

I am seeing RADIUS drops on ISE; see the attached screenshot.

Any pointer to overcome this?

7 Replies

brhong
Cisco Employee

I am also seeing this:

RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Radius packet decryption complete with rc = 0
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS: Received from id 24 5.14.18.108:1645, Access-Accept, len 176
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:  authenticator 64 68 BC E7 1D 63 BB 50 - 75 AC 13 09 1B 94 08 88
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:  User-Name           [1]     8       braven 
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:  State               [24]    67      52 65 61 75 74 68 53 65 73 73 69 6f 6e 3a 30 61
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:                                      35 35 36 33 36 63 33 4c 51 4d 70 6e 61 6c 38 56
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:                                      45 75 50 39 79 36 62 62 36 50 5f 61 47 70 72 63
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:  Class               [25]    81      43 41 43 53 3a 30 61 35 35 36 33 36 63 33 4c 51
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:                                      4d 70 6e 61 6c 38 56 45 75 50 39 79 36 62 62 36
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]:  RADIUS:                                      50 5f 61 47 70 72 63 6b 7a 75 37 66 74 56 67 6b
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Freeing server group transaction_id (81000018)
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: pack_length = 176 radius_len = 176
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Calling app inf callback
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 1 8 0: 76617262
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Bad attr (radius_net_author: unsupported): type=User Name len=8
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 24 67 0: 75616552
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Bad attr (radius_net_author: unsupported): type=State len=67
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: IETF attr 25 81 0: 53434143
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Choosing 'shell' proto for service login
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: No appropriate authorization type for user <===
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Add last used server
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Add last used server = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.089 : radiusd[1109]: Sending sync reply (status PASS) to the client
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Dispatching message type 5
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Received clinfop lwm_info - 0x200001
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: Received a message type - 18 rctx 0x128cfd0
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: [0] Received AUTHOR SHELL/exec from <unknown> with user=braven, ifh=0x0, tty=/dev/pts/0
RP/0/RP0/CPU0:Oct 27 12:03:31.099 : radiusd[1109]: method = server group map # 3
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute User Name = braven(6)
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: NAS IP before adding 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-IP-Address = 0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS IPv6 address = ::
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-Port = -2113929216
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute NAS-Port-Type = 5 0 0 0 ...
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute Service-Type = EXEC
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute Calling-Station-Id = 32 32 33 2e ...
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Added standard attribute User Password = *
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 1 8 0: 76617262
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 95 18 1: 0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 61 6 1: 5
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 6 6 1: 7
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: IETF attr 31 17 0: 2e333232
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Trying to find the first radius server to use.
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Created transaction_id (B1000019) for server group 33000000
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Copying remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Remote address 5.14.18.108
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Picking the rad id 25:0 sockfd 0x11CBF48
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: rctx 0x128cfd0 added successfully
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS: Send Access-Request to 5.14.18.108:1645 id 25, len 105
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  authenticator 00 00 00 00 31 63 54 D0 - 73 7F 00 00 27 97 47 00
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  User-Name           [1]     8       braven 
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  NAS-IP-Address      [4]     6       0.0.0.0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  NAS-IPv6-Address    [95]    18      ::     
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  NAS-Port            [5]     6       130    
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  NAS-Port-Type       [61]    6       Async[5]
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  Service-Type        [6]     6       error[7]
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  Calling-Station-Id  [31]    17      223.255.254.248
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]:  RADIUS:  User-Password       [2]     18      *      
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Got global deadtime 0
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Using global deadtime = 0 sec
RP/0/RP0/CPU0:Oct 27 12:03:31.100 : radiusd[1109]: Start timer thread rad_ident 25 remote_port 1645 remote_addr 5.14.18.108, socket 18661192 rctx 0x128cfd0

I am seeing 'No appropriate authorization type for user'. Where can I set the authorization for the user?

hslai
Cisco Employee
"No appropriate authorization type for user" is from the NAD itself, not from ISE. It's likely a message indicating that the NAD is unable to grant access to the user.

Why are you using RADIUS instead of T+? For T+, we have guides @ ISE Device Administration (TACACS+)

Please note that IOS-XR differs greatly in terms of device administration from regular IOS (e.g. IOS-XE). See ASR9000/XR Using Task groups and understanding Priv levels and authorization | XR OS and Platforms | Cisco Support Community | 5996 | 61306

You could enable DEBUG on runtime-AAA, recreate, and then collect prrt-server.log. If you need help in troubleshooting this, please open a TAC case.
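Added example (editor's code, not from any poster in this thread): the Access-Accept in the debug above carries only User-Name, State and Class, and the router then logs "No appropriate authorization type for user", which hslai points out is the NAD's own verdict. The Python below does what the NAD does with such a reply: it checks the RFC 2865 Response Authenticator, walks the attributes without trusting the length bytes, and looks for the Cisco-AVPair `shell:tasks=...` that the IOS-XR AAA configuration guide documents for RADIUS task-group authorization. The shared secret, Request Authenticator, State/Class strings and the task groups `#root-system,#cisco-support` are constructed for illustration; the ISE-side setting named afterwards is an assumption, not something the thread states.

```python
"""Build and decode RADIUS Access-Accept packets the way a NAD does, then check for the IOS-XR task-group AV pair."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor type of cisco-av-pair
TASKS_PREFIX = "shell:tasks="

# Constructed values for the example; none of these come from the thread.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # Request Authenticator the NAD would have sent

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    """Encode a cisco-av-pair inside a Vendor-Specific attribute (vendor 9, type 1)."""
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode("ascii")
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Code|ID|Length|ResponseAuth|Attributes with ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """First thing a NAD does: drop a reply whose Response Authenticator does not match the request."""
    if len(pkt) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def parse_attrs(pkt: bytes) -> list:
    """Walk the attribute list, refusing to read past the packet on a bad length byte."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, pkt[pos + 2:pos + length]))
        pos += length
    return attrs

def cisco_avpairs(attrs: list) -> list:
    """Pull every cisco-av-pair string out of Cisco Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs

def xr_task_groups(pkt: bytes):
    """Task groups the router can authorize from, or None: the 'No appropriate authorization type' case."""
    for pair in cisco_avpairs(parse_attrs(pkt)):
        if pair.startswith(TASKS_PREFIX):
            groups = pair[len(TASKS_PREFIX):].strip('"')
            return [g.strip() for g in groups.split(",") if g.strip()]
    return None

def accept_like_the_thread() -> bytes:
    """Same attribute types as the Access-Accept in the debug above (values constructed)."""
    return build_access_accept(24, REQUEST_AUTH, SECRET, [
        attr(ATTR_USER_NAME, b"braven"),
        attr(ATTR_STATE, b"ReauthSession:constructed"),
        attr(ATTR_CLASS, b"CACS:constructed"),
    ])

def accept_with_task_groups() -> bytes:
    """The same reply plus the cisco-av-pair that IOS-XR needs for exec authorization."""
    return build_access_accept(24, REQUEST_AUTH, SECRET, [
        attr(ATTR_USER_NAME, b"braven"),
        attr(ATTR_CLASS, b"CACS:constructed"),
        cisco_avpair('shell:tasks="#root-system,#cisco-support"'),
    ])

if __name__ == "__main__":
    for label, pkt in (("as posted", accept_like_the_thread()), ("with shell:tasks", accept_with_task_groups())):
        print(label, "| authenticator ok:", verify_response(pkt, REQUEST_AUTH, SECRET), "| task groups:", xr_task_groups(pkt))
```

The first packet authenticates cleanly yet yields no task groups, which is the situation in the debug above: RADIUS returns authorization data inside the Access-Accept, so a correct Access-Accept with no authorization attribute is accepted by the router and then fails exec authorization. On the ISE side this corresponds, as an assumption rather than something the thread states, to an Authorization Profile whose advanced attribute Cisco:cisco-av-pair is set to shell:tasks="#root-system,#cisco-support" (or a narrower task group).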

brhong
Cisco Employee

Hi hslai,

I figured it out using TACACS+ already. I need to test RADIUS. By searching YouTube, I found a good video on configuring RADIUS on ACS 5.8. I also tried it on ACS 5.8, but I couldn't save the policy in ACS 5.8 for some reason. Then I guessed what should be configured on ISE 2.1, and I got it working. I wish our Cisco documentation could be more helpful, so that I don't have to guess and sift through the ~800-page user guide; the user guide is general, and I couldn't find the info I need.

hslai
Cisco Employee

Thanks for the comments. Please share the link to the YouTube video that helped you. Better yet, contribute an article on how you got it working.

brhong
Cisco Employee

I finally figured it out. I wish our Cisco documentation could be more helpful.

Please share the YouTube link that helped you. Thanks a lot.