Saturday, August 2, 2008

Radius server and Cisco IOS 12.4-15(T)

I had this experience after sometime got problem b/w this IOS and ACS radius server, ACS TACAC S is still no issue. The communication is always got respond of failed decrypt.

Aug 2 07:45:05.173: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Aug 2 07:45:05.173: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 2 07:45:05.173: RADIUS(00000000): Config NAS IP: 172.16.45.5
Aug 2 07:45:05.177: RADIUS(00000000): sending
Aug 2 07:45:05.181: RADIUS(00000000): Send Access-Request to 192.168.1.219:1645 id 1645/11, len 50
Aug 2 07:45:05.181: RADIUS: authenticator 34 A3 1C B8 15 6E 99 72 - D1 78 5D C5 60 0B DE CF
Aug 2 07:45:05.181: RADIUS: User-Name [1] 6 "phuc"
Aug 2 07:45:05.181: RADIUS: User-Password [2] 18 *
Aug 2 07:45:05.181: RADIUS: NAS-IP-Address [4] 6 172.16.45.5
Aug 2 07:45:05.197: RADIUS: Received from id 1645/11 192.168.1.219:1645, Access-Reject, len 32
Aug 2 07:45:05.201: RADIUS: authenticator 81 12 BD 60 C8 C8 FE 77 - 8A D6 8F 84 0E 8E 99 AD
Aug 2 07:45:05.205: RADIUS: Reply-Message [18] 12
Aug 2 07:45:05.205: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
Aug 2 07:45:05.205: RADIUS: response-authenticator decrypt fail, pak len 32
Aug 2 07:45:05.205: RADIUS: packet dump: 030B00208112BD60C8C8FE778AD68F840E8E99AD120C52656A65637465640A0D
Aug 2 07:45:05.217: RADIUS: expected digest: FFFFFFD012FFFFFFE42CFFFFFFECFFFFFFFA2EFFFFFF8105FFFFFFC5FFFFFF9DFFFFFFE8FFFFFFEDFFFFFFA4FFFFFF9B13
Aug 2 07:45:05.225: RADIUS: response authen: FFFFFF8112FFFFFFBD60FFFFFFC8FFFFFFC8FFFFFFFE77FFFFFF8AFFFFFFD6FFFFFF8FFFFFFF840EFFFFFF8EFFFFFF99FFFFFFAD
Aug 2 07:45:05.237: RADIUS: request authen: 34A31CB8156E9972D1785DC5600BDECF
Aug 2 07:45:05.241: RADIUS: Response (11) failed decrypt
Aug 2 07:45:10.089: RADIUS: Retransmit to (192.168.1.219:1645,1646) for id 1645/11
Aug 2 07:45:10.109: RADIUS: Received from id 1645/11 192.168.1.219:1645, Access-Reject, len 32
Aug 2 07:45:10.113: RADIUS: authenticator 81 12 BD 60 C8 C8 FE 77 - 8A D6 8F 84 0E 8E 99 AD
Aug 2 07:45:10.117: RADIUS: Reply-Message [18] 12
Aug 2 07:45:10.121: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]


I had to configure aaa server on routers with "non-standard" keyword, ex:
"radius-server host 192.168.1.219 auth-port 1645 acct-port 1646 non-standard key shasta"

Everything works fine after that. There's no problem like that with IOS 12.4-10 main version.
Posted by at

1 comment:

Jon Major said...

Absolute freaking life saver. I've been beating my head against my desk getting this IOS v15 router to auth against a Windows 2008 NPS, and error logs from the NPS kept showing "NULL SID". Immediately after tagging the non-standard key word in authentication was working. Thanks a million!

October 7, 2011 at 9:28 AM

Post a Comment

Subscribe to: Post Comments (Atom)