Opeth
Member
Posts: 164
Joined: Sun Feb 12, 2012 6:11 am

Authentication problem using test aaa command

Mon Aug 22, 2016 1:01 am

Hi guys,

I have a virtual lab in GNS3.

I have a router c3660 (with nm16) that is connected to the ISE server.

On the ISE I set up this SW1 and a user named "bob"; I also set up the RADIUS shared key.

On SW1 I have the configuration as follows:
SW1#
SW1#s
*Mar  1 02:33:29.755: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh run
Building configuration...

Current configuration : 1694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$12JI$qm2BtuiKQPZqeAPsklUVt1
!
aaa new-model
!
!
aaa group server radius ISE-group
 server 192.168.1.117 auth-port 1812 acct-port 1813
!
aaa authentication login default enable
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip device tracking
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 ip address 192.168.1.121 255.255.255.0
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
radius-server host 192.168.1.117 auth-port 1812 acct-port 1813 key Nugget!23
radius-server key Nugget!23
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
!
end

When I tried to test the authentication using the "test aaa" command, it failed:

SW1#test aaa group radius bob Nugget!23 legacy
Attempting authentication test to server-group radius using radius
No authoritative response from any server.

SW1#
*Mar  1 02:37:56.127: RADIUS: Pick NAS IP for u=0x64CD243C tableid=0 cfg_addr=0.0.0.0
*Mar  1 02:37:56.127: RADIUS: ustruct sharecount=1
*Mar  1 02:37:56.127: Radius: radius_port_info() success=0 radius_nas_port=1
*Mar  1 02:37:56.131: RADIUS/ENCODE: Best Local IP-Address 192.168.1.121 for Radius-Server 192.168.1.117
*Mar  1 02:37:56.135: RADIUS(00000000): Send Access-Request to 192.168.1.117:1812 id 1645/27, len 55
*Mar  1 02:37:56.135: RADIUS:  authenticator F4 23 BB F9 D3 5F 9C 8D - F4 FF 63 E8 50 6D 69 66
*Mar  1 02:37:56.135: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.121
*Mar  1 02:37:56.139: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
*Mar  1 02:37:56.139: RADIUS:  User-Name           [1]   5   "bob"
*Mar  1 02:37:56.139: RADIUS:  User-Password       [2]   18  *
*Mar  1 02:37:56.171: RADIUS: Received from id 1645/27 192.168.1.117:1812, Access-Reject, len 20
*Mar  1 02:37:56.171: RADIUS:  authenticator 3C 3C BB 2D 98 D3 6F 6E - DD B3 AE 95 18 E1 C7 E9
*Mar  1 02:37:56.175: RADIUS: response-authenticator decrypt fail, pak len 20
*Mar  1 02:37:56.175: RADIUS: packet dump: 031B00143C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar  1 02:37:56.179: RADIUS: expected digest: A597ABE742677AC385AF522A846A50A3
*Mar  1 02:37:56.179: RADIUS: response authen: 3C3CBB2D98D36F6EDDB3AE9518E1C7E9
*Mar  1 02:37:56.179: RADIUS: request  authen: F423BBF9D35F9C8DF4FF63E8506D6966
*Mar  1 02:37:56.179: RADIUS: Response (27) failed decrypt
*Mar  1 02:37:56.179: RADIUS(00000000): Reply for 1645/27 fails decrypt

What did I miss? Why doesn't it work?
"Do what thou wilt shall be the whole of the LAW" Aleister Crowley
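The "response-authenticator decrypt fail" lines in the debug above are the NAS applying the RFC 2865 Response Authenticator check: MD5 over the reply header, the original request's authenticator, the reply attributes and the shared secret must equal the 16 bytes the server sent, so a mismatch means the two sides did not use the same secret (or the reply was altered in transit), not that the user's password was wrong. The Python below is an added example, not code from the original post or from Cisco; it parses the logged Access-Reject dump and recomputes that digest, and the secret string it uses is an assumption taken from the posted configuration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Values copied from the debug output in the post: the Access-Reject packet dump
# and the authenticator of the Access-Request it answered.
REJECT_PACKET_HEX = "031B00143C3CBB2D98D36F6EDDB3AE9518E1C7E9"
REQUEST_AUTHENTICATOR_HEX = "F423BBF9D35F9C8DF4FF63E8506D6966"
# Assumption: the shared secret the NAS is configured with (from the posted config).
NAS_SECRET = "Nugget!23"

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


@dataclass
class RadiusReply:
    code: int
    identifier: int
    length: int
    authenticator: bytes   # the 16 bytes the server sent
    attributes: bytes      # everything after the 20-byte header


def parse_reply(packet: bytes) -> RadiusReply:
    """Split a RADIUS reply into its RFC 2865 header fields."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes on the wire")
    return RadiusReply(packet[0], packet[1], length, packet[4:20], packet[20:length])


def response_authenticator(reply: RadiusReply, request_auth: bytes, secret: str) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([reply.code, reply.identifier]) + reply.length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + reply.attributes + secret.encode()).digest()


def diagnose(packet_hex: str, request_auth_hex: str, secret: str) -> dict:
    """Recompute the digest the NAS expects and compare it with what the server sent."""
    reply = parse_reply(bytes.fromhex(packet_hex))
    expected = response_authenticator(reply, bytes.fromhex(request_auth_hex), secret)
    return {
        "code": CODES.get(reply.code, f"code {reply.code}"),
        "identifier": reply.identifier,
        "attributes": len(reply.attributes),
        "expected_digest": expected.hex().upper(),  # compare with the debug "expected digest" line
        "authentic": hmac.compare_digest(expected, reply.authenticator),
    }


if __name__ == "__main__":
    for key, value in diagnose(REJECT_PACKET_HEX, REQUEST_AUTHENTICATOR_HEX, NAS_SECRET).items():
        print(f"{key:16} {value}")
```

If the printed expected_digest equals the router's own "expected digest" line, the NAS really did sign with that secret and the differing authenticator in the reject came from a server holding a different one; if it does not, the key actually in use on the NAS is not the one you assumed.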

hubertzw
New Member
Posts: 8
Joined: Tue Jan 11, 2011 9:05 am

Re: Authentication problem using test aaa command

Thu Dec 22, 2016 6:04 pm

Hi,

Please remove the following lines:

radius-server host 192.168.1.117 auth-port 1812 acct-port 1813 key Nugget!23
radius-server key Nugget!23

And modify these:

aaa group server radius ISE-group
no server 192.168.1.117 auth-port 1812 acct-port 1813
server-private 192.168.1.117 auth-port 1812 acct-port 1813 key Nugget!23

and share the test results.
