Why is the Radius server not processing all requests?
Good afternoon!
I need help, my head is already buzzing from unrequited love, help!
Essence:
I configure authentication and authorization on Cisco using the Radius server.
1. I configure an AAA group on Cisco (let's say ME 3400):
aaa group server radius MGMT
server-private xxxx auth-port 1812 acct-port 1813 key cisco
ip vrf forwarding MGMT
ip radius source-interface VlanX
The VlanX interface is also in vrf MGMT and has the address yyyy/z
Generally speaking, the RADIUS server is in a different VRF. Routing between the VRFs is configured and pings go through:
me3400#ping vrf MGMT xxxx
!!!!!
2. Radius - FreeRADIUS Version 2.1.12.
client yyy0/z {
secret = cisco
shortname = internal
nastype = other
}
It also listens on all IP addresses of its interfaces.
3. Necessary allowing rules have been added to iptables.
At first I thought that I had still messed up the routing between the VRFs. But no, the RADIUS requests do reach the server:
11:14:07.384541 IP (tos 0x0, ttl 254, id 63552, offset 0, flags [none], proto: UDP (17), length: 111) yyyy.datametrics > xxxx.radius: RADIUS, length: 83
Access Request (1), id: 0x47, Authenticator: 561ac6bf8539d0792e6fc450b30a5199
Username Attribute (1), length: 6, Value: cisco
Password Attribute (2), length: 18, Value:
NAS Port Attribute (5), length: 6, Value: 3
But in the radiusd -X debug, the received requests provoke no reaction at all from the server...
Debug on cisco confirms this:
Nov 17 11:39:35 3206: 3w1d: RADIUS(00000053): Send Access-Request to xxxx:1812 id 1645/82, len 84
Nov 17 11:39:35 3207: 3w1d: RADIUS: authenticator 7E 4A 02 67 7A D0 2B CF - 7D 4E 79 28 16 24 BB 9A
Nov 17 11:39:35 3208: 3w1d: RADIUS: User-Name[1] 6 "cisco"
Nov 17 11:39:35 3209: 3w1d: RADIUS: User-Password[2] 18*
Nov 17 11:39:36 3210: 3w1d: RADIUS: NAS-Port-Id [5] 6 3
Nov 17 11:39:36 3211: 3w1d: RADIUS: NAS-Port-Id [87] 6 "tty3"
Nov 17 11:39:36 3212: 3w1d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Nov 17 11:39:36 3214: 3w1d: RADIUS: NAS-IP-Address [4] 6 yyyy
Nov 17 11:39:41 3215: 3w1d: RADIUS: Retransmit to (xxxx:1812,1813) for id 1645/82
Nov 17 11:39:49 3217: 3w1d: RADIUS: Retransmit to (xxxx:1812,1813) for id 1645/82
To top it all off: with a different subnet, without a VRF, and with otherwise similar settings, everything works.
I need to get this working under these conditions (in a separate VRF).
Please share your experience: where do I need to tweak something?
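An added example for this thread (not code from the original post and not FreeRADIUS code) that simulates the two server-side checks a request like the one above has to pass before any reply goes back to the NAS: the packet's source address must match a configured client block (RFC 2865 requires a request from an unknown client to be silently discarded, which on the Cisco side looks exactly like the "Retransmit to" lines), and User-Password must decode under the shared secret (RFC 2865 section 5.2). The addresses, username, password and shared secret are constructed; the Request Authenticator value is the one shown in the tcpdump line of the post.

```python
"""Simulate a RADIUS server's client lookup and User-Password decoding.
Added example; not from the original post or from FreeRADIUS."""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5

# Constructed stand-in for the "client yyy0/z { secret = cisco }" block.
CLIENTS = {ipaddress.ip_network("10.10.0.0/24"): b"cisco"}


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is chained to the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # chain on the ciphertext either way
    return out


def encode_password(password, secret, authenticator):
    # Pad with NULs to a multiple of 16 bytes (minimum one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def decode_password(encrypted, secret, authenticator):
    return _xor_chain(encrypted, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, authenticator, username, password, secret, nas_port):
    """What the NAS puts on the wire: 20-byte header plus type/length/value AVPs."""
    enc = encode_password(password, secret, authenticator)
    avps = (bytes([USER_NAME, 2 + len(username)]) + username
            + bytes([USER_PASSWORD, 2 + len(enc)]) + enc
            + bytes([NAS_PORT, 6]) + struct.pack("!I", nas_port))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps))
    return header + authenticator + avps


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        avp_type, avp_len = data[pos], data[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps[avp_type] = data[pos + 2:pos + avp_len]
        pos += avp_len
    return code, ident, data[4:20], avps


def check_request(src_ip, data):
    """Server side. Returns (verdict, detail); anything other than 'ok' is a
    request the server drops without answering, so the NAS only sees retransmits."""
    ip = ipaddress.ip_address(src_ip)
    secret = next((s for net, s in CLIENTS.items() if ip in net), None)
    if secret is None:
        return "unknown_client", src_ip          # RFC 2865: silently discarded
    code, ident, authenticator, avps = parse_packet(data)
    if code != ACCESS_REQUEST or USER_PASSWORD not in avps:
        return "not_an_access_request", code
    password = decode_password(avps[USER_PASSWORD], secret, authenticator)
    # A wrong secret turns User-Password into pseudo-random bytes; a non-empty,
    # printable ASCII result means NAS and server agree on the secret.
    if not password or any(b < 0x20 or b > 0x7E for b in password):
        return "secret_mismatch", avps.get(USER_NAME, b"")
    return "ok", avps.get(USER_NAME, b"")


# Constructed sample request: authenticator from the tcpdump line in the thread,
# everything else made up. Same AVPs as the capture: User-Name, User-Password, NAS-Port.
AUTH = bytes.fromhex("561ac6bf8539d0792e6fc450b30a5199")
REQUEST = build_access_request(0x47, AUTH, b"cisco", b"cisco123", b"cisco", 3)

if __name__ == "__main__":
    print(check_request("10.10.0.7", REQUEST))     # ('ok', b'cisco')
    print(check_request("192.0.2.9", REQUEST))     # ('unknown_client', '192.0.2.9')
    wrong = build_access_request(0x47, AUTH, b"cisco", b"cisco123", b"wrong", 3)
    print(check_request("10.10.0.7", wrong))       # ('secret_mismatch', b'cisco')
```

The practical use is against a real capture: feed the UDP payload and source address from a tcpdump of the VRF interface into `check_request` with the client table copied from clients.conf. If the verdict is `unknown_client`, the source address the packet carries after VRF forwarding is not inside the configured client block; if it is `secret_mismatch`, the key on the `server-private` line and the `secret` in the client block differ.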