Radius attribute mismatch

Created Jan 01, 2016 04:17:12 | Latest reply Aug 08, 2018 06:55:36

Problem: From the tcpdump results, the RADIUS server is sending an Access-Accept message back to the switch after the Access-Request was sent by the switch, but the authentication fails.

The question is on which side the problem is.

Tcpdump output:

>  radius> radius: [udp sum ok] RADIUS, length: 142
>                 Access Request (1), id: 0x10, Authenticator: d21ac16345bbca51f2a5c2394b426742
>                   Username Attribute (1), length: 10, Value: test
>                     0x0000:  6261 6d67 6261 6c31
>                   Password Attribute (2), length: 18, Value:
>                     0x0000:  0000 0000 0000 0000 0000 0000 0000 0000
>                   Service Type Attribute (6), length: 6, Value: Administrative
>                     0x0000:  0000 0006
>                   Framed Protocol Attribute (7), length: 6, Value: X.75 Synchronous
>                     0x0000:  0000 0006
>                   Framed IP Address Attribute (8), length: 6, Value: abc.net
>                     0x0000:  c099 ae1f
>                   NAS ID Attribute (32), length: 6, Value: cbf0
>                     0x0000:  6362 6630
>                   NAS IP Address Attribute (4), length: 6, Value: abc.net
>                     0x0000:  c1ab 10e9
>                   Vendor Specific Attribute (26), length: 46, Value: Vendor: Unknown (2011)
>                     Vendor Attribute: 59, Length: 4, Value: V&I.
>                     Vendor Attribute: 254, Length: 27, Value: Huawei VRP Software Version
>                     Vendor Attribute: 255, Length: 3, Value: VRP
>                     0x0000:  0000 07db 3b06 5626 499b fe1d 4875 6177
>                     0x0010:  6569 2056 5250 2053 6f66 7477 6172 6520
>                     0x0020:  5665 7273 696f 6eff 0556 5250
>                   Message Authentication Attribute (80), length: 18, Value: ....w...h..(.w..
>                     0x0000:  0fef 90d7 77e9 930e 6806 c828 1d77 e1aa
> 14:03:07.875305 IP (tos 0x0, ttl 64, id 41846, offset 0, flags [DF], proto UDP (17), length 122)
>   radius > radius: [bad udp cksum 0xa7f0 -> 0xe34a!] RADIUS, length: 94
>                 Access Accept (2), id: 0x10, Authenticator: 8f7dd7069a367fb59e894b194f72201b
>                   Service Type Attribute (6), length: 6, Value: NAS Prompt
>                     0x0000:  0000 0007
>                   Vendor Specific Attribute (26), length: 25, Value: Vendor: Cisco (9)
>                     Vendor Attribute: 1, Length: 17, Value: shell:priv-lvl=15
>                     0x0000:  0000 0009 0113 7368 656c 6c3a 7072 6976
>                     0x0010:  2d6c 766c 3d31 35
>                   Service Type Attribute (6), length: 6, Value: NAS Prompt
>                     0x0000:  0000 0007
>                   Vendor Specific Attribute (26), length: 25, Value: Vendor: Cisco (9)
>                     Vendor Attribute: 1, Length: 17, Value: shell:priv-lvl=15
>                     0x0000:  0000 0009 0113 7368 656c 6c3a 7072 6976
>                     0x0010:  2d6c 766c 3d31 35
>                   Vendor Specific Attribute (26), length: 12, Value: Vendor: Foundry (1991)
>                     Vendor Attribute: 1, Length: 4, Value: ....
>                     0x0000:  0000 07c7 0106 0000 0000


From "display aaa online-fail-record":

> User name                      : test
> Domain name                    : default_admin
> User access type               : SSH
> User IP address                : 192.168.3.2
> User ID                        : 58
> User authen state              : Failed
> User author state              : AuthorIdle
> User login time                : 2015-10-21 06:47:21
> Online fail reason             : Internal error

Analyzing the tcpdump output, we can see that the switch sent a request packet with one Service Type attribute (red highlights), but the RADIUS server replied with a packet with two Service Type attributes, marked in red color as below.
The switch cannot recognize the reply packet, so the authentication fails; after the Service Type attribute was removed from the Access Accept response, the authentication is working.
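As an added example that is not part of the original post, the script below rebuilds both packets from the hex lines in the tcpdump output above and runs the check a practitioner would want before blaming either side: it parses the RADIUS header and attribute TLVs, decodes the Vendor-Specific sub-attributes, and flags any attribute that RFC 2865 (and RFC 2869 for Message-Authenticator) lists as "0-1", i.e. allowed at most once per packet. Vendor-Specific (26) is "0+", so the repeated Cisco AV-pair is legal; the second Service-Type is the out-of-spec part. The packet bytes are constructed from the dump (the cleartext shown for User-Name in the dump differs from its hex; the hex is used here), and the function names are my own.

```python
"""Parse RADIUS packets and flag attributes that RFC 2865 allows at most once."""
import struct
from collections import Counter

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type",
              7: "Framed-Protocol", 8: "Framed-IP-Address", 26: "Vendor-Specific",
              32: "NAS-Identifier", 80: "Message-Authenticator"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS Prompt", 8: "Authenticate Only"}
# RFC 2865 section 5.44 (RFC 2869 for Message-Authenticator) marks these "0-1" in every packet
# type where they are permitted at all; Vendor-Specific (26) is "0+" and may legitimately repeat.
AT_MOST_ONCE = {1, 2, 4, 6, 7, 8, 32, 80}

# Both packets are constructed from the hex lines in the thread's tcpdump output.
ACCESS_REQUEST = bytes.fromhex(
    "0110008e" "d21ac16345bbca51f2a5c2394b426742"        # code 1, id 0x10, len 142, authenticator
    "010a" "62616d6762616c31"                            # User-Name (8 bytes, as in the dump's hex)
    "0212" "00000000000000000000000000000000"            # User-Password (16 zero bytes in the dump)
    "0606" "00000006"                                    # Service-Type = Administrative
    "0706" "00000006"                                    # Framed-Protocol
    "0806" "c099ae1f"                                    # Framed-IP-Address
    "2006" "63626630"                                    # NAS-Identifier "cbf0"
    "0406" "c1ab10e9"                                    # NAS-IP-Address
    "1a2e" "000007db" "3b065626499b"                     # Vendor-Specific, vendor 2011 (Huawei)
    "fe1d" "4875617765692056525020536f66747761726520" "56657273696f6e"
    "ff05" "565250"
    "5012" "0fef90d777e9930e6806c8281d77e1aa"            # Message-Authenticator
)
ACCESS_ACCEPT = bytes.fromhex(
    "0210005e" "8f7dd7069a367fb59e894b194f72201b"        # code 2, id 0x10, len 94, authenticator
    "0606" "00000007"                                    # Service-Type = NAS Prompt
    "1a19" "00000009" "0113" "7368656c6c3a707269762d6c766c3d3135"  # Cisco AVPair shell:priv-lvl=15
    "0606" "00000007"                                    # Service-Type, second time
    "1a19" "00000009" "0113" "7368656c6c3a707269762d6c766c3d3135"  # same Cisco AVPair again
    "1a0c" "000007c7" "0106" "00000000"                  # Foundry (1991) VSA
)


def parse_radius(packet: bytes):
    """Return (code, id, authenticator, [(type, value), ...]) or raise on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match packet size {len(packet)}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def decode_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def audit(packet: bytes) -> dict:
    """Summarise a packet and list every at-most-once attribute that occurs more than once."""
    code, ident, _auth, attrs = parse_radius(packet)
    counts = Counter(atype for atype, _ in attrs)
    return {
        "code": RADIUS_CODES.get(code, f"Code-{code}"),
        "id": ident,
        "service_types": [SERVICE_TYPES.get(struct.unpack("!I", v)[0], "?") for t, v in attrs if t == 6],
        "vendors": [decode_vsa(v)[0] for t, v in attrs if t == 26],
        "duplicates": {ATTR_NAMES.get(t, f"Attr-{t}"): n for t, n in counts.items()
                       if t in AT_MOST_ONCE and n > 1},
    }


if __name__ == "__main__":
    for name, pkt in (("request", ACCESS_REQUEST), ("accept", ACCESS_ACCEPT)):
        print(name, audit(pkt))
```

Run against the two packets, the request audits clean (one Service-Type, one Huawei VSA) while the accept reports `{"Service-Type": 2}`, which matches the fix described in the post: the server-side policy emitted Service-Type twice and the switch rejected the response. The same parser applied to a live capture gives a quick way to tell a malformed server reply from a switch-side failure before touching either configuration.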



user_2790689 (Expert) — Created Jan 04, 2016 10:41:31 — Helpful(0)

Thank you.

Lubblyjubbly — Created Jul 15, 2016 17:47:14 — Helpful(0)

Thanks for sharing this. I was just looking at the configuration options using Windows 2012 NPS Policy role.

One of the options was to select "Administrative" as the Service-Type, and it's helpful to know that this might happen.


user_3132203 — Created Aug 08, 2018 06:55:36 — Helpful(0)

1