
radius stops working 1

Status
Not open for further replies.

volleyman (MIS, US; 183 posts, member since Jun 12, 2002)
All,

Per a previous post, I just upgraded the IOS version on my router to support a new HWIC card.

Prior to the upgrade, I was using SSH only on vty 0 4 and authenticating against a RADIUS server. Both of these were working.

The upgrade worked with no apparent hitches, except that RADIUS doesn't work, SSH connections aren't accepted, and when I use a console connection the only local account on the router doesn't work either.

The only way I can get into it right now is through ROMMON.

Any ideas why an IOS upgrade would break local authentication, RADIUS authentication, and SSH connectivity via vty 0 4?

Thanks in advance.

Zane D.
Systems Admin
 
Did the new image have SSH in it? i.e. crypto (K9 somewhere in the filename). As for RADIUS, I am not sure, as I think all images have this capability (except maybe some of the SoHo routers?).
It is probably worth booting it with a console cable attached and seeing if any lines of config are rejected when it starts. If there aren't, then get in via ROMMON, reboot and ignore the config, get to privilege 15 (enable), then 'copy start run' and have a look whether the commands for RADIUS are still there. If they are, debug.

HTH

Andy
 
Yep, the image name has k9 in it, so it's SSH-capable.

I have come in through ROMMON and did the copy start run command.

All of the SSH and RADIUS commands are still in the config. This time, I was able to exit and log in using the local account, which wasn't working last time. Nothing has changed, so strange. Still no RADIUS though, and no SSH after I re-enable the Ethernet interface.

Zane D.
Systems Admin
 
Is the crypto key still there (or certificate if you enrolled it with a CA)? I think debug is your next port of call.

Andy
 
Here are the debug results. I turned on Telnet access and it allows me to connect but not log in, same error. I can see that the RADIUS server is accepting the credentials but it is still failing for some reason:

Code:
Mar 5 19:12:27.719: RADIUS/ENCODE(00000006): ask "Username: "
Mar 5 19:12:27.719: RADIUS/ENCODE(00000006): send packet; GET_USER
Mar 5 19:12:29.851: RADIUS/ENCODE(00000006): ask "Password: "
Mar 5 19:12:29.851: RADIUS/ENCODE(00000006): send packet; GET_PASSWORD
Mar 5 19:12:32.659: RADIUS/ENCODE(00000006):Orig. component type = EXEC
Mar 5 19:12:32.659: RADIUS: AAA Unsupported Attr: interface [174] 6
Mar 5 19:12:32.659: RADIUS: 74 74 79 35 [tty5]
Mar 5 19:12:32.659: RADIUS/ENCODE(00000006): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Mar 5 19:12:32.659: RADIUS(00000006): Config NAS IP: 0.0.0.0
Mar 5 19:12:32.659: RADIUS/ENCODE(00000006): acct_session_id: 4
Mar 5 19:12:32.659: RADIUS(00000006): sending
Mar 5 19:12:32.659: RADIUS/ENCODE: Best Local IP-Address 10.10.4.52 for Radius-Server 10.10.1.251
Mar 5 19:12:32.663: RADIUS(00000006): Send Access-Request to 10.10.1.251:1812 id 1645/6, len 83
Mar 5 19:12:32.663: RADIUS: authenticator 98 CF 80 52 47 5D AF A0 - E3 96 B4 0F F0 78 32 75
Mar 5 19:12:32.663: RADIUS: User-Name [1] 7 "zaned"
Mar 5 19:12:32.663: RADIUS: User-Password [2] 18 *
Mar 5 19:12:32.663: RADIUS: NAS-Port [5] 6 514
Mar 5 19:12:32.663: RADIUS: NAS-Port-Id [87] 8 "tty514"
Mar 5 19:12:32.663: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Mar 5 19:12:32.663: RADIUS: Calling-Station-Id [31] 12 "10.10.4.51"
Mar 5 19:12:32.663: RADIUS: NAS-IP-Address [4] 6 10.10.4.52
Mar 5 19:12:32.667: RADIUS: Received from id 1645/6 10.10.1.251:1812, Access-Accept, len 44
Mar 5 19:12:32.667: RADIUS: authenticator 8A 52 1F 11 41 AA C8 C7 - 0F 08 25 28 B9 3E 1A 5D
Mar 5 19:12:32.667: RADIUS: Service-Type [6] 6 Administrative [6]
Mar 5 19:12:32.667: RADIUS: Vendor, Cisco [26] 18
Mar 5 19:12:32.667: RADIUS: Cisco AVpair [1] 12 "shell:cmd*"
Mar 5 19:12:32.667: RADIUS(00000006): Received from id 1645/6
Mar 5 19:12:32.667: RADIUS/DECODE: convert VSA string; FAIL
Mar 5 19:12:32.667: RADIUS/DECODE: cisco VSA type 1; FAIL
Mar 5 19:12:32.667: RADIUS/DECODE: VSA; FAIL
Mar 5 19:12:32.667: RADIUS/DECODE: decoder; FAIL
Mar 5 19:12:32.667: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Mar 5 19:12:32.671: RADIUS/DECODE: parse response op decode; FAIL
Mar 5 19:12:32.671: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

Zane D.
Systems Admin
 
I just debugged a router I have and all the messages look the same except the Cisco AVpair "shell:cmd*". I have just replicated the AVpair on my RADIUS server (MS IAS) and it fails when I add the AVpair you are sending. If I remove the AVpair I can log in OK; however, I need to enter the enable secret to gain level-15 privilege.

I use the following AVpair on IAS, "shell:priv-lvl=15", and as long as the IAS policy is matched the user gets level-15 privilege by default. (I have other IAS policies that allow some other users lower privileges.)

HTH

Andy
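The Access-Accept from the debug above, decoded and checked, as an added example that is not part of the thread or of either poster's setup. It rebuilds the 44-byte reply (Service-Type Administrative plus one Cisco VSA), verifies the Response Authenticator with a constructed shared secret and Request Authenticator before trusting anything in it, then pulls out every cisco-avpair and checks it against the documented protocol:attribute=value / protocol:attribute*value grammar. The shared secret, the Request Authenticator and the packet bytes are constructed here; that the empty value in "shell:cmd*" is precisely what IOS rejected is an assumption, the thread only shows that removing the pair fixed the login.

```python
"""Decode a RADIUS Access-Accept and check Cisco AV-pairs (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # Cisco's IANA enterprise number
CISCO_AVPAIR = 1            # cisco-avpair VSA subtype
SERVICE_ADMINISTRATIVE = 6

# Constructed values; a real NAS draws a fresh random Request Authenticator per request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying Vendor-Id 9 and one cisco-avpair sub-TLV."""
    sub = encode_attr(CISCO_AVPAIR, text.encode("ascii"))
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS must check this before acting on an Accept; it is the only thing
    tying the reply to the server that knows the shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(body: bytes) -> list:
    """Walk a TLV list, rejecting lengths that do not fit the buffer."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(packet: bytes) -> list:
    """Every cisco-avpair string carried in the packet's Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_attrs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for subtype, subval in parse_attrs(value[4:]):
            if subtype == CISCO_AVPAIR:
                pairs.append(subval.decode("ascii", "replace"))
    return pairs


def check_avpair(pair: str):
    """None if the pair is protocol:attr=value (mandatory) or protocol:attr*value
    (optional), otherwise the reason it is malformed. An empty value, as in the
    thread's "shell:cmd*", is reported; whether that is exactly what IOS rejected
    is an assumption."""
    proto, colon, rest = pair.partition(":")
    if not colon or not proto:
        return "missing protocol prefix"
    idx = next((i for i, c in enumerate(rest) if c in "=*"), -1)
    if idx < 0:
        return "missing '=' or '*' separator"
    if idx == 0:
        return "empty attribute name"
    if idx == len(rest) - 1:
        return "empty value"
    return None


def evaluate(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """What a careful NAS concludes from one Access-Accept."""
    if not verify_response(packet, request_auth, secret):
        return {"authentic": False, "pairs": [], "problems": ["bad Response Authenticator"]}
    pairs = cisco_avpairs(packet)
    problems = [f"{p!r}: {check_avpair(p)}" for p in pairs if check_avpair(p)]
    return {"authentic": True, "pairs": pairs, "problems": problems}


# The reply seen in the thread (id 6) and the one Andy serves instead.
SERVICE_TYPE_ADMIN = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE))
BROKEN_ACCEPT = build_access_accept(6, REQUEST_AUTH, SECRET,
                                    [SERVICE_TYPE_ADMIN, encode_cisco_avpair("shell:cmd*")])
WORKING_ACCEPT = build_access_accept(6, REQUEST_AUTH, SECRET,
                                     [SERVICE_TYPE_ADMIN, encode_cisco_avpair("shell:priv-lvl=15")])

if __name__ == "__main__":
    for name, pkt in (("broken", BROKEN_ACCEPT), ("working", WORKING_ACCEPT)):
        print(name, len(pkt), "bytes:", evaluate(pkt, REQUEST_AUTH, SECRET))
```

The rebuilt packet comes out at 44 bytes with a 12-byte cisco-avpair sub-TLV, the same sizes the debug printed, which is a quick sanity check that the VSA layout (Vendor-Id, then subtype and sub-length) is right. A decoder that trusts the attributes before the authenticator check would act on any reply spoofed from the server's address, so the check comes first.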
 
Andy,

You were 100% correct. I removed that AVpair and it logged right in via Telnet! I still can't get it to respond to an SSH connection. Working on that next, if you have any ideas.

Thanks again!

Zane D.
Systems Admin
 
I would start by removing the existing key and generating a new one. If you do a
Code:
show crypto key mypubkey rsa
it all appears OK, doesn't it?

Andy
 
Fixed again. Thanks for helping a newbie! It's a real pain in the rump that an IOS upgrade breaks these things.

Zane D.
Systems Admin
 