Guest

Authentication Protocols

IOS Per VRF RADIUS Troubleshooting

Document ID: 113666

Updated: Aug 24, 2012

Contributed by Jesse Dubois, Cisco TAC Engineer.

   Print

Introduction

RADIUS is used heavily as the authentication protocol to authenticate users for network access. More admins are segregating their management traffic using VPN Routing and Forwarding (VRF). By default, authentication, authorization, and accounting (AAA) on IOS® uses the default routing table in order to send packets. This guide describes how to configure and troubleshoot RADIUS when the RADIUS server is in a VRF.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • RADIUS

  • VRF

  • AAA

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Feature Information

Essentially, a VRF is a virtual routing table on the device. When IOS makes a routing decision, if the feature or interface is using a VRF, routing decisions are made against that VRF routing table. Otherwise, the feature uses the global routing table. With this in mind, here is how you configure RADIUS to use a VRF:

version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vrfAAA
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server radius management
 server-private 192.0.2.4 key cisco
 server-private 192.0.2.5 key cisco
 ip vrf forwarding blue
 ip radius source-interface GigabitEthernet0/0
!
aaa authentication login default group management local
aaa authorization exec default group management if-authenticated 
aaa accounting exec default start-stop group management
!
aaa session-id common
!
no ipv6 cef
!
ip vrf blue
!
no ip domain lookup
ip cef
!
interface GigabitEthernet0/0
 ip vrf forwarding blue
 ip address 203.0.113.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route vrf blue 0.0.0.0 0.0.0.0 203.0.113.1
!
line con 0
line aux 0
line vty 0 4
 transport input all

As you can see, there are no globally defined RADIUS servers. If you are migrating the servers into a VRF, you can safely remove the globally configured RADIUS servers.

Troubleshooting Methodology

Complete these steps:

  1. Make sure you have the proper IPVRF forwarding definition under your AAA group server as well as the source interface for the RADIUS traffic.

  2. Check your VRF routing table and make sure there is a route to your RADIUS server. We will use the example above in order to display the VRF routing table:

    vrfAAA#show ip route vrf blue
    
    Routing Table: blue
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    
    Gateway of last resort is 203.0.113.1 to network 0.0.0.0
    
    S*    0.0.0.0/0 [1/0] via 203.0.113.1
          203.0.113.0/8 is variably subnetted, 2 subnets, 2 masks
    C        203.0.113.0/24 is directly connected, GigabitEthernet0/0
    L        203.0.113.2/32 is directly connected, GigabitEthernet0/0
    
  3. Are you able to ping your RADIUS server? Recall that this needs to be VRF specific as well:

    vrfAAA#ping vrf blue 192.0.2.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.0.2.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    
  4. You can use the test aaa command in order to verify connectivity (you must use the new-code option at the end; legacy will not work):

    vrfAAA#test aaa group management cisco Cisco123 new-code
    User successfully authenticated
    
    USER ATTRIBUTES
    
    username             "cisco"

If the routes are in place and you see no hits on your RADIUS server, make sure that ACLs are allowing udp port 1645/1646 or udp port 1812/1813 to reach the server from the router or switch. If you get an authentication failure, troubleshoot RADIUS as normal. The VRF feature is just for the routing of the packet.

Data Analysis

If everything looks correct, aaa and radius debug commands can be enabled in order to troubleshoot the issue. Start with these debug commands:

  • debug radius

  • debug aaa authentication

Here is an example of a debug where something is not configured properly, such as but not limited to:

  • Missing RADIUS source interface

  • Missing IP VRF forwarding commands under the source interface or under the AAA group server

  • No route to the RADIUS server in the VRF routing table

    Aug  1 13:39:28.571: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' 
    Aug  1 13:39:28.571: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Aug  1 13:39:28.571: RADIUS/ENCODE(00000000): dropping service type, 
       "radius-server attribute 6 on-for-login-auth" is off
    Aug  1 13:39:28.571: RADIUS(00000000): Config NAS IP: 203.0.113.2
    Aug  1 13:39:28.571: RADIUS(00000000): Config NAS IPv6: ::
    Aug  1 13:39:28.571: RADIUS(00000000): sending
    Aug  1 13:39:28.575: RADIUS(00000000): Send Access-Request to 192.0.2.4:1645
       id 1645/2, len 51
    Aug  1 13:39:28.575: RADIUS:  authenticator 12 C8 65 2A C5 48 B8 1F - 
       33 FA 38 59 9C 5F D3 3A
    Aug  1 13:39:28.575: RADIUS:  User-Password       [2]   18  *
    Aug  1 13:39:28.575: RADIUS:  User-Name           [1]   7   "cisco"
    Aug  1 13:39:28.575: RADIUS:  NAS-IP-Address      [4]   6   203.0.113.2              
    Aug  1 13:39:28.575: RADIUS(00000000): Sending a IPv4 Radius Packet
    Aug  1 13:39:28.575: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:32.959: RADIUS(00000000): Request timed out 
    Aug  1 13:39:32.959: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2
    Aug  1 13:39:32.959: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:37.823: RADIUS(00000000): Request timed out 
    Aug  1 13:39:37.823: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2
    Aug  1 13:39:37.823: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:42.199: RADIUS(00000000): Request timed out 
    Aug  1 13:39:42.199: RADIUS: Retransmit to (192.0.2.4:1645,1646) for id 1645/2
    Aug  1 13:39:42.199: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:47.127: RADIUS(00000000): Request timed out 
    Aug  1 13:39:47.127: RADIUS: Fail-over to (192.0.2.5:1645,1646) for id 1645/2
    Aug  1 13:39:47.127: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:51.927: RADIUS(00000000): Request timed out 
    Aug  1 13:39:51.927: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2
    Aug  1 13:39:51.927: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:39:56.663: RADIUS(00000000): Request timed out 
    Aug  1 13:39:56.663: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2
    Aug  1 13:39:56.663: RADIUS(00000000): Started 5 sec timeout
    Aug  1 13:40:01.527: RADIUS(00000000): Request timed out 
    Aug  1 13:40:01.527: RADIUS: Retransmit to (192.0.2.5:1645,1646) for id 1645/2
    Aug  1 13:40:01.527: RADIUS(00000000): Started 5 sec timeoutUser rejected

Unfortunately, with RADIUS there is no distinction between a timeout and a missing route.

Here is an example of a successful authentication:

Aug  1 13:35:51.791: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' 

Aug  1 13:35:51.791: RADIUS/ENCODE(00000000):Orig. component type = Invalid

Aug  1 13:35:51.791: RADIUS/ENCODE(00000000): dropping service type, 
   "radius-server attribute 6 on-for-login-auth" is off

Aug  1 13:35:51.791: RADIUS(00000000): Config NAS IP: 203.0.113.2

Aug  1 13:35:51.791: RADIUS(00000000): Config NAS IPv6: ::

Aug  1 13:35:51.791: RADIUS(00000000): sending

Aug  1 13:35:51.791: RADIUS(00000000): Send Access-Request to 192.0.2.4:1645 id 
   1645/1, len 51

Aug  1 13:35:51.791: RADIUS:  authenticator F4 E3 00 93 3F B7 79 A9 - 
   2B DC 89 18 8D B9 FF 16

Aug  1 13:35:51.791: RADIUS:  User-Password       [2]   18  *

Aug  1 13:35:51.791: RADIUS:  User-Name           [1]   7   "cisco"

Aug  1 13:35:51.791: RADIUS:  NAS-IP-Address      [4]   6   203.0.113.2              

Aug  1 13:35:51.791: RADIUS(00000000): Sending a IPv4 Radius Packet

Aug  1 13:35:51.791: RADIUS(00000000): Started 5 sec timeout

Aug  1 13:35:51.799: RADIUS: Received from id 1645/1 14.36.142.31:1645, 
   Access-Accept, len 62

Aug  1 13:35:51.799: RADIUS:  authenticator B0 0B AA FF B1 27 17 BD - 
   3F AD 22 30 C6 03 5C 2D

Aug  1 13:35:51.799: RADIUS:  User-Name           [1]   7   "cisco"

Aug  1 13:35:51.799: RADIUS:  Class               [25]  35  

Aug  1 13:35:51.799: RADIUS:   43 41 43 53 3A 6A 65 64 75 62 6F 69 73 2D 61 63 
   [CACS:ACS1]

Aug  1 13:35:51.799: RADIUS:   73 2D 35 33 2F 31 33 32 34 35 33 37 33 35 2F 33 
   [s-53/132453735/3]

Aug  1 13:35:51.799: RADIUS:   38                 [ 8]

Aug  1 13:35:51.799: RADIUS(00000000): Received from id 1645/1.

Common Problems

  • The most common problem is that of configuration. Many times the admin will put in the aaa group server but not update the aaa lines to point to the server group. Instead of this:

    aaa authentication login default group management local
    aaa authorization exec default group management if-authenticated 
    aaa accounting exec default start-stop group management

    The admin will have put in this:

    aaa authentication login default grout radius local
    aaa authorization exec default group radius if-authenticated 
    aaa accounting exec default start-stop group radius

    Simply update the configuration with the correct server group.

  • A second common problem is that a user will see this error when trying to add IP VRF forwarding under the server group:

    % Unknown command or computer name, or unable to find computer address

    This means the command was not found. If you see this error, make sure the version of IOS supports per VRF RADIUS.

Related Information

Updated: Aug 24, 2012
Document ID: 113666