[RADIATOR] [*** Newsletter ***] Re: Cisco NX-OS TACACS+ problems

Alexander Hartmaier alexander.hartmaier at t-systems.at
Fri Oct 18 04:14:21 CDT 2013


On 2013-10-18 11:07, Heikki Vatiainen wrote:
> On 10/18/2013 11:23 AM, Alexander Hartmaier wrote:
>> On 2013-10-11 13:56, Caporossi, Steve G. wrote:
>>> We also have issues with NXOS; in our case using RADIUS.
>>>
>>> It always seems to begin with these syslog messages:
>>> 2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server <server address>
>>> 2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
>>>
>>> Authentication fails and we fall back to local authentication; we "fix" the issue by sending test authentication to the RADIUS servers.
>>>
>>> We have the DNS entries configured on the Nexus devices and when this is happening the device can ping the servers using the hostname. Another strange thing is it happens primarily in one VDC and much less frequently on the others using the same OOB management network.
>> What do you mean by 'DNS entries configured *on* the Nexus'? Does it
>> also happen if you configure the RADIUS servers' IP addresses instead of
>> their DNS names?
>>
>> @Radiator guys: any update from you?
> For the RADIUS/DNS problem above, I can only think of configuring the
> server with an address instead of a name. Why does it fail? Maybe there's
> a rate limit on the DNS side. If there are lots of RADIUS requests each
> causing a DNS lookup, that might cause the lookup failures.
>
> As for the NX-OS problems Alexander sees, could it be possible that
> accounting requests are sent to different Radiators than authentication
> or authorization requests?
>
> If so, then there might be a different shared key configured on the
> NX-OS than on Radiator? In this case Radiator logs should show errors
> hinting about 'Bad key?'. If Radiator thinks the key is bad, it will
> disconnect and this may be logged as 'All servers failed to respond'.
The requests are sent to two Radiator servers forming a failover pair
which both have the same TACACS key.
It only happens from time to time; the authentication and accounting
requests usually work.

>
> Thanks,
> Heikki
>
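As an added example (not part of the thread, nor Radiator's or Cisco's code), a small Python parser for the NX-OS syslog layout quoted above that flags, per host/VDC, bursts of RADIUS-server DNS lookup failures (what the resolver rate-limit hypothesis would produce) alongside every "All RADIUS servers failed to respond" event. Host names, server names and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the NX-OS syslog layout quoted in the thread; host/VDC
# names, server names and times are made up for this example.
SAMPLE_LOG = """\
2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius1.example.test
2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius2.example.test
2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius1.example.test
2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
2013 Oct 10 20:01:02.000 mdf2 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server radius1.example.test
2013 Oct 10 20:30:00.500 mdf1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0
"""
# timestamp, hostname (VDC), %FACILITY-SEVERITY-MNEMONIC: free text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
DNS_FAIL = "Failed looking up IP address for RADIUS server "
ALL_FAILED = "All RADIUS servers failed to respond"

def parse_nxos_syslog(text):
    """Parse NX-OS syslog lines into dicts; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S.%f")
            events.append(ev)
    return events

def find_radius_faults(events, burst=3, window=timedelta(seconds=5)):
    """Per host/VDC, flag `burst` RADIUS-server DNS lookup failures inside `window`
    and every 'all servers failed' event; returns sorted (ts, host, kind, detail)."""
    findings = []
    recent = defaultdict(list)  # host -> timestamps of recent lookup failures
    for ev in events:
        if ev["facility"] != "RADIUS":
            continue
        if ev["msg"].startswith(DNS_FAIL):
            hist = recent[ev["host"]]
            hist.append(ev["ts"])
            hist[:] = [t for t in hist if ev["ts"] - t <= window]  # sliding window
            if len(hist) == burst:
                findings.append((ev["ts"], ev["host"], "dns-burst",
                                 f"{burst} lookup failures in {window.seconds}s"))
        elif ev["msg"].startswith(ALL_FAILED):
            findings.append((ev["ts"], ev["host"], "aaa-outage", ev["msg"]))
    return sorted(findings)
```

Feeding the real `show logging` output of each VDC through this separates a device whose lookups fail in bursts (pointing at the resolver) from one where the "all servers failed" events occur without preceding lookup failures.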
