
Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

I have been using MobaXterm as my SSH client for many months, with mostly no problems. Good thing I've kept PuTTY installed "just in case".

 

On Tuesday I was able to SSH in to my Cisco gear - which all look to CPPM for RADIUS auth - and then last thing Tuesday I patched ClearPass.

 

Being snowed-in meant I couldn't test on Wednesday.

 

Thursday I couldn't connect from MobaXterm's SSH client, but PuTTY could. I just realized that the change coincided with the patch.

 

Anyone got an idea what to troubleshoot first?

RADIUS warning

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

Hi,

It's unusual that one SSH client works and the other fails to authenticate with that message. Are there any configuration differences between the SSH clients?

Also, I'd recommend using TACACS+ instead of RADIUS for admin user authentication. ;) But that's a different matter.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

Now we have two SSH clients failing - on Cisco 1941 and 2960, but not ASA or non-Cisco gear.

I'm queued up for TAC now.

 

I'll let you all know what we get.

--Matthew


Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

TAC gave me a quick and straightforward answer:

This is expected and is mentioned in the Release notes (http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.6.3/Default.htm#WhatsNew/ImportantChanges.htm?Highlight=35712).

Seems I hadn't realized my Cisco switches and routers make those malformed requests when I use MobaXterm or the SolarWinds SSH clients, yet not when I use PuTTY.

 

Anyone know how to "fix" a Cisco RADIUS request?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
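
An added example, not part of the thread and not ClearPass's own validation logic: generic RFC 2865 structural checks that can be run over a captured Access-Request to see what a strict RADIUS server could object to. The thread does not say which check ClearPass 6.6.3 applies; the `build` helper and both sample packets are constructed for illustration.

```python
import struct

# RFC 2865 attributes whose total length is fixed at 6 (type + length + 4-octet value).
FIXED_LEN = {4: 6, 5: 6, 6: 6}  # NAS-IP-Address, NAS-Port, Service-Type


def check_radius_packet(data: bytes) -> list[str]:
    """Return the RFC 2865 structural problems found in one RADIUS datagram."""
    if len(data) < 20:
        return ["datagram shorter than the 20-octet RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096:
        return [f"Length field {length} outside 20..4096"]
    if length > len(data):
        return [f"Length field {length} exceeds datagram size {len(data)}"]
    problems, seen, pos = [], set(), 20  # attributes start after the Authenticator
    while pos < length:  # octets beyond Length are padding and are ignored
        if length - pos < 2:
            problems.append(f"offset {pos}: truncated attribute header")
            break
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append(f"offset {pos}: attribute {atype} has invalid length {alen}")
            break  # the next attribute boundary cannot be trusted
        if alen == 2:  # RFC 2865 forbids sending zero-length text/string values
            problems.append(f"offset {pos}: attribute {atype} has an empty value")
        elif atype in FIXED_LEN and alen != FIXED_LEN[atype]:
            problems.append(f"offset {pos}: attribute {atype} length {alen} is not 6")
        seen.add(atype)
        pos += alen
    # An Access-Request must identify the NAS (IPv6 variant per RFC 3162).
    if code == 1 and not problems and not seen & {4, 32, 95}:
        problems.append("Access-Request lacks NAS-IP-Address and NAS-Identifier")
    return problems


def build(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Build a constructed test packet with a zeroed Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples (not captured traffic): a well-formed request, and one
# carrying a zero-length Calling-Station-Id (type 31).
GOOD = build(1, [(1, b"admin"), (4, bytes([192, 0, 2, 10])), (5, struct.pack("!I", 2))])
BAD = build(1, [(1, b"admin"), (4, bytes([192, 0, 2, 10])), (31, b"")])
```

Running `check_radius_packet` on the UDP payload of requests from a working and a failing SSH session shows whether the two differ structurally before involving the server.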


Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

Use TACACS+ instead. :)
Cheers
James


Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

I'd love to, but I need to manage them to change the auth methods.

Can't manage them if I can't connect from the management platform.

 

I've asked TAC for a workaround, or to tell me how to roll-back to patch 2 while we fix the Cisco side of the equation.

--Matthew


Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

Ouch. Disabled all local auth?

I guess it's a lot of devices to console into or roll back CPPM.

Cheers
James


Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

@msabin any update on your situation?

CWNA, ACMP, Security +