topic I had the same issue (with in Switches - Small Business

SG300-28 RADIUS login

Martin Oesting — Wed, 05 Jun 2013 16:52:34 GMT

Hi,

I have some 2960s and they work like a charm. I configured RADIUS access on them and had no problems with that.

Now I have two C300 (SG300-28) and I can't get them to work with my RADIUS server, I always get an "authentication failed".

Here are the commands on one of the boxes:

encrypted radius-server key <encrypted key>

radius-server host <radius host IP> auth-port 1645 acct-port 1646

aaa authentication enable SSH radius enable

aaa authentication login SSH radius local

Also, why is it presenting me the login twice when I connect via ssh (first with "login-as:" and no password and then with "User Name:" and with a password?!) ? At the first login I can type whatever I want and only the second login is the real one.

Greetings

Martin

SG300-28 RADIUS login

Brendan Kearney — Wed, 05 Jun 2013 21:08:43 GMT

i have an sg300-28 using radius for auth too. i am able to ssh to the device with no issue using my id. make sure your radius server is sending back the authorization string that is expected (i imagine it is doing so, since your 29xx's are working).

below is the auth config i have for my switch. telnet is shut off, http is shut off, https, ssh and snmp are turned on. only radius is allowed when using ssh or https. console is radius or local.

encrypted radius-server key <<>>

radius-server host 192.168.25.1 source 0.0.0.0

radius-server host 192.168.50.1 source 0.0.0.0

logging host 192.168.25.1

aaa authentication enable Console radius enable

aaa authentication enable SSH radius

aaa authentication enable Telnet radius

ip http authentication aaa login-authentication radius

aaa authentication login Console radius local

aaa authentication login SSH radius

aaa authentication login Telnet radius

aaa authentication dot1x default radius

aaa accounting dot1x start-stop group radius

aaa accounting login start-stop group radius

line telnet

enable authentication Telnet

password <<>> encrypted

exit

line ssh

enable authentication SSH

password <<>> encrypted

exit

line console

enable authentication Console

password <<>> encrypted

exit

SG300-28 RADIUS login

Martin Oesting — Thu, 06 Jun 2013 08:58:26 GMT

Your config looks like mine. The crazy thing is, the event log of the RADIUS server (MS Windows 2008 R2) shows an information event with the details that the login against the RADIUS was a success. So why is the SG300 giving me an

"authentication failed"?

And do you have an answer to the second question of my post?

Martin

SG300-28 RADIUS login

Brendan Kearney — Thu, 06 Jun 2013 21:12:16 GMT

is your RADIUS server replying with

Cisco-AVPair = "shell:priv-lvl=15"

in the auth response? it seems that this is not happening. i have no idea about the other question you have.

SG300-28 RADIUS login

Martin Oesting — Fri, 07 Jun 2013 06:43:29 GMT

Hi,

I did a debug radius on one of the 2960 (didn't find out how to do this on the SG300):

RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"

They use the same Policy on the RADIUS.

Greetings

Martin

SG300-28 RADIUS login

Brendan Kearney — Fri, 07 Jun 2013 20:49:31 GMT

notice that the string i provided and the one you captured are different.

Cisco-AVPair = "shell:priv-lvl=15"

vs.

Cisco AVpair [1] 19 "shell:priv-lvl=15"

as far as i know, only the number at the end of the string (which indicates access level) should change. the extra characters being returned by your RADIUS server might be the issue. maybe try setting a new RadiusReplyItem value, and see if that works.

Re: SG300-28 RADIUS login

Steven Carnahan — Wed, 19 Jun 2013 18:57:24 GMT

I have tried for several days to get this to work on one of our SG300-28 switches. We have been using RADIUS on all our other Cisco gear (switches, routers ans ASA's) with no issue. We are trying to put two of these switches in front of a SAN so we don't need all the bells and whistles of the larger switches.

I have set up aaa through the CLI basically just like Brendan Kearney shows in the post in March. I can see that it is getting to the RADIUS server because this is in the RADIUS log:

"","IAS",06/18/2013,15:00:04,1,"","",,,,,,"",,9,"","",,,,,,,1,,0,"311 1 06/18/2013 10:14:44 63",,,,,,,,,"05000010",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

With the retries set to 3 it locks out the AD account as well so it is attempting to authenticate. I had to set the console to permit local in order to get access back both through SSH (PuTTy). I then went in and remove almost all of the aaa configuration so that I could get back on through the Web GUI.

I also have the dual logon issue mentioned in the original post.

First login doesn't seem to care what you put in.

I had the same issue (with

theitcrowd — Mon, 23 Jun 2014 09:48:37 GMT

I had the same issue (with SG300 switch) and wasn't able to find a solution, so I am posting what I did here to fix it just in case someone else happens to wander past.

The issue seemed to be the assumption that "Cisco-AVPair = "shell:priv-lvl=15"" should be passed back to the device from the RADIUS server as it does with IOS devices. Once I removed this, I was able to logon to the SG300 switch successfully using RADIUS for SSH. Web Authentication still didn't like this though... not sure about that, so have left web authentication as local.

That line is required for our IOS based devices. We use Microsoft NPS for our Radius Server, so I now have two network policies, one for SG devices and one for IOS devices.

As for the 'double logon' it still seems to be an issue, but couldn't find a resolution.

Thanks.

OMG .... 2 years + and this

WalterCoria — Mon, 29 Dec 2014 01:29:18 GMT

OMG .... 2 years + and this is still an issue? WTF?

brendankearney's semi-workaround did work for me.

Strange part is that I have a small lab setup and it worked there ... in production it did not. As stated in the other comments above all other "Big Boy" switches work without issue ... however these SBS switches do not without Brendan's work around!

I've wasted 12 hours on this today! And still not solution.

On FW version 1.4.0.88 ... Late Dec 2014. No joy!

Hi Walter,You need to make

Aleksandra Dargiel — Mon, 29 Dec 2014 06:38:55 GMT

Hi Walter,

You need to make sure both the “Administrative-User” and the privilege 15 values are to be seen in the accept message from the Radius server.

Regards,

Aleksandra

To fix double-login you have

Michal Bruncko — Mon, 29 Dec 2014 12:45:33 GMT

To fix double-login you have to enable ssh-like password authentication on switch using command:

ip ssh password-auth

You need to set your Standard

Jeremy Gibbs — Mon, 05 Jan 2015 17:53:08 GMT

You need to set your Standard radius attributes Service-Type from Login to Administrative. That should fix it. Let me know if it works.

I tried your command and it

Steven Carnahan — Tue, 06 Jan 2015 23:22:59 GMT

I tried your command and it fails:

iib-san-3#ip ssh password-auth
% Unrecognized command

Here is the help for the ip command:

iib-san-3#ip
dhcp Dhcp configuration commands
source-guard IP Source Guard action commands

I don't see ssh as an option.

it is an configuration

Michal Bruncko — Tue, 06 Jan 2015 23:25:41 GMT

it is an configuration command, so you have to put it inside configuration mode

Thank you, that worked like a

Steven Carnahan — Tue, 06 Jan 2015 23:28:52 GMT

Thank you, that worked like a charm. Now only get the Login as prompt and not the additional Username prompt.

Now I just need to get the Radius working properly. :)

Still not working even after

Michal Bruncko — Tue, 06 Jan 2015 23:51:01 GMT

Still not working even after two years? :)
- do you have similar configuration like mentioned here: http://www.tech-recipes.com/rx/1478/how-to-setup-ias-to-use-radius-to-authenticate-cisco-device/ ?
- did you tried to increase IAS logging verbosity?
- did you performed packet capture to see RADIUS conversation between both parties? If so, did you saw Access-Accept or Access-Reject response coming from RADIUS server?
- if it is "Access-Reject", are you sure you are using correct login name password? did you see correct values (username and password) inside RADIUS conversation (inside message Access-Request)? If so, are you use complicated password with non ASCII characters? Have you tried to simplify it to include only ASCII characters in password (I hope this is requirement)?
- if it is "Access-Accept" message coming from RADIUS and you still not having access to device, have you checked mandatory fields inside "Access-Accept" message? both following were required in my scenario:

Service-Type = Administrative-User,
Cisco-AVPair = "shell:priv-lvl=15"

For me it is working well, but I am using FreeRADIUS instead of IAS (but this should not matter at all).

Thanks Michael Bruncko.

Michael Donaldson — Mon, 21 Nov 2016 06:13:11 GMT

Thanks Michael Bruncko. Changing the service-type from "Login" to "Administrative" on my NPS Win 2012 R2 server fixed it.

Would never have gotten there without your post.

Cheers!

Re: SG300-28 RADIUS login

00u17ijrcn4iTTKHb5d7 — Fri, 23 Jul 2021 11:49:19 GMT

SG300 Switches doesn’t allow AAA authentication. Request your support.

Following are the commands used for the config.

· Radius-server host <IP> key <key>

· Aaa authentication login <SSH_list_name> radius local

· Aaa authentication login <Console_list_name> radius local

· Aaa authentication enable <SSH_list_name> radius

· Aaa authentication enable <Console_list_name> radius

· Line ssh

· Login authentication <SSH_list_name>

· Line console

· Login authentication <Console_list_name>

Note : Same config works fine in SG350 switches.

: SG300s are running on 1.4.11.5 (Boot Version: 1.3.5.06)

Re: You need to set your Standard

dtapley1 — Tue, 11 Apr 2023 13:23:46 GMT

I took our Radius setup over from a former colleague who said it would not work on an SG300. Made the change suggested by Jeremy and everything is good to go. Thanks!