topic Radius authentication issue: Switch is not even communicating wi in Network Access Control

Radius authentication issue: Switch is not even communicating with radius server

vincehgov — Mon, 11 Mar 2019 04:03:29 GMT

I'm having a strange issue. I'm running a 3560 8 port switch with c3560-ipbasek9-mz.122-58.SE2.bin.

Here is the relevant config:

interface Vlan140

ip address 172.20.40.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.20.40.1

aaa new-model

aaa group server radius RADIUSGROUP

server name RADIUS-SERVER1

aaa authentication login default group RADIUSGROUP local

radius server RADIUS-SERVER1

address ipv4 172.20.1.2 auth-port 1812 acct-port 1813

key 7 xxx

-----------------------

I am able to ping the radius server from the switch so there is L3 connectivity. However, when I try to login using my radius credentials, I get:

Request timed out.

00:58:35: RADIUS(00000014): Request timed out

00:58:35: RADIUS: No response from (172.20.1.2:1812,1813) for id 1645/14

00:58:35: RADIUS/DECODE: No response from radius-server; parse response; FAIL

00:58:35: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

A packet capture shows that pings go across, but I don't see any packets being sent at all for the radius authentication attempt.

I am not running any VRFs or packet filter ACLs.

Does anyone have any ideas?

Thank you in advance.

Radius authentication issue: Switch is not even communicating wi

vincehgov — Fri, 01 Nov 2013 17:00:15 GMT

By the way, I forgot to mention that I've tried it with the "ip radius source-interface" of the vlan interface but still no game.

Radius authentication issue: Switch is not even communicating wi

Jatin Katyal — Fri, 01 Nov 2013 20:48:19 GMT

What radius server are you running? Could you please verify the shared-secret key on server and switch side.

~BR
Jatin Katyal

**Do rate helpful posts**

Radius authentication issue: Switch is not even communicating wi

vincehgov — Fri, 01 Nov 2013 21:10:20 GMT

Hey Jatin,

I wish it was that simple as a mismatched shared-secret. The problem is that the switch isn't even sending any packets out to the radius server AT ALL.

Vince

Radius authentication issue: Switch is not even communicating wi

dal — Sat, 02 Nov 2013 09:38:00 GMT

Hi.

What radius server are you using? Some radius servers (Windows for example) do not use port 1812 and 1813 for communication, but 1645 and 1646 instead.

Could be worth checking out.

- Dal

Radius authentication issue: Switch is not even communicating wi

vincehgov — Sat, 02 Nov 2013 16:20:10 GMT

I'm sorry guys, I forgot the name of the radius server. However, I want to focus on why there is no traffic coming out of the switch when it is attempting to communicate with the radius server. I don't see any packets coming out of the switch destined for the radius server in the first place. The radius server works when I configure it on other switches. I used the exact same configuration on all the switches. They are the same model with the same firmware. I checksummed the firmware and it is good.

Radius authentication issue: Switch is not even communicating wi

dal — Sat, 02 Nov 2013 23:09:38 GMT

What are you trying to achieve? Do you want to use radius for managment login into the switch?

If so, I think you must add this line:

aaa authorization exec default group RADIUSGROUP local

Radius authentication issue: Switch is not even communicating wi

vincehgov — Wed, 06 Nov 2013 23:01:58 GMT

Hi, yes, I have that line in there as well. I'm trying to ssh into the switch and authenticate using radius. I am able to SSH in, but when I attempt to authenticate, it doesn't look like the switch is communicating with the radius server at all. A packet capture shows that there are no radius traffic. It is really strange and probably one of those rare issues. I've set up dozens of switch like this and never had any problems before.