https://community.cisco.com/t5/network-access-control/c2960x-error-radius-through-ssh/m-p/3913800#M24716 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/300873">@Steveosh72</a>&nbsp;</P> <P>&nbsp;</P> <P>You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices</P> <P>&nbsp;</P> <P>It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RADIUS.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/43756i3D7C060766D96701/image-size/large?v=v2&amp;px=999" role="button" title="RADIUS.PNG" alt="RADIUS.PNG" /></span></P> <P>&nbsp;</P> <P>The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.</P> <P>&nbsp;</P> Mon, 26 Aug 2019 03:37:45 GMT Arne Bier 2019-08-26T03:37:45Z https://community.cisco.com/t5/network-access-control/c2960x-error-radius-through-ssh/m-p/3912681#M24713 <P>Hi there</P><P>&nbsp;</P><P>I have a new C2960X that we are replacing a couple old ones with.</P><P>I can not get RADIUS working&nbsp; .&nbsp; yes the switch can ping the radius server .. i took out the key but it is there</P><P>&nbsp;</P><P>HELP</P><P>&nbsp;</P><P>I have it programmed like this</P><P>aaa new-model<BR />!<BR />!<BR />aaa group server radius RADIUS_AUTH<BR />!<BR />aaa authentication login networkaccess group RADIUS_AUTH local enable<BR />aaa authorization exec default group RADIUS_AUTH local if-authenticated</P><P><BR />!<BR />radius server RADIUS_AUTH<BR />address ipv4 172.20.253.222 auth-port 1812 acct-port 1813<BR />key 7 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD</P><P><BR />line con 0<BR />exec-timeout 0 0<BR />line vty 0 4<BR />access-class 99 in<BR />exec-timeout 0 0<BR />password 7 09584B051A0403<BR />login authentication networkaccess<BR />length 0<BR />transport input ssh<BR />line vty 5 15<BR />access-class 99 in<BR />exec-timeout 0 0<BR />password 7 09584B051A0403<BR />login authentication networkaccess<BR />transport input ssh</P><P><BR />crypto key gener rsa</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>what i get is&nbsp;</P><P>&nbsp;</P><P>login as: xxxxxxx<BR />Keyboard-interactive authentication prompts from server:<BR />| Password:<BR />End of keyboard-interactive prompts from server<BR />Access denied<BR />Keyboard-interactive authentication prompts from server:<BR />| Password:</P><P>&nbsp;</P> Thu, 22 Aug 2019 23:32:09 GMT https://community.cisco.com/t5/network-access-control/c2960x-error-radius-through-ssh/m-p/3912681#M24713 Steveosh72 2019-08-22T23:32:09Z https://community.cisco.com/t5/network-access-control/c2960x-error-radius-through-ssh/m-p/3913800#M24716 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/300873">@Steveosh72</a>&nbsp;</P> <P>&nbsp;</P> <P>You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices</P> <P>&nbsp;</P> <P>It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RADIUS.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/43756i3D7C060766D96701/image-size/large?v=v2&amp;px=999" role="button" title="RADIUS.PNG" alt="RADIUS.PNG" /></span></P> <P>&nbsp;</P> <P>The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.</P> <P>&nbsp;</P> Mon, 26 Aug 2019 03:37:45 GMT https://community.cisco.com/t5/network-access-control/c2960x-error-radius-through-ssh/m-p/3913800#M24716 Arne Bier 2019-08-26T03:37:45Z