topic Radius - Active Directory authentication. in Network Access Control

Radius - Active Directory authentication.

sslackjcb — Mon, 11 Mar 2019 01:43:31 GMT

Hi All,

Weird issue with radius.

We have quite a few of these switches around the campus all in stacks. We had 4 switches in one stack which we had to split into two seperate stacks. Since then the new stack which we created won't allow us to login using radius.

This is the configuration which mirrors all our other switches:

aaa new-model

aaa authentication login default group radius local

aaa authentication dot1x default group radius

aaa authorization exec default group radius local

aaa authorization network default group radius

ip radius source-interface (LoopbackInterface)

radius-server host RADIUSSERVER auth-port 1812 acct-port 1813 key password

The switches in the stack are running IOS Version 12.2(53)SE2.

Any help would be appreciated as i've remove radius and added it again with no joy.

Ohh also in the logs i get

*Jan 16 22:52:25.537: %RADIUS-4-RADIUS_DEAD: RADIUS server IP:1812,1813 is not responding.
*Jan 16 22:52:25.537: %RADIUS-4-RADIUS_ALIVE: RADIUS server IP:1812,1813 is being marked alive.

Which according to Cisco is purely cosmetic, but not sure if it is relevant here.

Thanks for your time.

Radius - Active Directory authentication.

camejia — Mon, 16 Jan 2012 19:26:01 GMT

Hello Steve,

The DEAD/ALIVE errors might be considered cosmetic as both include the same time: Jan 16 22:52:25.537

Are you getting any attempts being logged on the server side for the failure? Also, are you using ACS, MS IAS, MS NPS? Which specific RADIUS server are you using?

Along with the server logs can you enable "debug aaa authentication", "debug aaa authorization" and "debug radius" and test the authentication again?

Please share the outputs of the server and the IOS device.

Regards.

Radius - Active Directory authentication.

Richard Burts — Mon, 16 Jan 2012 19:38:33 GMT

Steve

Can you verify that the Radius server has a correct and accurate configuration for the client coming from the loopback address of the new stack? And can you verify that the address of the loopback in the new stack is what you expected it to be?

HTH

Rick

Radius - Active Directory authentication.

camejia — Mon, 16 Jan 2012 19:42:57 GMT

Hello Steve,

Richard is thinking on the scenario where moving the switch from stack made the loopback address to change. In that case, the RADIUS server will report an "Unknown RADIUS Client" sending the request and it will deny the access. In that case you need to check that the IP address of the loopback switch stack is properly configured on the RADIUS server as a valid RADIUS client.

Regards.

Radius - Active Directory authentication.

sslackjcb — Tue, 17 Jan 2012 09:07:48 GMT

Hi All,

I really appreciate you taking time to look at this,

One thing i will add is we had another stack which we had to split due to problems at the same time and two switches out of that stack also can't authenticate against with radius.

We are using Microsoft Network Policy Server. There is policy already in place and i have just added the new clients onto the server.

I know the secrets are the same as i have just copied the installation from another.

All the ip addresses are correct for the loopback addresses.

here are the logs:

Jan 17 08:53:55.689: AAA/BIND(0000010A): Bind i/f
Jan 17 08:53:55.689: AAA/AUTHEN/LOGIN (0000010A): Pick method list 'default'
Jan 17 08:53:55.694: RADIUS/ENCODE(0000010A): ask "Username: "
Jan 17 08:53:57.860: RADIUS/ENCODE(0000010A): ask "Password: "
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A):Orig. component type = EXEC
Jan 17 08:54:00.596: RADIUS: AAA Unsupported Attr: interface         [171] 4
Jan 17 08:54:00.596: RADIUS:   74 74                [ tt]
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan 17 08:54:00.596: RADIUS(0000010A): Config NAS IP: (LoopbackIP)
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A): acct_session_id: 263
Jan 17 08:54:00.596: RADIUS(0000010A): sending
Jan 17 08:54:00.596: RADIUS(0000010A): Send Access-Request to (RadiusServerIP):1812 id 1645/33, len 88
Jan 17 08:54:00.596: RADIUS: authenticator CA C4 C7 F3 CD 5E AB 88 - F1 FD 2B 0E 4F E1 81 DB
Jan 17 08:54:00.596: RADIUS: User-Name           [1]   12 "ciscoadmin"
Jan 17 08:54:00.596: RADIUS: User-Password       [2]   18 *
Jan 17 08:54:00.596: RADIUS: NAS-Port            [5]   6   1
Jan 17 08:54:00.596: RADIUS: NAS-Port-Id         [87] 6   "tty1"
Jan 17 08:54:00.596: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Jan 17 08:54:00.596: RADIUS: Calling-Station-Id [31] 14 "(AdminMachineIP)"
Jan 17 08:54:00.596: RADIUS: NAS-IP-Address      [4]   6   (LoopbackIP)
Jan 17 08:54:00.596: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:05.420: RADIUS(0000010A): Request timed out
Jan 17 08:54:05.420: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:05.420: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:11.066: RADIUS(0000010A): Request timed out
Jan 17 08:54:11.066: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:11.066: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:16.346: RADIUS(0000010A): Request timed out
Jan 17 08:54:16.346: %RADIUS-4-RADIUS_DEAD: RADIUS server (RadiusServerIP):1812,1813 is not responding.
Jan 17 08:54:16.346: %RADIUS-4-RADIUS_ALIVE: RADIUS server (RadiusServerIP):1812,1813 is being marked alive.
Jan 17 08:54:16.346: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:16.346: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:21.584: RADIUS(0000010A): Request timed out
Jan 17 08:54:21.584: RADIUS: No response from ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:21.584: RADIUS/DECODE: parse response no app start; FAIL
Jan 17 08:54:21.584: RADIUS/DECODE: parse response; FAIL
Jan 17 08:54:23.586: AAA/AUTHEN/LOGIN (0000010A): Pick method list 'default'
Jan 17 08:54:23.586: RADIUS/ENCODE(0000010A): ask "Username: "

Here is the logs from the NPS.

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: ciscoadmin

Account Domain: JA

Fully Qualified Account Name: JA\ciscoadmin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: -

Calling Station Identifier: (myIP)

NAS:

NAS IPv4 Address: (loopback)

NAS IPv6 Address: -

NAS Identifier: -

NAS Port-Type: Virtual

NAS Port: 1

RADIUS Client:

Client Friendly Name: jb-agg-0201-002

Client IP Address: (loopback)

Authentication Details:

Connection Request Policy Name: Use Windows authentication for all users

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: JA-SRV-SC01-NPS.JA.INTERNAL

Authentication Type: PAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 16

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Not sure why it says this because the password/account has been setup from the beginning and works on all other switches besides these two stacks.

Thanks again

Radius - Active Directory authentication.

sslackjcb — Tue, 17 Jan 2012 09:36:40 GMT

Sorry... scrap that about the radius server.

I changed the secret template for that particular client (i'd forgot... troubleshooting)

I've now changed it back and here is the correct log... seems strange because its granted access.

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

Security ID: JA\ciscoadmin

Account Name: ciscoadmin

Account Domain: JA

Fully Qualified Account Name: JA.INTERNAL/JCB Academy/JCBA Users/JCBA SysAdmin Accounts/Cisco Admin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: -

Calling Station Identifier: (myIP)

NAS:

NAS IPv4 Address: (loopbackIP)

NAS IPv6 Address: -

NAS Identifier: -

NAS Port-Type: Virtual

NAS Port: 1

RADIUS Client:

Client Friendly Name: jb-agg-0201-002

Client IP Address: (loopbackIP)

Authentication Details:

Connection Request Policy Name: Use Windows authentication for all users

Network Policy Name: Cisco Admin

Authentication Provider: Windows

Authentication Server: JA-SRV-SC01-NPS.JA.INTERNAL

Authentication Type: PAP

EAP Type: -

Account Session Identifier: -

Quarantine Information:

Result: Full Access

Extended-Result: -

Session Identifier: -

Help URL: -

System Health Validator Result(s): -

Radius - Active Directory authentication.

camejia — Tue, 17 Jan 2012 15:18:27 GMT

Hello Steve,

Actually, from the IOS debugs the request is timing out:

Jan 17 08:54:21.584: RADIUS(0000010A): Request timed out

Can you try increasing the RADIUS Timeout from the default value to 15 or 20 seconds? If the Authentication still fails change it back to the default setting of 5 seconds.

Command:

radius-server timeout 20

Please share the results.

NOTE: If the above does not work, a capture on the NPS server when authenticating with the faulty units might be needed. However, with the capture you might need to share the Secret Key in order to decrypt the packets.

Regards.

Radius - Active Directory authentication.

sslackjcb — Tue, 17 Jan 2012 16:00:12 GMT

Hi,

That didn't work do want the logs from the switch? as its the same just says timeout 20.

Attached it a capture from the NPS server at time of authentication

Is this ok?

Radius - Active Directory authentication.

camejia — Tue, 17 Jan 2012 16:18:57 GMT

Steve,

The capture is just showing Access-Request from the switch to the NPS but no response (Access-Accept or Access-Reject) from the NPS to the switch. Were there any RADIUS packets going from the NPS to the switch?

Regards.

Radius - Active Directory authentication.

sslackjcb — Wed, 18 Jan 2012 08:58:06 GMT

Sorry Carlos.. it would probably help if i included that wouldn't it.

Can you see from this?

Radius - Active Directory authentication.

sslackjcb — Wed, 18 Jan 2012 09:35:51 GMT

Fixed it!!!

Having seen the TTL exceeded messages on the capture it appealed to me that the router had no way back to the switch..

so i added a route back to the switch and it worked straight away.

Thanks so much for your help..

Re: Radius - Active Directory authentication.

camejia — Wed, 18 Jan 2012 16:47:17 GMT

Hello Steve,

Thanks for the update. Will keep it in mind next time I get TTL Excedeed on a capture from a NPS server.

Regards.