topic of course after hours of in Network Access Control

AAA not working on cisco 3560 Switch ,Their is no communications between the Swicth and NAP server

salmanearn — Mon, 11 Mar 2019 05:37:03 GMT

Dear All,

I am trying to apply AAA configuration on Cisco C3560E switch.The same setting is working on other 16 networks switches.

The following configuration is applied on the switch

(config)#service password-encryption
(config)#aaa new-model
(config)#aaa authorization network default group radius
(config)#username NORAD priv 15 secret dasdsadaa
(config)#aaa group server radius NPS-RADIUS-SERVERS
sw1(config-sg-radius)#server-private 192.168.1.11 auth-port 1812 acct-port 1812 key secret
sw1(config-sg-radius)#exit
sw1(config)#aaa authentication login default group NPS-RADIUS-SERVERS local
sw1(config)#aaa authorization exec default group NPS-RADIUS-SERVERS local if-authenticated
sw1(config)#aaa authorization console

Plus This switch is added as a radius client in the radius server
The Switch can ping the radius server visevarsa
Tried different auth-port 1645 acct-port 1646 and others still to luck

NO LOG present in NPS server for comunication between the switch and NPS server.It is apprent that swicth is not talking to NPS(AAA) can not figure out the reason

What interface are you using

nspasov — Wed, 08 Apr 2015 21:14:28 GMT

What interface are you using to source your Radius packets from? Make sure that:

- You can ping the Radius server while sourcing the packets from that interface

- Make sure the IP address of that interface is the IP address configured on the Radius server

Thank you for rating helpful posts!

The radius server can ping

salmanearn — Thu, 09 Apr 2015 06:37:11 GMT

The radius server can ping the switch and the switch can ping radius server.

There are approx 40 plus other switches, this configuration is working on them perfectly. However all the 3560 switches the same thing is happening.

The switches are not talking to radius server no logs. But the local authentication is working on all of them. But not the AAA.

Is it possible some setting in the switch is giving precedence to local authentication rather then going for AAA.

Please suggest

It is strange that you are

nspasov — Thu, 09 Apr 2015 16:50:11 GMT

It is strange that you are not seeing any logs...this would usually suggest that the communication is blocked by Firewall/access-list. I know that you said that ping is working but perhaps something else is blocking the Radius ports. Have you tried to do a packet capture and see if you are seeing the Radius packets.

Also, on the switch, you can issue the show aaa servers command and see the status.

Thank you for rating helpful posts!

Was this issue ever resolved?

onnigsaya — Mon, 22 Aug 2016 18:22:08 GMT

Was this issue ever resolved? I have the same problem. Configuration seems appropriate but no packets reaching out to configured radius server. Telnet over authorization and authentication ports 1646 and 1645 works, data passes and logged by firewall, but when I try to ssh to the box with radius configuration, nothing.

of course after hours of

onnigsaya — Mon, 22 Aug 2016 18:54:33 GMT

of course after hours of trying/testing I figure it out after I post the question here. The problem was that I was missing the radius server addresses after the aaa command:

aaa group server radius RADIUSSERVERGROUPNAME
server 1.1.1.1 auth-port 1645 acct-port 1646
server 2.2.2.2 auth-port 1645 acct-port 1646