topic Re: Issues getting radius authentication working on switch with vrf in Network Access Control

Issues getting radius authentication working on switch with vrf

Gallain — Tue, 21 Nov 2023 22:44:07 GMT

Hello,

I've been on a project to point all our cisco network switches to our new NPS servers, so that multi factor authentication is done when someone logs in. I've been able to do all the switches except 2 which happen to have a vrf configuration on it.

From my troubleshooting (looking at a firewall between the switch and the nps), it doesn't look like it even attempts to send a radius packet out of the switch. It's like it's looking at it's local AAA instead.

I just get a failed authentication error when trying to ssh in.

I've tested icmp connectivity between the switch and the NPS server, that's working fine.

I've attached the switch configuration

Re: Issues getting radius authentication working on switch with vrf

MHM Cisco World — Tue, 21 Nov 2023 22:55:58 GMT

Use

Server-private instead of server name

If tge server reachable via mgmt vrf rib

Re: Issues getting radius authentication working on switch with vrf

Gallain — Wed, 22 Nov 2023 04:11:34 GMT

i added your command so the group server radius config looks like this:

aaa group server radius RadiusServerGroup
server-private 10.4.85.31
ip vrf forwarding Mgmt-vrf
ip radius source-interface GigabitEthernet0/0

Here are pings showing the accessibility:

ord-hl2s-1#ping vrf Mgmt-vrf 10.4.85.31 sourc gigabitEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.85.31, timeout is 2 seconds:
Packet sent with a source address of 10.1.130.132
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

However, it still looks like no radius attempt is made. I still get a Access denied when putting in my normal credentials.

Re: Issues getting radius authentication working on switch with vrf

MHM Cisco World — Wed, 22 Nov 2023 04:34:31 GMT

I check config again

Under vty

You dont specify the aaa auth method VTY so it use defualt.

Add

Under vty 0 4 and check access again.

MHM

Re: Issues getting radius authentication working on switch with vrf

Arne Bier — Wed, 22 Nov 2023 22:20:51 GMT

Yep - your aaa authentication login contains the method list name "VTY" - therefore you must match that to the relevant vty lines as MHM said. Same goes for authorization. If you had left this as keyword "default" in your aaa statements, then the vty lines would have worked by default. It's generally a good idea to use method lists, but they can cause for extra confusion

Buty in general, you can also send RADIUS test authentication requests using this IOS command

test aaa group RadiusServerGroup somename somepassword new-code

Re: Issues getting radius authentication working on switch with vrf

Gallain — Wed, 22 Nov 2023 22:36:29 GMT

Thank you so much. This worked!