topic Re: Having trouble configuring RADIUS on a 3750X switch. in Network Access Control

Having trouble configuring RADIUS on a 3750X switch.

Mogwai — Mon, 08 Jul 2024 16:17:32 GMT

Been at this for the better part of a morning & keep running into issues, I believe it's a small issue (or two), but not 100% sure.

I'm attempting to configure RADIUS authentication on a few new 3750X switches that I installed earlier in the year. Have plans to do the router later in the year also. We have two NPS servers as our AAA servers 10.8.60.200 & 201. & I've already setup the NPS client settings on the mirrored NPS/AAA servers for this new switch.

I currently have the switch using local creds. When I set up the switch I go through the following process.

conf t

(config)aaa new-model

(config)aaa group server radius TEST

(config-sg-radius)server RAD01 [Tests OK]

(config-sg-radius)server RAD02 [Tests OK]

This is where I think I'm having the issue, as when I "?" at this level I see the following options:

CEN-IDF6-3750X(config-sg-radius)#?
RADIUS Server-group commands:
accounting -- Specify a RADIUS attribute filter for accounting
attribute -- Customize selected radius attributes
authorization -- Specify a RADIUS attribute filter for authorization
backoff -- Retry backoff pattern (Default is retransmits with constant delay)
cache -- cached DB profile configuration
deadtime -- Specify time in minutes to ignore an unresponsive server
default -- Set a command to its defaults
exit -- Exit from RADIUS server-group confguration mode
ip -- Internet Protocol config commands
load-balance -- Server group load-balancing options.
no -- Negate a command or set its defaults
server -- Specify a RADIUS server
server-private -- Define a private RADIUS server (per group)

All the info I see online at this point references setting up the secret key, or "address ipv4 x.x.x.x. auth-port acct-port." I'm not sure if I'm just doing something out of order or at the incorrect level, but I can't get the rest to work.

Re: Having trouble configuring RADIUS on a 3750X switch.

Rob Ingram — Mon, 08 Jul 2024 17:59:14 GMT

@Mogwai you don't configure the IP address or shared secret under the radius server group. You must define the AAA server object(s) separately and then reference those objects in the RADIUS server group. Example:

radius server AAA-1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 automate-tester username switch-probe ignore-acct-port probe-on
 key XXXXXXXX
!
radius server AAA-2
 address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
 automate-tester username switch-probe ignore-acct-port probe-on
 key XXXXXXXX
!
aaa group server radius ISE-RADIUS
 server name AAA-1
 server name AAA-2

HTH

Re: Having trouble configuring RADIUS on a 3750X switch.

MHM Cisco World — Mon, 08 Jul 2024 18:09:32 GMT

Dont confuse, I will explain what you see

IP under Server group is used mainly for config source of radius not use for server IP

Key under server group is override what ypu config under server.

What Is config server with IP and key and optional port

Then use this server under server group.

I. E.

radius server radius-1
 address ipv4 x.x.x.x
 key XXXXXXXX

aaa group server radius Radius-group
 server name radius-1

MHM

Re: Having trouble configuring RADIUS on a 3750X switch.

Mogwai — Mon, 08 Jul 2024 19:01:48 GMT

@Rob Ingram Gotcha, so I think I see what you're saying, but when I tried this I ran into another hiccup, but I think I see the way around it...

radius server AAA-1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 automate-tester username switch-probe ignore-acct-port probe-on
 key XXXXXXXX

Just to make sure this is under the 'conf t' level?

Re: Having trouble configuring RADIUS on a 3750X switch.

Rob Ingram — Mon, 08 Jul 2024 19:05:44 GMT

@Mogwai correct, you must configure those commands under "conf t"

FYI, the automate-tester commands are optional to confirm the RADIUS server is alive and not mandatory.

Re: Having trouble configuring RADIUS on a 3750X switch.

Mogwai — Tue, 09 Jul 2024 11:50:08 GMT

@Rob Ingram So, another question if you don't mind. As when I go under 'conf t' to setup the radius servers, I run the 1st command 'radius-server host RAD01', it translates & sees the server fine, but then the switch level doesn't change? It still stays at the config level? From my understanding shouldn't I now be moved to different level in order to configure the IP/ports/key for the server?

If I just run 'address ipv4 10.8.60.216 auth-port 1645 acct-port 1646' it takes the command, how can I confirm that it applied those to the correct RAD server?

Re: Having trouble configuring RADIUS on a 3750X switch.

Rob Ingram — Tue, 09 Jul 2024 12:01:23 GMT

@Mogwai you appear to be using a different command than provided previously. The command example previously provided is the newer command syntax, it could be your 3750-X is so old it does not support that command. On older IOS versions you define the RADIUS host and key in one command, the commands are not nested, this method is depreciated on newer versions.

CURRENT SYNTAX

3560(config)#radius server AAA-1
3560(config-radius-server)#address ipv4 192.168.10.12 auth-port 1812 acct-port 1813
3560(config-radius-server)#key Cisco1234

OLD SYNTAX

3560(config)#radius-server host 192.168.10.12 key Cisco1234
Warning: The CLI will be deprecated soon
'radius-server host 192.168.10.12 key Cisco1234'
Please move to 'radius server <name>' CLI.

Use which ever method your software image supports, the result is the same.

Re: Having trouble configuring RADIUS on a 3750X switch.

Mogwai — Tue, 09 Jul 2024 12:29:39 GMT

Awesome & thanks for the clarification, I'll take a look at upgrading them & then another crack at the radius!