https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235782#M593736 <P>Yes, but i try login using my radius user and since the credentials didn't work so i use local user. Trying to get some debug log by enabling the '<SPAN>debug radius authentication', try login using radius user and there is no any debug messages.</SPAN></P> Thu, 12 Dec 2024 04:03:48 GMT hs08 2024-12-12T04:03:48Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235759#M593731 <P>Hello,</P><P>I configure my C3850 authentication to Active Directory Radius (NPS), and seem this C3850 is not send any radius traffic to the NPS.</P><P>Trying with enable 'debug radius authentication' and i can see there is no debug message in the log. Someone know how to troubleshot this?</P> Thu, 12 Dec 2024 02:23:31 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235759#M593731 hs08 2024-12-12T02:23:31Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235764#M593732 <P>Before running debugs, check the following:</P> <P>Check your config. If your 3850 is sending RADIUS In a VRF, then ensure that the source interface and vrf details are correct</P> <P>&nbsp;</P> <LI-CODE lang="markup">show run | section radius</LI-CODE> <P>&nbsp;</P> <P>Check the status of the aaa servers (the servers should not be "DEAD"</P> <P>&nbsp;</P> <LI-CODE lang="markup">show aaa servers</LI-CODE> <P>&nbsp;</P> <P>And I assume of course that the 3850 can ping the NPS?&nbsp; And that you have added the 3850 into NPS as a RADIUS client, and then configured it accordingly.</P> <P>You can send test commands to the aaa RADIUS group - the username password below can be arbitrary - the IOS will make a PAP request to the RADIUS server - if RADIUS server doesn't handle PAP, then you are likely to get an Access-Reject. But a Reject is also a sign of RADIUS communication. It does not prove the RADIUS shared secret is correct though - it just proves that the UDP traffic is getting answered&nbsp;</P> <LI-CODE lang="markup">test aaa group &lt;radius_group_name&gt; username password new-code</LI-CODE> <P>&nbsp;</P> <P>If you are using IOS-XE from a certain vintage, then the legacy "debug" commands no longer work. I think they are still there, but they don't do anything. IOS-XE replaced all this with the session manager daemon, running on Linux. Try this</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;" lang="en-GB">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">Set the debugs</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">===================</P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> dot1x-all debug</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> radius-authen debug</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> aaa-authen debug</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> eap-all debug</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> auth-mgr-all debug</SPAN></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">View the trace levels</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">=========================</P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;" lang="en-GB">show platform software trace level smd switch active R0</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">View the logs with</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">==============================</P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;">show platform software trace message smd switch active R0</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">After test complete, reset the debugs to normal again!!!</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">===========&nbsp;&nbsp;</P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> dot1x-all notice</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> radius-authen notice</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> aaa-authen notice</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> eap-all notice</SPAN></P> <P style="margin: 0in; font-family: 'Courier New'; font-size: 11.0pt;"><SPAN>set platform software trace smd switch active R0</SPAN><SPAN> auth-mgr-all notice</SPAN></P> <P>&nbsp;</P> Thu, 12 Dec 2024 02:55:59 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235764#M593732 Arne Bier 2024-12-12T02:55:59Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235773#M593733 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;</P><P>Here my radius config</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_0-1733972173976.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235745iEFE87CCC8676613B/image-size/large?v=v2&amp;px=999" role="button" title="hs08_0-1733972173976.png" alt="hs08_0-1733972173976.png" /></span></P><P>show aaa servers</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_1-1733972222811.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235746i94B867C963EC27DF/image-size/large?v=v2&amp;px=999" role="button" title="hs08_1-1733972222811.png" alt="hs08_1-1733972222811.png" /></span></P><P>ping to the NPS server is success</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_3-1733972535443.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235748i634842E348400BD8/image-size/large?v=v2&amp;px=999" role="button" title="hs08_3-1733972535443.png" alt="hs08_3-1733972535443.png" /></span></P><P>Based on show version i can see we use CAT3K ios</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_4-1733972567827.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235749i6066402A3F030516/image-size/large?v=v2&amp;px=999" role="button" title="hs08_4-1733972567827.png" alt="hs08_4-1733972567827.png" /></span></P><P>All other devices is working normally to the NPS with same configuration.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 Dec 2024 03:03:24 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235773#M593733 hs08 2024-12-12T03:03:24Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235781#M593735 <P>The server is UP</P> <P>But your authc is first try local then try radius.</P> <P>And Since it sucess with local it never try radius&nbsp;</P> <P>MHM</P> Thu, 12 Dec 2024 04:00:47 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235781#M593735 MHM Cisco World 2024-12-12T04:00:47Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235782#M593736 <P>Yes, but i try login using my radius user and since the credentials didn't work so i use local user. Trying to get some debug log by enabling the '<SPAN>debug radius authentication', try login using radius user and there is no any debug messages.</SPAN></P> Thu, 12 Dec 2024 04:03:48 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235782#M593736 hs08 2024-12-12T04:03:48Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235784#M593737 <P>Oh right - you're doing AAA (device admin).&nbsp; Share your output for&nbsp;</P> <LI-CODE lang="markup">show run | section line</LI-CODE> <P>Perhaps you have some method list or weird config there.&nbsp;&nbsp;</P> <P>You should run a test command also</P> <LI-CODE lang="markup">test aaa group ADRADIUS username password new-code</LI-CODE> <P>And then check the output of "show aaa servers"&nbsp; - did the authentication counters increment?</P> <P>I would also swap around the "local group ADRADIUS" to be "group ADRADIUS local" instead. I have never seen it done with local first, and I would expect that if the user account is not found locally, then go to the group instead. But it's not good security practice - you want to make local access the method of last resort.</P> Thu, 12 Dec 2024 04:11:00 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235784#M593737 Arne Bier 2024-12-12T04:11:00Z https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235785#M593738 <P>yeah that work, i'm forgot to add this command in the line vty</P><P>authorization exec ADRADIUS<BR />login authentication ADRADIUS</P> Thu, 12 Dec 2024 04:14:01 GMT https://community.cisco.com/t5/network-access-control/radius-not-working/m-p/5235785#M593738 hs08 2024-12-12T04:14:01Z