https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285787#M596116 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/237724">M02@rt37</a>&nbsp;</P> <P>ping is succeeded</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_0-1745818806622.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/244219i8FD1B439D3C73AA9/image-size/large?v=v2&amp;px=999" role="button" title="hs08_0-1745818806622.png" alt="hs08_0-1745818806622.png" /></span></P> <P>&nbsp;</P> Mon, 28 Apr 2025 05:40:38 GMT hs08 2025-04-28T05:40:38Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285758#M596112 <P>Hello,</P> <P>I setup Network Policy Server as Radius server to authenticate all my cisco ssh login.</P> <P>I found one issue with my C9300 where i already set command 'ip radius source-interface Loopback0' and my loopback ip is 10.107.107.1</P> <P>But when this request come to the NPS, the source come from different ip address. The NPS detect request come from ip 10.4.3.254 where this ip belong to interface vlan1. Anyone know why?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_0-1745811000936.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/244208iDFEEA588E57052EA/image-size/medium?v=v2&amp;px=400" role="button" title="hs08_0-1745811000936.png" alt="hs08_0-1745811000936.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_1-1745811030725.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/244209iAE8C29727DE86EAE/image-size/medium?v=v2&amp;px=400" role="button" title="hs08_1-1745811030725.png" alt="hs08_1-1745811030725.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 28 Apr 2025 03:31:10 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285758#M596112 hs08 2025-04-28T03:31:10Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285761#M596113 <P>Hi friend,&nbsp;</P> <P>You assigned source under radius group are you use this group in authc/authz</P> <P>Also why this group don't have and server host?</P> <P>MHM</P> Mon, 28 Apr 2025 04:08:46 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285761#M596113 MHM Cisco World 2025-04-28T04:08:46Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285777#M596114 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P> <P>Here my radius config</P> <P>aaa new-model<BR />!<BR />!<BR />aaa group server radius ADRADIUS<BR />server-private 10.103.248.31 key 7 xxxxx<BR />!<BR />aaa authentication login ADRADIUS local group ADRADIUS<BR />aaa authorization exec ADRADIUS local group ADRADIUS</P> <P>!<BR />ip radius source-interface Loopback0</P> <P>line vty 0 4<BR />authorization exec ADRADIUS<BR />login authentication ADRADIUS<BR />transport input ssh<BR />line vty 5 15<BR />authorization exec ADRADIUS<BR />login authentication ADRADIUS<BR />transport input ssh</P> <P>and here debug message</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_0-1745818014076.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/244216iEBCF1E8324C43F90/image-size/large?v=v2&amp;px=999" role="button" title="hs08_0-1745818014076.png" alt="hs08_0-1745818014076.png" /></span></P> <P>&nbsp;</P> Mon, 28 Apr 2025 05:27:26 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285777#M596114 hs08 2025-04-28T05:27:26Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285782#M596115 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1437984">@hs08</a>&nbsp;</P> <P>Do you try to ping radius server with lo0 as source ip address ?</P> <P>ping 10.103.248.31 source Loopback0</P> <P>If it fails, that’s 100% why your radius is sourced from vlan1 instead of your loopback0.</P> <P>Regarding your log:</P> <P>The C9300 send the packet multiple times (retransmissions) but receive no reply:&nbsp;Request timed out!<BR />No response from (10.103.248.31:1645)</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 28 Apr 2025 05:50:20 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285782#M596115 M02@rt37 2025-04-28T05:50:20Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285787#M596116 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/237724">M02@rt37</a>&nbsp;</P> <P>ping is succeeded</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hs08_0-1745818806622.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/244219i8FD1B439D3C73AA9/image-size/large?v=v2&amp;px=999" role="button" title="hs08_0-1745818806622.png" alt="hs08_0-1745818806622.png" /></span></P> <P>&nbsp;</P> Mon, 28 Apr 2025 05:40:38 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285787#M596116 hs08 2025-04-28T05:40:38Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285794#M596117 <P>Mmm OK</P> <P>This log, <EM>NAS-IP-Address [4] 6 10.107.107.1</EM>,&nbsp;shows that the switch is sending the RADIUS Access-Request with loopback0 as the source ip...</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html</A></P> <P>What is you IOS-xe version please ?</P> <P>&nbsp;</P> Mon, 28 Apr 2025 06:04:27 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285794#M596117 M02@rt37 2025-04-28T06:04:27Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285797#M596118 <P>Do debug ip packet &lt;list&gt;</P> <P>In list specify the udp port you use for radius and IP.</P> <P>Let see if device send from correct IP or there is something else drop traffic.</P> <P>MHM</P> <P>&nbsp;</P> Mon, 28 Apr 2025 06:18:13 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285797#M596118 MHM Cisco World 2025-04-28T06:18:13Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285848#M596120 <P>my version is 16.12.4</P> Mon, 28 Apr 2025 08:17:29 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285848#M596120 hs08 2025-04-28T08:17:29Z https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285858#M596121 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1437984">@hs08</a>,</P> <P>you need to configure the radius source-interface under the server-group you created:</P> <P>aaa group server radius ADRADIUS<BR />&nbsp;&nbsp;&nbsp; ip radius source-interface Loopback0<BR />&nbsp;&nbsp;&nbsp; server-private 10.103.248.31 key 7 xxxxx</P> <P>You configured this command in global config mode so that it would be used by the default server-group "radius".<BR />However, you created your own server group ADRADIUS so that this command must be issued in config-sg-radius mode because each server group uses its own radius source-interface.</P> <P>As you noticed a ping can only test the IP reachability of the radius server.<BR />However, in order to test the reachability of the radius <U>service</U> you can use the following command:</P> <LI-CODE lang="markup">test aaa group ADRADIUS &lt;username&gt; &lt;password&gt; [new-code|legacy]</LI-CODE> <P>&nbsp;Whether you need to use new-code or legacy depends on your radius server and in some cases both options might work.</P> <P>HTH!</P> Mon, 28 Apr 2025 09:00:28 GMT https://community.cisco.com/t5/network-access-control/radius-wrong-interface/m-p/5285858#M596121 Jens Albrecht 2025-04-28T09:00:28Z