topic Radius Authentication Cisco Switch in Network Access Control

Radius Authentication Cisco Switch

James Hoggard — Mon, 11 Mar 2019 04:20:50 GMT

Hi,

I have a cisco 2960 switch and currently trying to setup radius authentication. My microsoft guy does the server side we have matching keys and he says there is no problem on his side, but we still canno get it to work.

Config on switch

aaa new-model
aaa authentication login default group radius local

radius-server host 10.0.0.13 auth-port 1812
radius-server key 0 test

line vty 0 4
login authentication default

switch and radius server are on the same network. I have done a debug and confused on the output. Can anyone point me in the right direction.

I have done a debug aaa authentication and debug radius

AccessSwitch#

RADIUS/ENCODE(00001586):Orig. component type = Exec

RADIUS: AAA Unsupported Attr: interface [221] 4 92269176

RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

RADIUS(00001586): Config NAS IP: 0.0.0.0

RADIUS(00001586): Config NAS IPv6: ::

RADIUS/ENCODE(00001586): acct_session_id: 20

RADIUS(00001586): sending

RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13

RADIUS(00001586): Sending a IPv4 Radius Packet

RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77

RADIUS: authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98

RADIUS: User-Name [1] 15 "james.hoggard"

RADIUS: User-Password [2] 18 *

RADIUS: NAS-Port [5] 6 2

RADIUS: NAS-Port-Id [87] 6 "tty2"

RADIUS: NAS-Port-Type [61] 6 Virtual [5]

RADIUS: NAS-IP-Address [4] 6 10.0.0.56

RADIUS(00001586): Started 5 sec timeout

RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20

RADIUS: authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C

RADIUS(00001586): Received from id 1645/18

AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'

RADIUS/ENCODE(00001586): ask "Password: "

RADIUS/ENCODE(00001586): send packet; GET_PASSWORD

Thanks

James.

Radius Authentication Cisco Switch

Jatin Katyal — Sat, 01 Feb 2014 16:53:19 GMT

Since radius server is sending access-reject so you need to check the NPS/IAS Event Viewer logs to find the reason of failure. My guess, PAP as an authetication method is not enabled under Remote access policy > properties >authentication. But you still need to check the event viewer logs to determine the exact reason.

~BR
Jatin Katyal

**Do rate helpful posts**

Radius Authentication Cisco Switch

James Hoggard — Sat, 01 Feb 2014 19:10:33 GMT

Thanks.

PAP is unencrypted isn't it? is there a way i can get the cisco device to use an encrypted method?

James

Re: Radius Authentication Cisco Switch

Jatin Katyal — Sat, 01 Feb 2014 20:05:45 GMT

yes, PAP always use plain text and that doesn't provide any kind of security. However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.

If you need secure communication then you may implement TACACS.

TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.

~BR
Jatin Katyal

**Do rate helpful posts**