drwolcot
Beginner

Radius Auth Works for SSH but not HTTP - Cat1k

I have aaa authentication with radius to a Windows NPS server along with the Azure MFA dll extension.

 

This is working and I am able to log in via SSH, but it isn't working for HTTPS/Web GUI. It will continuously prompt for user/pw on the web.

 

I have enabled debug for aaa and radius and it appears to accept the response from the NPS server with "Access-Accept"

 

I have included the config statements and output of debug below

 

 

 

 


Config

 

aaa new-model
!
!
aaa group server radius NPS-Servers
 server-private 10.x.y.158 auth-port 1812 acct-port 1813 key ########################
 server-private 10.x.y.159 auth-port 1812 acct-port 1813 key ########################
!
aaa authentication login default group NPS-Servers local
aaa authorization console
aaa authorization exec default group NPS-Servers local if-authenticated
!
aaa session-id common
!
no ip http server
ip http banner
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http secure-trustpoint domain-ca
ip http session-idle-timeout 30 

 

 

 

 


Debug

 

 

*Apr 18 02:47:21.888: AAA/BIND(0000000C): Bind i/f  
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): Register HTTP/08194C30 64 bit counter support not configured
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): Update HTTP/08194C30 
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): no HC HTTP/08194C30 
*Apr 18 02:47:21.888: AAA/ACCT/EVENT/(0000000C): CALL START
*Apr 18 02:47:21.889: Getting session id for NET(0000000C) : db=5767FE0
*Apr 18 02:47:21.889: AAA/ACCT(00000000): add node, session 2
*Apr 18 02:47:21.889: AAA/ACCT/NET(0000000C): add, count 1
*Apr 18 02:47:21.889: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'default' 
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C):Orig. component type = HTTP
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:21.889: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Apr 18 02:47:21.889: RADIUS(0000000C): Config NAS IPv6: ::
*Apr 18 02:47:21.889: Getting session id for EXEC(0000000C) : db=5767FE0
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C): acct_session_id: 2
*Apr 18 02:47:21.889: RADIUS(0000000C): sending
*Apr 18 02:47:21.890: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:21.890: RADIUS(0000000C): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/2, len 57
*Apr 18 02:47:21.890: RADIUS:  authenticator 20 A6 AE 08 54 06 AE 61 - 91 82 C9 5F 8B 96 A0 D9
*Apr 18 02:47:21.890: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:21.890: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:21.890: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:21.890: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:21.890: RADIUS(0000000C): Sending a IPv4 Radius Packet
*Apr 18 02:47:21.891: RADIUS(0000000C): Started 5 sec timeout
*Apr 18 02:47:26.124: RADIUS: Received from id 1645/2 10.x.y.158:1812, Access-Accept, len 97
*Apr 18 02:47:26.124: RADIUS:  authenticator 01 3C E9 CC 92 6A 12 D4 - 1F 47 95 F3 82 6E 61 8F
*Apr 18 02:47:26.124: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Apr 18 02:47:26.124: RADIUS:  Class               [25]  46  
*Apr 18 02:47:26.125: RADIUS:   8B 2C 07 E3 00 00 01 37 00 01 02 00 0A FE FF 9E 00 00 00 00 00 00 00 00 00 00 00 00 01 D8 31 8C DC C2 86 5E 00 00 00 00 00 00 1E CC              [ ,71^]
*Apr 18 02:47:26.125: RADIUS:  Vendor, Cisco       [26]  25  
*Apr 18 02:47:26.125: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
*Apr 18 02:47:26.125: RADIUS(0000000C): Received from id 1645/2
*Apr 18 02:47:26.126: AAA/ACCT/HC(0000000C): Update HTTP/08194C30 
*Apr 18 02:47:26.126: AAA/ACCT/HC(0000000C): no HC HTTP/08194C30 
*Apr 18 02:47:26.127: AAA/ACCT/EVENT/(0000000C): CALL STOP
*Apr 18 02:47:26.127: AAA/ACCT/CALL STOP(0000000C): Sending stop requests
*Apr 18 02:47:26.127: AAA/ACCT(0000000C): Send all stops
*Apr 18 02:47:26.127: AAA/ACCT/NET(0000000C): STOP
*Apr 18 02:47:26.127: AAA/ACCT/NET(0000000C): Method list not found
*Apr 18 02:47:26.128: AAA/ACCT(0000000C): del node, session 2
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000C): free_rec, count 0
*Apr 18 02:47:26.128: /AAA/ACCTNET(0000000C) reccnt 0, csr TRUE, osr 0
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000C): Last rec in db, intf not enqueued
*Apr 18 02:47:26.128: AAA/BIND(0000000D): Bind i/f  
*Apr 18 02:47:26.128: AAA/ACCT/EVENT/(0000000D): CALL START
*Apr 18 02:47:26.128: Getting session id for NET(0000000D) : db=8195B20
*Apr 18 02:47:26.128: AAA/ACCT(00000000): add node, session 3
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000D): add, count 1
*Apr 18 02:47:26.152: AAA/ACCT/EVENT/(0000000D): CALL STOP
*Apr 18 02:47:26.152: AAA/ACCT/CALL STOP(0000000D): Sending stop requests
*Apr 18 02:47:26.152: AAA/ACCT(0000000D): Send all stops
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): STOP
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): Method list not found
*Apr 18 02:47:26.152: AAA/ACCT(0000000D): del node, session 3
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): free_rec, count 0
*Apr 18 02:47:26.152: /AAA/ACCTNET(0000000D) reccnt 0, csr TRUE, osr 0
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): Last rec in db, intf not enqueued
*Apr 18 02:47:26.293: AAA/BIND(0000000E): Bind i/f  
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): Register HTTP/08194C30 64 bit counter support not configured
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): Update HTTP/08194C30 
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): no HC HTTP/08194C30 
*Apr 18 02:47:26.293: AAA/ACCT/EVENT/(0000000E): CALL START
*Apr 18 02:47:26.293: Getting session id for NET(0000000E) : db=5767FE0
*Apr 18 02:47:26.293: AAA/ACCT(00000000): add node, session 4
*Apr 18 02:47:26.293: AAA/ACCT/NET(0000000E): add, count 1
*Apr 18 02:47:26.294: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'default' 
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E):Orig. component type = HTTP
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:26.294: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Apr 18 02:47:26.294: RADIUS(0000000E): Config NAS IPv6: ::
*Apr 18 02:47:26.294: Getting session id for EXEC(0000000E) : db=5767FE0
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E): acct_session_id: 4
*Apr 18 02:47:26.294: RADIUS(0000000E): sending
*Apr 18 02:47:26.295: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:26.295: RADIUS(0000000E): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/3, len 57
*Apr 18 02:47:26.295: RADIUS:  authenticator 0D 58 56 EE E7 11 39 0C - 21 DE 4C A0 AA 49 07 BA
*Apr 18 02:47:26.295: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:26.295: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:26.295: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:26.295: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:26.295: RADIUS(0000000E): Sending a IPv4 Radius Packet
*Apr 18 02:47:26.295: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:27.559: AAA/BIND(0000000F): Bind i/f  
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): Register HTTP/081B4A90 64 bit counter support not configured
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): Update HTTP/081B4A90 
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): no HC HTTP/081B4A90 
*Apr 18 02:47:27.559: AAA/ACCT/EVENT/(0000000F): CALL START
*Apr 18 02:47:27.559: Getting session id for NET(0000000F) : db=81C6780
*Apr 18 02:47:27.559: AAA/ACCT(00000000): add node, session 5
*Apr 18 02:47:27.559: AAA/ACCT/NET(0000000F): add, count 1
*Apr 18 02:47:27.559: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default' 
*Apr 18 02:47:27.562: AAA/BIND(00000010): Bind i/f  
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): Register HTTP/07CF50D0 64 bit counter support not configured
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): Update HTTP/07CF50D0 
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): no HC HTTP/07CF50D0 
*Apr 18 02:47:27.562: AAA/ACCT/EVENT/(00000010): CALL START
*Apr 18 02:47:27.562: Getting session id for NET(00000010) : db=81EBB10
*Apr 18 02:47:27.563: AAA/ACCT(00000000): add node, session 6
*Apr 18 02:47:27.563: AAA/ACCT/NET(00000010): add, count 1
*Apr 18 02:47:27.563: AAA/AUTHEN/LOGIN (00000010): Pick method list 'default' 
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F):Orig. component type = HTTP
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.576: RADIUS(0000000F): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.576: RADIUS(0000000F): Config NAS IPv6: ::
*Apr 18 02:47:27.576: Getting session id for EXEC(0000000F) : db=81C6780
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F): acct_session_id: 5
*Apr 18 02:47:27.576: RADIUS(0000000F): sending
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010):Orig. component type = HTTP
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.577: RADIUS(00000010): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.577: RADIUS(00000010): Config NAS IPv6: ::
*Apr 18 02:47:27.577: Getting session id for EXEC(00000010) : db=81EBB10
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010): acct_session_id: 6
*Apr 18 02:47:27.577: RADIUS(00000010): sending
*Apr 18 02:47:27.578: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.578: RADIUS(0000000F): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/4, len 57
*Apr 18 02:47:27.578: RADIUS:  authenticator F5 6A 0A 9A 3E CB E2 0A - 04 B9 6D 6F 98 20 32 FD
*Apr 18 02:47:27.579: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:27.579: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:27.579: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:27.579: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:27.579: RADIUS(0000000F): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.579: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:27.579: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.579: RADIUS(00000010): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/5, len 57
*Apr 18 02:47:27.580: RADIUS:  authenticator 6C 3D 66 4A 29 FD 36 9F - A1 88 EF B8 5E C9 95 4F
*Apr 18 02:47:27.580: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:27.580: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:27.580: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:27.580: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:27.580: RADIUS(00000010): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.580: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:27.583: AAA/BIND(00000011): Bind i/f  
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): Register HTTP/081B56B0 64 bit counter support not configured
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): Update HTTP/081B56B0 
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): no HC HTTP/081B56B0 
*Apr 18 02:47:27.583: AAA/ACCT/EVENT/(00000011): CALL START
*Apr 18 02:47:27.583: Getting session id for NET(00000011) : db=81D8BC0
*Apr 18 02:47:27.583: AAA/ACCT(00000000): add node, session 7
*Apr 18 02:47:27.583: AAA/ACCT/NET(00000011): add, count 1
*Apr 18 02:47:27.583: AAA/AUTHEN/LOGIN (00000011): Pick method list 'default' 
*Apr 18 02:47:27.586: AAA/BIND(00000012): Bind i/f  
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): Register HTTP/081C86A0 64 bit counter support not configured
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): Update HTTP/081C86A0 
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): no HC HTTP/081C86A0 
*Apr 18 02:47:27.586: AAA/ACCT/EVENT/(00000012): CALL START
*Apr 18 02:47:27.586: Getting session id for NET(00000012) : db=81D9740
*Apr 18 02:47:27.586: AAA/ACCT(00000000): add node, session 8
*Apr 18 02:47:27.586: AAA/ACCT/NET(00000012): add, count 1
*Apr 18 02:47:27.587: AAA/AUTHEN/LOGIN (00000012): Pick method list 'default' 
*Apr 18 02:47:27.587: RADIUS/ENCODE(00000011):Orig. component type = HTTP
*Apr 18 02:47:27.587: RADIUS/ENCODE(00000011): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.588: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.588: RADIUS(00000011): Config NAS IPv6: ::
*Apr 18 02:47:27.588: Getting session id for EXEC(00000011) : db=81D8BC0
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000011): acct_session_id: 7
*Apr 18 02:47:27.588: RADIUS(00000011): sending
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012):Orig. component type = HTTP
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.588: RADIUS(00000012): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.588: RADIUS(00000012): Config NAS IPv6: ::
*Apr 18 02:47:27.588: Getting session id for EXEC(00000012) : db=81D9740
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012): acct_session_id: 8
*Apr 18 02:47:27.588: RADIUS(00000012): sending
*Apr 18 02:47:27.591: AAA/BIND(00000013): Bind i/f  
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): Register HTTP/081DB990 64 bit counter support not configured
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): Update HTTP/081DB990 
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): no HC HTTP/081DB990 
*Apr 18 02:47:27.591: AAA/ACCT/EVENT/(00000013): CALL START
*Apr 18 02:47:27.591: Getting session id for NET(00000013) : db=82451D0
*Apr 18 02:47:27.591: AAA/ACCT(00000000): add node, session 9
*Apr 18 02:47:27.591: AAA/ACCT/NET(00000013): add, count 1
*Apr 18 02:47:27.591: AAA/AUTHEN/LOGIN (00000013): Pick method list 'default' 
*Apr 18 02:47:27.592: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.592: RADIUS(00000011): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/6, len 57
*Apr 18 02:47:27.592: RADIUS:  authenticator AD 60 46 76 5B BE EE 6B - 9E 4E EF 43 8D D9 F8 E3
*Apr 18 02:47:27.592: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:27.592: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:27.592: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:27.592: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:27.592: RADIUS(00000011): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.592: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:27.593: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.593: RADIUS(00000012): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/7, len 57
*Apr 18 02:47:27.593: RADIUS:  authenticator 0B 36 1B 1B 86 24 AC 6A - 0E E8 C6 0F FE 17 FE 94
*Apr 18 02:47:27.593: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:27.593: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:27.593: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:27.593: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:27.593: RADIUS(00000012): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.593: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013):Orig. component type = HTTP
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.594: RADIUS(00000013): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.594: RADIUS(00000013): Config NAS IPv6: ::
*Apr 18 02:47:27.594: Getting session id for EXEC(00000013) : db=82451D0
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013): acct_session_id: 9
*Apr 18 02:47:27.594: RADIUS(00000013): sending
*Apr 18 02:47:27.594: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.595: RADIUS(00000013): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/8, len 57
*Apr 18 02:47:27.595: RADIUS:  authenticator 73 CB 4B 4C 32 D9 1F B9 - 1C 99 1C A7 23 D8 BD C9
*Apr 18 02:47:27.595: RADIUS:  User-Name           [1]   7   "test-user"
*Apr 18 02:47:27.595: RADIUS:  User-Password       [2]   18  *
*Apr 18 02:47:27.595: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Apr 18 02:47:27.595: RADIUS:  NAS-IP-Address      [4]   6   10.a.b.13                
*Apr 18 02:47:27.595: RADIUS(00000013): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.596: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:31.341: RADIUS(0000000E): Request timed out! 
*Apr 18 02:47:31.341: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:31.342: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:32.629: RADIUS(0000000F): Request timed out! 
*Apr 18 02:47:32.629: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:32.629: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:32.629: RADIUS(00000010): Request timed out! 
*Apr 18 02:47:32.629: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:32.630: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:32.630: RADIUS(00000011): Request timed out! 
*Apr 18 02:47:32.630: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:32.630: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:32.630: RADIUS(00000012): Request timed out! 
*Apr 18 02:47:32.630: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:32.631: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:32.631: RADIUS(00000013): Request timed out! 
*Apr 18 02:47:32.631: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:32.631: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:36.365: RADIUS(0000000E): Request timed out! 
*Apr 18 02:47:36.365: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:36.365: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:37.662: RADIUS(0000000F): Request timed out! 
*Apr 18 02:47:37.662: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:37.662: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:37.662: RADIUS(00000010): Request timed out! 
*Apr 18 02:47:37.662: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:37.663: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:37.663: RADIUS(00000011): Request timed out! 
*Apr 18 02:47:37.663: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:37.663: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:37.663: RADIUS(00000012): Request timed out! 
*Apr 18 02:47:37.663: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:37.664: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:37.664: RADIUS(00000013): Request timed out! 
*Apr 18 02:47:37.664: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:37.664: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:41.383: RADIUS(0000000E): Request timed out! 
*Apr 18 02:47:41.383: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:41.384: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:42.681: RADIUS(0000000F): Request timed out! 
*Apr 18 02:47:42.681: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:42.681: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:42.681: RADIUS(00000010): Request timed out! 
*Apr 18 02:47:42.681: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:42.682: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:42.682: RADIUS(00000011): Request timed out! 
*Apr 18 02:47:42.682: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:42.682: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:42.682: RADIUS(00000012): Request timed out! 
*Apr 18 02:47:42.682: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:42.683: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:42.683: RADIUS(00000013): Request timed out! 
*Apr 18 02:47:42.683: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:42.683: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:46.409: RADIUS(0000000E): Request timed out! 
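
An added example (not part of the original post): a small Python parser that correlates `debug radius` lines in the format shown above by RADIUS packet id and reports, per Access-Request, the reply code, the reply latency against the timer printed in the log, and the number of retransmits. The sample lines are a constructed excerpt in the post's format; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the `debug radius` output posted above.
SAMPLE = """\
*Apr 18 02:47:21.890: RADIUS(0000000C): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/2, len 57
*Apr 18 02:47:21.891: RADIUS(0000000C): Started 5 sec timeout
*Apr 18 02:47:26.124: RADIUS: Received from id 1645/2 10.x.y.158:1812, Access-Accept, len 97
*Apr 18 02:47:26.295: RADIUS(0000000E): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/3, len 57
*Apr 18 02:47:31.341: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:31.341: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:36.365: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:36.365: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
"""

TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
SEND = re.compile(TS + r"RADIUS\((?P<sess>[0-9A-F]+)\): Send Access-Request to "
                       r"(?P<srv>\S+) .*?\bid (?P<rid>\d+/\d+),")
RECV = re.compile(TS + r"RADIUS: Received from id (?P<rid>\d+/\d+) \S+, "
                       r"(?P<code>Access-\w+),")
RETX = re.compile(TS + r"RADIUS: Retransmit to \S+ for id (?P<rid>\d+/\d+)")
TIMER = re.compile(r"Started (\d+) sec timeout")


def parse_ts(ts):
    # IOS debug timestamps carry no year; a fixed placeholder year is
    # prepended because only differences between timestamps are used.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def summarize(log_text, warn_fraction=0.8):
    """Return {radius_id: record} for every Access-Request seen in the log.

    RADIUS ids are reused over time; a later request with the same id
    replaces the earlier record, which is adequate for a short capture.
    """
    reqs, timer = {}, None
    for line in log_text.splitlines():
        if m := SEND.search(line):
            reqs[m["rid"]] = {"session": m["sess"], "server": m["srv"],
                              "sent": parse_ts(m["ts"]), "result": "no-reply",
                              "latency": None, "retransmits": 0}
        elif (m := RECV.search(line)) and m["rid"] in reqs:
            rec = reqs[m["rid"]]
            rec["result"] = m["code"]
            rec["latency"] = (parse_ts(m["ts"]) - rec["sent"]).total_seconds()
        elif (m := RETX.search(line)) and m["rid"] in reqs:
            reqs[m["rid"]]["retransmits"] += 1
        elif m := TIMER.search(line):
            timer = int(m[1])
    for rec in reqs.values():
        # Flag replies that used most of the retransmit timer shown in the log.
        rec["near_timeout"] = bool(timer and rec["latency"] is not None
                                   and rec["latency"] >= warn_fraction * timer)
    return reqs


if __name__ == "__main__":
    for rid, rec in summarize(SAMPLE).items():
        lat = "-" if rec["latency"] is None else f"{rec['latency']:.3f}s"
        print(f"id {rid} session {rec['session']} -> {rec['result']:<14} "
              f"latency {lat:<7} retransmits {rec['retransmits']} "
              f"near_timeout={rec['near_timeout']}")
```
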
balaji.bandi
VIP Guru

Try a local account and see if that works, before you try RADIUS user authentication.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I used local authentication before I set up aaa and radius and it was working.

Even with local auth as a backup to radius, local auth still doesn't work.

ip http authentication aaa login-authentication NPS-Servers
ip http authentication aaa exec-authorization NPS-Servers

Just try only this. What is the outcome?

 

Also some references:

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/63910-aaa-control-ios-http.html

BB


This didn't work because that config stanza is asking for an authentication list name. The name is default based on the config. NPS-Servers is the group of RADIUS servers.

 

Cat1k(config)#ip http authentication aaa login-authentication NPS-Servers
Warning: Authentication list "NPS-Servers" is not defined for LOGIN.

Cat1k(config)#ip http authentication aaa exec-authorization NPS-Servers
Warning: Authorization list "NPS-Servers" is not defined for EXEC.

I would remove both commands and try a simple test first:

 

ip http authentication aaa

BB


MHM Cisco World
Advisor

Cisco works with two versions of HTTP: one is V1 and the other is V1.1.
With HTTP V1, HTTP works under the VTY.

This switch is V1.1 for HTTP.

 

Cat1k#show subsys name http
Name                               Class       Version   
http                               Protocol    1.001.002 
drwolcot
Beginner

Just wanted to bump this topic as this still isn't working.

ip http authentication aaa <- add this command

ip http server <- add this command

adminko
Beginner

Hi

I have exactly the same problem. I'm working with ClearPass. I can see the RADIUS requests, but they are completely empty, without any attributes. Therefore I have no chance to filter these requests.

I also configured:

ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default

Are there any additional attributes to use?

Best regards,

Andy

 
