C93180 Radius issue

Surfking55
Level 1

This one has me stumped.

We stood up radius servers in our new building, we'll call it building 2. It's pretty similar to our old building, we'll call that building 1.

- Both buildings are running Windows server 2019 VMs.

- Everything works in building 1. We have Junipers, nexus 93180s and 9336 in building 1.

- We only have 2 C93180s in building 2. The rest are Junipers and Catalyst 9500 in building 2. 

- In building 2, we can putty using AD creds into everything except the C93180s. The 93180s are running 10.4(2). We are using putty v.83. I can ssh into the C93180s using local accounts. When I run "test aaa group rad-group username password", I get "User authenticated". But when I ssh using putty (or ssh from another device like a switch, firewall, or redhat box), it prompts me for a username and password. But it dies and asks me for the password again. I'll do the password 2 more times and it kills the connection. I can do that all day and my user in AD will not lock out. When I look at event viewer on the radius server, I see all of my login attempts. I have the C93180s and radius servers configured exactly like building 1. The radius debug that is created when a login attempt is made isn't clear what the issue is. I am seeing a weird error in the radius server event log: "An Access-Request message was received from RADIUS client... without a Message-Authenticator attribute when a Message-Authenticator attribute is required." Again, the configuration in the radius server and the switches are exactly the same in the two buildings.

Any thoughts? 

7 Replies

Mark Elsen
Hall of Fame

 

@Surfking55 Add radius-server attribute 80 in the running configuration of the switch.

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

@Mark Elsen Thanks for the suggestion. Unfortunately, that command isn't an option. For radius-server in global config my only options are:

- deadtime
- directed-request
- host
- key
- retransmit
- secure
- test timeout

I also played around with "use-vrf" and changed it between default and management, but that didn't work either.  

aaa attribute-map MAP
radius attribute 80 include

MHM

@MHM Cisco World Looking into your suggestion, there is no command for just "radius". The only option I have is "radius-server". As for the aaa command, I don't have an option for "aaa attribute". The only options for aaa are:

- accounting
- authentication
- authorization
- bypass-user
- group
- server
- user

Again, I'm running 10.4(2) on a C93180.

 

@Surfking55 The command is available starting from 9.3(x)

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

@Mark Elsen From everything I've read (and seen on my switch), that command specifically applies to Cisco IOS devices and not Nexus switches.

ethanalyzer local interface mgmt capture-filter "udp port 1812 or udp port 1813" limit-captured-frames 0 <<- share this; let's check whether the Nexus sends Message-Authenticator or not.
Also, what RADIUS platform do you use?

MHM
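To make the check MHM proposes concrete, here is an added Python example (not from the thread, Cisco or Microsoft) that builds a minimal RADIUS Access-Request with and without attribute 80 and validates the Message-Authenticator the way a server that requires it does (HMAC-MD5 over the packet per RFC 2869); the shared secret, Request Authenticator, user name and NAS address are constructed sample values. It reports the three states a capture can land in: attribute missing (the event-log error above), present and valid, or present but computed with a different shared secret.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # the attribute the server event log says is missing


def build_access_request(attrs, authenticator, secret=None):
    """Encode a RADIUS Access-Request (RFC 2865 header + TLV attributes).

    With a secret, attribute 80 is appended and filled with HMAC-MD5(secret,
    whole packet) computed while its 16 value bytes are zero (RFC 2869 5.14).
    """
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def check_message_authenticator(pkt, secret):
    """Classify a request as 'missing', 'invalid' or 'valid' for attribute 80."""
    pos = 20  # attributes start after the 20-byte header
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(received, expected) else "invalid"
        pos += length
    return "missing"


# Constructed sample values (not from the thread): secret, authenticator, user, NAS.
SECRET = b"constructed-shared-secret"
AUTHN = bytes(range(16))  # a real Request Authenticator is 16 random bytes
ATTRS = [(ATTR_USER_NAME, b"jdoe"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
WITHOUT_80 = build_access_request(ATTRS, AUTHN)        # the case the event log reports
WITH_80 = build_access_request(ATTRS, AUTHN, SECRET)   # what the server insists on

if __name__ == "__main__":
    print(check_message_authenticator(WITHOUT_80, SECRET))        # missing
    print(check_message_authenticator(WITH_80, SECRET))           # valid
    print(check_message_authenticator(WITH_80, b"wrong-secret"))  # invalid: secret mismatch
```

Run the same classifier over the Access-Request bytes from the ethanalyzer capture to see which of the three cases the 93180 is actually producing.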
