04-18-2022 12:20 PM - last edited on 08-10-2022 01:49 PM by Paul Zimmerman
I have aaa authentication with radius to a Windows NPS server along with the Azure MFA dll extension.
This is working and I am able to log in via SSH, but it isn't working for the HTTPS/Web GUI. It will continuously prompt for user/pw on the web.
I have enabled debug for aaa and radius and it appears to accept the response from the NPS server with "Access-Accept".
I have included the config statements and output of debug below.
Config
aaa new-model
!
!
aaa group server radius NPS-Servers
 server-private 10.x.y.158 auth-port 1812 acct-port 1813 key ########################
 server-private 10.x.y.159 auth-port 1812 acct-port 1813 key ########################
!
aaa authentication login default group NPS-Servers local
aaa authorization console
aaa authorization exec default group NPS-Servers local if-authenticated
!
aaa session-id common
!
no ip http server
ip http banner
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http secure-trustpoint domain-ca
ip http session-idle-timeout 30
Debug
*Apr 18 02:47:21.888: AAA/BIND(0000000C): Bind i/f
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): Register HTTP/08194C30 64 bit counter support not configured
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): Update HTTP/08194C30
*Apr 18 02:47:21.888: AAA/ACCT/HC(0000000C): no HC HTTP/08194C30
*Apr 18 02:47:21.888: AAA/ACCT/EVENT/(0000000C): CALL START
*Apr 18 02:47:21.889: Getting session id for NET(0000000C) : db=5767FE0
*Apr 18 02:47:21.889: AAA/ACCT(00000000): add node, session 2
*Apr 18 02:47:21.889: AAA/ACCT/NET(0000000C): add, count 1
*Apr 18 02:47:21.889: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'default'
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C):Orig. component type = HTTP
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:21.889: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Apr 18 02:47:21.889: RADIUS(0000000C): Config NAS IPv6: ::
*Apr 18 02:47:21.889: Getting session id for EXEC(0000000C) : db=5767FE0
*Apr 18 02:47:21.889: RADIUS/ENCODE(0000000C): acct_session_id: 2
*Apr 18 02:47:21.889: RADIUS(0000000C): sending
*Apr 18 02:47:21.890: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:21.890: RADIUS(0000000C): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/2, len 57
*Apr 18 02:47:21.890: RADIUS: authenticator 20 A6 AE 08 54 06 AE 61 - 91 82 C9 5F 8B 96 A0 D9
*Apr 18 02:47:21.890: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:21.890: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:21.890: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:21.890: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:21.890: RADIUS(0000000C): Sending a IPv4 Radius Packet
*Apr 18 02:47:21.891: RADIUS(0000000C): Started 5 sec timeout
*Apr 18 02:47:26.124: RADIUS: Received from id 1645/2 10.x.y.158:1812, Access-Accept, len 97
*Apr 18 02:47:26.124: RADIUS: authenticator 01 3C E9 CC 92 6A 12 D4 - 1F 47 95 F3 82 6E 61 8F
*Apr 18 02:47:26.124: RADIUS: Service-Type [6] 6 Login [1]
*Apr 18 02:47:26.124: RADIUS: Class [25] 46
*Apr 18 02:47:26.125: RADIUS: 8B 2C 07 E3 00 00 01 37 00 01 02 00 0A FE FF 9E 00 00 00 00 00 00 00 00 00 00 00 00 01 D8 31 8C DC C2 86 5E 00 00 00 00 00 00 1E CC [ ,71^]
*Apr 18 02:47:26.125: RADIUS: Vendor, Cisco [26] 25
*Apr 18 02:47:26.125: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Apr 18 02:47:26.125: RADIUS(0000000C): Received from id 1645/2
*Apr 18 02:47:26.126: AAA/ACCT/HC(0000000C): Update HTTP/08194C30
*Apr 18 02:47:26.126: AAA/ACCT/HC(0000000C): no HC HTTP/08194C30
*Apr 18 02:47:26.127: AAA/ACCT/EVENT/(0000000C): CALL STOP
*Apr 18 02:47:26.127: AAA/ACCT/CALL STOP(0000000C): Sending stop requests
*Apr 18 02:47:26.127: AAA/ACCT(0000000C): Send all stops
*Apr 18 02:47:26.127: AAA/ACCT/NET(0000000C): STOP
*Apr 18 02:47:26.127: AAA/ACCT/NET(0000000C): Method list not found
*Apr 18 02:47:26.128: AAA/ACCT(0000000C): del node, session 2
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000C): free_rec, count 0
*Apr 18 02:47:26.128: /AAA/ACCTNET(0000000C) reccnt 0, csr TRUE, osr 0
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000C): Last rec in db, intf not enqueued
*Apr 18 02:47:26.128: AAA/BIND(0000000D): Bind i/f
*Apr 18 02:47:26.128: AAA/ACCT/EVENT/(0000000D): CALL START
*Apr 18 02:47:26.128: Getting session id for NET(0000000D) : db=8195B20
*Apr 18 02:47:26.128: AAA/ACCT(00000000): add node, session 3
*Apr 18 02:47:26.128: AAA/ACCT/NET(0000000D): add, count 1
*Apr 18 02:47:26.152: AAA/ACCT/EVENT/(0000000D): CALL STOP
*Apr 18 02:47:26.152: AAA/ACCT/CALL STOP(0000000D): Sending stop requests
*Apr 18 02:47:26.152: AAA/ACCT(0000000D): Send all stops
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): STOP
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): Method list not found
*Apr 18 02:47:26.152: AAA/ACCT(0000000D): del node, session 3
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): free_rec, count 0
*Apr 18 02:47:26.152: /AAA/ACCTNET(0000000D) reccnt 0, csr TRUE, osr 0
*Apr 18 02:47:26.152: AAA/ACCT/NET(0000000D): Last rec in db, intf not enqueued
*Apr 18 02:47:26.293: AAA/BIND(0000000E): Bind i/f
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): Register HTTP/08194C30 64 bit counter support not configured
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): Update HTTP/08194C30
*Apr 18 02:47:26.293: AAA/ACCT/HC(0000000E): no HC HTTP/08194C30
*Apr 18 02:47:26.293: AAA/ACCT/EVENT/(0000000E): CALL START
*Apr 18 02:47:26.293: Getting session id for NET(0000000E) : db=5767FE0
*Apr 18 02:47:26.293: AAA/ACCT(00000000): add node, session 4
*Apr 18 02:47:26.293: AAA/ACCT/NET(0000000E): add, count 1
*Apr 18 02:47:26.294: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'default'
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E):Orig. component type = HTTP
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:26.294: RADIUS(0000000E): Config NAS IP: 0.0.0.0
*Apr 18 02:47:26.294: RADIUS(0000000E): Config NAS IPv6: ::
*Apr 18 02:47:26.294: Getting session id for EXEC(0000000E) : db=5767FE0
*Apr 18 02:47:26.294: RADIUS/ENCODE(0000000E): acct_session_id: 4
*Apr 18 02:47:26.294: RADIUS(0000000E): sending
*Apr 18 02:47:26.295: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:26.295: RADIUS(0000000E): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/3, len 57
*Apr 18 02:47:26.295: RADIUS: authenticator 0D 58 56 EE E7 11 39 0C - 21 DE 4C A0 AA 49 07 BA
*Apr 18 02:47:26.295: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:26.295: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:26.295: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:26.295: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:26.295: RADIUS(0000000E): Sending a IPv4 Radius Packet
*Apr 18 02:47:26.295: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:27.559: AAA/BIND(0000000F): Bind i/f
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): Register HTTP/081B4A90 64 bit counter support not configured
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): Update HTTP/081B4A90
*Apr 18 02:47:27.559: AAA/ACCT/HC(0000000F): no HC HTTP/081B4A90
*Apr 18 02:47:27.559: AAA/ACCT/EVENT/(0000000F): CALL START
*Apr 18 02:47:27.559: Getting session id for NET(0000000F) : db=81C6780
*Apr 18 02:47:27.559: AAA/ACCT(00000000): add node, session 5
*Apr 18 02:47:27.559: AAA/ACCT/NET(0000000F): add, count 1
*Apr 18 02:47:27.559: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'default'
*Apr 18 02:47:27.562: AAA/BIND(00000010): Bind i/f
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): Register HTTP/07CF50D0 64 bit counter support not configured
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): Update HTTP/07CF50D0
*Apr 18 02:47:27.562: AAA/ACCT/HC(00000010): no HC HTTP/07CF50D0
*Apr 18 02:47:27.562: AAA/ACCT/EVENT/(00000010): CALL START
*Apr 18 02:47:27.562: Getting session id for NET(00000010) : db=81EBB10
*Apr 18 02:47:27.563: AAA/ACCT(00000000): add node, session 6
*Apr 18 02:47:27.563: AAA/ACCT/NET(00000010): add, count 1
*Apr 18 02:47:27.563: AAA/AUTHEN/LOGIN (00000010): Pick method list 'default'
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F):Orig. component type = HTTP
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.576: RADIUS(0000000F): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.576: RADIUS(0000000F): Config NAS IPv6: ::
*Apr 18 02:47:27.576: Getting session id for EXEC(0000000F) : db=81C6780
*Apr 18 02:47:27.576: RADIUS/ENCODE(0000000F): acct_session_id: 5
*Apr 18 02:47:27.576: RADIUS(0000000F): sending
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010):Orig. component type = HTTP
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.577: RADIUS(00000010): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.577: RADIUS(00000010): Config NAS IPv6: ::
*Apr 18 02:47:27.577: Getting session id for EXEC(00000010) : db=81EBB10
*Apr 18 02:47:27.577: RADIUS/ENCODE(00000010): acct_session_id: 6
*Apr 18 02:47:27.577: RADIUS(00000010): sending
*Apr 18 02:47:27.578: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.578: RADIUS(0000000F): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/4, len 57
*Apr 18 02:47:27.578: RADIUS: authenticator F5 6A 0A 9A 3E CB E2 0A - 04 B9 6D 6F 98 20 32 FD
*Apr 18 02:47:27.579: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:27.579: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:27.579: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:27.579: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:27.579: RADIUS(0000000F): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.579: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:27.579: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.579: RADIUS(00000010): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/5, len 57
*Apr 18 02:47:27.580: RADIUS: authenticator 6C 3D 66 4A 29 FD 36 9F - A1 88 EF B8 5E C9 95 4F
*Apr 18 02:47:27.580: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:27.580: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:27.580: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:27.580: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:27.580: RADIUS(00000010): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.580: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:27.583: AAA/BIND(00000011): Bind i/f
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): Register HTTP/081B56B0 64 bit counter support not configured
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): Update HTTP/081B56B0
*Apr 18 02:47:27.583: AAA/ACCT/HC(00000011): no HC HTTP/081B56B0
*Apr 18 02:47:27.583: AAA/ACCT/EVENT/(00000011): CALL START
*Apr 18 02:47:27.583: Getting session id for NET(00000011) : db=81D8BC0
*Apr 18 02:47:27.583: AAA/ACCT(00000000): add node, session 7
*Apr 18 02:47:27.583: AAA/ACCT/NET(00000011): add, count 1
*Apr 18 02:47:27.583: AAA/AUTHEN/LOGIN (00000011): Pick method list 'default'
*Apr 18 02:47:27.586: AAA/BIND(00000012): Bind i/f
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): Register HTTP/081C86A0 64 bit counter support not configured
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): Update HTTP/081C86A0
*Apr 18 02:47:27.586: AAA/ACCT/HC(00000012): no HC HTTP/081C86A0
*Apr 18 02:47:27.586: AAA/ACCT/EVENT/(00000012): CALL START
*Apr 18 02:47:27.586: Getting session id for NET(00000012) : db=81D9740
*Apr 18 02:47:27.586: AAA/ACCT(00000000): add node, session 8
*Apr 18 02:47:27.586: AAA/ACCT/NET(00000012): add, count 1
*Apr 18 02:47:27.587: AAA/AUTHEN/LOGIN (00000012): Pick method list 'default'
*Apr 18 02:47:27.587: RADIUS/ENCODE(00000011):Orig. component type = HTTP
*Apr 18 02:47:27.587: RADIUS/ENCODE(00000011): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.588: RADIUS(00000011): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.588: RADIUS(00000011): Config NAS IPv6: ::
*Apr 18 02:47:27.588: Getting session id for EXEC(00000011) : db=81D8BC0
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000011): acct_session_id: 7
*Apr 18 02:47:27.588: RADIUS(00000011): sending
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012):Orig. component type = HTTP
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.588: RADIUS(00000012): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.588: RADIUS(00000012): Config NAS IPv6: ::
*Apr 18 02:47:27.588: Getting session id for EXEC(00000012) : db=81D9740
*Apr 18 02:47:27.588: RADIUS/ENCODE(00000012): acct_session_id: 8
*Apr 18 02:47:27.588: RADIUS(00000012): sending
*Apr 18 02:47:27.591: AAA/BIND(00000013): Bind i/f
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): Register HTTP/081DB990 64 bit counter support not configured
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): Update HTTP/081DB990
*Apr 18 02:47:27.591: AAA/ACCT/HC(00000013): no HC HTTP/081DB990
*Apr 18 02:47:27.591: AAA/ACCT/EVENT/(00000013): CALL START
*Apr 18 02:47:27.591: Getting session id for NET(00000013) : db=82451D0
*Apr 18 02:47:27.591: AAA/ACCT(00000000): add node, session 9
*Apr 18 02:47:27.591: AAA/ACCT/NET(00000013): add, count 1
*Apr 18 02:47:27.591: AAA/AUTHEN/LOGIN (00000013): Pick method list 'default'
*Apr 18 02:47:27.592: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.592: RADIUS(00000011): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/6, len 57
*Apr 18 02:47:27.592: RADIUS: authenticator AD 60 46 76 5B BE EE 6B - 9E 4E EF 43 8D D9 F8 E3
*Apr 18 02:47:27.592: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:27.592: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:27.592: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:27.592: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:27.592: RADIUS(00000011): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.592: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:27.593: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.593: RADIUS(00000012): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/7, len 57
*Apr 18 02:47:27.593: RADIUS: authenticator 0B 36 1B 1B 86 24 AC 6A - 0E E8 C6 0F FE 17 FE 94
*Apr 18 02:47:27.593: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:27.593: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:27.593: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:27.593: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:27.593: RADIUS(00000012): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.593: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013):Orig. component type = HTTP
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 18 02:47:27.594: RADIUS(00000013): Config NAS IP: 0.0.0.0
*Apr 18 02:47:27.594: RADIUS(00000013): Config NAS IPv6: ::
*Apr 18 02:47:27.594: Getting session id for EXEC(00000013) : db=82451D0
*Apr 18 02:47:27.594: RADIUS/ENCODE(00000013): acct_session_id: 9
*Apr 18 02:47:27.594: RADIUS(00000013): sending
*Apr 18 02:47:27.594: RADIUS/ENCODE: Best Local IP-Address 10.a.b.13 for Radius-Server 10.x.y.158
*Apr 18 02:47:27.595: RADIUS(00000013): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/8, len 57
*Apr 18 02:47:27.595: RADIUS: authenticator 73 CB 4B 4C 32 D9 1F B9 - 1C 99 1C A7 23 D8 BD C9
*Apr 18 02:47:27.595: RADIUS: User-Name [1] 7 "test-user"
*Apr 18 02:47:27.595: RADIUS: User-Password [2] 18 *
*Apr 18 02:47:27.595: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 18 02:47:27.595: RADIUS: NAS-IP-Address [4] 6 10.a.b.13
*Apr 18 02:47:27.595: RADIUS(00000013): Sending a IPv4 Radius Packet
*Apr 18 02:47:27.596: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:31.341: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:31.341: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:31.342: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:32.629: RADIUS(0000000F): Request timed out!
*Apr 18 02:47:32.629: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:32.629: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:32.629: RADIUS(00000010): Request timed out!
*Apr 18 02:47:32.629: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:32.630: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:32.630: RADIUS(00000011): Request timed out!
*Apr 18 02:47:32.630: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:32.630: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:32.630: RADIUS(00000012): Request timed out!
*Apr 18 02:47:32.630: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:32.631: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:32.631: RADIUS(00000013): Request timed out!
*Apr 18 02:47:32.631: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:32.631: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:36.365: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:36.365: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:36.365: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:37.662: RADIUS(0000000F): Request timed out!
*Apr 18 02:47:37.662: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:37.662: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:37.662: RADIUS(00000010): Request timed out!
*Apr 18 02:47:37.662: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:37.663: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:37.663: RADIUS(00000011): Request timed out!
*Apr 18 02:47:37.663: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:37.663: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:37.663: RADIUS(00000012): Request timed out!
*Apr 18 02:47:37.663: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:37.664: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:37.664: RADIUS(00000013): Request timed out!
*Apr 18 02:47:37.664: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:37.664: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:41.383: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:41.383: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:41.384: RADIUS(0000000E): Started 5 sec timeout
*Apr 18 02:47:42.681: RADIUS(0000000F): Request timed out!
*Apr 18 02:47:42.681: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:42.681: RADIUS(0000000F): Started 5 sec timeout
*Apr 18 02:47:42.681: RADIUS(00000010): Request timed out!
*Apr 18 02:47:42.681: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/5
*Apr 18 02:47:42.682: RADIUS(00000010): Started 5 sec timeout
*Apr 18 02:47:42.682: RADIUS(00000011): Request timed out!
*Apr 18 02:47:42.682: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/6
*Apr 18 02:47:42.682: RADIUS(00000011): Started 5 sec timeout
*Apr 18 02:47:42.682: RADIUS(00000012): Request timed out!
*Apr 18 02:47:42.682: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/7
*Apr 18 02:47:42.683: RADIUS(00000012): Started 5 sec timeout
*Apr 18 02:47:42.683: RADIUS(00000013): Request timed out!
*Apr 18 02:47:42.683: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/8
*Apr 18 02:47:42.683: RADIUS(00000013): Started 5 sec timeout
*Apr 18 02:47:46.409: RADIUS(0000000E): Request timed out!
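Added example, not part of the original post: a small parser for RADIUS debug output like the above that pairs each Access-Request with its reply or retransmits by RADIUS id, and tolerates entries being run together on one line. The sample lines are excerpted from the debug above; the function and field names are assumptions of this example.

```python
import re
from datetime import datetime

# A few entries excerpted from the debug output posted above.
SAMPLE = """\
*Apr 18 02:47:21.890: RADIUS(0000000C): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/2, len 57
*Apr 18 02:47:26.124: RADIUS: Received from id 1645/2 10.x.y.158:1812, Access-Accept, len 97
*Apr 18 02:47:26.295: RADIUS(0000000E): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/3, len 57
*Apr 18 02:47:27.578: RADIUS(0000000F): Send Access-Request to 10.x.y.158:1812 onvrf(0) id 1645/4, len 57
*Apr 18 02:47:31.341: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:31.341: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
*Apr 18 02:47:32.629: RADIUS(0000000F): Request timed out!
*Apr 18 02:47:32.629: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/4
*Apr 18 02:47:36.365: RADIUS(0000000E): Request timed out!
*Apr 18 02:47:36.365: RADIUS: Retransmit to (10.x.y.158:1812,1813) for id 1645/3
"""

# Each IOS debug entry starts with "*Mon DD HH:MM:SS.mmm: "; splitting on that
# works whether entries are one per line or pasted as one long run.
ENTRY = re.compile(r"\*(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}):\s*")
SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to (\S+) .*?id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")
RETX = re.compile(r"Retransmit to \(.*?\) for id (\d+/\d+)")


def summarize(text):
    """Return one record per Access-Request, in the order they were sent."""
    parts = ENTRY.split(text)
    records, latest = [], {}  # latest: RADIUS id -> newest record (ids get reused)
    for stamp, body in zip(parts[1::2], parts[2::2]):
        # The debug timestamp has no year; a fixed one is enough for differences.
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")
        if m := SEND.search(body):
            rec = {"id": m[3], "session": m[1], "server": m[2], "sent": when,
                   "reply": None, "latency": None, "retransmits": 0}
            records.append(rec)
            latest[m[3]] = rec
        elif (m := RECV.search(body)) and m[1] in latest:
            rec = latest[m[1]]
            if rec["reply"] is None:
                rec["reply"] = m[2]
                rec["latency"] = (when - rec["sent"]).total_seconds()
        elif (m := RETX.search(body)) and m[1] in latest:
            latest[m[1]]["retransmits"] += 1
    return records


def unanswered(records):
    """RADIUS ids that were sent but never got an Access-* reply."""
    return [r["id"] for r in records if r["reply"] is None]


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        lat = "-" if r["latency"] is None else f"{r['latency']:.3f}s"
        print(f"id {r['id']} session {r['session']} -> {r['reply'] or 'no reply'} "
              f"latency {lat} retransmits {r['retransmits']}")
```

Comparing the latency of answered requests with the configured RADIUS timeout, and listing the ids that only ever retransmit, shows at a glance which HTTP sessions never received an answer.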
04-18-2022 12:38 PM
Try a local account and see if that works before you try RADIUS user authentication?
04-18-2022 12:47 PM
I used local authentication before I set up aaa and radius and it was working.
Even with local auth as a backup to radius, local auth still doesn't work.
04-18-2022 01:30 PM - edited 04-18-2022 01:35 PM
ip http authentication aaa login-authentication NPS-Servers
ip http authentication aaa exec-authorization NPS-Servers
Just try only this; what is the outcome?
also some references:
04-18-2022 10:07 PM
This didn't work because that config stanza is asking for an authentication list name. The name is default based on the config. NPS-Servers is the group of Radius Servers.
Cat1k(config)#ip http authentication aaa login-authentication NPS-Servers
Warning: Authentication list "NPS-Servers" is not defined for LOGIN.
Cat1k(config)#ip http authentication aaa exec-authorization NPS-Servers
Warning: Authorization list "NPS-Servers" is not defined for EXEC.
04-20-2022 03:54 PM
I would remove both commands and try a simple test first
ip http authentication aaa
04-18-2022 01:59 PM
Cisco works with two versions of HTTP: one is V1 and the other is V1.1.
With HTTP V1, HTTP works under the VTY.
04-18-2022 10:12 PM
This switch is V1.1 for HTTP.
Cat1k#show subsys name http
Name    Class       Version
http    Protocol    1.001.002
04-20-2022 11:28 AM
Just wanted to bump this topic as this still isn't working.
04-20-2022 11:44 AM - edited 04-20-2022 11:52 AM
ip http authentication aaa <- add this command
ip http server <- add this command
06-03-2022 02:58 AM
Hi
I have exactly the same problem. I'm working with Clearpass. I can see the Radius requests, but they are completely empty, without any attributes. Therefore I have no chance to filter these requests.
I also configured:
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
Are there any additional attributes to use?
Best regards,
Andy