AAA Default Group

dtom
Level 1

I am testing AAA on a switch. When I try to login to a switch, the Failed Attempts report shows - Unknown NAS. So, I created a group to test AAA on a switch. After the test I deleted the group and client and applied the changes. Now the Failed Attempt report shows - Authentication Failed - Default Group (not Unknown NAS). How do I remove this "test" client? Where do I find the default group?

3 Replies

Amjad Abdullah
VIP Alumni

What do you mean by a group? Device group or user group?

I suppose you use ACS version 4.x, right? Or some other RADIUS?

Unknown NAS means your device is not added to the ACS. Once you add the device to the ACS as an AAA client and you have the shared secret configured correctly in both ACS and switch, then you'll not get the unknown NAS.

Now, the user you authenticate with belongs to a specific group on the ACS, right? Just make sure the group (or the user itself) is not configured to restrict access to specific devices or device groups, and that it does not have any other restrictions (a date-time restriction, for example).

Another question: does your test user belong to a specific group? If you did not assign it to any group, it will be by default a member of the default-group (group 0).

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Sorry, here is some more information to clarify things:

1) Tried to login to a switch. The Failed Attempts Report shows - Message-Type - Unknown NAS

2) Created a test Network Device Group - Test

3) Created a test client - Test_Switch in the Test Network Device Group with the switch's IP address (that I am testing)

4) Attempted to login to the switch, success

5) Deleted the Test_Switch client

6) Deleted the Test Network Device Group

7) Attempted to login to the switch, failed

8) The Failed Attempt Report shows the following:

     Message-Type - Authen failed

     Group-Name - Default Group

     Authen Failure Code - Key Mismatch

So, my question is where is this Default Group (from report - Group-Name) and is there something I need to do to remove entries from it (test_switch)?

- Make sure the switch is available on ACS.

- Make sure the switch has the correct key configured (try reconfiguring the key on both ACS and the switch).

What the error you see means is that the key on both devices is not the same.

Change the key on the switch and ACS (under the switch entry) and let us know the results.

Rating useful replies is more useful than saying "Thank you"
