04-07-2015 12:02 AM - edited 03-10-2019 10:37 PM
Dear All,
I am trying to apply AAA configuration on a Cisco C3560E switch. The same setting is working on 16 other network switches.
The following configuration is applied on the switch:
(config)#service password-encryption
(config)#aaa new-model
(config)#aaa authorization network default group radius
(config)#username NORAD priv 15 secret dasdsadaa
(config)#aaa group server radius NPS-RADIUS-SERVERS
sw1(config-sg-radius)#server-private 192.168.1.11 auth-port 1812 acct-port 1812 key secret
sw1(config-sg-radius)#exit
sw1(config)#aaa authentication login default group NPS-RADIUS-SERVERS local
sw1(config)#aaa authorization exec default group NPS-RADIUS-SERVERS local if-authenticated
sw1(config)#aaa authorization console
Plus, this switch is added as a radius client in the radius server.
The switch can ping the radius server and vice versa.
Tried different auth-port 1645 acct-port 1646 and others, still no luck.
No log is present in the NPS server for communication between the switch and the NPS server. It is apparent that the switch is not talking to NPS (AAA); I cannot figure out the reason.
04-08-2015 02:14 PM
What interface are you using to source your Radius packets from? Make sure that:
- You can ping the Radius server while sourcing the packets from that interface
- Make sure the IP address of that interface is the IP address configured on the Radius server
Thank you for rating helpful posts!
04-08-2015 11:37 PM
The radius server can ping the switch and the switch can ping the radius server.
There are approx 40 plus other switches, and this configuration is working on them perfectly. However, on all the 3560 switches the same thing is happening.
The switches are not talking to the radius server; no logs. But the local authentication is working on all of them. But not the AAA.
Is it possible some setting in the switch is giving precedence to local authentication rather than going for AAA?
Please suggest.
04-09-2015 09:50 AM
It is strange that you are not seeing any logs... this would usually suggest that the communication is blocked by a firewall/access-list. I know that you said that ping is working, but perhaps something else is blocking the Radius ports. Have you tried to do a packet capture and see if you are seeing the Radius packets?
Also, on the switch, you can issue the show aaa servers command and see the status.
Thank you for rating helpful posts!
08-22-2016 11:22 AM
Was this issue ever resolved? I have the same problem. Configuration seems appropriate, but no packets reaching out to the configured radius server. Telnet over authorization and authentication ports 1646 and 1645 works, data passes and is logged by the firewall, but when I try to ssh to the box with the radius configuration, nothing.
08-22-2016 11:54 AM
Of course, after hours of trying/testing I figured it out after I posted the question here. The problem was that I was missing the radius server addresses after the aaa command:
aaa group server radius RADIUSSERVERGROUPNAME
server 1.1.1.1 auth-port 1645 acct-port 1646
server 2.2.2.2 auth-port 1645 acct-port 1646
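Since the thread turns on whether the switch is actually sending RADIUS traffic and whether the server answers it, here is a small host-side probe as an added example. It is not code from this thread, from Cisco IOS or from Microsoft NPS; it builds an RFC 2865 Access-Request by hand (User-Password hiding, Response Authenticator check) using only the Python standard library, so it can be run from a workstation on the same network segment as the switch to confirm that UDP 1812/1645 is open and the shared secret matches. The server address, secret, username, password and NAS-IP in the `__main__` block are constructed placeholders.

```python
"""Minimal RFC 2865 RADIUS Access-Request probe (added example, standard library only).
Shows what a NAS such as the switch sends, and how the reply is validated."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ b for c, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be random per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def sign_response(code, ident, attrs, request_authenticator, secret):
    """Build a reply the way a server does (RFC 2865 section 3), for illustration/testing."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Return (code, ident) if the Response Authenticator checks out, else None.
    A None here with a real reply almost always means the shared secret differs."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None
    return code, ident


def probe(server, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP and classify the outcome."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"  # blocked, wrong port, or server dropped an unknown client
    result = verify_response(reply, req_auth, secret)
    if result is None or result[1] != ident:
        return "bad-authenticator"  # reply arrived but the secret does not match
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(result[0], "other")


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own server, secret and NAS address.
    print(probe("192.0.2.10", 1812, b"secret", "NORAD", "Passw0rd!", "192.0.2.20"))
```

Note that RADIUS is UDP, so a successful TCP telnet to 1645/1646 does not prove the path is open; this probe exercises the actual transport. A "no-reply" is ambiguous in exactly the way the thread describes: the UDP port may be filtered, or the server may recognise neither the source IP nor the request and drop it silently, which is why pairing the probe with `show aaa servers` on the switch and a packet capture at the server is the quickest way to see which side is at fault. A "reject" or "accept" means the secret and the path are fine and the remaining problem is policy or credentials.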