07-12-2006 01:59 PM - edited 03-10-2019 02:39 PM
Hi,
I have a curious problem with RADIUS authentication. I have a 4503 with RADIUS enabled, authenticating against ACS 4.0. For now I haven't enabled dot1x. I'm testing authentication through telnet. I have an ACS 3.3 and a 4.0, and the problem happens with both.
My config is:
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.168.1.13 auth-port 1812 acct-port 1813 key 7 141F1E0C2C052938
I configured ACS correctly, following this URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml
I tried changing the RADIUS ports to 1645 and 1646 and the problem remained.
When I put in the 3550 with the same config, it works fine with the two ACS servers.
The connectivity between the ACSs and the 4503 is perfect; they are on the same network.
See the results of debug radius and debug aaa authentication in the attached file.
Thanks a lot.
07-12-2006 02:57 PM
Hello,
Based on the debug output, it sounds like a connectivity problem to 192.168.1.13. Can the 4506s ping 192.168.1.13? Do you see failed attempts in the ACS logs coming from the 4503s (if not, that means the access-request packet is not getting to ACS)?
Hope this helps! If so, please rate.
Thanks
*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:16: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 10
HT4503#
*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:21: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 15
HT4503#
*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:27: RADIUS: Tried all servers.
*Jul 12 14:52:27: RADIUS: No valid server found. Trying any viable server
*Jul 12 14:52:27: RADIUS: Tried all servers.
*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:27: AAA/MEMORY: free_user (0x175ABDD8) user='halogica' ruser='NULL' port='tty2' rem_addr='192.168.1.194' authen_type=ASCII service=LOGIN priv=1
HT4503#
*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
HT4503#
*Jul 12 14:52:36: RADIUS: Tried all servers.
*Jul 12 14:52:36: RADIUS: No valid server found. Trying any viable server
*Jul 12 14:52:36: RADIUS: Tried all servers.
*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: No response from server
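A small parser for the `debug radius` output shown in this thread, added here as an example and not part of any post: it counts retransmits per request id and lists servers that timed out without ever answering, the pattern the reply above reads as a connectivity problem. The `Received from id ...` reply-line format is an assumption, since no such line appears in the posted output.

```python
import re
from collections import defaultdict

# Subset of the debug lines posted in the thread above.
SAMPLE = """\
*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79
"""

# Timeout-side lines, in the form shown in the thread.
TIMEOUT = re.compile(r"RADIUS: (Retransmit to|No response from) "
                     r"\((\d+\.\d+\.\d+\.\d+):\d+,\d+\) for id (\d+/\d+)")
# Assumed form of a reply line; none appears in the thread's output.
REPLY = re.compile(r"RADIUS: Received from id (\d+/\d+) (\d+\.\d+\.\d+\.\d+):\d+")


def summarize(debug_text):
    """Group 'debug radius' lines by request id."""
    reqs = defaultdict(lambda: {"server": None, "retransmits": 0,
                                "timed_out": False, "answered": False})
    for line in debug_text.splitlines():
        if m := TIMEOUT.search(line):
            event, server, req_id = m.groups()
            reqs[req_id]["server"] = server
            if event == "Retransmit to":
                reqs[req_id]["retransmits"] += 1
            else:
                reqs[req_id]["timed_out"] = True
        elif m := REPLY.search(line):
            req_id, server = m.groups()
            reqs[req_id].update(server=server, answered=True)
    return dict(reqs)


def silent_servers(summary):
    """Servers that timed out at least once and never answered a request."""
    answered = {r["server"] for r in summary.values() if r["answered"]}
    timed_out = {r["server"] for r in summary.values() if r["timed_out"]}
    return sorted(timed_out - answered)


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("never answered:", silent_servers(summarize(SAMPLE)))
```

A server listed by `silent_servers` is one to check against the ACS failed-attempts log, as the reply suggests.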
07-13-2006 03:37 AM
Hector, I forgot to say that when I configured TACACS, the authentication worked fine.
I got a solution. Tomorrow at night I did the IOS upgrade of the switch. I changed version cat4000-i9s-mz.122-25.EWA4.bin to version cat4000-i9s-mz.122-25.EWA6.bin and RADIUS authentication worked.
Thanks for your response.