
AAA on 4503

rdamaso
Level 1

Hi,

I have a curious problem with RADIUS authentication. I have a 4503 with RADIUS enabled, authenticating against ACS 4.0. For now I haven't enabled dot1x. I'm testing authentication through telnet. I have an ACS 3.3 and a 4.0 and the problem happens with both.

My config is:

aaa new-model

aaa authentication login default group radius local

aaa authentication dot1x default group radius local

aaa authorization network default group radius local

aaa accounting exec default start-stop group radius

radius-server host 192.168.1.13 auth-port 1812 acct-port 1813 key 7 141F1E0C2C052938

I configured ACS correctly as per the following URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d11a4.shtml

I tried changing the RADIUS ports to 1645 and 1646 and the problem remained.

When I put the 3550 with the same config, it works fine with the two ACS servers.

The connectivity between the ACSs and the 4503 is perfect; they are on the same network.

Look at the results of debug radius and debug aaa authentication in the attached file.

Thanks a lot.


hemendoz
Cisco Employee

Hello,

Based on the debug output, it sounds like a connectivity problem to 192.168.1.13. Can the 4506s ping 192.168.1.13? Do you see failed attempts in the ACS logs coming from the 4503s (if not, that means that the access-request packet is not getting to ACS)?

Hope this helps! If so, please rate.

Thanks

*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78

*Jul 12 14:52:16: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 10

HT4503#

*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79

HT4503#

*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78

*Jul 12 14:52:21: RADIUS: acct-delay-time for 17B1C9CC (at 17B1CA33) now 15

HT4503#

*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79

HT4503#

*Jul 12 14:52:27: RADIUS: Tried all servers.

*Jul 12 14:52:27: RADIUS: No valid server found. Trying any viable server

*Jul 12 14:52:27: RADIUS: Tried all servers.

*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78

*Jul 12 14:52:27: AAA/MEMORY: free_user (0x175ABDD8) user='halogica' ruser='NULL' port='tty2' rem_addr='192.168.1.194' authen_type=ASCII service=LOGIN priv=1

HT4503#

*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79

HT4503#

*Jul 12 14:52:36: RADIUS: Tried all servers.

*Jul 12 14:52:36: RADIUS: No valid server found. Trying any viable server

*Jul 12 14:52:36: RADIUS: Tried all servers.

*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79

*Jul 12 14:52:36: RADIUS: No response from server

Hector, I forgot to say that when I configured TACACS, the authentication worked fine.

I got the solution. Tomorrow at night I did the IOS upgrade of the switch. I changed the version from cat4000-i9s-mz.122-25.EWA4.bin to version cat4000-i9s-mz.122-25.EWA6.bin and RADIUS authentication worked.

Thanks for your response.
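
Added example, not part of the thread and not Cisco tooling: a Python summary of `debug radius` output in the format quoted above, counting retransmits per request id and flagging requests that ended in "No response", which is the pattern the reply reads as the Access-Request going unanswered. The function names are hypothetical; the sample lines are copied from the debug output in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Event lines copied from the debug output quoted in this thread.
SAMPLE = """\
*Jul 12 14:52:16: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:19: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:21: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:25: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:27: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/78
*Jul 12 14:52:31: RADIUS: Retransmit to (192.168.1.13:1812,1813) for id 21645/79
*Jul 12 14:52:36: RADIUS: No response from (192.168.1.13:1812,1813) for id 21645/79
"""

EVENT = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)(?:\.\d+)?: RADIUS: "
    r"(?P<kind>Retransmit to|No response from) "
    r"\((?P<host>[\d.]+):\d+,\d+\) for id (?P<id>\d+/\d+)"
)

def summarize(text):
    """Per (server, request id): retransmit count, timeout flag, seconds observed."""
    seen = defaultdict(lambda: {"retransmits": 0, "timed_out": False, "times": []})
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # prompts, AAA/MEMORY lines, blank lines
        entry = seen[(m["host"], m["id"])]
        # The debug timestamp carries no year; 2000 is a placeholder for parsing only.
        entry["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S"))
        if m["kind"] == "Retransmit to":
            entry["retransmits"] += 1
        else:
            entry["timed_out"] = True
    return {key: {"retransmits": e["retransmits"], "timed_out": e["timed_out"],
                  "seconds": int((max(e["times"]) - min(e["times"])).total_seconds())}
            for key, e in seen.items()}

def unanswered(report):
    """Servers for which every tracked request ended in 'No response'."""
    flags = defaultdict(list)
    for (host, _), r in report.items():
        flags[host].append(r["timed_out"])
    return sorted(h for h, f in flags.items() if all(f))

if __name__ == "__main__":
    for key, r in summarize(SAMPLE).items():
        print(key, r)
    print("unanswered:", unanswered(summarize(SAMPLE)))
```

A server listed by `unanswered` never replied to any request the switch retried, so the next checks are the ones raised in the reply: reachability of the server and whether its failed-attempts log shows the requests arriving at all.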