06-29-2013 07:10 PM - edited 03-10-2019 08:36 PM
Hello!
I am troubleshooting a new 3750x stack install - everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another working stack identically but am having no love with my RADIUS. Debug radius auth showed this - any ideas?
I have tried a few things including specifying my management VLAN interface as the source for RADIUS but it did not have any effect.
I am running 15.0(2)SE on IPBASEK9-M
10:22:43: RADIUS: AAA Unsupported Attr: interface [221] 4
10:22:43: RADIUS: 74 74 [ tt]
Thanks for your help
07-02-2013 06:08 AM
Hi John,
Have a look at this.
aaa group server radius group1
 server 10.10.220.130 auth-port 182 acct-port 1813
The RADIUS authentication listens on port 1812. Try reconfiguring this as below.
aaa group server radius group1
 server 10.10.220.130 auth-port 1812 acct-port 1813
Regards
Najaf
Please rate when applicable or helpful !!!
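Added example, not part of the original thread or anyone's posted code: a small Python check that catches the mistake identified above by flagging RADIUS server lines whose ports are non-standard or disagree with another definition of the same server. It handles only the `server <ip>` and `radius-server host` syntax used in this thread; the function name, the sample config, and the shared address on the global host line are assumptions.

```python
import re

# Standard RADIUS ports (RFC 2865/2866) plus the legacy pair that classic
# IOS uses when no port is configured.
AUTH_PORTS = {1812, 1645}
ACCT_PORTS = {1813, 1646}

GROUP_RE = re.compile(r"aaa group server radius\s+(\S+)")
SERVER_RE = re.compile(
    r"(?:radius-server host|server)\s+(\S+)"
    r"(?:\s+auth-port\s+(\d+))?(?:\s+acct-port\s+(\d+))?"
)

# Constructed sample modelled on the posted config; using the same address
# on the global host line is an assumption (the thread scrubbed it).
SAMPLE = """\
aaa group server radius group1
 server 10.10.220.130 auth-port 182 acct-port 1813
aaa authentication login default group group1 local
!
radius-server host 10.10.220.130 auth-port 1812 acct-port 1813
"""


def lint_radius_ports(config):
    """Return findings for RADIUS server lines with odd or conflicting ports."""
    findings, seen, group = [], {}, None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)          # entering a server-group block
            continue
        if line.startswith("radius-server host "):
            group, where = None, "global"
        elif group and line.startswith("server "):
            where = "group " + group
        else:
            group = None                # any other line ends the block
            continue
        host, auth, acct = SERVER_RE.match(line).groups()
        auth, acct = int(auth or 1645), int(acct or 1646)
        for name, port, ok in (("auth", auth, AUTH_PORTS), ("acct", acct, ACCT_PORTS)):
            if port not in ok:
                findings.append(f"line {lineno} ({where}): {host} {name}-port {port} is non-standard")
        first = seen.setdefault(host, (auth, acct, lineno))
        if first[:2] != (auth, acct):
            findings.append(f"line {lineno} ({where}): {host} ports differ from line {first[2]}")
    return findings
```

Run against a saved `show run`, it reports the `auth-port 182` entry and the conflict with the global host line; a non-standard port is only a prompt to confirm what the server actually listens on.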
06-29-2013 10:40 PM
Hi John,
Which RADIUS server are you using? Have you added the new switch as an AAA client on your RADIUS server? Also, you need to ensure that, when copying the configuration from other devices, the RADIUS key you put in the new configuration is the actual one and not the encrypted one.
Could you please provide the output of the entire RADIUS debug?
Regards
Najaf
Please rate when applicable or helpful !!!
07-02-2013 05:58 AM
Hello - thank you for the replies and sorry for the delay
1 - Win 2k8R2 and the new client has been added to the server. I did not directly copy the config but built the new switch from scratch and just confirmed the settings match the other stack in prod.
Below is the relevant running config with some IPs scrubbed
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 3750
!
boot-start-marker
boot-end-marker
!
enable secret 4 AzOv8DBnWTvZk7TujZRsOLtF2TgDG0tElrIlbSOtolk
enable password 7 080F435C1D1C0947425C4D
!
username citjmf1 privilege 15 secret 4 5ou3p2/fFuAg1bx5ec2m4Okz4syLs3u2iDSkhU/Oe4.
username citjnc1 privilege 15 secret 4 LD86/rbfwBjQ5CiTYnoGnAH/v4ToI7qHtKnVuw31gUs
aaa new-model
!
!
aaa group server radius group1
server 10.10.220.130 auth-port 182 acct-port 1813
!
aaa authentication login default group group1 local
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
switch 1 provision ws-c3750x-48
switch 2 provision ws-c3750x-48
system mtu routing 1500
!
!
ip domain-name
ip name-server
ip name-server
vtp domain
vtp mode transparent
udld aggressive
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
!
!
!
!
port-channel load-balance src-dst-ip
!
!
!
!
!
interface Vlan555
description Management
ip address x.x.x.x 255.255.255.0
!
ip default-gateway
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
logging history informational
!
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server key 7 13201A02021E010A7A767B
!
end
Below is the output of debug radius and debug aaa authen
I have confirmed the config is correct on the RADIUS server and I see no reason for this to not work.
Log Buffer (4096 bytes):
2d21h: AAA/BIND(0000008E): Bind i/f
2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4
2d21h: RADIUS: 74 74 [ tt]
2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
2d21h: RADIUS(0000008E): Config NAS IPv6: ::
2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
2d21h: RADIUS(0000008E): sending
2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4
2d21h: RADIUS: 74 74 [ tt]
2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
2d21h: RADIUS(0000008E): Config NAS IPv6: ::
2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
2d21h: RADIUS(0000008E): sending
2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
2d21h: AAA/MEMORY: create_user (0x3E3C4D0) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
2d21h: AAA/AUTHEN/START (4180928019): port='tty1' list='' action=LOGIN service=ENABLE
2d21h: AAA/AUTHEN/START (4180928019): console enable - default to enable password (if any)
2d21h: AAA/AUTHEN/START (4180928019): Method=ENABLE
2d21h: AAA/AUTHEN (4180928019): status = GETPASS
2d21h: AAA/AUTHEN/CONT (4180928019): continue_login (user='(undef)')
2d21h: AAA/AUTHEN (4180928019): status = GETPASS
2d21h: AAA/AUTHEN/CONT (4180928019): Method=ENABLE
2d21h: AAA/AUTHEN(4180928019): password incorrect
2d21h: AAA/AUTHEN (4180928019): status = FAIL
2d21h: AAA/MEMORY: free_user (0x3E3C4D0) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
2d21h: AAA/MEMORY: create_user (0x7AF0A24) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
2d21h: AAA/AUTHEN/START (3135930977): port='tty1' list='' action=LOGIN service=ENABLE
2d21h: AAA/AUTHEN/START (3135930977): console enable - default to enable password (if any)
2d21h: AAA/AUTHEN/START (3135930977): Method=ENABLE
2d21h: AAA/AUTHEN (3135930977): status = GETPASS
2d21h: AAA/AUTHEN/CONT (3135930977): continue_login (user='(undef)')
2d21h: AAA/AUTHEN (3135930977): status = GETPASS
2d21h: AAA/AUTHEN/CONT (3135930977): Method=ENABLE
2d21h: AAA/AUTHEN (3135930977): status = PASS
2d21h: AAA/MEMORY: free_user (0x7AF0A24) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
I see I am not getting a response from my Radius server
07-02-2013 06:07 AM
Are you able to ping the RADIUS server? If yes, do check if the shared secret is correct on the 3750 and the RADIUS server.
Also, what is the aaa client you've added on the radius server?
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 06:19 AM
Wow - type error kills me again - great eyes and thanks so much for the quick response!
06-30-2013 02:23 AM
I'd like to see a few things:
1.] show run from the switch
2.] Following debugs:
- debug aaa authen
- debug radius
3.] Are you seeing any hits on the radius server?
~BR
Jatin Katyal
**Do rate helpful posts**