Solved: AAA RADIUS 3750x

john_capobianco · ‎06-29-2013

Hello!

I am troubleshooting a new 3750x stack install - everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another working stack identically but am having no love with my RADIUS. Debug radius auth showed this - any ideas?

I have tried a few things including specifying my management VLAN interface as the source for RADIUS but it did not have any effect.

I am running 15.0(2)SE on IPBASEK9-M

10:22:43: RADIUS: AAA Unsupported Attr: interface [221] 4

10:22:43: RADIUS: 74 74 [ tt]

Thanks for your help

kcnajaf · ‎07-02-2013

HI John,

Have a look at this.

aaa group server radius group1

server 10.10.220.130 auth-port 182 acct-port 1813

The Radius authehtication listen on port 1812. Try reconfiguring this as below.

aaa group server radius group1

server 10.10.220.130 auth-port 1812 acct-port 1813

Regards

Najaf

Please rate when applicable or helpful !!!

View solution in original post

kcnajaf · ‎06-29-2013

Hi John,

Which Radius server are you using? Have you added the new switch as aaa client on your radius server? Also you need to ensure that while copying the configuration from other devices the radius key which you are putting on the new configuration is the actual one and not the encrypted one.

Could you please provide the out of entire radius debug?

Regards

Najaf

Please rate when applicable or helpful !!!

john_capobianco · ‎07-02-2013

Hello - thank you for the replies and sorry for the delay

1 - Win 2k8R2 and the new client has been added to the server. I did not directly copy the config but build the new switch from scratch and just confirmed the settings match the other stack in prod.

Below is the relevant running config with some IPs scrubbed

version 15.0

no service pad

service timestamps debug uptime

service timestamps log datetime msec localtime

service password-encryption

!

hostname 3750

!

boot-start-marker

boot-end-marker

!

enable secret 4 AzOv8DBnWTvZk7TujZRsOLtF2TgDG0tElrIlbSOtolk

enable password 7 080F435C1D1C0947425C4D

!

username citjmf1 privilege 15 secret 4 5ou3p2/fFuAg1bx5ec2m4Okz4syLs3u2iDSkhU/Oe4.

username citjnc1 privilege 15 secret 4 LD86/rbfwBjQ5CiTYnoGnAH/v4ToI7qHtKnVuw31gUs

aaa new-model

!

aaa group server radius group1

server 10.10.220.130 auth-port 182 acct-port 1813

!

aaa authentication login default group group1 local

!

aaa session-id common

clock timezone EST -5 0

clock summer-time EDT recurring

switch 1 provision ws-c3750x-48

switch 2 provision ws-c3750x-48

system mtu routing 1500

!

ip domain-name

ip name-server

vtp domain

vtp mode transparent

udld aggressive

!

spanning-tree mode rapid-pvst

spanning-tree loopguard default

spanning-tree extend system-id

!

port-channel load-balance src-dst-ip

!

interface Vlan555

description Management

ip address x.x.x.x 255.255.255.0

!

ip default-gateway

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 x.x.x.x

!

logging history informational

!

radius-server host x.x.x.x auth-port 1812 acct-port 1813

radius-server key 7 13201A02021E010A7A767B

!

end

Below is the output of debug radius and debug aaa authen

I have confirmed the config is correct on the RADIUS server and I see no reason for this to not work.

Log Buffer (4096 bytes):

2d21h: AAA/BIND(0000008E): Bind i/f

2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'

2d21h: RADIUS/ENCODE(0000008E): ask "Password: "

2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD

2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec

2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4

2d21h: RADIUS: 74 74 [ tt]

2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0

2d21h: RADIUS(0000008E): Config NAS IPv6: ::

2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132

2d21h: RADIUS(0000008E): sending

2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL

2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'

2d21h: RADIUS/ENCODE(0000008E): ask "Password: "

2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD

2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec

2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4

2d21h: RADIUS: 74 74 [ tt]

2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0

2d21h: RADIUS(0000008E): Config NAS IPv6: ::

2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132

2d21h: RADIUS(0000008E): sending

2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL

2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

2d21h: AAA: parse name=tty1 idb type=-1 tty=-1

2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0

2d21h: AAA/MEMORY: create_user (0x3E3C4D0) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

2d21h: AAA/AUTHEN/START (4180928019): port='tty1' list='' action=LOGIN service=ENABLE

2d21h: AAA/AUTHEN/START (4180928019): console enable - default to enable password (if any)

2d21h: AAA/AUTHEN/START (4180928019): Method=ENABLE

2d21h: AAA/AUTHEN (4180928019): status = GETPASS

2d21h: AAA/AUTHEN/CONT (4180928019): continue_login (user='(undef)')

2d21h: AAA/AUTHEN (4180928019): status = GETPASS

2d21h: AAA/AUTHEN/CONT (4180928019): Method=ENABLE

2d21h: AAA/AUTHEN(4180928019): password incorrect

2d21h: AAA/AUTHEN (4180928019): status = FAIL

2d21h: AAA/MEMORY: free_user (0x3E3C4D0) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

2d21h: AAA: parse name=tty1 idb type=-1 tty=-1

2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0

2d21h: AAA/MEMORY: create_user (0x7AF0A24) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

2d21h: AAA/AUTHEN/START (3135930977): port='tty1' list='' action=LOGIN service=ENABLE

2d21h: AAA/AUTHEN/START (3135930977): console enable - default to enable password (if any)

2d21h: AAA/AUTHEN/START (3135930977): Method=ENABLE

2d21h: AAA/AUTHEN (3135930977): status = GETPASS

2d21h: AAA/AUTHEN/CONT (3135930977): continue_login (user='(undef)')

2d21h: AAA/AUTHEN (3135930977): status = GETPASS

2d21h: AAA/AUTHEN/CONT (3135930977): Method=ENABLE

2d21h: AAA/AUTHEN (3135930977): status = PASS

2d21h: AAA/MEMORY: free_user (0x7AF0A24) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

I see I am not getting a response from my Radius server

Jatin Katyal · ‎07-02-2013

Are you able to ping the radius server? If yes, Do check if the shared secret is correct on the 3750 and radius server.

Also, what is the aaa client you've added on the radius server?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

john_capobianco · ‎07-02-2013

Wow - type error kills me again - great eyes and thanks so much for the quick response!

kcnajaf · ‎07-02-2013

HI John,

Have a look at this.

aaa group server radius group1

server 10.10.220.130 auth-port 182 acct-port 1813

The Radius authehtication listen on port 1812. Try reconfiguring this as below.

aaa group server radius group1

server 10.10.220.130 auth-port 1812 acct-port 1813

Regards

Najaf

Please rate when applicable or helpful !!!

Jatin Katyal · ‎06-30-2013

I'd like to see few things:

1.] show run from the switch

2.] Following debugs:

- debug aaa authen

- debug radius

3.] Are you seeing any hits on the radius server?

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin