martlee2
Cisco Employee

%backup authentication error, cannot log in with telnet after setting up Windows Server 2008 R2 as RADIUS server

Following from

http://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/

In the network policy I set the user group as Domain Computers.

When running on the 3550:

1. Cannot use the command "crypto key generate rsa"

2. Cannot use the command "ip ssh version 2"

a. When using AAA, is it necessary to use SSH?

b. How do I log in successfully with AAA?

c. Is the radius-server key the Windows Server 2008 administrator's password? If not, what is its password?


conf t
aaa new-model
username radiusclient secret cisco
line vty 0 4
transport input telnet
exit
line vty 5 15
transport input telnet
exit
ip domain-name radius1.local
radius-server host 192.168.38.213
radius-server key IsItWindowServer2008Password?
aaa group server radius NPSSERVER
server 192.168.38.213
exit
aaa authentication login default group NPSSERVER local
aaa authorization exec default group NPSSERVER local
exit

7 Replies
Kanwaljeet Singh
Cisco Employee

Hi,

You would need to configure the command "login authentication default" under line vty, and your telnet request would be authenticated against the RADIUS server.

line vty 0 4
 login authentication default
 transport input telnet


Please have a look at the link below for details about the configuration:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swauthen.html#wp1044243


Regards,

Kanwal

Note: Please mark answers if they are helpful.

Let me try again tonight.


Hi,

Can we see what is the reason for access denied on the RADIUS server logs? That should give us a reason for the rejection.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

https://drive.google.com/file/d/0B2PgRKgeBo5ZVGZNT1pVblRJY0U/view?usp=sharing

Here is the log:


router1#debug aaa accounting
AAA Accounting debugging is on
router1#
*Mar  6 23:26:10.563: AAA/ACCT/EVENT/(00000006): CALL START
*Mar  6 23:26:10.563: Getting session id for NET(00000006) : db=66D14C78
*Mar  6 23:26:10.563: AAA/ACCT(00000000): add node, session 4
*Mar  6 23:26:10.567: AAA/ACCT/NET(00000006): add, count 1
*Mar  6 23:26:10.567: Getting session id for NONE(00000006) : db=66D14C78
router1#
*Mar  6 23:26:18.627: Getting session id for EXEC(00000006) : db=66D14C78
router1#debug aaa authentication
AAA Authentication debugging is on
router1#
*Mar  6 23:53:04.123: Getting session id for EXEC(0000000B) : db=66BB7588
router1#
*Mar  6 23:53:06.151: AAA/ACCT/EVENT/(0000000B): EXEC DOWN
router1#
*Mar  6 23:53:08.159: AAA/ACCT/EVENT/(0000000B): CALL STOP
*Mar  6 23:53:08.159: AAA/ACCT/CALL STOP(0000000B): Sending stop requests
*Mar  6 23:53:08.159: AAA/ACCT(0000000B): Send all stops
*Mar  6 23:53:08.159: AAA/ACCT/NET(0000000B): STOP
*Mar  6 23:53:08.163: AAA/ACCT/NET(0000000B): Method list not found
*Mar  6 23:53:08.163: AAA/ACCT(0000000B): del node, session 9
*Mar  6 23:53:08.163: AAA/ACCT/NET(0000000B): free_rec, count 0
*Mar  6 23:53:08.163: AAA/ACCT/NET(0000000B) reccnt 0, csr TRUE, osr 0
*Mar  6 23:53:08.167: AAA/ACCT/NET(0000000B): Last rec in db, intf not enqueued
router1#

Event ID 6273 in the security log:

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: NULL SID
Account Name: rra
Account Domain: RADIUS1
Fully Qualified Account Name: RADIUS1\rra
 
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 192.168.2.5
 
NAS:
NAS IPv4 Address: 192.168.2.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual 
NAS Port: 2
 
RADIUS Client:
Client Friendly Name: rra
Client IP Address: 192.168.2.1
 
Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows 
Authentication Server: WIN-928S1R8NPBE.radius1.local
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 16
Reason: Authentication was not successful because an unknown user name or incorrect password was used. 

In the real environment, logging in using the 3550:

There is no entry in the security log,

but there is an entry in the system log:

A RADIUS message was received from RADIUS client 192.168.3.111 with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.

Then I try again:

still the backup authentication error.

The whole security log is empty on the Windows Server 2008 R2 virtual machine in the production environment (not GNS3).

Kanwaljeet Singh
Cisco Employee

Hi,

Actually, I tried here in my lab and I am able to authenticate successfully without that command as well. What is the failure reason you are getting on RADIUS?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Kanwaljeet Singh
Cisco Employee

Hi,

To answer your questions:

No, AAA is not just for SSH.

The RADIUS key should be the same on the router as well as on your RADIUS server when you create the device there. It has nothing to do with the Windows admin password.

The above configuration looks fine. We need to see why your request is being denied by RADIUS.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
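The two NPS messages in this thread (the system-log "invalid authenticator" and security-log event 6273 with reason 16) correspond to two different uses of the shared secret in a PAP Access-Request: a keyed authenticator NPS can verify (modelled here as the Message-Authenticator attribute, RFC 2869), and the User-Password obfuscation (RFC 2865), which cannot be verified and simply decodes to garbage under the wrong key. The following is an added example, not code from the thread, Cisco, or Microsoft; all values (`nas_secret`, `nps_secret`, `REQ_AUTH`, passwords) are constructed placeholders.

```python
import hashlib
import hmac


def pap_obfuscate(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: User-Password = password XOR MD5(secret + authenticator),
    chained per 16-byte block. There is no integrity check in this step."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(obfuscated: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of pap_obfuscate; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(obfuscated), 16):
        key = hashlib.md5(secret + prev).digest()
        block = obfuscated[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def message_authenticator(body: bytes, secret: bytes) -> bytes:
    """RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the packet
    (the attribute's own 16 bytes are zeroed; here the body is passed pre-zeroed)."""
    return hmac.new(secret, body, hashlib.md5).digest()


def nps_outcome(sent_pw, stored_pw, nas_secret, nps_secret, req_auth, with_msg_auth=True):
    """Model which NPS log line a PAP Access-Request produces, given the secret the
    NAS used (radius-server key) and the secret NPS holds for that RADIUS client."""
    obf = pap_obfuscate(sent_pw, nas_secret, req_auth)
    body = req_auth + obf                      # simplified packet body
    if with_msg_auth:
        expected = message_authenticator(body, nps_secret)
        if not hmac.compare_digest(message_authenticator(body, nas_secret), expected):
            return "system log: invalid authenticator (mismatched shared secrets)"
    if pap_reveal(obf, nps_secret, req_auth) != stored_pw:
        return "security log 6273, reason 16: unknown user name or incorrect password"
    return "Access-Accept"


# Constructed value; in real traffic the NAS picks a random Request Authenticator.
REQ_AUTH = bytes(range(16))
```

With matching secrets only a genuinely wrong password reaches reason 16; with mismatched secrets the outcome depends on whether the request carries a verifiable authenticator, which is why the GNS3 lab and the production 3550 logged different things.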
