08-22-2019 04:32 PM
Hi there
I have a new C2960X that we are replacing a couple old ones with.
I cannot get RADIUS working. Yes, the switch can ping the RADIUS server. I took out the key, but it is there.
HELP
I have it programmed like this
aaa new-model
!
!
aaa group server radius RADIUS_AUTH
!
aaa authentication login networkaccess group RADIUS_AUTH local enable
aaa authorization exec default group RADIUS_AUTH local if-authenticated
!
radius server RADIUS_AUTH
 address ipv4 172.20.253.222 auth-port 1812 acct-port 1813
 key 7 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD
line con 0
 exec-timeout 0 0
line vty 0 4
 access-class 99 in
 exec-timeout 0 0
 password 7 09584B051A0403
 login authentication networkaccess
 length 0
 transport input ssh
line vty 5 15
 access-class 99 in
 exec-timeout 0 0
 password 7 09584B051A0403
 login authentication networkaccess
 transport input ssh
crypto key gener rsa
What I get is
login as: xxxxxxx
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
08-25-2019 08:37 PM
Hi @Steveosh72
You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct :-)
I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices
It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:
The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.