C2960X error Radius through SSH

Steveosh72
Level 1

Hi there

 

I have a new C2960X that we are replacing a couple old ones with.

I cannot get RADIUS working. Yes, the switch can ping the RADIUS server. I took out the key, but it is there.

 

HELP

 

I have it programmed like this

aaa new-model
!
!
aaa group server radius RADIUS_AUTH
!
aaa authentication login networkaccess group RADIUS_AUTH local enable
aaa authorization exec default group RADIUS_AUTH local if-authenticated


!
radius server RADIUS_AUTH
address ipv4 172.20.253.222 auth-port 1812 acct-port 1813
key 7 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD


line con 0
exec-timeout 0 0
line vty 0 4
access-class 99 in
exec-timeout 0 0
password 7 09584B051A0403
login authentication networkaccess
length 0
transport input ssh
line vty 5 15
access-class 99 in
exec-timeout 0 0
password 7 09584B051A0403
login authentication networkaccess
transport input ssh


crypto key gener rsa

 

 

 

What I get is:

 

login as: xxxxxxx
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

 

Accepted Solutions

Arne Bier
VIP

Hi @Steveosh72 

 

You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct :-)

 

I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices

 

It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:

 

RADIUS.PNG

 

The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.
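
What "PAP" means on the wire for a login like the one in this thread, as an added example that is not part of the original posts: the device sends the password in the RADIUS User-Password attribute, hidden with the shared key as RFC 2865 section 5.2 describes, and a server classifies the request by which credential attribute it carries. The user name, password, key and NAS address are constructed sample values.

```python
import hashlib
import os
import struct
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP, EAP_MESSAGE = 1, 2, 3, 4, 79

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    fields = ((USER_NAME, user), (USER_PASSWORD, hidden), (NAS_IP, bytes(nas_ip)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in fields)
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet):
    """Return (authenticator, {type: value}); reject truncated attributes."""
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    attrs, pos = {}, 20
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[4:20], attrs

def auth_protocol(attrs):
    """EAP-Message -> EAP, CHAP-Password -> CHAP, User-Password -> PAP."""
    names = {EAP_MESSAGE: "EAP", CHAP_PASSWORD: "CHAP", USER_PASSWORD: "PAP"}
    return next((n for t, n in names.items() if t in attrs), "unknown")

# Constructed sample values, not taken from the thread.
SAMPLE = build_access_request(b"netadmin", b"Example-Pass-123", b"example-key", [192, 0, 2, 10])
```

A server whose key differs from the device's recovers a different string from the same User-Password attribute, so the comparison against the stored credential fails.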

 
