Having trouble configuring RADIUS on a 3750X switch.

Mogwai
Level 1

Been at this for the better part of a morning and I keep running into issues. I believe it's a small issue (or two), but I'm not 100% sure.

I'm attempting to configure RADIUS authentication on a few new 3750X switches that I installed earlier in the year. I have plans to do the router later in the year also. We have two NPS servers as our AAA servers, 10.8.60.200 and .201, and I've already set up the NPS client settings on the mirrored NPS/AAA servers for this new switch.

 I currently have the switch using local creds. When I set up the switch I go through the following process. 

conf t

(config)aaa new-model

(config)aaa group server radius TEST

(config-sg-radius)server RAD01 [Tests OK]

(config-sg-radius)server RAD02 [Tests OK]

This is where I think I'm having the issue, as when I "?" at this level I see the following options:

CEN-IDF6-3750X(config-sg-radius)#?
RADIUS Server-group commands:
accounting -- Specify a RADIUS attribute filter for accounting
attribute -- Customize selected radius attributes
authorization -- Specify a RADIUS attribute filter for authorization
backoff -- Retry backoff pattern (Default is retransmits with constant delay)
cache -- cached DB profile configuration
deadtime -- Specify time in minutes to ignore an unresponsive server
default -- Set a command to its defaults
exit -- Exit from RADIUS server-group configuration mode
ip -- Internet Protocol config commands
load-balance -- Server group load-balancing options.
no -- Negate a command or set its defaults
server -- Specify a RADIUS server
server-private -- Define a private RADIUS server (per group)
 

All the info I see online at this point references setting up the secret key, or "address ipv4 x.x.x.x. auth-port acct-port."  I'm not sure if I'm just doing something out of order or at the incorrect level, but I can't get the rest to work. 

7 Replies

@Mogwai you don't configure the IP address or shared secret under the radius server group. You must define the AAA server object(s) separately and then reference those objects in the RADIUS server group. Example:

radius server AAA-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
radius server AAA-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name AAA-1
server name AAA-2  

 HTH

@Rob Ingram Gotcha, so I think I see what you're saying, but when I tried this I ran into another hiccup, but I think I see the way around it...


radius server AAA-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX

Just to make sure this is under the 'conf t' level?

@Mogwai correct, you must configure those commands under "conf t"

FYI, the automate-tester commands are optional to confirm the RADIUS server is alive and not mandatory.

@Rob Ingram So, another question if you don't mind. As when I go under 'conf t' to setup the radius servers, I run the 1st command 'radius-server host RAD01', it translates & sees the server fine, but then the switch level doesn't change? It still stays at the config level?  From my understanding shouldn't I now be moved to different level in order to configure the IP/ports/key for the server? 

If I just run 'address ipv4 10.8.60.216 auth-port 1645 acct-port 1646' it takes the command, how can I confirm that it applied those to the correct RAD server?

@Mogwai you appear to be using a different command than provided previously. The command example previously provided is the newer command syntax; it could be your 3750-X is so old it does not support that command. On older IOS versions you define the RADIUS host and key in one command, and the commands are not nested; this method is deprecated on newer versions.

CURRENT SYNTAX

3560(config)#radius server AAA-1
3560(config-radius-server)#address ipv4 192.168.10.12 auth-port 1812 acct-port 1813
3560(config-radius-server)#key Cisco1234

OLD SYNTAX

3560(config)#radius-server host 192.168.10.12 key Cisco1234
Warning: The CLI will be deprecated soon
'radius-server host 192.168.10.12 key Cisco1234'
Please move to 'radius server <name>' CLI.

Use whichever method your software image supports; the result is the same.

Awesome & thanks for the clarification, I'll take a look at upgrading them & then another crack at the radius!

Don't be confused, I will explain what you see.

The ip command under the server group is mainly used to configure the source of RADIUS traffic; it is not used for the server IP.

The key under the server group overrides what you configure under the server.

What you need is to configure the server with its IP and key and an optional port.

Then use this server under the server group.

i.e.

radius server radius-1
address ipv4 x.x.x.x
key XXXXXXXX

 

aaa group server radius Radius-group
server name radius-1

MHM
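Putting the two replies above together (named server objects from Rob Ingram's answer, group-level source interface and key precedence from MHM's), here is a complete working configuration as an added example. It is not configuration from the original thread. It uses the poster's NPS addresses 10.8.60.200 and .201 and the group name TEST from the question; the shared secret, the management SVI Vlan60, the timer values, the local fallback username and the local passwords are placeholders you must replace. Ports 1812/1813 are the IANA RADIUS ports; NPS listens on both those and the legacy 1645/1646 by default, so either pair works as long as it matches what NPS is configured to use.

```cisco
! Enable the AAA subsystem (the original poster has already done this).
aaa new-model
!
! Define each NPS server as a named object. The address, ports and shared
! secret belong here, not under the server group. The key and the timer
! values below are placeholders/assumptions.
radius server RAD01
 address ipv4 10.8.60.200 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
 timeout 3
 retransmit 2
!
radius server RAD02
 address ipv4 10.8.60.201 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
 timeout 3
 retransmit 2
!
! The group only references the named servers. "ip radius source-interface"
! sets the address the switch sends RADIUS from, which must be the address
! entered in the NPS client entry; Vlan60 is an assumed management SVI.
! "deadtime" skips a server that stopped answering for 10 minutes.
aaa group server radius TEST
 server name RAD01
 server name RAD02
 ip radius source-interface Vlan60
 deadtime 10
!
! Use the group for login and exec authorization, with "local" as the
! fallback method so a RADIUS outage or a mistyped shared secret does not
! lock you out. Accounting records exec sessions to the same servers.
aaa authentication login default group TEST local
aaa authorization exec default group TEST local if-authenticated
aaa accounting exec default start-stop group TEST
!
! Local fallback account and enable secret (assumed names/values).
username admin privilege 15 secret CHANGE-ME-LOCAL-PASSWORD
enable secret CHANGE-ME-ENABLE-SECRET
!
line vty 0 15
 login authentication default
 transport input ssh
```

Apply this from a console session and keep it open until you have logged in over SSH with a RADIUS account. To confirm the addresses and ports landed on the right server object, use `show aaa servers` and `show radius server-group all`; to exercise the group end to end without opening a new session, use `test aaa group TEST <username> <password> new-code`, and `debug radius` on the switch together with the NPS event log if the test fails. A "Reject" that shows up in the switch debug but never appears in the NPS log almost always means the shared secret or the client source address does not match the NPS client entry.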