12-21-2005 02:48 AM - edited 03-10-2019 02:24 PM
Hi there,
I am trying to test 802.1x to work for my network using a Catalyst 3550 and Microsoft IAS on a Windows 2000 server. Computers authenticating on the network work just fine. However, I am unable to get RADIUS authentication to work when accessing the VTY. Here's the AAA and RADIUS configuration of my switch:
aaa new-model
aaa authentication login default group radius local-case
aaa authentication login if_needed local-case
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
radius-server host 10.17.224.1 auth-port 1812 acct-port 1813 key obviously_not_this_key
radius-server retransmit 3
!
line con 0
login authentication if_needed
line vty 0 4
exec-timeout 0 0
I also can't find any failed authentication requests in the log files of the IAS server. I have verified the switch is sending out requests, so that's not the problem. The problem is the IAS server not being bothered to do anything with those requests and I don't know why.
I would be very grateful if anyone can help me with this.
12-21-2005 05:21 AM
You need to use TACACS+ to access the switch via VTY, otherwise use a local username and password.
12-23-2005 06:04 AM
Is there some reason that you think that Radius would not work to authenticate access to the VTY of the switch? I believe that either Radius or TACACS is able to do this.
I wonder if the issue is communication between the switch and the Radius server or is something in the setup of the Radius server. I assume from the original post that Simon is testing with telnet to the VTY (not via console), that he has verified that the switch is actually sending the Radius authentication request. But the request is not being processed by the server. If that is not true then please clarify.
I would suggest that the first step is to verify that the address configured on the switch is the correct address for the Radius server. Assuming that it is, then I suggest demonstrating IP connectivity (probably ping is the easy way to demonstrate this). Assuming that IP connectivity is not the issue then I suggest that the next thing is to check some things on the server. Can you verify that the server is running the Radius daemon and that it is listening for Radius requests on port 1812? (When I set up IOS devices to authenticate with Radius they are using port 1645.)
If the Radius daemon is running and is listening for port 1812 then perhaps the other possibility to check for is the possibility that there is a filter or access list somewhere that is not permitting either the request or the response to go through.
HTH
Rick
12-24-2005 05:32 AM
Hello Simon,
Based on what you are saying, 802.1x is working fine but not the login, and also the switch is forwarding the request but gets no response from the IAS server. If that's the right assumption, then I think the problem is with the IAS. If you can share the following debug output we can comment on this:
debug radius
debug aaa authen
As the radius takes care of authen/author in the same packet, my suggestion would be to remove the following line from the config:
aaa authorization exec default group radius if-authenticated
Also please check to see what dictionary did you use for the 802.1x for the switch as AAA client.
Thanks,
Mynul Hoda
CISSP, CCIE # 9159
Author: Cisco Network Security Troubleshooting - http://www.ciscopress.com/title/1587051893
12-28-2005 05:14 AM
Hello all,
Thank you for your responses. Mynul is correct, 802.1x for authenticating computers works, but using it for authenticating login access fails. I have checked that the switch is forwarding the RADIUS requests, so that's not the problem. Here's the output from the debug commands:
*Mar 6 23:12:50: AAA: parse name=tty3 idb type=-1 tty=-1
*Mar 6 23:12:50: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
*Mar 6 23:12:50: AAA/MEMORY: create_user (0x15929B8) user='NULL' ruser='NULL' ds0=0 port='tty3' rem_addr='10.16.222.13' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): port='tty3' list='' action=LOGIN service=LOGIN
*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): using "default" list
*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): Method=radius (radius)
*Mar 6 23:12:50: AAA/AUTHEN (1954730523): status = GETUSER
*Mar 6 23:12:53: AAA/AUTHEN/CONT (1954730523): continue_login (user='(undef)')
*Mar 6 23:12:53: AAA/AUTHEN (1954730523): status = GETUSER
*Mar 6 23:12:53: AAA/AUTHEN (1954730523): Method=radius (radius)
*Mar 6 23:12:53: AAA/AUTHEN (1954730523): status = GETPASS
*Mar 6 23:12:55: AAA/AUTHEN/CONT (1954730523): continue_login (user='xxxxxx')
*Mar 6 23:12:55: AAA/AUTHEN (1954730523): status = GETPASS
*Mar 6 23:12:55: AAA/AUTHEN (1954730523): Method=radius (radius)
*Mar 6 23:12:55: RADIUS: Pick NAS IP for u=0x15929B8 tableid=0 cfg_addr=0.0.0.0
*Mar 6 23:12:55: RADIUS: ustruct sharecount=1
*Mar 6 23:12:55: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 6 23:12:55: RADIUS(00000000): Send Access-Request to 10.17.224.1:1812 id 1645/220, len 75
*Mar 6 23:12:55: RADIUS: authenticator 42 B6 BB 25 2E 45 38 56 - FB D5 3E B4 D7 AA 6F B0
*Mar 6 23:12:55: RADIUS: NAS-IP-Address [4] 6 10.16.240.203
*Mar 6 23:12:55: RADIUS: NAS-Port [5] 6 3
*Mar 6 23:12:55: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 6 23:12:55: RADIUS: User-Name [1] 5 "xxxxx"
*Mar 6 23:12:55: RADIUS: Calling-Station-Id [31] 14 "10.16.222.13"
*Mar 6 23:12:55: RADIUS: User-Password [2] 18 *
*Mar 6 23:13:01: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220
*Mar 6 23:13:07: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220
*Mar 6 23:13:12: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220
*Mar 6 23:13:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.17.224.1:1812,1813 is not responding.
*Mar 6 23:13:18: RADIUS: Tried all servers.
*Mar 6 23:13:18: RADIUS: No valid server found. Trying any viable server
*Mar 6 23:13:18: RADIUS: Tried all servers.
*Mar 6 23:13:18: RADIUS: No response from (10.17.224.1:1812,1813) for id 1645/220
*Mar 6 23:13:18: RADIUS: No response from server
*Mar 6 23:13:18: AAA/AUTHEN (1954730523): status = ERROR
*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): port='tty3' list='' action=LOGIN service=LOGIN
*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): Restart
*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): Method=LOCALCASE
*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = GETPASS
*Mar 6 23:13:18: AAA/AUTHEN/CONT (3454497188): continue_login (user='xxxxx')
*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = GETPASS
*Mar 6 23:13:18: AAA/AUTHEN/CONT (3454497188): Method=LOCALCASE
*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = PASS
You can see the request just times out, then switches to local-case method (the back-up method).
If you mean which EAP type by 802.1x dictionary, I used the default. I assumed this is EAP-MD5 or PAP or something like that, but I couldn't verify this. It might be the problem; do you know which EAP type switches use for this kind of thing?
Lots of thanks,
Simon Bijman
12-28-2005 07:06 AM
Hi
Please, I need the router to be configured to use TACACS+ for all user authentications.
Do you know how to implement this?
I defined a new user on the AAA server, Cisco Secure ACS ver 3.3.
I defined these commands on the router:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
tacacs-server host xxx.xxx.xxx.xxx key xxx
but when I telnet to the router and enter the username and password, it sends me the error:
access denied.
Why?
12-28-2005 12:31 PM
I would suggest at least one change in the config that you posted instead of this line:
aaa authorization exec default group tacacs+ none
I would suggest that you configure this:
aaa authorization exec default group tacacs+ enable
but that change would not explain the problem that you are describing.
There are a few questions which will help find what the problem is.
1) Are you sure that the tacacs-server host that is configured is correct?
2) Are you sure that the key configured for the tacacs host is correct (in my experience this is frequently the problem)?
3) Are you sure that the tacacs server is configured to process for this router (and is configured for the correct address that this router will be using)?
4) Are you sure that the tacacs server has configured the user ID and password that you are using to attempt to login to the router?
5) Are there entries in the tacacs server failed attempts report that show the attempts to login from this router? (If there are entries in the failed attempts report, they should indicate what the problem is.)
If answering these questions does not solve the problem then I would suggest that you run debug tacacs authentication on the router, attempt to login again, and post the debug output.
HTH
Rick