Solved: Isse while authenticating to a switch via RADIUS

Mad Max · ‎04-21-2020

Hello Everyone

I have at home for learning purpose an ISE installation together + a Cisco Catalyst 2960-x.

I did not work on these devices for the past few days... so I didnt changed anything.

Today I started the LAB again, and when I wanted to connect through SSH to my switch I get an access denied message.

ISE

The Access-Request for the requested RADIUS is missing

On the switch I see

login as: alice
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

The RADIUS debug shows a time out to my ISE Node

Jan  5 21:57:44.979: RADIUS/ENCODE(0000000E): ask "Password: "
Jan  5 21:57:44.979: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E):Orig. component type = Exec
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan  5 21:57:47.416: RADIUS(0000000E): Config NAS IP: 0.0.0.0
Jan  5 21:57:47.416: RADIUS(0000000E): Config NAS IPv6: ::
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E): acct_session_id: 4
Jan  5 21:57:47.416: RADIUS(0000000E): sending
Jan  5 21:57:47.416: RADIUS/ENCODE: Best Local IP-Address 192.168.1.2 for Radius-Server 192.168.1.207
Jan  5 21:57:47.416: RADIUS(0000000E): Send Access-Request to 192.168.1.207:1812 onvrf(0) id 1645/2, len 69
Jan  5 21:57:47.416: RADIUS:  authenticator EF EE 82 6B 18 96 85 33 - 36 A0 83 3A B6 43 08 81
Jan  5 21:57:47.416: RADIUS:  User-Name           [1]   7   "alice"
Jan  5 21:57:47.416: RADIUS:  User-Password       [2]   18  *
Jan  5 21:57:47.416: RADIUS:  NAS-Port            [5]   6   1
Jan  5 21:57:47.416: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
Jan  5 21:57:47.416: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jan  5 21:57:47.416: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.2
Jan  5 21:57:47.416: RADIUS(0000000E): Sending a IPv4 Radius Packet
Jan  5 21:57:47.419: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:57:52.459: RADIUS(0000000E): Request timed out!
Jan  5 21:57:52.459: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:57:52.459: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:57:57.492: RADIUS(0000000E): Request timed out!
Jan  5 21:57:57.492: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:57:57.492: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:58:02.526: RADIUS(0000000E): Request timed out!
Jan  5 21:58:02.526: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:58:02.526: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:58:07.555: RADIUS(0000000E): Request timed out!
Jan  5 21:58:07.555: RADIUS: No response from (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:58:07.555: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jan  5 21:58:07.555: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Jan  5 21:58:09.558: RADIUS/ENCODE(0000000E): ask "Password: "
Jan  5 21:58:09.558: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD

Ping is working fine.

I dont know if normally port 18212, 1813, 1645 and 1646 will be open if I connect through telnet

Switch#ping 192.168.1.207
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.207, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Switch#
Switch#telnet 192.168.1.207 1812
Trying 192.168.1.207, 1812 ...
% Connection timed out; remote host not responding

Switch#
Switch#
Switch#telnet 192.168.1.207 1813
Trying 192.168.1.207, 1813 ...
% Connection timed out; remote host not responding

Switch#telnet 192.168.1.207 1645
Trying 192.168.1.207, 1645 ...
% Connection timed out; remote host not responding

Switch#telnet 192.168.1.207 1646
Trying 192.168.1.207, 1646 ...

The only thing I can see on the ISE is the error/warning message attached.

Ive already reload the switch and the ISE it self. no changes.

Does anyone has an IDEA why this is happen?

Thanks in advance for your help,

Regards,
Max

Mad Max · ‎04-23-2020

Hello Howon

Thanks for replying. I forgot to mention it. While executing test aaa command, the answer was always no response from server.

Live logs didnt see any request.

Both IPs are in the same subnet. Therefore there is no Firewall in between.

After 2 days of troubleshooting ive decided to re-install the server. Ive backuped my configuration and restored it.

now it works perfectly again. (with the same configuration)

Regards,
Max

View solution in original post

howon · ‎04-21-2020

RADIUS is UDP so you will not get any response with telnet on the ports. I suggest using 'test aaa ...' command to validate RADIUS configuration. Also suggest sharing aaa configuration and ISE live log details.

Mad Max · ‎04-23-2020

Hello Howon

Thanks for replying. I forgot to mention it. While executing test aaa command, the answer was always no response from server.

Live logs didnt see any request.

Both IPs are in the same subnet. Therefore there is no Firewall in between.

After 2 days of troubleshooting ive decided to re-install the server. Ive backuped my configuration and restored it.

now it works perfectly again. (with the same configuration)

Regards,
Max