Mad Max
Beginner

Issue while authenticating to a switch via RADIUS

Hello Everyone

I have at home, for learning purposes, an ISE installation together with a Cisco Catalyst 2960-X.

I did not work on these devices for the past few days, so I didn't change anything.

Today I started the lab again, and when I wanted to connect through SSH to my switch I got an access denied message.

ISE:

The Access-Request for the requested RADIUS is missing

On the switch I see:

login as: alice
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

The RADIUS debug shows a timeout to my ISE node:

Jan  5 21:57:44.979: RADIUS/ENCODE(0000000E): ask "Password: "
Jan  5 21:57:44.979: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E):Orig. component type = Exec
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan  5 21:57:47.416: RADIUS(0000000E): Config NAS IP: 0.0.0.0
Jan  5 21:57:47.416: RADIUS(0000000E): Config NAS IPv6: ::
Jan  5 21:57:47.416: RADIUS/ENCODE(0000000E): acct_session_id: 4
Jan  5 21:57:47.416: RADIUS(0000000E): sending
Jan  5 21:57:47.416: RADIUS/ENCODE: Best Local IP-Address 192.168.1.2 for Radius-Server 192.168.1.207
Jan  5 21:57:47.416: RADIUS(0000000E): Send Access-Request to 192.168.1.207:1812 onvrf(0) id 1645/2, len 69
Jan  5 21:57:47.416: RADIUS:  authenticator EF EE 82 6B 18 96 85 33 - 36 A0 83 3A B6 43 08 81
Jan  5 21:57:47.416: RADIUS:  User-Name           [1]   7   "alice"
Jan  5 21:57:47.416: RADIUS:  User-Password       [2]   18  *
Jan  5 21:57:47.416: RADIUS:  NAS-Port            [5]   6   1
Jan  5 21:57:47.416: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
Jan  5 21:57:47.416: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jan  5 21:57:47.416: RADIUS:  NAS-IP-Address      [4]   6   192.168.1.2
Jan  5 21:57:47.416: RADIUS(0000000E): Sending a IPv4 Radius Packet
Jan  5 21:57:47.419: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:57:52.459: RADIUS(0000000E): Request timed out!
Jan  5 21:57:52.459: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:57:52.459: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:57:57.492: RADIUS(0000000E): Request timed out!
Jan  5 21:57:57.492: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:57:57.492: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:58:02.526: RADIUS(0000000E): Request timed out!
Jan  5 21:58:02.526: RADIUS: Retransmit to (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:58:02.526: RADIUS(0000000E): Started 5 sec timeout
Jan  5 21:58:07.555: RADIUS(0000000E): Request timed out!
Jan  5 21:58:07.555: RADIUS: No response from (192.168.1.207:1812,1813) for id 1645/2
Jan  5 21:58:07.555: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Jan  5 21:58:07.555: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Jan  5 21:58:09.558: RADIUS/ENCODE(0000000E): ask "Password: "
Jan  5 21:58:09.558: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD

Ping is working fine.

I don't know whether ports 18212, 1813, 1645 and 1646 would normally be open if I connect through telnet:

Switch#ping 192.168.1.207
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.207, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Switch#
Switch#telnet 192.168.1.207 1812
Trying 192.168.1.207, 1812 ...
% Connection timed out; remote host not responding

Switch#
Switch#
Switch#telnet 192.168.1.207 1813
Trying 192.168.1.207, 1813 ...
% Connection timed out; remote host not responding

Switch#telnet 192.168.1.207 1645
Trying 192.168.1.207, 1645 ...
% Connection timed out; remote host not responding

Switch#telnet 192.168.1.207 1646
Trying 192.168.1.207, 1646 ...

 

The only thing I can see on the ISE is the error/warning message attached.

I've already reloaded the switch and the ISE itself. No changes.

Does anyone have an idea why this is happening?

 

Thanks in advance for your help,

Regards,
Max
howon
Cisco Employee

RADIUS is UDP so you will not get any response with telnet on the ports. I suggest using 'test aaa ...' command to validate RADIUS configuration. Also suggest sharing aaa configuration and ISE live log details.
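To make the UDP point concrete, here is an added example (not from the thread or from Cisco) that builds the same Access-Request the switch debug above shows, attribute for attribute, and sends it as a UDP datagram with a 5-second wait, so a silent server appears as a timeout exactly like the switch's "Request timed out!", never as a TCP connection refused. The shared secret, the password and the identifier are constructed values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
NAS_PORT_TYPE, NAS_PORT_ID, NAS_PORT_TYPE_VIRTUAL = 61, 87, 5

def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    """One attribute TLV; the length byte counts the 2-byte Type/Length header too."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, nas_ip,
                         nas_port, nas_port_id, authenticator=None) -> bytes:
    """Same attribute order as the switch debug: User-Name, User-Password, NAS-Port,
    NAS-Port-Id, NAS-Port-Type (Virtual), NAS-IP-Address. Secret/password are constructed."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, 16 random bytes
    attrs = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, encode_password(password.encode(), secret, authenticator)),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(NAS_PORT_ID, nas_port_id.encode()),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def send_and_wait(packet: bytes, server: str, port: int = 1812, timeout: float = 5.0):
    """RADIUS is UDP: send one datagram and return the reply, or None when the server is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

With identifier 2 (the /2 of "id 1645/2"), user alice, a password of 16 bytes or less and NAS 192.168.1.2 on tty1, the packet is exactly 69 bytes, matching the debug's "len 69".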

Hello Howon

Thanks for replying. I forgot to mention it. While executing the test aaa command, the answer was always "no response from server".

Live logs didn't see any request.

Both IPs are in the same subnet. Therefore there is no firewall in between.

After 2 days of troubleshooting I've decided to re-install the server. I've backed up my configuration and restored it.

Now it works perfectly again (with the same configuration).

Regards,
Max
