Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
5
Replies

Issues getting radius authentication working on switch with vrf

Go to solution
Gallain
Level 1
Level 1

‎11-21-2023 02:44 PM

Hello,

I've been on a project to point all our cisco network switches to our new NPS servers, so that multi factor authentication is done when someone logs in. I've been able to do all the switches except 2 which happen to have a vrf configuration on it.

From my troubleshooting (looking at a firewall between the switch and the nps), it doesn't look like it even attempts to send a radius packet out of the switch. It's like it's looking at it's local AAA instead. 

I just get a failed authentication error when trying to ssh in.

I've tested icmp connectivity between the switch and the NPS server, that's working fine.

I've attached the switch configuration

Labels:
Preview file
14 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to Gallain

‎11-21-2023 08:34 PM

I check config again 

Under vty

You dont specify the aaa auth method VTY so it use defualt.

Add 

Login authentication VTY 

Under vty 0 4 and check access again.

MHM

View solution in original post

0 Helpful
5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎11-21-2023 02:55 PM

Use 

Server-private instead of server name

If tge server reachable via mgmt vrf rib

0 Helpful

Go to solution
Gallain
Level 1
Level 1

‎11-21-2023 08:11 PM

i added your command so the group server radius config looks like this:

aaa group server radius RadiusServerGroup
server-private 10.4.85.31
ip vrf forwarding Mgmt-vrf
ip radius source-interface GigabitEthernet0/0

Here are pings showing the accessibility:

ord-hl2s-1#ping vrf Mgmt-vrf 10.4.85.31 sourc gigabitEthernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.85.31, timeout is 2 seconds:
Packet sent with a source address of 10.1.130.132
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

However, it still looks like no radius attempt is made. I still get a Access denied when putting in my normal credentials.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Gallain

‎11-21-2023 08:34 PM

I check config again 

Under vty

You dont specify the aaa auth method VTY so it use defualt.

Add 

Login authentication VTY 

Under vty 0 4 and check access again.

MHM

0 Helpful

Go to solution
Gallain
Level 1
Level 1
In response to MHM Cisco World

‎11-22-2023 02:36 PM

Thank you so much. This worked!

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎11-22-2023 02:20 PM

Yep - your aaa authentication login contains the method list name "VTY" - therefore you must match that to the relevant vty lines as MHM said. Same goes for authorization. If you had left this as keyword "default" in your aaa statements, then the vty lines would have worked by default. It's generally a good idea to use method lists, but they can cause for extra confusion

Buty in general, you can also send RADIUS test authentication requests using this IOS command

test aaa group RadiusServerGroup somename somepassword new-code

 

0 Helpful
Customers Also Viewed These Support Documents