L3 4506 RADIUS Authentication Failure

daniel.goodsel
Level 1

I have been going through implementing a Windows-based RADIUS server for Cisco device logins. I am having difficulty getting our 4506 to authenticate using the RADIUS server.

Config:

aaa new-model

radius-server host 192.168.0.3 auth-port 1812 acct-port 1813

radius-server key 7 xxxxxxxxxxxxxxxxxxxxxxxx

aaa authentication login default group radius local

IOS: cat4500e.entservicesk9-mz.151-2.sg.bin

I have tried changing the auth-port and acct-port to the default 1645 and 1646 with no luck. I have been successful with all other L2 switches within our network but have been unable to get the 4506 to authorize and authenticate using the RADIUS server. Any suggestions?

I also have 2 IBM BladeCenter CB31X0 switches, which are Cisco switches, that are not authenticating through the RADIUS server. They also have the same config as the 4506.

3 Replies

Richard Burts
Hall of Fame

I have a couple of questions/suggestions and hope that some might be helpful in identifying the issue.

- Have you checked IP connectivity between the switch and the RADIUS server?

- Is it possible that there is a firewall or some other device filtering traffic that is not allowing the request to get through to the server - or the response to get back to the switch?

- Are there logs on the RADIUS server that indicate that the server saw the authentication request? And if so, what do the logs say the server did about the request?

- Is it possible that the RADIUS server is not correctly configured to recognize this switch as a valid client for authentication?

- Is it possible that there is more than one path from the switch to the server and that the switch is not using the IP address as source of the request that you expected? (which would make it appear to be an invalid client to the server)

HTH

Rick

Rick,

Thanks for the reply. The RADIUS server is directly connected to the 4506 and I am able to ping the server. There is no firewall or any other device filtering traffic. The logfile on the server is not showing any request from the 4506. I have configured the server the same way for each of the switches within the network and the 4506 is the only one having issues accessing the RADIUS server. Since the server is directly connected to the 4506 there is only one path to the server.

Thanks for the additional information. You have pretty well addressed the questions/suggestions that I raised. So I would suggest that now might be the time to turn on debugging for aaa authentication and for radius.

HTH

Rick
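
The checks suggested in the replies above, collected as one IOS session; this is an added example, not part of the original thread. The interface Vlan10 and the account testuser/testpass are placeholders, while 192.168.0.3 and the ports are the values from the question.

```cisco
! Added example, not from the original posts.
! Run from a console or vty session on the 4506.

! 1. Confirm what is actually configured for AAA and RADIUS.
show running-config | include aaa|radius

! 2. See which interface the switch uses to reach the server.
!    Unless "ip radius source-interface" is set, the address of this
!    egress interface is the source IP of every Access-Request, and it
!    must match the client address defined on the RADIUS server.
show ip route 192.168.0.3

! 3. Send debug output to this session and enable the debugs
!    suggested in the last reply.
terminal monitor
debug aaa authentication
debug radius

! 4. Generate a request without logging out of the session.
!    testuser / testpass are placeholder credentials.
test aaa group radius testuser testpass legacy

! 5. Read the debug output for three things:
!    - whether an Access-Request is sent at all (if not, the login
!      method list is not reaching the radius group),
!    - the server address and UDP port it is sent to (1812 here),
!    - whether a reply arrives or the request is retransmitted and
!      times out (a server that does not know the client address or
!      the shared key typically stays silent).

! 6. Check whether the switch has marked the server dead and how many
!    requests, timeouts and responses it has counted.
show aaa servers
show radius statistics

! 7. If step 2 shows an address the server does not have as a client,
!    pin the source. Vlan10 is a placeholder for the interface whose
!    IP address is registered on the server.
configure terminal
 ip radius source-interface Vlan10
 end

! 8. Turn debugging off when finished.
undebug all
```

Keeping `local` at the end of the login method list, as in the posted configuration, preserves a fallback login while the RADIUS path is being debugged.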
