11-10-2010 04:25 AM - edited 03-10-2019 05:33 PM
Hi Cisco Team,
I would like to authenticate my old Cisco switch, C2950, Version 12.1(22)EA4, with a RADIUS server, NPS (W2008R2).
This configuration is OK for all other equipment (C6500/C3750/C3560/C3550/C2970).
AAA configuration on switch C2950:
_________________________________________________________________
conf t
username admin privilege 15 secret xxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa group server radius Sxxx
 server 193.x.x.x auth-port 1645 acct-port 1646
aaa authentication login method_Sxxx group Sxxx local
aaa authorization exec method_Sxxx group Sxxx local
aaa session-id common
radius-server host 193.x.x.x auth-port 1645 acct-port 1646 key xxxx
radius-server source-ports 1645-1646
radius-server retransmit 2
radius-server timeout 2
ip radius source-interface Vlan1
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 70 0
 authorization exec method_Sxxx
 login authentication method_Sxxx
 length 0
line vty 5 15
 exec-timeout 70 0
 authorization exec method_Sxxx
 login authentication method_Sxxx
 length 0
_________________________________________________________________
Error message on C2950:
_________________________________________________________________
000237: Nov 10 10:15:16.542: RADIUS: Received from id 6 193.50.24.20:1645, Access-Reject, len 20
000238: Nov 10 10:15:16.542: RADIUS: Response (6) failed decrypt
000239: Nov 10 10:16:33.726: RADIUS: ustruct sharecount=1
000240: Nov 10 10:16:33.730: RADIUS: Initial Transmit tty3 id 7 193.50.24.20:1645, Access-Request, len 81
000241: Nov 10 10:16:33.730: Attribute 4 6 C0865011
000242: Nov 10 10:16:33.730: Attribute 5 6 00000003
000243: Nov 10 10:16:33.730: Attribute 61 6 00000005
000244: Nov 10 10:16:33.730: Attribute 1 10 69303031
000245: Nov 10 10:16:33.730: Attribute 31 15 3137322E
000246: Nov 10 10:16:33.730: Attribute 2 18 79FC4F4E
000247: Nov 10 10:16:33.842: RADIUS: Received from id 7 193.50.24.20:1645, Access-Reject, len 20
000248: Nov 10 10:16:33.842: RADIUS: Response (7) failed decrypt
_________________________________________________________________
Error message on Windows 2008 Server R2, NPS Enterprise (new IAS):
_________________________________________________________________
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/11/2010 11:21:43
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: **********************
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: e*****
Account Domain: ******
Fully Qualified Account Name: *****\e******
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 172.x.x.x
NAS:
NAS IPv4 Address: 192.x.x.x
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 2
RADIUS Client:
Client Friendly Name: SwitchCisco
Client IP Address: 192.x.x.x
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Thanks a lot,
by
David
11-11-2010 01:44 AM
Hi,
Well, it looks like the reason code is pretty self-explanatory:
"Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."
Does the user exist on the users DB the NPS is using to authenticate?
Was the password entered correctly?
Have you tried with the same user on another switch? Does it work there?
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-11-2010 11:32 PM
Hi,
Does the user exist on the users DB the NPS is using to authenticate? Yes.
Was the password entered correctly? Yes.
Have you tried with the same user on another switch? Yes. Does it work there? Yes.
Thanks
David
09-02-2011 01:25 PM
David, did you get this fixed?? I'm having the exact same problem right now and haven't found a solution.
09-05-2011 01:03 AM
Hi Chris!! No solution. TO CHANGE was the solution. Good luck!!!