Radius 9300

S.mooney12
Level 1
Hi Guys

Ran into a small issue when deploying 9300 switches using RADIUS for authentication. My issue is that when trying to authenticate, the debug shows me that the switch can't contact the RADIUS server, which is strange because I have deployed five 2960X switches using the same commands and RADIUS server. The only difference I see is that I'm using a dedicated management VLAN on these devices.

Any thoughts?

9 Replies

Ben Walters
Level 3
Are you able to ping the RADIUS server from the switch at all? What is the source address/interface for the RADIUS traffic coming from that switch?

It could be related to the RADIUS source interface, where the switch is trying to contact the RADIUS server from the wrong interface.

We can ping the RADIUS server. I have pinged from the source VLAN, which we are using as our management VLAN.

Hi, Has the correct IP address been specified on the RADIUS server for this switch?

Double-check the shared secret.

On the switch, when you attempt authentication, is the AAA server up or down? Use the command "show aaa server" and post the output if relevant. Also run the command "debug radius" and post the output.

RADIUS: id 2, priority 1, host 10.x.x.x, auth-port 1812, acct-port 1813
State: current UP, duration 353s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 353s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD: current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 1
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 5m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 5 minutes ago: 4
low - 0 hours, 6 minutes ago: 0
average: 0
*Jun 28 08:24:34.169: AAA/BIND(0000002C): Bind i/f
*Jun 28 08:24:34.169: AAA/AUTHEN/LOGIN (0000002C): Pick method list 'default'
*Jun 28 08:24:34.169: RADIUS/ENCODE(0000002C): ask "Password: "
*Jun 28 08:24:34.169: RADIUS/ENCODE(0000002C): send packet; GET_PASSWORD
*Jun 28 08:24:38.176: RADIUS/ENCODE(0000002C):Orig. component type = Exec
*Jun 28 08:24:38.177: RADIUS/ENCODE(0000002C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 28 08:24:38.177: RADIUS(0000002C): Config NAS IP: 0.0.0.0
*Jun 28 08:24:38.177: RADIUS(0000002C): Config NAS IPv6: ::
*Jun 28 08:24:38.177: RADIUS/ENCODE(0000002C): acct_session_id: 4023
*Jun 28 08:24:38.177: RADIUS(0000002C): sending
*Jun 28 08:24:38.177: RADIUS/ENCODE: Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
*Jun 28 08:24:38.177: RADIUS(0000002C): Send Access-Request to 10.50.1.17:1812 id 1645/26, len 75
RADIUS: authenticator AB 70 13 B1 33 50 89 E3 - C4 87 81 E3 7C B7 D2 93
*Jun 28 08:24:38.177: RADIUS: User-Name [1] 13 "*********"
*Jun 28 08:24:38.177: RADIUS: User-Password [2] 18 *
*Jun 28 08:24:38.177: RADIUS: NAS-Port [5] 6 2
*Jun 28 08:24:38.177: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jun 28 08:24:38.177: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 28 08:24:38.177: RADIUS: NAS-IP-Address [4] 6 *******
*Jun 28 08:24:38.177: RADIUS(0000002C): Sending a IPv4 Radius Packet
*Jun 28 08:24:38.177: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:43.215: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:43.215: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:43.215: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:48.246: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:48.246: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:48.247: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:53.310: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:53.310: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:53.310: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:58.346: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:58.346: RADIUS: No response from (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:58.346: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Jun 28 08:24:58.346: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Jun 28 08:25:00.363: AAA/AUTHEN/LOGIN (0000002C): Pick method list 'default'
*Jun 28 08:25:00.363: RADIUS/ENCODE(0000002C): ask "Password: "
*Jun 28 08:25:00.363: RADIUS/ENCODE(0000002C): send packet; GET_PASSWORD

So did you check that the NAD IP address is correctly defined on the RADIUS server? And the shared secret?

How about taking a packet capture on the RADIUS server end? Post the output if you still require help.

So the RADIUS server is 10.50.1.17 and the switch is 10.50.8.1. I can't see anything except the following:

Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
I don't understand the information you've provided there.

On the RADIUS server (I assume ISE), have you defined a Network Device with the IP address of the switch (10.50.8.1)? With the correct pre-shared key? Have you confirmed the key is correct on both ends (switch and RADIUS server)?

Can you provide screenshots from the RADIUS server of the configuration and any errors, etc.?

Sorry, the RADIUS server is a Windows box. Yes, I have defined the IP address of the switch, 10.50.8.1, and the secret key is the same on both ends. All the other switches I have configured have worked with no issues, but these devices are layer 2 rather than layer 3.

Resolved this issue by applying the ip radius source-interface vlan command globally.

Thanks
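The debug output above already contains the diagnosis: the switch picked 10.50.1.1 as its "Best Local IP-Address" for a server at 10.50.1.17, while the server's client entry is for 10.50.8.1. A RADIUS server identifies the client by the source IP of the UDP packet (not by the NAS-IP-Address attribute), and RFC 2865 requires it to silently discard requests from unknown clients or with a bad shared secret, so the switch only ever sees timeouts, never an Access-Reject. The following check, added here as an example and not code from the thread or from Cisco, parses constructed samples shaped like the "show aaa server" and "debug radius" output posted above, flags the source/NAS mismatch, and prints the global fix the thread arrived at. The interface name passed to fix_command is a placeholder, since the thread never states the VLAN number.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the "debug radius" output posted in the
# thread: the line that reveals the chosen source address, the send, four
# 5-second timeouts and the final give-up. Addresses are the ones in the thread.
SAMPLE_DEBUG = """\
*Jun 28 08:24:38.177: RADIUS/ENCODE: Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
*Jun 28 08:24:38.177: RADIUS(0000002C): Send Access-Request to 10.50.1.17:1812 id 1645/26, len 75
*Jun 28 08:24:43.215: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:43.215: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:48.246: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:53.310: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:58.346: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:58.346: RADIUS: No response from (10.50.1.17:1812,1813) for id 1645/26
"""

# Constructed sample of the "show aaa server" counters that matter.
SAMPLE_SHOW = """\
RADIUS: id 2, priority 1, host 10.50.1.17, auth-port 1812, acct-port 1813
State: current UP, duration 353s, previous duration 0s
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
"""

BEST_LOCAL = re.compile(r"Best Local IP-Address (\S+) for Radius-Server (\S+)")
TIMEOUT = re.compile(r"Request timed out!")
NO_RESPONSE = re.compile(r"No response from \((\S+):\d+,\d+\)")
AUTHEN = re.compile(r"Authen: request (\d+), timeouts (\d+)")
RESPONSE = re.compile(r"Response: accept (\d+), reject (\d+)")


def authen_counters(show_text):
    """Pull authentication request/timeout/accept/reject counts out of 'show aaa server'."""
    counters = {}
    for line in show_text.splitlines():
        m = AUTHEN.search(line)
        if m:
            counters["requests"], counters["timeouts"] = int(m.group(1)), int(m.group(2))
        m = RESPONSE.search(line)
        if m and "accept" not in counters:  # first Response line follows the Authen block
            counters["accept"], counters["reject"] = int(m.group(1)), int(m.group(2))
    return counters


def diagnose(debug_text, nas_ip):
    """Classify a failed login from 'debug radius' output.

    nas_ip is the address the RADIUS server has on file for this switch (its
    client / Network Device entry). A request sent from any other address is
    from an unknown client, which the server discards without replying, so the
    switch sees timeouts rather than an Access-Reject.
    """
    src = server = None
    timeouts = 0
    gave_up = False
    for line in debug_text.splitlines():
        m = BEST_LOCAL.search(line)
        if m:
            src, server = m.group(1), m.group(2)
        if TIMEOUT.search(line):
            timeouts += 1
        if NO_RESPONSE.search(line):
            gave_up = True
    if src is None:
        return {"verdict": "no-send"}
    mismatch = ip_address(src) != ip_address(nas_ip)
    unanswered = gave_up or timeouts > 0
    if mismatch and unanswered:
        verdict = "source-mismatch"
    elif unanswered:
        verdict = "unanswered"  # right source, still silent: check secret, UDP path, server logs
    else:
        verdict = "ok"
    return {"source_ip": src, "server_ip": server, "timeouts": timeouts,
            "gave_up": gave_up, "mismatch": mismatch, "verdict": verdict}


def fix_command(interface):
    """Global IOS command that pins the RADIUS source address to one interface.
    The interface name is the caller's choice; the thread does not give the VLAN number."""
    return f"ip radius source-interface {interface}"


if __name__ == "__main__":
    print(authen_counters(SAMPLE_SHOW))
    result = diagnose(SAMPLE_DEBUG, "10.50.8.1")
    print(result)
    if result["verdict"] == "source-mismatch":
        print("suggested fix:", fix_command("Vlan<mgmt>"))  # placeholder interface name
```

The "unanswered" verdict is the case worth keeping in mind after the source fix: if the source address already matches the server's client entry and the server still stays silent, the remaining candidates are a shared-secret mismatch (also a silent discard on the server side), UDP 1812/1813 being filtered somewhere on the path, or the server never receiving the packet at all, which is where the packet capture suggested earlier in the thread settles it.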
