06-27-2018 01:41 AM - edited 02-21-2020 10:59 AM
Hi Guys
Ran into a small issue when deploying 9300 switches using RADIUS for authentication. My issue is that when trying to authenticate, the debug shows me that the switch can't contact the RADIUS server, which is strange because I have deployed 5 2960X switches using the same commands and RADIUS server. The only difference I see is that I'm using a dedicated management VLAN on these devices.
Any thoughts?
06-27-2018 07:51 AM
Are you able to ping the radius server from the switch at all? What is the source address/interface for the radius traffic coming from that switch?
It could be related to the radius source interface where the switch is trying to contact the radius server from the wrong interface.
06-27-2018 09:02 AM
06-27-2018 03:03 PM
06-28-2018 01:24 AM
RADIUS: id 2, priority 1, host 10.x.x.x, auth-port 1812, acct-port 1813
State: current UP, duration 353s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 353s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD: current UP, duration 0s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 1
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 5m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 5 minutes ago: 4
low - 0 hours, 6 minutes ago: 0
average: 0
*Jun 28 08:24:34.169: AAA/BIND(0000002C): Bind i/f
*Jun 28 08:24:34.169: AAA/AUTHEN/LOGIN (0000002C): Pick method list 'default'
*Jun 28 08:24:34.169: RADIUS/ENCODE(0000002C): ask "Password: "
*Jun 28 08:24:34.169: RADIUS/ENCODE(0000002C): send packet; GET_PASSWORD
*Jun 28 08:24:38.176: RADIUS/ENCODE(0000002C):Orig. component type = Exec
*Jun 28 08:24:38.177: RADIUS/ENCODE(0000002C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 28 08:24:38.177: RADIUS(0000002C): Config NAS IP: 0.0.0.0
*Jun 28 08:24:38.177: RADIUS(0000002C): Config NAS IPv6: ::
*Jun 28 08:24:38.177: RADIUS/ENCODE(0000002C): acct_session_id: 4023
*Jun 28 08:24:38.177: RADIUS(0000002C): sending
*Jun 28 08:24:38.177: RADIUS/ENCODE: Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
*Jun 28 08:24:38.177: RADIUS(0000002C): Send Access-Request to 10.50.1.17:1812 id 1645/26, len 75
RADIUS: authenticator AB 70 13 B1 33 50 89 E3 - C4 87 81 E3 7C B7 D2 93
*Jun 28 08:24:38.177: RADIUS: User-Name [1] 13 "*********"
*Jun 28 08:24:38.177: RADIUS: User-Password [2] 18 *
*Jun 28 08:24:38.177: RADIUS: NAS-Port [5] 6 2
*Jun 28 08:24:38.177: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jun 28 08:24:38.177: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 28 08:24:38.177: RADIUS: NAS-IP-Address [4] 6 *******
*Jun 28 08:24:38.177: RADIUS(0000002C): Sending a IPv4 Radius Packet
*Jun 28 08:24:38.177: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:43.215: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:43.215: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:43.215: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:48.246: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:48.246: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:48.247: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:53.310: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:53.310: RADIUS: Retransmit to (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:53.310: RADIUS(0000002C): Started 5 sec timeout
*Jun 28 08:24:58.346: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:58.346: RADIUS: No response from (10.50.1.17:1812,1813) for id 1645/26
*Jun 28 08:24:58.346: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Jun 28 08:24:58.346: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Jun 28 08:25:00.363: AAA/AUTHEN/LOGIN (0000002C): Pick method list 'default'
*Jun 28 08:25:00.363: RADIUS/ENCODE(0000002C): ask "Password: "
*Jun 28 08:25:00.363: RADIUS/ENCODE(0000002C): send packet; GET_PASSWORD
06-28-2018 02:36 AM - edited 06-28-2018 02:37 AM
So did you check the NAD IP address is correctly defined on the RADIUS server? And the shared secret?
How about taking a packet capture on the RADIUS server end? Post the output if you still require help.
06-28-2018 02:48 AM
So the RADIUS server is 10.50.1.17 and the switch is 10.50.8.1. I can't see anything except the following:
Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
06-28-2018 02:53 AM
06-28-2018 03:23 AM
Sorry, the RADIUS server is a Windows box. Yes, I have defined the IP address of the switch, 10.50.8.1, and the secret key is the same on both ends. All the other switches I have configured have worked with no issues, but these devices are layer 2 rather than layer 3.
06-28-2018 03:32 PM
Resolved this issue by applying the ip radius source-interface vlan command globally.
Thanks
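Added example, not part of any post in this thread: a Python check that reads debug output in the format posted above, extracts the source address the switch chose for each RADIUS server, and compares it with the client address defined on that server, which is the mismatch visible in the thread (10.50.1.1 chosen, 10.50.8.1 defined on the server). The `diagnose` function and the `registered_clients` mapping are assumptions for illustration, and the sample lines are constructed from the format shown in the thread.

```python
import re

# Constructed sample, in the format of the debug output posted in this thread.
SAMPLE_DEBUG = """\
*Jun 28 08:24:38.177: RADIUS(0000002C): Config NAS IP: 0.0.0.0
*Jun 28 08:24:38.177: RADIUS/ENCODE: Best Local IP-Address 10.50.1.1 for Radius-Server 10.50.1.17
*Jun 28 08:24:38.177: RADIUS(0000002C): Send Access-Request to 10.50.1.17:1812 id 1645/26, len 75
*Jun 28 08:24:43.215: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:48.246: RADIUS(0000002C): Request timed out!
*Jun 28 08:24:58.346: RADIUS: No response from (10.50.1.17:1812,1813) for id 1645/26
"""

SRC_RE = re.compile(r"Best Local IP-Address (\S+) for Radius-Server (\S+)")
NO_RESP_RE = re.compile(r"No response from \(([^:)]+):")


def diagnose(debug_text, registered_clients):
    """Compare the source address the switch chose with the client entry on the server.

    registered_clients is a hypothetical inventory: {server_ip: client_ip defined there}.
    """
    # server -> source address the switch selected for it
    chosen = {m.group(2): m.group(1) for m in SRC_RE.finditer(debug_text)}
    # servers that never answered after all retransmissions
    unanswered = set(NO_RESP_RE.findall(debug_text))
    findings = []
    for server, source in chosen.items():
        registered = registered_clients.get(server)
        if source != registered:
            findings.append({
                "server": server,
                "source": source,
                "registered": registered,  # None means no client entry is known
                "unanswered": server in unanswered,
            })
    return {"timeouts": debug_text.count("Request timed out!"), "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_DEBUG, {"10.50.1.17": "10.50.8.1"})
    print("timeouts:", report["timeouts"])
    for f in report["findings"]:
        print("server {server}: switch sends from {source}, "
              "server expects {registered}, unanswered={unanswered}".format(**f))
```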