01-16-2012 03:32 AM - edited 03-10-2019 06:43 PM
Hi All,
Weird issue with radius.
We have quite a few of these switches around the campus all in stacks. We had 4 switches in one stack which we had to split into two separate stacks. Since then the new stack which we created won't allow us to login using RADIUS.
This is the configuration which mirrors all our other switches:
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
ip radius source-interface (LoopbackInterface)
radius-server host RADIUSSERVER auth-port 1812 acct-port 1813 key password
The switches in the stack are running IOS Version 12.2(53)SE2.
Any help would be appreciated as I've removed RADIUS and added it again with no joy.
Oh, also in the logs I get
*Jan 16 22:52:25.537: %RADIUS-4-RADIUS_DEAD: RADIUS server IP:1812,1813 is not responding.
*Jan 16 22:52:25.537: %RADIUS-4-RADIUS_ALIVE: RADIUS server IP:1812,1813 is being marked alive.
Which according to Cisco is purely cosmetic, but not sure if it is relevant here.
Thanks for your time.
01-16-2012 11:26 AM
Hello Steve,
The DEAD/ALIVE errors might be considered cosmetic as both include the same time: Jan 16 22:52:25.537
Are you getting any attempts being logged on the server side for the failure? Also, are you using ACS, MS IAS, MS NPS? Which specific RADIUS server are you using?
Along with the server logs can you enable "debug aaa authentication", "debug aaa authorization" and "debug radius" and test the authentication again?
Please share the outputs of the server and the IOS device.
Regards.
01-16-2012 11:38 AM
Steve
Can you verify that the Radius server has a correct and accurate configuration for the client coming from the loopback address of the new stack? And can you verify that the address of the loopback in the new stack is what you expected it to be?
HTH
Rick
01-16-2012 11:42 AM
Hello Steve,
Richard is thinking of the scenario where moving the switch from the stack caused the loopback address to change. In that case, the RADIUS server will report an "Unknown RADIUS Client" sending the request and it will deny the access. In that case you need to check that the IP address of the loopback of the switch stack is properly configured on the RADIUS server as a valid RADIUS client.
Regards.
01-17-2012 01:07 AM
Hi All,
I really appreciate you taking time to look at this.
One thing I will add is we had another stack which we had to split due to problems at the same time and two switches out of that stack also can't authenticate against RADIUS.
We are using Microsoft Network Policy Server. There is a policy already in place and I have just added the new clients onto the server.
I know the secrets are the same as I have just copied the installation from another.
All the IP addresses are correct for the loopback addresses.
Here are the logs:
Jan 17 08:53:55.689: AAA/BIND(0000010A): Bind i/f
Jan 17 08:53:55.689: AAA/AUTHEN/LOGIN (0000010A): Pick method list 'default'
Jan 17 08:53:55.694: RADIUS/ENCODE(0000010A): ask "Username: "
Jan 17 08:53:57.860: RADIUS/ENCODE(0000010A): ask "Password: "
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A):Orig. component type = EXEC
Jan 17 08:54:00.596: RADIUS: AAA Unsupported Attr: interface [171] 4
Jan 17 08:54:00.596: RADIUS: 74 74 [ tt]
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan 17 08:54:00.596: RADIUS(0000010A): Config NAS IP: (LoopbackIP)
Jan 17 08:54:00.596: RADIUS/ENCODE(0000010A): acct_session_id: 263
Jan 17 08:54:00.596: RADIUS(0000010A): sending
Jan 17 08:54:00.596: RADIUS(0000010A): Send Access-Request to (RadiusServerIP):1812 id 1645/33, len 88
Jan 17 08:54:00.596: RADIUS: authenticator CA C4 C7 F3 CD 5E AB 88 - F1 FD 2B 0E 4F E1 81 DB
Jan 17 08:54:00.596: RADIUS: User-Name [1] 12 "ciscoadmin"
Jan 17 08:54:00.596: RADIUS: User-Password [2] 18 *
Jan 17 08:54:00.596: RADIUS: NAS-Port [5] 6 1
Jan 17 08:54:00.596: RADIUS: NAS-Port-Id [87] 6 "tty1"
Jan 17 08:54:00.596: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 17 08:54:00.596: RADIUS: Calling-Station-Id [31] 14 "(AdminMachineIP)"
Jan 17 08:54:00.596: RADIUS: NAS-IP-Address [4] 6 (LoopbackIP)
Jan 17 08:54:00.596: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:05.420: RADIUS(0000010A): Request timed out
Jan 17 08:54:05.420: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:05.420: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:11.066: RADIUS(0000010A): Request timed out
Jan 17 08:54:11.066: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:11.066: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:16.346: RADIUS(0000010A): Request timed out
Jan 17 08:54:16.346: %RADIUS-4-RADIUS_DEAD: RADIUS server (RadiusServerIP):1812,1813 is not responding.
Jan 17 08:54:16.346: %RADIUS-4-RADIUS_ALIVE: RADIUS server (RadiusServerIP):1812,1813 is being marked alive.
Jan 17 08:54:16.346: RADIUS: Retransmit to ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:16.346: RADIUS(0000010A): Started 5 sec timeout
Jan 17 08:54:21.584: RADIUS(0000010A): Request timed out
Jan 17 08:54:21.584: RADIUS: No response from ((RadiusServerIP):1812,1813) for id 1645/33
Jan 17 08:54:21.584: RADIUS/DECODE: parse response no app start; FAIL
Jan 17 08:54:21.584: RADIUS/DECODE: parse response; FAIL
Jan 17 08:54:23.586: AAA/AUTHEN/LOGIN (0000010A): Pick method list 'default'
Jan 17 08:54:23.586: RADIUS/ENCODE(0000010A): ask "Username: "
Here are the logs from the NPS.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: ciscoadmin
Account Domain: JA
Fully Qualified Account Name: JA\ciscoadmin
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: (myIP)
NAS:
NAS IPv4 Address: (loopback)
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 1
RADIUS Client:
Client Friendly Name: jb-agg-0201-002
Client IP Address: (loopback)
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: JA-SRV-SC01-NPS.JA.INTERNAL
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Not sure why it says this because the password/account has been setup from the beginning and works on all other switches besides these two stacks.
Thanks again
01-17-2012 01:36 AM
Sorry... scrap that about the RADIUS server.
I changed the secret template for that particular client (I'd forgotten... troubleshooting).
I've now changed it back and here is the correct log... seems strange because it's granted access.
Network Policy Server granted full access to a user because the host met the defined health policy.
User:
Security ID: JA\ciscoadmin
Account Name: ciscoadmin
Account Domain: JA
Fully Qualified Account Name: JA.INTERNAL/JCB Academy/JCBA Users/JCBA SysAdmin Accounts/Cisco Admin
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: (myIP)
NAS:
NAS IPv4 Address: (loopbackIP)
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 1
RADIUS Client:
Client Friendly Name: jb-agg-0201-002
Client IP Address: (loopbackIP)
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco Admin
Authentication Provider: Windows
Authentication Server: JA-SRV-SC01-NPS.JA.INTERNAL
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -
01-17-2012 07:18 AM
Hello Steve,
Actually, from the IOS debugs the request is timing out:
Jan 17 08:54:21.584: RADIUS(0000010A): Request timed out
Can you try increasing the RADIUS Timeout from the default value to 15 or 20 seconds? If the Authentication still fails change it back to the default setting of 5 seconds.
Command:
radius-server timeout 20
Please share the results.
NOTE: If the above does not work, a capture on the NPS server when authenticating with the faulty units might be needed. However, with the capture you might need to share the Secret Key in order to decrypt the packets.
Regards.
01-17-2012 08:00 AM
Hi,
That didn't work. Do you want the logs from the switch? As it's the same, it just says timeout 20.
Attached is a capture from the NPS server at the time of authentication.
Is this ok?
01-17-2012 08:18 AM
Steve,
The capture is just showing Access-Request from the switch to the NPS but no response (Access-Accept or Access-Reject) from the NPS to the switch. Were there any RADIUS packets going from the NPS to the switch?
Regards.
01-18-2012 12:58 AM
Sorry Carlos.. it would probably help if I included that, wouldn't it.
Can you see from this?
01-18-2012 01:35 AM
Fixed it!!!
Having seen the TTL exceeded messages on the capture it occurred to me that the router had no way back to the switch..
so I added a route back to the switch and it worked straight away.
Thanks so much for your help..
01-18-2012 08:47 AM
Hello Steve,
Thanks for the update. Will keep it in mind next time I get TTL Exceeded on a capture from an NPS server.
Regards.
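The diagnosis this thread arrives at can be automated: read the IOS `debug radius` output and the matching NPS event together, and tell apart "the server never got the request", "the server rejected it" and "the server answered but the reply never made it back". This is an added illustration for the thread, not code from the posters, Cisco or Microsoft; the sample lines are constructed from the output quoted above with placeholder addresses.

```python
import re

# Constructed sample, modelled on the thread's 'debug radius' output (placeholder IPs).
IOS_DEBUG = """\
Jan 17 08:54:00.596: RADIUS(0000010A): Send Access-Request to 192.0.2.10:1812 id 1645/33, len 88
Jan 17 08:54:05.420: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1645/33
Jan 17 08:54:11.066: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1645/33
Jan 17 08:54:16.346: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1645/33
Jan 17 08:54:21.584: RADIUS: No response from (192.0.2.10:1812,1813) for id 1645/33
"""
# Constructed NPS event texts, trimmed to the fields the classifier reads.
NPS_GRANTED = "Network Policy Server granted full access to a user because the host met the defined health policy.\nAccount Name: ciscoadmin\nReason Code: -\n"
NPS_DENIED = "Network Policy Server denied access to a user.\nAccount Name: ciscoadmin\nReason Code: 16\n"

def parse_ios(debug):
    """Return {request id: {'server', 'retransmits', 'no_response'}} from debug radius lines."""
    reqs = {}
    for line in debug.splitlines():
        m = re.search(r"Send Access-Request to (\S+):\d+ id ([^\s,]+)", line)
        if m:
            reqs[m.group(2)] = {"server": m.group(1), "retransmits": 0, "no_response": False}
            continue
        m = re.search(r"Retransmit to .* for id (\S+)", line)
        if m and m.group(1) in reqs:
            reqs[m.group(1)]["retransmits"] += 1
            continue
        m = re.search(r"No response from .* for id (\S+)", line)
        if m and m.group(1) in reqs:
            reqs[m.group(1)]["no_response"] = True
    return reqs

def parse_nps(event):
    """Return (verdict, reason code) from an NPS event text; (None, None) if no event was logged."""
    if event is None:
        return (None, None)
    verdict = "granted" if "granted full access" in event else "denied" if "denied access" in event else None
    m = re.search(r"Reason Code: (\d+)", event)
    return (verdict, int(m.group(1)) if m else None)

def classify(debug, nps_event):
    """Combine the NAS side and the server side to name the likely fault."""
    ios = parse_ios(debug)
    if not any(r["no_response"] for r in ios.values()):
        return "ios-got-reply"                   # switch saw an answer: check NPS policy instead
    verdict, reason = parse_nps(nps_event)
    if verdict is None:
        return "server-unreachable"              # request never reached NPS: ACL, firewall, forward route
    if verdict == "denied" and reason == 16:
        return "credentials-or-secret-mismatch"  # thread: seen while the wrong secret template was applied
    return "return-path-missing"                 # NPS answered but the switch never saw it: route back to NAS
```

Run against the thread's two NPS events it gives "credentials-or-secret-mismatch" for the Reason Code 16 denial and "return-path-missing" for the granted event, which is exactly the order in which the two faults were found.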