Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3103
Views
0
Helpful
2
Replies

Radius authentication failed on Cisco 6509

yoosaflulu
Level 1
Level 1

‎01-30-2012 02:56 AM - edited ‎03-10-2019 06:46 PM

Hi All,

I have configured Radius authentication on Windows 2008 server (NPS) 

The following configuration is working perfectly on Cisco Switch 3560.

aaa new-model

aaa session-id common

aaa authentication login default group radius local

radius-server host 10.40.34.8 auth-port 1645 acct-port 1646 key XXX

But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)

Your help would be very much appreciated.

Regards,

Yoosaf Lulu

Labels:
0 Helpful
2 Replies 2

camejia
Level 3
Level 3

‎01-30-2012 05:05 PM

Hello,

Which specific event is the NPS generating for the 6509 authentication attempt?

Also, if you enable "debug aaa authentication" and "debug radius" would be able to share the outputs after recreating the authenticaation failure?

Regards.

0 Helpful

yoosaflulu
Level 1
Level 1
In response to camejia

‎05-01-2012 03:32 AM

Dear Carlos,

I have rectified the issue.

Pls find the bug details associated with the existing running image in the Cisco 6509

1.   Bug id:-CSCsv14886 

            Cause: - Failure to send RADIUS state attribute

            Symptom:-Switch using RADIUS for dot1x authentication is not sending RADIUS state attribute to ACS server.

                           The ACS server discards these packets and the switch marks the server as down.

            Conditions: Cat6500 running 12.2(33)SXH2a using RADIUS for dot1x authentication

            Workaround: None

            1st Fixed in Version: - 12.2(33)SXH5

2.   Bud id :- CSCir00551

Cause: - Misleading radius debug message

Symptom:- The "%RADIUS-4-RADIUS_ALIVE: RADIUS server 172.27.66.89:2295,2296 has returned."

                  is a little misleading. It is not saying that the server has returned, in the

                 Sense of being heard from. It is only saying that RADIUS has marked the server

                 as being alive because the deadtime timer has expired, and RADIUS is willing to

                 re-send messages to this server again.

Conditions: - None

Workaround: None

12.2(33)SXH4 is included in the affected version

The above 2 bugs associated with the radius issue in the existing image may be the cause of Radius not working with the cores witch, As we tested TACACS+ works correctly without any issues, would recommend you to configure TACACS+ for both the core switches and also for other devices, as TACACS+ is more secure than Radius .You can Use TACACS+ with Cisco ACS.

0 Helpful
Customers Also Viewed These Support Documents