01-30-2012 02:56 AM - edited 03-10-2019 06:46 PM
Hi All,
I have configured Radius authentication on Windows 2008 server (NPS)
The following configuration is working perfectly on Cisco Switch 3560.
aaa new-model
aaa session-id common
aaa authentication login default group radius local
radius-server host 10.40.34.8 auth-port 1645 acct-port 1646 key XXX
But, the same configuration is not working on Cisco Catalyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
Your help would be very much appreciated.
Regards,
Yoosaf Lulu
01-30-2012 05:05 PM
Hello,
Which specific event is the NPS generating for the 6509 authentication attempt?
Also, if you enable "debug aaa authentication" and "debug radius", would you be able to share the outputs after recreating the authentication failure?
Regards.
05-01-2012 03:32 AM
Dear Carlos,
I have rectified the issue.
Please find the bug details associated with the existing running image in the Cisco 6509
1. Bug id: CSCsv14886
Cause: Failure to send RADIUS state attribute
Symptom: Switch using RADIUS for dot1x authentication is not sending RADIUS state attribute to ACS server.
The ACS server discards these packets and the switch marks the server as down.
Conditions: Cat6500 running 12.2(33)SXH2a using RADIUS for dot1x authentication
Workaround: None
1st Fixed in Version: 12.2(33)SXH5
2. Bug id: CSCir00551
Cause: Misleading radius debug message
Symptom: The "%RADIUS-4-RADIUS_ALIVE: RADIUS server 172.27.66.89:2295,2296 has returned." message is a little misleading. It is not saying that the server has returned, in the sense of being heard from. It is only saying that RADIUS has marked the server as being alive because the deadtime timer has expired, and RADIUS is willing to re-send messages to this server again.
Conditions: None
Workaround: None
12.2(33)SXH4 is included in the affected versions
The above 2 bugs associated with the radius issue in the existing image may be the cause of Radius not working with the core switch. As we tested, TACACS+ works correctly without any issues, so I would recommend you configure TACACS+ for both the core switches and also for other devices, as TACACS+ is more secure than Radius. You can use TACACS+ with Cisco ACS.
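The State attribute behaviour behind CSCsv14886, as an added illustration that is not part of this thread or of Cisco's code: a minimal RADIUS (RFC 2865) packet parser plus a check that a NAS echoes, unchanged, the State it received in an Access-Challenge, which is what a server expects before it will accept the follow-up Access-Request. All packet contents below are constructed sample data, not captures from the switches discussed above.

```python
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_STATE = 1, 24          # attribute types from RFC 2865


def build_packet(code, ident, authenticator, attrs):
    """Serialise header (code, id, length, 16-byte authenticator) plus TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, ident, authenticator, [(type, value), ...]); reject malformed input."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes received" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type(1) length(1) value; length counts the two header bytes.
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_len = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def state_echoed(challenge, request):
    """True only if the Access-Request repeats the State attribute(s) from the challenge unchanged."""
    c_code, _, _, c_attrs = parse_packet(challenge)
    r_code, _, _, r_attrs = parse_packet(request)
    if c_code != ACCESS_CHALLENGE or r_code != ACCESS_REQUEST:
        return False
    expected = [v for t, v in c_attrs if t == ATTR_STATE]
    got = [v for t, v in r_attrs if t == ATTR_STATE]
    return bool(expected) and got == expected


# Constructed sample exchange (not a capture): the server challenges with State,
# a correct NAS echoes it, and a NAS affected by CSCsv14886 omits it.
STATE = b"sess-0042"
CHALLENGE = build_packet(ACCESS_CHALLENGE, 7, os.urandom(16), [(ATTR_STATE, STATE)])
GOOD_REQUEST = build_packet(ACCESS_REQUEST, 8, os.urandom(16),
                            [(ATTR_USER_NAME, b"admin"), (ATTR_STATE, STATE)])
BAD_REQUEST = build_packet(ACCESS_REQUEST, 8, os.urandom(16), [(ATTR_USER_NAME, b"admin")])
```

Running state_echoed over Access-Challenge/Access-Request pairs from a capture is a quick way to tell a NAS-side State omission (the bug above) apart from a shared-secret or reachability problem.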