06-28-2013 07:25 AM - edited 03-10-2019 08:35 PM
Hi,
I have a TekRadius server running. When I try to log in to my Cisco 2960 switch through the console it works fine, but when I try to log in through telnet/ssh it does not let me in.
Any help will be much appreciated.
Kind regards,
06-28-2013 07:28 AM
Can you post the running config from the 2960? Also, check if you're getting any error message on the radius server.
Jatin Katyal
- Do rate helpful posts -
06-28-2013 07:33 AM
Hi Jatin,
username test privilege 15 secret 5 $1$HwE9$.kxhsf7I5gIuBnw3xT67A1
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login localauth local
aaa authentication login ssh group radius
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization exec VTY group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
!
aaa session-id common
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip ssh version 2
ip rcmd rcp-enable
ip rcmd remote-username RMEUser
line con 0
password 7 107A0C0A111E1C0C
line vty 0 3
access-class 1 in
authorization exec VTY
login authentication VTY
line vty 4
access-class 1 in
authorization exec VTY
login authentication ssh
transport input telnet ssh
line vty 5 15
access-class 1 in
authorization exec VTY
login authentication VTY
!
end
Many thanks.
06-28-2013 07:48 AM
I think telnet/ssh is not enabled under line vty 0 3. Please add the below listed command there.
line vty 0 3
transport input telnet ssh
Jatin Katyal
- Do rate helpful posts -
06-28-2013 08:30 AM
Hi jatin,
No luck, same issue.
regards,
kamran.
06-28-2013 08:39 AM
Can you run the following debugs:
debug aaa authen
debug radius
debug aaa autho
Jatin Katyal
- Do rate helpful posts -
06-28-2013 08:54 AM
Hi Jatin,
Username:
1d06h: AAA/AUTHEN/ABORT: (840134049) because Login timed out.
1d06h: AAA/MEMORY: free_user_quiet (0x1C74914) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 servic e=1 priv=1
1d06h: AAA: parse name=tty0 idb type=-1 tty=-1
1d06h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
1d06h: AAA/MEMORY: create_user (0x1BB5588) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
1d06h: AAA/AUTHEN/START (195888831): port='tty0' list='' action=LOGIN service=LOGIN
1d06h: AAA/AUTHEN/START (195888831): using "default" list
1d06h: AAA/AUTHEN/START (195888831): Method=radius (radius)
1d06h: AAA/AUTHEN (195888831): status = GETUSER
% Username: timeout expired!
% Authentication failed.
1d06h: RADIUS: Pick NAS IP for u=0x1C74914 tableid=0 cfg_addr=0.0.0.0
1d06h: RADIUS: ustruct sharecount=2
1d06h: Radius: radius_port_info() success=1 radius_nas_port=1
1d06h: RADIUS: added cisco VSA 2 len 4 "tty0"
1d06h: RADIUS: added cisco VSA 1 len 19 "disc-cause-ext=1020"
1d06h: RADIUS: added cisco VSA 1 len 20 "connect-progress=101"
1d06h: RADIUS: added cisco VSA 1 len 14 "nas-rx-speed=0"
1d06h: RADIUS: added cisco VSA 1 len 14 "nas-tx-speed=0"
1d06h: RADIUS: No secret to encode request (rctx
User Access Verification
Username: :0x1BB50B4)
1d06h: RADIUS: Unable to encrypt (rctx:0x1BB50B4)
1d06h: RADIUS(00000000): Send Accounting-Request to 128.1.15.92:1813 id 1646/92, len 201
1d06h: RADIUS: authenticator 99 4E FD 5D C5 26 71 C8 - BA D0 5D 45 C5 72 27 30
1d06h: RADIUS: NAS-IP-Address [4] 6 128.1.17.214
1d06h: RADIUS: NAS-Port [5] 6 0
1d06h: RADIUS: Vendor, Cisco [26] 12
1d06h: RADIUS: cisco-nas-port [2] 6 "tty0"
1d06h: RADIUS: NAS-Port-Type [61] 6 Async [0]
1d06h: RADIUS: User-Name [1] 6 "test"
1d06h: RADIUS: Acct-Status-Type [40] 6 Stop [2]
1d06h: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
1d06h: RADIUS: Service-Type [6] 6 NAS Prompt [7]
1d06h: RADIUS: Acct-Session-Id [44] 10 "0000002E"
1d06h: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
1d06h: RADIUS: Acct-Session-Time [46] 6 42
1d06h: RADIUS: Vendor, Cisco [26] 27
1d06h: RADIUS: Cisco AVpair [1] 21 "disc-cause-ext=1020"
1d06h: RADIUS: Vendor, Cisco [26] 28
1d06h: RADIUS: Cisco AVpair [1] 22 "connect-progress=101"
1d06h: RADIUS: Vendor, Cisco [26] 22
1d06h: RADIUS: Cisco AVpair [1] 16 "nas-rx-speed=0"
1d06h: RADIUS: Vendor, Cisco [26] 22
1d06h: RADIUS: Cisco AVpair [1] 16 "nas-tx-speed=0"
1d06h: RADIUS: Acct-Delay-Time [41] 6 0
1d06h: RADIUS: Received from id 1646/92 128.1.15.92:1813, Accounting-response, len 20
1d06h: RADIUS: authenticator 24 C3 FD 3B F1 F3 A6 76 - 0D B7 99 E8 55 52 4C 68
1d06h: AAA/MEMORY: free_user (0x1BAF6EC) user='1d06h: AAA/MEMORY: free_user (0x1BB8770) user='aa' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
1d06h: AAA: parse name=tty0 idb type=-1 tty=-1
1d06h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
1d06h: AAA/MEMORY: create_user (0x1BAF3A4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Many thanks
06-28-2013 09:05 AM
Could you please increase the radius-server timeout to somewhere around 10 seconds and try again.
Jatin Katyal
- Do rate helpful posts -
06-28-2013 09:37 AM
Hi Jatin
Where can I change the time?
regards.
06-29-2013 07:00 AM
Looking again at the debugs, I come across
1d06h: RADIUS: No secret to encode request (rctx
User Access Verification
Username: :0x1BB50B4)
1d06h: RADIUS: Unable to encrypt (rctx:0x1BB50B4)
The above debugs show that there is no shared secret configured on the 2960 to encrypt or encode the radius-request. This is how you can configure the key on the 2960. The same key should be defined on the radius server as well.
radius-server host 1.1.1.1 key
Jatin Katyal
- Do rate helpful posts -
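An added example, not part of the thread and not Cisco tooling: a short Python audit of an IOS-style running-config for the points raised so far (a RADIUS server entry with a shared secret, a local fallback on each login method list, an explicit `transport input` on each vty range). The sample config is constructed from lines posted above; the function name `audit_aaa` and the finding strings are assumptions made for this example.

```python
import re

# Constructed sample, trimmed from the config lines posted in this thread.
SAMPLE_CONFIG = """\
aaa authentication login default group radius
aaa authentication login VTY group radius local
aaa authentication login ssh group radius
line con 0
line vty 0 3
login authentication VTY
line vty 4
login authentication ssh
transport input telnet ssh
"""

def audit_aaa(config):
    """Return findings for RADIUS-backed login in an IOS-style config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. The switch needs a RADIUS server entry that carries a shared secret.
    hosts = [l for l in lines if l.startswith("radius-server host ")]
    global_key = any(l.startswith("radius-server key ") for l in lines)
    if not hosts:
        findings.append("no radius-server host configured")
    for h in hosts:
        if not global_key and not re.search(r"\skey\s+\S", h):
            findings.append("no shared secret: " + h)
    # 2. Login method lists that use RADIUS with no local fallback.
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m and "radius" in m.group(2).split() and "local" not in m.group(2).split():
            findings.append("login list '%s' has no local fallback" % m.group(1))
    # 3. Every vty range should set transport input explicitly.
    vty, section = {}, None
    for l in lines:
        if l.startswith("line "):
            section = l if l.startswith("line vty") else None
            if section:
                vty[section] = False
        elif section and l.startswith("transport input "):
            vty[section] = True
    findings += ["%s has no explicit transport input" % n for n, ok in vty.items() if not ok]
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```
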
07-01-2013 01:13 AM
Hi Jatin,
Hope you had a good weekend !!
I had it configured, but I have done it again though... but I don't understand why it puts 7 after the word key?
many thanks.
07-01-2013 05:54 AM
http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-cr-r1.html#wp7224581170
encryption-key | Specifies the encryption key. Valid values for encryption-key are:
~BR
Jatin Katyal
**Do rate helpful posts**
07-01-2013 06:00 AM
Hi Jatin,
I have done it again but no luck....
Any other suggestions?
many thanks.
07-01-2013 06:02 AM
Can you post the debugs again?
~BR
Jatin Katyal
**Do rate helpful posts**
07-01-2013 06:13 AM
Hi Jatin,
following are the debug lines from aaa autho:
2d02h: AAA: parse name=tty0 idb type=-1 tty=-1
2d02h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel= 0
2d02h: AAA/MEMORY: create_user (0x1ABAD30) user='NULL' ruser='NULL' ds0=0 port=' tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0 ', vrf= (id=0)eem
Password:
2d02h: AAA/MEMORY: free_user (0x1BA2F74) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
many thanks