12-11-2024 06:23 PM
Hello,
I configured my C3850 authentication to Active Directory RADIUS (NPS), and it seems this C3850 is not sending any RADIUS traffic to the NPS.
I tried enabling 'debug radius authentication' and I can see there are no debug messages in the log. Does someone know how to troubleshoot this?
12-11-2024 08:11 PM
Oh right - you're doing AAA (device admin). Share your output for
show run | section line
Perhaps you have some method list or weird config there.
You should run a test command also
test aaa group ADRADIUS username password new-code
And then check the output of "show aaa servers" - did the authentication counters increment?
I would also swap around the "local group ADRADIUS" to be "group ADRADIUS local" instead. I have never seen it done with local first, and I would expect that if the user account is not found locally, then go to the group instead. But it's not good security practice - you want to make local access the method of last resort.
12-11-2024 06:53 PM - edited 12-11-2024 06:55 PM
Before running debugs, check the following:
Check your config. If your 3850 is sending RADIUS in a VRF, then ensure that the source interface and VRF details are correct:
show run | section radius
Check the status of the AAA servers (the servers should not be "DEAD"):
show aaa servers
And I assume of course that the 3850 can ping the NPS? And that you have added the 3850 into NPS as a RADIUS client, and then configured it accordingly.
You can send test commands to the AAA RADIUS group. The username and password below can be arbitrary; the IOS will make a PAP request to the RADIUS server. If the RADIUS server doesn't handle PAP, then you are likely to get an Access-Reject. But a Reject is also a sign of RADIUS communication. It does not prove the RADIUS shared secret is correct though; it just proves that the UDP traffic is getting answered.
test aaa group <radius_group_name> username password new-code
If you are using IOS-XE from a certain vintage, then the legacy "debug" commands no longer work. I think they are still there, but they don't do anything. IOS-XE replaced all this with the session manager daemon, running on Linux. Try this:
Set the debugs
===================
set platform software trace smd switch active R0 dot1x-all debug
set platform software trace smd switch active R0 radius-authen debug
set platform software trace smd switch active R0 aaa-authen debug
set platform software trace smd switch active R0 eap-all debug
set platform software trace smd switch active R0 auth-mgr-all debug
View the trace levels
=========================
show platform software trace level smd switch active R0
View the logs with
==============================
show platform software trace message smd switch active R0
After test complete, reset the debugs to normal again!!!
===========
set platform software trace smd switch active R0 dot1x-all notice
set platform software trace smd switch active R0 radius-authen notice
set platform software trace smd switch active R0 aaa-authen notice
set platform software trace smd switch active R0 eap-all notice
set platform software trace smd switch active R0 auth-mgr-all notice
12-11-2024 07:03 PM
Hi @Arne Bier
Here is my RADIUS config.
show aaa servers
Ping to the NPS server is successful.
Based on show version I can see we use CAT3K IOS.
All other devices are working normally with the NPS using the same configuration.
12-11-2024 08:00 PM
The server is UP.
But your authc first tries local, then tries RADIUS.
And since it succeeds with local, it never tries RADIUS.
MHM
12-11-2024 08:03 PM
Yes, but I tried logging in using my RADIUS user, and since the credentials didn't work I used a local user. Trying to get some debug logs by enabling 'debug radius authentication', I tried logging in using the RADIUS user and there are no debug messages at all.
12-11-2024 08:14 PM
Yeah, that works. I forgot to add these commands in the line vty:
authorization exec ADRADIUS
login authentication ADRADIUS
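As an added example (not code from this thread, from Cisco, or from Microsoft NPS), the following Python script audits a running-config snippet for the two problems this thread converged on: a method list that places `local` before `group ADRADIUS` (so RADIUS is never consulted once the local account matches), and a `line vty` block with no `login authentication` / `authorization exec` command (so the named list is never applied and the line uses the `default` list). The two sample configs are constructed; the list name ADRADIUS comes from the thread, the server name NPS is assumed, and the parser only handles the single-space indentation of a normal IOS running-config.

```python
import re
from typing import Dict, List

# Constructed "before" config mirroring the OP's situation: local listed first,
# and the vty line not bound to the named list.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius ADRADIUS
 server name NPS
aaa authentication login ADRADIUS local group ADRADIUS
aaa authorization exec ADRADIUS local group ADRADIUS
!
line vty 0 4
 transport input ssh
"""

# Constructed "after" config: group first with local as last resort, and the
# vty line bound to the named lists as the OP eventually did.
FIXED_CONFIG = """\
aaa new-model
aaa group server radius ADRADIUS
 server name NPS
aaa authentication login ADRADIUS group ADRADIUS local
aaa authorization exec ADRADIUS group ADRADIUS local
!
line vty 0 4
 login authentication ADRADIUS
 authorization exec ADRADIUS
 transport input ssh
"""


def parse_method_lists(config: str, kind: str) -> Dict[str, List[str]]:
    """Map list name -> ordered methods for 'aaa <kind>' lines, e.g.
    kind='authentication login'. A 'group X' pair is kept as one method."""
    pat = re.compile(rf"^aaa {kind} (\S+) (.+)$")
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        name, rest = m.groups()
        toks = rest.split()
        methods, i = [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append(f"group {toks[i + 1]}")
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[name] = methods
    return lists


def parse_vty_bindings(config: str) -> Dict[str, Dict[str, str]]:
    """For each 'line vty' block, record the login and exec lists it applies.
    A missing command is recorded as 'default' (IOS applies the default list)."""
    bindings: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level line starts a new section
            current = line if line.startswith("line vty") else None
            if current:
                bindings[current] = {"login": "default", "exec": "default"}
            continue
        if current is None:
            continue
        m = re.match(r"\s+login authentication (\S+)", line)
        if m:
            bindings[current]["login"] = m.group(1)
        m = re.match(r"\s+authorization exec (\S+)", line)
        if m:
            bindings[current]["exec"] = m.group(1)
    return bindings


def audit_aaa(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: List[str] = []
    kinds = {"authentication login": "login", "authorization exec": "exec"}
    for kind, key in kinds.items():
        lists = parse_method_lists(config, kind)
        for name, methods in lists.items():
            # 'local' should be the method of last resort, i.e. the final entry
            if "local" in methods and methods.index("local") < len(methods) - 1:
                nxt = methods[methods.index("local") + 1]
                findings.append(f"{kind} list {name}: 'local' precedes {nxt}")
        for vty, bound in parse_vty_bindings(config).items():
            if bound[key] == "default" and lists:
                findings.append(f"{vty}: no '{kind}' binding, named list(s) "
                                f"{sorted(lists)} unused")
            elif bound[key] != "default" and bound[key] not in lists:
                findings.append(f"{vty}: {kind} list {bound[key]} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit_aaa(cfg) or 'OK'}")
```

Running the script prints four findings for the broken config (two list-order findings and two unbound vty findings) and `OK` for the fixed one. Paired with `show aaa servers`, this is the check to run first: if the named list is never applied to the vty line, the authentication counters will not increment no matter how the RADIUS server is configured.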