249 Views, 0 Helpful, 8 Replies

Radius Wrong Interface

hs08 (VIP)

Hello,

I set up Network Policy Server as the RADIUS server to authenticate all my Cisco SSH logins.

I found one issue with my C9300, where I already set the command 'ip radius source-interface Loopback0' and my loopback IP is 10.107.107.1.

But when this request comes to the NPS, the source is a different IP address. The NPS detects the request coming from IP 10.4.3.254, and this IP belongs to interface Vlan1. Anyone know why?

hs08_0-1745811000936.png

hs08_1-1745811030725.png


8 Replies

Hi friend,

You assigned the source under a RADIUS group; are you using this group in authc/authz?

Also, why doesn't this group have any server host?

MHM

Hi @MHM Cisco World 

Here is my RADIUS config:

aaa new-model
!
! Custom server group with one private server entry
aaa group server radius ADRADIUS
 server-private 10.103.248.31 key 7 xxxxx
!
! Method lists: local database first, then the ADRADIUS group
aaa authentication login ADRADIUS local group ADRADIUS
aaa authorization exec ADRADIUS local group ADRADIUS
!
! Source interface configured in global configuration mode
ip radius source-interface Loopback0
!
! vty lines bound to the method lists above
line vty 0 4
 authorization exec ADRADIUS
 login authentication ADRADIUS
 transport input ssh
line vty 5 15
 authorization exec ADRADIUS
 login authentication ADRADIUS
 transport input ssh

and here is the debug message:

hs08_0-1745818014076.png


Hello @hs08 

Did you try pinging the RADIUS server with Lo0 as the source IP address?

ping 10.103.248.31 source Loopback0

If it fails, that's 100% why your RADIUS is sourced from Vlan1 instead of your Loopback0.

Regarding your log:

The C9300 sends the packet multiple times (retransmissions) but receives no reply: Request timed out!
No response from (10.103.248.31:1645)


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37 

The ping succeeded.

hs08_0-1745818806622.png


Mmm, OK.

This log, NAS-IP-Address [4] 6 10.107.107.1, shows that the switch is sending the RADIUS Access-Request with Loopback0 as the source IP...

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-nas-ip-cfg.html

What is your IOS-XE version, please?


Best regards
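NAS-IP-Address (attribute 4) is a field inside the RADIUS payload, while the address NPS reports as the sender is the IP header source address, which comes from the interface the datagram leaves on (the thing `ip radius source-interface` controls). The two can differ, which is exactly what the original post observes: attribute 4 carries 10.107.107.1 while NPS sees 10.4.3.254. The following is an added example, not code from this thread, from Cisco or from Microsoft NPS: it builds an Access-Request whose attribute 4 is the loopback address and runs it through a server that, like NPS, looks the RADIUS client and shared secret up by the datagram's source address. The shared secret, username and password are assumed values.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet code and attribute types used below (RFC 2865)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result   # ciphertext block feeds the next mask
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident: int, username: str, password: str, nas_ip: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """NAS side. nas_ip only goes into attribute 4; it has no effect on the IP header,
    which is decided by the socket the datagram is sent from."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: raw value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def server_receive(src_ip: str, packet: bytes, clients: dict) -> dict:
    """Server side, modelled on how NPS treats a datagram: the RADIUS client and its
    shared secret are selected by the source IP of the datagram, never by attribute 4."""
    secret = clients.get(src_ip)
    if secret is None:
        return {"accepted": False, "reason": f"unknown RADIUS client {src_ip}"}
    code, ident, authenticator, attrs = parse_packet(packet)
    return {
        "accepted": True,
        "nas_ip_attribute": socket.inet_ntoa(attrs[NAS_IP_ADDRESS]),
        "username": attrs[USER_NAME].decode(),
        "password": reveal_password(attrs[USER_PASSWORD], secret, authenticator).decode(),
    }


def send_from(source_ip: str, server: tuple, packet: bytes) -> None:
    """Socket-level equivalent of 'ip radius source-interface': bind to the chosen
    address before sending so the IP header source matches attribute 4. Not called here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))
        sock.sendto(packet, server)


# Constructed scenario matching the thread: NPS only knows the loopback address as a
# client (assumed shared secret), but the switch's datagram leaves with the Vlan1 address.
NPS_CLIENTS = {"10.107.107.1": b"sharedsecret"}
REQUEST = build_access_request(1, "admin", "Pa55w0rd", nas_ip="10.107.107.1",
                               secret=b"sharedsecret", authenticator=bytes(range(16)))

if __name__ == "__main__":
    print(server_receive("10.4.3.254", REQUEST, NPS_CLIENTS))    # rejected: unknown client
    print(server_receive("10.107.107.1", REQUEST, NPS_CLIENTS))  # accepted, attribute 4 decoded
```

Run as a script, the first call is rejected because 10.4.3.254 is not a configured client even though attribute 4 inside the same packet says 10.107.107.1; the second call succeeds and decodes the hidden password. This is why a debug showing NAS-IP-Address = loopback is not evidence of the source address, and why the NPS client entry has to match whatever address the switch actually sources from.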

My version is 16.12.4.

Do debug ip packet <list>

In the list, specify the UDP port you use for RADIUS and the IP.

Let's see if the device sends from the correct IP or if something else drops the traffic.

MHM


Jens Albrecht (Level 1)

Hi @hs08,

You need to configure the RADIUS source-interface under the server group you created:

aaa group server radius ADRADIUS
 ip radius source-interface Loopback0
 server-private 10.103.248.31 key 7 xxxxx

You configured this command in global config mode, so it is used by the default server group "radius".
However, you created your own server group ADRADIUS, so this command must be issued in config-sg-radius mode, because each server group uses its own RADIUS source-interface.

As you noticed, a ping can only test the IP reachability of the RADIUS server.
However, to test the reachability of the RADIUS service you can use the following command:

test aaa group ADRADIUS <username> <password> [new-code|legacy]

Whether you need to use new-code or legacy depends on your RADIUS server, and in some cases both options might work.

HTH!
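A small audit of the behaviour Jens describes, as an added example that is not code from this thread or from Cisco: it parses an IOS-style running config, records the source interface configured globally and inside each `aaa group server radius`, and flags any group referenced by a method list that has no group-level source-interface (including a group with no server at all, MHM's first question). The two configurations are constructed from the one posted above; the hypothetical `audit()` wording is mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the configuration posted earlier in this thread (global source-interface only)
BROKEN_CONFIG = """\
aaa new-model
!
aaa group server radius ADRADIUS
 server-private 10.103.248.31 key 7 xxxxx
!
aaa authentication login ADRADIUS local group ADRADIUS
aaa authorization exec ADRADIUS local group ADRADIUS
!
ip radius source-interface Loopback0
!
line vty 0 4
 authorization exec ADRADIUS
 login authentication ADRADIUS
 transport input ssh
"""

# Constructed sample: the same switch with the source interface moved into the group
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "ip radius source-interface Loopback0\n!\n", ""
).replace(
    "aaa group server radius ADRADIUS\n",
    "aaa group server radius ADRADIUS\n ip radius source-interface Loopback0\n",
)

GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
SOURCE_RE = re.compile(r"^\s*ip radius source-interface (\S+)")
SERVER_RE = re.compile(r"^\s*server(?:-private)? (\S+)")
METHOD_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")
DEFAULT_GROUPS = {"radius", "tacacs+"}   # built-in groups, which do use the global settings


@dataclass
class RadiusGroup:
    name: str
    servers: List[str] = field(default_factory=list)
    source_interface: Optional[str] = None


@dataclass
class AaaConfig:
    groups: Dict[str, RadiusGroup]
    global_source: Optional[str]
    method_lists: Dict[str, List[str]]   # "authentication login NAME" -> method tokens


def parse_aaa(config: str) -> AaaConfig:
    groups, method_lists, global_source, current = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None            # '!' or a blank line ends the open block
            continue
        if m := GROUP_RE.match(line):
            current = groups[m.group(1)] = RadiusGroup(m.group(1))
            continue
        # server lines are only legal inside a group, so accept them even when a forum paste
        # has lost the leading space; anything else must be indented to count as a sub-command
        if current is not None and (line.startswith(" ") or SERVER_RE.match(line)):
            if m := SOURCE_RE.match(line):
                current.source_interface = m.group(1)
            elif m := SERVER_RE.match(line):
                current.servers.append(m.group(1))
            continue
        current = None                # any other top-level command closes the group
        if m := SOURCE_RE.match(line):
            global_source = m.group(1)
        elif m := METHOD_RE.match(line):
            method_lists[f"{m.group(1)} {m.group(2)} {m.group(3)}"] = m.group(4).split()
    return AaaConfig(groups, global_source, method_lists)


def referenced_groups(cfg: AaaConfig) -> Dict[str, List[str]]:
    """Map each server group name to the method lists that send requests to it."""
    refs: Dict[str, List[str]] = {}
    for list_name, methods in cfg.method_lists.items():
        for i, token in enumerate(methods[:-1]):
            if token == "group":
                refs.setdefault(methods[i + 1], []).append(list_name)
    return refs


def audit(config: str) -> List[str]:
    cfg = parse_aaa(config)
    findings = []
    for name, lists in referenced_groups(cfg).items():
        if name in DEFAULT_GROUPS:
            continue
        grp = cfg.groups.get(name)
        if grp is None:
            findings.append(f"{name}: used by {lists} but never defined")
            continue
        if not grp.servers:
            findings.append(f"{name}: no server configured")
        if grp.source_interface is None:
            where = (f"the global 'ip radius source-interface {cfg.global_source}' does not apply to it"
                     if cfg.global_source else "no source-interface configured anywhere")
            findings.append(f"{name}: no group-level source-interface, {where}; "
                            "requests will carry the egress interface address")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", BROKEN_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(label, "->", audit(text) or ["OK"])
```

On the posted configuration the audit reports ADRADIUS as relying on the global Loopback0 setting that does not apply to it, which matches what NPS saw (the Vlan1 address); on the corrected configuration it reports nothing. The parser deliberately tolerates the unindented paste style seen earlier in the thread for `server-private` lines, since that is how such configs usually arrive in a ticket.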