10-24-2016 03:41 PM - edited 03-11-2019 12:10 AM
I am attempting to set up AAA authentication to two Radius servers.
When I run a test aaa group command I succeed in authenticating. However, when I attempt to login using SSH I cannot authenticate.
I am attaching the pertinent config statements below:
aaa new-model
aaa group server radius FOO
 server name RADIUS2
 server name RADIUS
!
aaa authentication login RAD local group radius
aaa authentication enable default enable
aaa authorization exec default local
aaa accounting exec default
 action-type start-stop
 group radius
aaa session-id common
ip radius source-interface Vlan11
radius server RADIUS
 address ipv4 10.100.10.12 auth-port 1645 acct-port 1646
 timeout 5
 retransmit 2
 automate-tester username ADM-NET-CHL
 key 7 04681F551D721F5A5C495515
!
radius server RADIUS2
 address ipv4 10.100.80.12 auth-port 1645 acct-port 1646
 timeout 5
 retransmit 2
 automate-tester username ADM-NET-CHL
 key 7 04681F551D721F5A5C495515
line vty 0 4
 exec-timeout 0 0
 login authentication local
 transport input ssh
 transport output ssh
line vty 5 15
 exec-timeout 0 0
 login authentication RAD
 transport input ssh
 transport output ssh
Under debug, when I run test I receive the following:
*Oct 24 15:35:14.405: AAA: parse name=<no string> idb type=-1 tty=-1
*Oct 24 15:35:14.405: AAA/MEMORY: create_user (0x3B9027A0) user='ADM-NET-CHL' ruser='NULL' ds0=0 port=''rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Oct 24 15:35:14.410: AAA/MEMORY: free_user (0x3B9027A0) user='ADM-NET-CHL' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
When I attempt to connect via SSH debug gives:
*Oct 24 15:36:12.280: AAA/BIND(00000028): Bind i/f
*Oct 24 15:36:12.280: AAA/AUTHEN/LOGIN (00000028): Pick method list 'RAD'
*Oct 24 15:36:19.144: AAA/AUTHEN/LOGIN (00000028): Pick method list 'RAD'
Can you tell me where I am going wrong?
10-24-2016 06:55 PM
Hi Christine,
The method list (RAD) that you are defining is using local authentication as first preference, so the requests are not going to the RADIUS server. By default, you will get priv level 1; once you get into enable mode and give the local enable password, you will get full privilege.
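As an added example (not from the thread or from Cisco), here is a small Python audit of the posted config that flags the method-list ordering the reply describes, and two related points visible in the same config: `line vty 0 4` names a login list `local` that no `aaa authentication login` command defines, and the server group `FOO` is defined but never referenced. The embedded config is a constructed copy of the relevant lines; it assumes that the word after `login authentication` is always looked up as a named list.

```python
import re
# Constructed sample modelled on the question's config (secrets and servers omitted).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius FOO
 server name RADIUS2
 server name RADIUS
aaa authentication login RAD local group radius
line vty 0 4
 login authentication local
line vty 5 15
 login authentication RAD
"""

def parse_config(config):
    """Return (login lists -> ordered methods, server groups, line -> login list)."""
    lists, groups, lines, current = {}, set(), {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", s):
            # 'group <name>' counts as one method, so "local group radius" -> 2 methods
            lists[m[1]] = re.findall(r"group \S+|\S+", m[2])
        elif m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", s):
            groups.add(m[1])
        elif raw.startswith("line "):
            current = s[5:]; lines[current] = "default"
        elif current and raw.startswith(" ") and s.startswith("login authentication "):
            lines[current] = s.split()[-1]
        elif not raw.startswith(" "):
            current = None  # left the line block
    return lists, groups, lines

def audit(config):
    """Flag the ordering and reference problems discussed in the thread."""
    lists, groups, lines = parse_config(config)
    findings = []
    for name, methods in lists.items():
        # IOS moves to the next method only on error, so a local answer is final
        if methods[0] == "local" and any(m.startswith("group ") for m in methods[1:]):
            findings.append(f"list {name}: 'local' is tried first; the server group is only a fallback")
    for line, lst in lines.items():
        if lst != "default" and lst not in lists:
            findings.append(f"line {line}: login list '{lst}' is not defined")
    used = {m.split()[1] for ms in lists.values() for m in ms if m.startswith("group ")}
    for g in sorted(groups - used):
        findings.append(f"server group {g} is defined but no login list uses it")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Running it against the sample reports all three findings; swapping the list to `group FOO local` and pointing the vty lines at `RAD` clears them.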