02-16-2013 07:22 AM - edited 03-10-2019 08:05 PM
Hi all,
I need to configure SSH on my 3560 switch integrating with Microsoft IAS, and when users try to access the switch they need to use their domain credentials for that. But I am getting the following error message:
"011192: Feb 16 20:30:01: %SSH-5-SSH_SESSION: SSH Session request from 172.30.3.71 (tty = 0) using crypto cipher '3DES' Succeeded
011193: Feb 16 20:30:15: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.10:1645,1646 is not responding.
011194: Feb 16 20:30:15: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.10:1645,1646 is being marked alive.
011195: Feb 16 20:30:34: %SSH-5-SSH_USERAUTH: User 'praveeny' authentication for SSH Session from 172.30.3.71 (tty = 0) using crypto cipher '3DES' Failed"
I am sure my shared secret key is all right.
And the following is my configuration on the 3560 switch:
aaa new-model
aaa authentication login SSH group radius local
ip ssh logging events
ip ssh version 1
radius-server host 172.16.1.10 auth-port 1645 acct-port 1646 key 7 00270A0401491F030C291517
line vty 0 4
access-class 23 in
exec-timeout 0 0
password 7 akjshds098978
login authentication SSH
transport input telnet ssh
line vty 5 15
password 7 ldmcdc3049043
login authentication SSH
transport input telnet ssh
Regards,
Praveen Kumar
02-16-2013 10:53 AM
Praveen Kumar
The parts of the configuration that you have shown look appropriate. But the authentication is not working. So I have several questions:
- is there IP connectivity between the switch and the Radius server? (can each one ping the other)
- is it possible that the Radius traffic is being filtered out by some device along the path between the switch and the Radius server?
- since the client knows about the Radius server then does the Radius server recognize the switch as a valid client?
When you test this would you look on the logs of the server and verify whether it saw the authentication request, and if it did how did it respond?
HTH
Rick
02-17-2013 12:16 AM
Hi Richard,
- I have checked the IP connectivity between the 3560 switch and the Radius server; it is reachable.
- No, there is no device between the 3560 and the Radius server path.
- Yes, the server knows about the client. I have configured the same steps on IAS as I have done for my other devices, and they are working fine.
- When I test from the 3560 switch with the command "test aaa radius username and password" I get a user rejected message.
I know this message comes when there is a credential mismatch.
Do I need to generate the crypto key again, if this could be the problem?
Do you need any other log messages from the 3560 to troubleshoot? This is really important, we have a timeline on this.
Regards,
Praveen
02-17-2013 01:56 AM
I suspect either the radius request is not matching the right remote-access policy, or if it is matching, then under the remote-access policy properties > Authentication tab > PAP as an authentication method is not selected.
Please review the config on the radius server again.
If the above comments do not work for you, then get the event viewer logs from the IAS server.
Regards,
Jatin Katyal
- Do rate helpful posts -
02-18-2013 02:36 PM
Hi jkatyal,
PAP is already checked; I have reviewed all my config again.
From the event log viewer, which log exactly do I need to check?
There are the following options:
- Application
- Security
- System
- Directory service
- DNS Server
- File Replication Service
- Internet Explorer
Regards,
Praveen
02-18-2013 02:59 PM
You should either check the security or application logs. The log message should have a category IAS. Looking at the logs we can tell whether the request is hitting the right policy or not.
Jatin Katyal
- Do rate helpful posts -
02-18-2013 05:44 PM
Hi Jkatyal,
I don't see any logs in the event viewer. I have checked in Security and Application with category IAS.
Regards,
Praveen
02-20-2013 09:55 AM
Hi Praveen,
Does your Windows IAS server have two NICs? If yes, then disable one NIC and try again.
Regards
Minakshi
(Do rate helpful posts)
02-20-2013 02:48 PM
Hi minkumar,
No, it's only one. I have done the same configuration on a 2960 and everything is working fine. I don't understand what the issue is with the 3560.
Regards,
Praveen
02-22-2013 12:24 PM
Hi Praveen,
If you are not seeing any logs in the event viewer for the IAS category, then I think there is no Radius communication going on between the switch and the IAS server.
02-25-2013 02:20 PM
Hi shekhar,
I can ping from switch 3560 to IAS server.
Regards,
Praveen
02-25-2013 04:03 PM
IAS authentication events are recorded in the system event log on the basis of the event logging settings.
Go to Start >> All Programs >> Event Viewer >> System logs >> look for IAS logs.
Jatin Katyal
- Do rate helpful posts -
02-26-2013 01:37 PM
I had the same issue.
I changed the default Auth-Port and Acct-Port from 1645 and 1646 to 1812 and 1813, and now it works.
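The port mismatch in the last reply, together with the PAP and shared-secret points raised earlier in the thread, can be checked from an admin workstation with the script below. It is an added example written for this thread, not Cisco or Microsoft code: the server address, shared secret, user name, password and NAS IP are placeholders you supply, and make_reply exists only so the Response Authenticator check can be exercised offline.

```python
import hashlib, os, socket, struct

def pap_encode(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def pap_decode(blob, secret, authenticator):
    # inverse of pap_encode: what the server does before comparing the password
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")
def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value
def build_access_request(ident, secret, user, password, nas_ip):
    # Code 1 = Access-Request; attrs: 1 User-Name, 2 User-Password (PAP), 4 NAS-IP-Address
    ra = os.urandom(16)
    attrs = attr(1, user) + attr(2, pap_encode(password, secret, ra)) + attr(4, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs, ra
def make_reply(code, ident, request_auth, secret, attrs=b""):
    # what a server sends back; included only so verify_response can be exercised offline
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs
def verify_response(reply, request_auth, secret):
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); a mismatch means a forged reply or a shared secret that differs from the server's
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest() == reply[4:20]

def probe(server, secret, user, password, nas_ip, ports=(1645, 1812), timeout=2.0):
    # one Access-Request per port: silence on 1645 but an answer on 1812 is the mismatch from this thread
    results = {}
    for port in ports:
        pkt, ra = build_access_request(port % 256, secret, user, password, nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, port))
            try:
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                results[port] = "no reply"
                continue
        results[port] = ("reply code %d" % reply[0]) if verify_response(reply, ra, secret) else "bad authenticator (shared secret?)"
    return results
```

Run probe("<ias-server-ip>", b"<shared-secret>", b"<domain-user>", b"<password>", "<switch-ip>") from a host the IAS server accepts as a client; a "no reply" on one port and a verified reply on the other shows which port the server is actually listening on.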