SSH on Cisco 3560 authentication via Microsoft IAS radius server

praveenk098 · ‎02-16-2013

Hi all,

I need to configure ssh on my 3560 switch integrating with Microsoft IAS and when user try to access switch they need to use their domain credential for that, But i am getting following error message,

"011192: Feb 16 20:30:01: %SSH-5-SSH_SESSION: SSH Session request from 172.30.3.71 (tty = 0) using crypto cipher '3DES' Succeeded

011193: Feb 16 20:30:15: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.10:1645,1646 is not responding.

011194: Feb 16 20:30:15: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.10:1645,1646 is being marked alive.

011195: Feb 16 20:30:34: %SSH-5-SSH_USERAUTH: User 'praveeny' authentication for SSH Session from 172.30.3.71 (tty = 0) using crypto cipher '3DES' Failed"

I am sure my shared sceret key is all right.

And following is my configuration on 3560 switch;

aaa new-model

aaa authentication login SSH group radius local

ip ssh logging events

ip ssh version 1

radius-server host 172.16.1.10 auth-port 1645 acct-port 1646 key 7 00270A0401491F030C291517

line vty 0 4

access-class 23 in

exec-timeout 0 0

password 7 akjshds098978

login authentication SSH

transport input telnet ssh

line vty 5 15

password 7 ldmcdc3049043

login authentication SSH

transport input telnet ssh

Regards,

Praveen Kumar

Richard Burts · ‎02-16-2013

Praveen Kumar

The parts of the configuration that you have shown look appropriate. But the authentication is not working. So I have several questions:

- is there IP connectivity between the switch and the Radius server? (can each one ping the other)

- is it possible that the Radius traffic is being filtered out by some device along the path between the switch and the Radius server?

- since the client knows about the Radius server then does the Radius server recognize the switch as a valid client?

When you test this would you look on the logs of the server and verify whether it saw the authentication request, and if it did how did it respond?

HTH

Rick

HTH

Rick

praveenk098 · ‎02-17-2013

Hi Richard,

- I have checked the ip connectivity between 3560 switch and Radius server its reachable.

- No, There is no device between 3560 and Radius server path.

- Yes, Server knows about the client, i have configured the same steps on IAS as i have done for my Other devices and they are wrking fine.

- when i test from the 3560 switch with command "test aaa radius username and password" i get user rejected message,

I know this message comes when there is credential mismatch.

Do i need to generate crypto key again, if this could be a problem ?

Do you need any other log messages from 3560 for troubleshoot as this is really important, we have timeline on this.

Regards,

Praveen

Jatin Katyal · ‎02-17-2013

I suspect either the radius-request is not matching the right remote-access policy or if its matching then under the remote-access policy properties > authentication tab > PAP as an authentication method is not selected.

Please review the config on the radius server again.

If the above comments do not work for you then get the even viewer logs from the IAS server.

Regards,

Jatin Katyal

- Do rate helpful posts -

~Jatin

praveenk098 · ‎02-18-2013

Hi jkatyal,

The PAP is already checked, I have reviewed all my config again.

From event log viewer which logg exactly i need to check.

There are following options

- Application

- Security

- system

- Directory service

- DNS Server

- File Replication Service

- Internet Explorer

Regards,

Praveen

Jatin Katyal · ‎02-18-2013

You should either check the security or application logs. The log message should have a category IAS. Looking at the logs we can tell whether the request is hitting the right policy or not.

Jatin Katyal

- Do rate helpful posts -

~Jatin

praveenk098 · ‎02-18-2013

HI Jkatyal,

I dont see any logs in event viwer. i have checked in security and application with category IAS.

Regards,
Praveen

minkumar · ‎02-20-2013

Hi Praveen,

Does your windows IAS server has two NIC? If yes, then disable one nic and then try?

Regards

Minakshi

(Do rate helpful posts)

praveenk098 · ‎02-20-2013

HI minkumar,

No, its only one. I have done same configuration on 2960, every thing is working fine.i dont understand what is the issue with 3560.

Regards,

Praveen

shekharmore003 · ‎02-22-2013

Hi Praveen,

If you are not seeing any logs in event viewer for IAS category then I think there is no Radius communication going on between Switch and IAS server.

praveenk098 · ‎02-25-2013

HI shekhar,

I can ping from switch 3560 to IAS server.

Regards,

Praveen

Jatin Katyal · ‎02-25-2013

IAS authentication events are recorded in the system event log on the basis of event

logging settings.

Go to start>> All Programs>> event viewer>> system logs>> look

for IAS logs.

Jatin Katyal

- Do rate helpful posts -

~Jatin

jellojock · ‎02-26-2013

I had the same issue.

I changed the default Auth-Port Acct-Port from 1645 and 1646 to 1812 and 1813, and now it works......