10-27-2021 09:58 AM - edited 10-27-2021 10:01 AM
Hey all,
My employer is not facilitating ISE and has asked me to convert all our Cisco NAC to RADIUS.
I only know what I can find on the net for configuring RADIUS, and I'm already finding things that don't make sense.
The Cisco.com material says to configure it thus:
radius-server host 10.45.1.2
radius-server key myRaDiUSpassWoRd
But my 4300 series routers don't have that command.
The standard command looks like this:
aaa group server radius MS-NPS
server 10.x.x.89 auth-port 1812 acct-port 1813
server 10.x.x.89 auth-port 1812 acct-port 1813
but this offers no "key" option, and it gives me an authentication error, as seen here:
Oct 28 03:02:20.186: AAA/BIND(00000C64): Bind i/f
Oct 28 03:02:20.186: AAA/AUTHEN/LOGIN (00000C64): Pick method list 'MyList'
Oct 28 03:02:20.186: RADIUS/ENCODE(00000C64): ask "Password: "
Oct 28 03:02:20.186: RADIUS/ENCODE(00000C64): send packet; GET_PASSWORD
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64):Orig. component type = Exec
Oct 28 03:02:22.298: RADIUS/ENCODE: Skip encoding 0 length AAA Cisco vsa password
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Oct 28 03:02:22.298: RADIUS(00000C64): Config NAS IP: 0.0.0.0
Oct 28 03:02:22.298: RADIUS(00000C64): Config NAS IPv6: ::
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64): acct_session_id: 3162
Oct 28 03:02:22.298: RADIUS(00000C64): sending
Oct 28 03:02:22.298: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Oct 28 03:02:22.298: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Oct 28 03:02:26.229: RADIUS/ENCODE(00000C64): author with failed authen
Oct 28 03:02:26.229: RADIUS/ENCODE(00000C64): send packet; BEGIN
The AAA config is basic and is shown here:
aaa authentication login default group radius group tacacs+ local
aaa authentication login MyList group radius group tacacs+ local
aaa authentication enable default group radius group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group radius group tacacs+ local
line vty 0 4
login authentication MyList
transport input ssh
All help appreciated.
10-27-2021 10:43 AM - edited 10-27-2021 10:44 AM
Hi @Paul Morgan, the "radius-server host ..." command is deprecated on newer IOS. Here is the new way:
radius server SVR-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
key XXXXXXXX
!
radius server SVR-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name SVR-1
server name SVR-2
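To tie the named-server form above back to the original post, here is a complete IOS-XE configuration as an added example (it is not from the poster, the answer, or Cisco's documentation). The server addresses 192.0.2.10 and 192.0.2.11, the shared secret, the group name MS-NPS from the question, and the interface GigabitEthernet0/0/0 are all assumed placeholders; substitute your own. It also adds two things the debug output in the question hints at: a source interface (the debug shows "Config NAS IP: 0.0.0.0", i.e. none configured), and "radius-server attribute 6 on-for-login-auth" (the debug shows it off), plus the "test aaa" command for verifying the secret before touching the VTY lines.

```cisco
! Added example, not from the original thread. Addresses, secret and
! interface name are assumed placeholders.
aaa new-model
!
! Named RADIUS servers: this is the replacement for the deprecated
! "radius-server host ... key ..." form. The key lives under each server.
radius server NPS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key MySharedSecret
 timeout 5
 retransmit 3
!
radius server NPS-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key MySharedSecret
 timeout 5
 retransmit 3
!
! Group the named servers. The source interface fixes both the packet
! source address and the NAS-IP-Address attribute, so NPS can match the
! router against the RADIUS client entry (and secret) registered for it.
aaa group server radius MS-NPS
 server name NPS-1
 server name NPS-2
 ip radius source-interface GigabitEthernet0/0/0
!
! Send Service-Type in login requests; NPS network policies are often
! written to match on it.
radius-server attribute 6 on-for-login-auth
!
! Method lists reference the named group, with local fallback.
aaa authentication login MyList group MS-NPS local
aaa authorization exec default group MS-NPS local
!
line vty 0 4
 login authentication MyList
 transport input ssh
!
! Verification from the router, before relying on it for SSH logins:
!   test aaa group MS-NPS testuser testpass new-code
!   show aaa servers
!   debug radius
```

Two practical checks: first, the "group radius" keyword in the original method lists refers to every server defined with "radius server", so those lists also start working once each server carries a key; the named group is only needed if you want to select a subset. Second, if "test aaa group" still reports no response after adding the key, the mismatch is usually on the NPS side (client address or shared secret differs from what the router sends), and the NPS event log is the place to confirm which.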
10-28-2021 01:53 AM
Great! Works now. Many thanks.
It would be lovely if Cisco updated the docs - I was reading the XE-16.6 material, which I think is fairly new?