switching TACACS+ to RADIUS help

Paul Morgan
Level 1

Hey all,

My employer is not facilitating ISE and has asked I convert all our Cisco NAC to RADIUS.

I only know what I can find on the net for configuring RADIUS, and I'm already finding things that don't make sense.

The Cisco.com material says config thus:

radius-server host 10.45.1.2
radius-server key myRaDiUSpassWoRd

But my 4300 series routers don't have that command.

The standard command looks like:

aaa group server radius MS-NPS
  server 10.x.x.89 auth-port 1812 acct-port 1813
  server 10.x.x.89 auth-port 1812 acct-port 1813

but this offers no "key" option, and this gives me an error in authentication as seen:

Oct 28 03:02:20.186: AAA/BIND(00000C64): Bind i/f
Oct 28 03:02:20.186: AAA/AUTHEN/LOGIN (00000C64): Pick method list 'MyList'
Oct 28 03:02:20.186: RADIUS/ENCODE(00000C64): ask "Password: "
Oct 28 03:02:20.186: RADIUS/ENCODE(00000C64): send packet; GET_PASSWORD
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64):Orig. component type = Exec
Oct 28 03:02:22.298: RADIUS/ENCODE: Skip encoding 0 length AAA Cisco vsa password
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Oct 28 03:02:22.298: RADIUS(00000C64): Config NAS IP: 0.0.0.0
Oct 28 03:02:22.298: RADIUS(00000C64): Config NAS IPv6: ::
Oct 28 03:02:22.298: RADIUS/ENCODE(00000C64): acct_session_id: 3162
Oct 28 03:02:22.298: RADIUS(00000C64): sending
Oct 28 03:02:22.298: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Oct 28 03:02:22.298: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Oct 28 03:02:26.229: RADIUS/ENCODE(00000C64): author with failed authen
Oct 28 03:02:26.229: RADIUS/ENCODE(00000C64): send packet; BEGIN
The AAA config is basic and seen here:

aaa authentication login default group radius group tacacs+ local
aaa authentication login MyList group radius group tacacs+ local
aaa authentication enable default group radius group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group radius group tacacs+ local
line vty 0 4
login authentication MyList
transport input ssh
All help appreciated.

Accepted Solution

Hi @Paul Morgan, the "radius-server host .." command is deprecated on newer IOS. Here is the new way:
radius server SVR-1 
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
key XXXXXXXX
!
radius server SVR-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name SVR-1
server name SVR-2
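Why a missing or wrong key shows up in the debug as "No response from radius-server" rather than as an explicit reject is worth seeing once. The shared secret is used three times in the exchange: to obfuscate User-Password, to key the Message-Authenticator HMAC on the Access-Request, and to compute the Response Authenticator on the reply. A server whose Message-Authenticator check fails silently discards the request (RFC 2869 section 5.14), so the router only ever sees a timeout. The script below is an added example for this thread, not code from the thread, from Cisco or from Microsoft; it models the NAS and the server side in plain Python with constructed data (the 10.45.1.1 NAS address, the user "paul", the password and the secret are all made up, and the server's user database is a dictionary).

```python
"""Model of the RADIUS (RFC 2865/2869) Access-Request exchange between a
router (NAS) and a RADIUS server, showing what the shared secret does.
Added example for the thread; all names, addresses and credentials are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(atype, value):
    """RADIUS attribute TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_user_password(ciphertext, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    """NAS side: header + 16-byte Request Authenticator + attributes, with
    Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)."""
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
    attrs += encode_attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret, users):
    """Server side. Returns a response packet, or None when the request is silently
    discarded (RFC 2869 s5.14: a bad Message-Authenticator means discard, not reject)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    d = dict(attrs)
    if ATTR_MESSAGE_AUTHENTICATOR in d:
        zeroed = b"".join(encode_attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                          for t, v in attrs)
        expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, d[ATTR_MESSAGE_AUTHENTICATOR]):
            return None  # wrong shared secret: the NAS only ever sees a timeout
    password = decrypt_user_password(d[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(d[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return build_response(code, ident, request_auth, secret)


def verify_response(response, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify is dropped as well."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def login_attempt(nas_secret, server_secret, username=b"paul", password=b"s3cret!"):
    """One login through the model: 'accept', 'reject', 'bad response' or 'no response'."""
    users = {b"paul": b"s3cret!"}  # constructed user database on the server
    request_auth = os.urandom(16)
    request = build_access_request(0x64, username, password, nas_secret, "10.45.1.1", request_auth)
    response = server_handle(request, server_secret, users)
    if response is None:
        return "no response"
    if not verify_response(response, request_auth, nas_secret):
        return "bad response"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

Calling `login_attempt(b"myRaDiUSpassWoRd", b"myRaDiUSpassWoRd")` returns "accept"; with an empty or different NAS secret it returns "no response", which is the timeout the posted debug shows, while only a wrong password produces an actual reject. On the router the quick check is `test aaa group radius <user> <password> new-code`, which exercises the configured group and key without touching a VTY. One more caveat from the posted debug: IOS is "dropping service type" because `radius-server attribute 6 on-for-login-auth` is off; if the server's network policy matches on Service-Type (common with NPS), that command needs to be enabled as well.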

2 Replies


Great! Works now. Many thanks.

It would be lovely if Cisco updated the docs - I was reading the XE-16.6 material, which I think is fairly new?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16-6/sec-usr-rad-xe-16-6-book/sec-cfg-radius.html#GUID-4DFCD169-F159-472D-925E-F1DFDC82510D