Trouble with Radius (MS NPS) on cisco Switches\Router

mlharv007
Level 1

All,

Thanks in advance.  We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers.  Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small.  I have attached my Microsoft NPS Network Policy.  Below is my IOS config:

aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
aaa accounting exec default start-stop group corp-radius
aaa accounting network default start-stop group corp-radius
!
!
!
!
!
aaa session-id common
radius-server attribute 6 on-for-login-auth
radius-server host 10.15.10.20 auth-port 1812 acct-port 1813 timeout 10 retransmit 3 key 7 1446435A5D

I also have debug output:

Sep 21 02:24:43.481: AAA/BIND(00000033): Bind i/f
Sep 21 02:24:43.481: AAA/AUTHEN/LOGIN (00000033): Pick method list 'default'
Sep 21 02:24:43.481: RADIUS/ENCODE(00000033): ask "Password: "
Sep 21 02:24:43.481: RADIUS/ENCODE(00000033): send packet; GET_PASSWORD
Sep 21 02:24:52.314: RADIUS/ENCODE(00000033):Orig. component type = Exec
Sep 21 02:24:52.314: RADIUS:  AAA Unsupported Attr: interface         [222] 4
Sep 21 02:24:52.314: RADIUS:   74 74                [ tt]
Sep 21 02:24:52.314: RADIUS(00000033): Config NAS IP: 0.0.0.0
Sep 21 02:24:52.314: RADIUS(00000033): Config NAS IPv6: ::
Sep 21 02:24:52.314: RADIUS/ENCODE(00000033): acct_session_id: 40
Sep 21 02:24:52.314: RADIUS(00000033): sending
Sep 21 02:24:52.314: RADIUS/ENCODE: Best Local IP-Address 10.15.10.15 for Radius-Server 10.15.10.20
Sep 21 02:24:52.314: RADIUS(00000033): Send Access-Request to 10.15.10.20:1812 id 1645/43, len 83
Sep 21 02:24:52.314: RADIUS:  authenticator A2 8E F9 0E 6D 24 EB 31 - C3 90 ED BE 0F 54 AE CF
Sep 21 02:24:52.314: RADIUS:  User-Name           [1]   15  "admin-lharvey"
Sep 21 02:24:52.314: RADIUS:  User-Password       [2]   18  *
Sep 21 02:24:52.314: RADIUS:  NAS-Port            [5]   6   1
Sep 21 02:24:52.314: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
Sep 21 02:24:52.322: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Sep 21 02:24:52.322: RADIUS:  Service-Type        [6]   6   Login                     [1]
Sep 21 02:24:52.322: RADIUS:  NAS-IP-Address      [4]   6   10.15.10.15
Sep 21 02:24:52.322: RADIUS(00000033): Sending a IPv4 Radius Packet
Sep 21 02:24:52.322: RADIUS(00000033): Started 10 sec timeout
Sep 21 02:24:52.330: RADIUS: Received from id 1645/43 10.15.10.20:1812, Access-Reject, len 20
Sep 21 02:24:52.330: RADIUS:  authenticator 61 69 0B DB E3 1F DE 88 - C9 C9 DB 8A 3A FD A2 07
Sep 21 02:24:52.330: RADIUS(00000033): Received from id 1645/43
Sep 21 02:24:54.343: AAA/AUTHEN/LOGIN (00000033): Pick method list 'default'
Sep 21 02:24:54.343: RADIUS/ENCODE(00000033): ask "Password: "
Sep 21 02:24:54.343: RADIUS/ENCODE(00000033): send packet; GET_PASSWORD

Any help or ideas would be greatly appreciated.

Thanks
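As an added example (not from the original post), the script below parses a constructed excerpt of the same "debug radius" output, pairs each Access-Request with the reply carrying the same id, and lists the attributes (NAS-Port-Type, Service-Type, User-Name) that an NPS network policy condition can key on. The log text is constructed to mirror the post; the function names are assumptions.

```python
import re

# Constructed excerpt of Cisco IOS "debug radius" output, modelled on the post above.
DEBUG_LOG = """\
Sep 21 02:24:52.314: RADIUS(00000033): Send Access-Request to 10.15.10.20:1812 id 1645/43, len 83
Sep 21 02:24:52.314: RADIUS:  authenticator A2 8E F9 0E 6D 24 EB 31 - C3 90 ED BE 0F 54 AE CF
Sep 21 02:24:52.314: RADIUS:  User-Name           [1]   15  "admin-lharvey"
Sep 21 02:24:52.314: RADIUS:  User-Password       [2]   18  *
Sep 21 02:24:52.314: RADIUS:  NAS-Port            [5]   6   1
Sep 21 02:24:52.314: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
Sep 21 02:24:52.322: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Sep 21 02:24:52.322: RADIUS:  Service-Type        [6]   6   Login                     [1]
Sep 21 02:24:52.322: RADIUS:  NAS-IP-Address      [4]   6   10.15.10.15
Sep 21 02:24:52.330: RADIUS: Received from id 1645/43 10.15.10.20:1812, Access-Reject, len 20
"""

SEND_RE = re.compile(r'Send (?P<code>Access-\w+) to (?P<srv>[\d.]+):\d+ id (?P<id>[\d/]+)')
RECV_RE = re.compile(r'Received from id (?P<id>[\d/]+) [\d.]+:\d+, (?P<code>Access-\w+)')
ATTR_RE = re.compile(r'RADIUS:\s+(?P<name>[\w-]+)\s+\[\d+\]\s+\d+\s+(?P<val>.+)$')
ENUM_RE = re.compile(r'(\S+)\s+\[(\d+)\]$')   # e.g. "Virtual   [5]" -> ("Virtual", 5)

def parse_exchanges(log):
    """Group each Access-Request's attributes with the reply that carries the same id."""
    exchanges, current = {}, None
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            current = exchanges.setdefault(m['id'], {'server': m['srv'], 'attrs': {}, 'reply': None})
        elif m := RECV_RE.search(line):
            exchanges.setdefault(m['id'], {'server': None, 'attrs': {}, 'reply': None})['reply'] = m['code']
        elif (m := ATTR_RE.search(line)) and current is not None:
            val = m['val'].strip()
            if e := ENUM_RE.match(val):
                val = (e.group(1), int(e.group(2)))   # enumerated attribute: (name, number)
            elif val.startswith('"') and val.endswith('"'):
                val = val[1:-1]                       # quoted string attribute
            current['attrs'][m['name']] = val
    return exchanges

def rejected_requests(exchanges):
    """Summarise each rejected request by the attributes an NPS policy condition can key on."""
    out = []
    for rid, ex in exchanges.items():
        if ex['reply'] == 'Access-Reject':
            a = ex['attrs']
            out.append({'id': rid, 'server': ex['server'], 'user': a.get('User-Name'),
                        'nas_port_type': a.get('NAS-Port-Type'), 'service_type': a.get('Service-Type')})
    return out

if __name__ == "__main__":
    for r in rejected_requests(parse_exchanges(DEBUG_LOG)):
        print(r)
```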

4 Replies

Tarik Admani
VIP Alumni

Hi,

Do the event logs indicate any error messages? Also, do you have multiple interfaces on this switch? If so, are you using 10.15.10.15 as the client, or is there another IP address? If so, please use ip radius source-interface vlan x.

If not, then please verify that the user you are testing with is in the Windows Group and that the shared secret is correct.

Other than that, everything looks fine.

Thanks,

Tarik Admani
*Please rate helpful posts*

I have attached the event log message it states:

"The user attempted to use an authentication method that is not enabled on the matching network policy."

I have attached.

I have verified my KEYS and I have "allow access" in my AD Dial-In properties.   My authentication on my network policy is unencrypted PAP, SPAP.

My network connection request is not set to override network policy.  I also have my WLAN using 802.1x on this NPS, but I have the RADIUS as processing order 1?

Is my switch using a different authentication message?

Thanks in advance.

Sorry, here is the correct image

Hi Lane, by default, RADIUS requests will be sent via the PAP_ASCII method unless you specify otherwise in your AAA config on the NAS device, so the auth method should be fine as defined in your NPS policy.

However, I suspect the match order may have something to do with it, specifically, the match criteria for your WLAN. Could you please post the NPS Dot1x WLAN policy configuration?

Edit:

Lane, can you also post the vty line configuration from your switch as well? Remember that unless you specify a named AAA method for the vty/aux/con lines, default will apply to all input methods. Just a thought that occurred to me after the initial post.

Travis, that was it!!  It was pointed correctly to my connection request policy, but using a different network request policy.  It wasn't pointed to the WLAN but I guess a default one when RRAS was installed, maybe.  What is the best way to ensure requests are pointing to the correct policy in the future if we add/?  What did I miss the first time so I am not on the forum again?  Anyway, thanks all.  I looked at the logs in NPS too long and did not pick up on that.

Thanks,  Lane.
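To make the cause Travis diagnosed and Lane confirmed concrete, here is an added model (not Microsoft's code and not from the original thread) of how NPS selects a network policy: policies are tried in processing order, the first one whose conditions all match is used, and if that policy does not allow the authentication method the client used, the request is rejected instead of falling through to the next policy. The policy names, the AD group name and the "Day-And-Time" condition stand-in are constructed.

```python
# Model of NPS network-policy selection (constructed example, not Microsoft's code): first
# policy whose conditions all match wins; if its allowed authentication methods exclude the
# method the client used, NPS rejects with "authentication method ... not enabled on the
# matching network policy" rather than trying the next policy.

# What the switch sent, per the debug above; Cisco IOS logins use PAP unless told otherwise.
SWITCH_LOGIN = {
    "NAS-Port-Type": "Virtual",
    "Service-Type": "Login",
    "Day-And-Time": "any",              # stands in for NPS's "Day and time restrictions"
    "User-Groups": {"Network Admins"},  # constructed AD group name
}

def conditions_match(policy, request):
    """Every condition must match; a request value may be a set (any member matches)."""
    for attr, wanted in policy["conditions"].items():
        have = request.get(attr)
        have = have if isinstance(have, set) else {have}
        if not (have & wanted):
            return False
    return True

def evaluate(policies, request, auth_method):
    """First-match-wins, then the constraint check. Returns (policy name, result, reason)."""
    for policy in policies:
        if not conditions_match(policy, request):
            continue
        if auth_method in policy["auth_methods"]:
            return policy["name"], "Access-Accept", "conditions and authentication method matched"
        return (policy["name"], "Access-Reject",
                "authentication method not enabled on the matching network policy")
    return None, "Access-Reject", "no network policy matched"

# Constructed policies: a broad, pre-existing policy sits above the switch policy.
BROAD_POLICY = {"name": "Leftover broad policy",
                "conditions": {"Day-And-Time": {"any"}},
                "auth_methods": {"MS-CHAP-v2", "EAP"}}
SWITCH_POLICY = {"name": "Switch and router admins",
                 "conditions": {"NAS-Port-Type": {"Virtual"}, "User-Groups": {"Network Admins"}},
                 "auth_methods": {"PAP"}}

def before_fix():
    return evaluate([BROAD_POLICY, SWITCH_POLICY], SWITCH_LOGIN, "PAP")

def after_fix():
    # Move the specific policy above the broad one (or tighten the broad policy's conditions).
    return evaluate([SWITCH_POLICY, BROAD_POLICY], SWITCH_LOGIN, "PAP")

if __name__ == "__main__":
    print(before_fix())  # rejected by the broad policy
    print(after_fix())   # accepted by the switch policy
```

Conditioning the switch policy on NAS-Port-Type Virtual and Service-Type Login, both visible in the debug, keeps it from colliding with the 802.1X WLAN policy regardless of order.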