3560CX switch Radius failing

jdiveney1, Level 1

I am trying to set up RADIUS authentication on my edge switches. I started with a test 3560CX 8 port. The NPS server shows authentication is good, but the switch gets an Access-Reject back from the server. Please see debugs and logs.

Switch debug:

Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): ask "Password: "
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): send packet; GET_PASSWORD
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2):Orig. component type = Exec
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IP: 0.0.0.0
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IPv6: ::
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): acct_session_id: 127
Apr 27 16:56:53.126: RADIUS(000000B2): sending
Apr 27 16:56:53.126: RADIUS/ENCODE: Best Local IP-Address 10.1.224.71 for Radius-Server 10.63.230.220
Apr 27 16:56:53.129: RADIUS(000000B2): Send Access-Request to 10.xx.xx.xx:1645 onvrf(0) id 1645/110, len 99
Apr 27 16:56:53.129: RADIUS: authenticator 9E C8 4F 6E 76 61 BE 56 - B9 04 70 77 A5 0B 67 96
Apr 27 16:56:53.129: RADIUS: User-Name [1] 19 "test@test.com"
Apr 27 16:56:53.129: RADIUS: Reply-Message [18] 12
Apr 27 16:56:53.129: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Apr 27 16:56:53.129: RADIUS: User-Password [2] 18 *
Apr 27 16:56:53.129: RADIUS: NAS-Port [5] 6 1
Apr 27 16:56:53.129: RADIUS: NAS-Port-Id [87] 6 "tty1"
Apr 27 16:56:53.129: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 27 16:56:53.129: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 16:56:53.129: RADIUS: NAS-IP-Address [4] 6 10.1.xx.xx
Apr 27 16:56:53.129: RADIUS(000000B2): Sending a IPv4 Radius Packet
Apr 27 16:56:53.129: RADIUS(000000B2): Started 30 sec timeout
Apr 27 16:56:53.147: RADIUS: Received from id 1645/110 10.xx.xx.xx:1645, Access-Reject, len 20
Apr 27 16:56:53.147: RADIUS: authenticator D2 F5 08 4F 12 11 CA F5 - 39 1E A3 6C C9 61 A7 B0
Apr 27 16:56:53.147: RADIUS(000000B2): Received from id 1645/110
Apr 27 16:56:55.149: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test@test.c] [Source: 10.83.225.1] [localport: 22] [Reason: Login Authentication Failed] at 16:56:55 UTC Thu Apr 27 2023

NPS event viewer:

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: NPS22-2$
Account Domain: domain
Logon ID: 0x3E7

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: domain\test
Account Name: test
Account Domain: domain
Logon ID: 0x10FDCA3E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -

Accepted Solution

I have this issue fixed. I had to disable the connection policy and re-enable it. Found it in this community post:

https://community.cisco.com/t5/switches-small-business/cisco-switch-vs-windows-nps-invalid-credentials/td-p/4643990


20 Replies

Hello

Can you share the output of the command "show aaa servers"?

show run | i aaa

Radius_Test#sho running-config | i aaa
aaa new-model
aaa group server radius NPS-servers
aaa authentication login default group radius local
aaa authentication login NO_RADIUS local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa authorization reverse-access default group radius local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common

Hi

aaa group server radius NPS-servers

aaa authentication dot1x default group NPS-servers
aaa authorization exec default group NPS-servers local
aaa authorization network default group NPS-servers
aaa authorization reverse-access default group NPS-servers local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group NPS-servers
aaa accounting exec default start-stop group NPS-servers
aaa accounting connection default start-stop group NPS-servers
aaa accounting system default start-stop group NPS-servers

If you are using a RADIUS server group with the name NPS-servers, you need to use it in the aaa commands.

Still the same. Here is the config. 

aaa new-model
!
!
aaa group server radius NPS-servers
server name nps22-2
server name nps22-1
!
aaa authentication login default group NPS-servers local
aaa authentication login NO_RADIUS local
aaa authentication enable default group NPS-servers enable
aaa authentication dot1x default group NPS-servers
aaa authorization exec default group NPS-servers local
aaa authorization network default group NPS-servers
aaa authorization reverse-access default group NPS-servers local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group NPS-servers
aaa accounting exec default start-stop group NPS-servers
aaa accounting connection default start-stop group NPS-servers
aaa accounting system default start-stop group NPS-servers
!
!
!
!
!
!
aaa session-id common
!
radius server nps22-2
address ipv4 10.xx.xx.xx auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key 6 M]PJdIYSb`eUWY`JgWGgKDY\V_WNOeSeK
!
radius server nps22-1
address ipv4 10.xx.xx.xx auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key 6 YdYJNUXYbPWaChNTQcDZaXV\]AWRfTRIX

aaa authentication login default group NPS-servers local
aaa authentication login NO_RADIUS local

There are two aaa authentication lists and you telnet to a vty, so you need to configure the vty to select the correct RADIUS list.

First do:

Vty x
 Rotary 1
 Auth default

Vty y
 Rotary 2
 Auth NO_Radius

Now you can telnet using the rotary to reach a specific vty, and this forces the device to use a specific aaa authentication list.

My IOS is Version 15.2(7)E7. There is no Auth command in VTY programming.

Login authen default / NO_radius

I see this on the NPS server every time. It's like it logs me out immediately: success, groups, then log off.

An account was successfully logged on.

Group membership information.

An account was logged off.

no aaa accounting dot1x default start-stop group NPS-servers
no aaa accounting exec default start-stop group NPS-servers
no aaa accounting connection default start-stop group NPS-servers
no aaa accounting system default start-stop group NPS-servers

Try deactivating the account and check the login.

I took those statements out. No change. I tried a deactivated account and got a failure: "An account failed to log on."

Show aaa servers

Is it UP?

RADIUS: id 1, priority 1, host 10.63.230.220, auth-port 1645, acct-port 1646
State: current UP, duration 910s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 6, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 52ms
Transaction: success 6, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 15m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 13 minutes ago: 6
low - 0 hours, 0 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.63.230.145, auth-port 1645, acct-port 1646
State: current UP, duration 26s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 0m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 0 minutes ago: 0
low - 0 hours, 0 minutes ago: 0
average: 0

You said you see success on the NPS, right? But it seems all the attempts were rejected.

Authen: request 6, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 6, challenge 0

Yes, the NPS logs show success but immediately logged out. 
