04-27-2023 10:05 AM
I am trying to set up RADIUS authentication on my edge switches. I started with a test 3560CX 8-port. The NPS server shows the authentication is good, but the switch gets an Access-Reject back from the server. Please see the debugs and logs.
Switch debug:
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): ask "Password: "
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): send packet; GET_PASSWORD
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2):Orig. component type = Exec
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IP: 0.0.0.0
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IPv6: ::
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): acct_session_id: 127
Apr 27 16:56:53.126: RADIUS(000000B2): sending
Apr 27 16:56:53.126: RADIUS/ENCODE: Best Local IP-Address 10.1.224.71 for Radius-Server 10.63.230.220
Apr 27 16:56:53.129: RADIUS(000000B2): Send Access-Request to 10.xx.xx.xx:1645 onvrf(0) id 1645/110, len 99
Apr 27 16:56:53.129: RADIUS: authenticator 9E C8 4F 6E 76 61 BE 56 - B9 04 70 77 A5 0B 67 96
Apr 27 16:56:53.129: RADIUS: User-Name [1] 19 "test@test.com"
Apr 27 16:56:53.129: RADIUS: Reply-Message [18] 12
Apr 27 16:56:53.129: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Apr 27 16:56:53.129: RADIUS: User-Password [2] 18 *
Apr 27 16:56:53.129: RADIUS: NAS-Port [5] 6 1
Apr 27 16:56:53.129: RADIUS: NAS-Port-Id [87] 6 "tty1"
Apr 27 16:56:53.129: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 27 16:56:53.129: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 16:56:53.129: RADIUS: NAS-IP-Address [4] 6 10.1.xx.xx
Apr 27 16:56:53.129: RADIUS(000000B2): Sending a IPv4 Radius Packet
Apr 27 16:56:53.129: RADIUS(000000B2): Started 30 sec timeout
Apr 27 16:56:53.147: RADIUS: Received from id 1645/110 10.xx.xx.xx:1645, Access-Reject, len 20
Apr 27 16:56:53.147: RADIUS: authenticator D2 F5 08 4F 12 11 CA F5 - 39 1E A3 6C C9 61 A7 B0
Apr 27 16:56:53.147: RADIUS(000000B2): Received from id 1645/110
Apr 27 16:56:55.149: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test@test.c] [Source: 10.83.225.1] [localport: 22] [Reason: Login Authentication Failed] at 16:56:55 UTC Thu Apr 27 2023
NPS event viewer:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: NPS22-2$
Account Domain: domain
Logon ID: 0x3E7
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: domain\test
Account Name: test
Account Domain: domain
Logon ID: 0x10FDCA3E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Solved! Go to Solution.
05-02-2023 08:16 AM
I have this issue fixed. I had to disable the connection policy and re-enable it. Found it in the community post.
04-27-2023 10:19 AM
Hello
Can you share the command "show aaa servers" ?
show run | i aaa
04-27-2023 11:20 AM
Radius_Test#sho running-config | i aaa
aaa new-model
aaa group server radius NPS-servers
aaa authentication login default group radius local
aaa authentication login NO_RADIUS local
aaa authentication enable default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa authorization reverse-access default group radius local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
04-27-2023 11:48 AM
Hi
aaa group server radius NPS-servers
aaa authentication dot1x default group NPS-servers
aaa authorization exec default group NPS-servers local
aaa authorization network default group NPS-servers
aaa authorization reverse-access default group NPS-servers local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group NPS-servers
aaa accounting exec default start-stop group NPS-servers
aaa accounting connection default start-stop group NPS-servers
aaa accounting system default start-stop group NPS-servers
If you are using a RADIUS server group with the name NPS-servers, you need to reference it in the aaa commands.
04-27-2023 12:56 PM
Still the same. Here is the config.
aaa new-model
!
!
aaa group server radius NPS-servers
server name nps22-2
server name nps22-1
!
aaa authentication login default group NPS-servers local
aaa authentication login NO_RADIUS local
aaa authentication enable default group NPS-servers enable
aaa authentication dot1x default group NPS-servers
aaa authorization exec default group NPS-servers local
aaa authorization network default group NPS-servers
aaa authorization reverse-access default group NPS-servers local
aaa accounting suppress null-username
aaa accounting dot1x default start-stop group NPS-servers
aaa accounting exec default start-stop group NPS-servers
aaa accounting connection default start-stop group NPS-servers
aaa accounting system default start-stop group NPS-servers
!
!
!
!
!
!
aaa session-id common
!
radius server nps22-2
address ipv4 10.xx.xx.xx auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key 6 M]PJdIYSb`eUWY`JgWGgKDY\V_WNOeSeK
!
radius server nps22-1
address ipv4 10.xx.xx.xx auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key 6 YdYJNUXYbPWaChNTQcDZaXV\]AWRfTRIX
04-27-2023 01:09 PM - edited 04-27-2023 01:15 PM
aaa authentication login default group NPS-servers local
aaa authentication login NO_RADIUS local
There are two aaa authentication lists, and you telnet to a VTY, so you need to configure the VTY to select the correct RADIUS server.
First do
Vty x
Rotary 1
Auth default
Vty y
Rotary 2
Auth NO_Radius
Now you can telnet using the rotary to reach a specific VTY, and this forces the device to use a specific aaa authentication list.
04-27-2023 01:53 PM
My IOS is Version 15.2(7)E7. There is no Auth command in VTY programming.
04-27-2023 02:04 PM - edited 04-27-2023 02:04 PM
login authentication default / NO_RADIUS
04-27-2023 02:07 PM
I see this on the NPS server every time. It's like it logs me out immediately: success, groups, then log off.
An account was successfully logged on.
Group membership information.
An account was logged off.
04-27-2023 02:14 PM
no aaa accounting dot1x default start-stop group NPS-servers
no aaa accounting exec default start-stop group NPS-servers
no aaa accounting connection default start-stop group NPS-servers
no aaa accounting system default start-stop group NPS-servers
Try a deactivated account and check the login.
04-27-2023 02:21 PM
I took those statements out. No change. I tried a deactivated account and got a failure: "An account failed to log on."
04-27-2023 02:06 PM
Show aaa servers
Is it UP?
04-27-2023 02:13 PM
RADIUS: id 1, priority 1, host 10.63.230.220, auth-port 1645, acct-port 1646
State: current UP, duration 910s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 6, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 52ms
Transaction: success 6, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 15m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 13 minutes ago: 6
low - 0 hours, 0 minutes ago: 0
average: 0
RADIUS: id 2, priority 2, host 10.63.230.145, auth-port 1645, acct-port 1646
State: current UP, duration 26s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 0m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 0 minutes ago: 0
low - 0 hours, 0 minutes ago: 0
average: 0
04-27-2023 02:23 PM
You said you see success on the NPS, right? But it seems all the attempts were rejected.
Authen: request 6, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 6, challenge 0
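The point being made here is that "show aaa servers" already tells the story: the server is UP, there are no timeouts and no incorrect responses, yet every one of the six Access-Requests came back as a reject, so the problem is on the policy side of the RADIUS server rather than reachability or the shared secret. The following is an added example, not code from this thread or from Cisco, that parses that command's output and produces a per-server verdict so the mismatch is not missed when the output is long. The sample input is constructed from the output posted above; the regular expressions assume the IOS 15.x line layout shown there, and the verdict names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the lines of "show aaa servers" from the thread
# that this parser cares about (other lines are ignored).
SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 10.63.230.220, auth-port 1645, acct-port 1646
State: current UP, duration 910s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 6, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 52ms
Transaction: success 6, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
RADIUS: id 2, priority 2, host 10.63.230.145, auth-port 1645, acct-port 1646
State: current UP, duration 26s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
"""


@dataclass
class AuthStats:
    """Authentication counters for one RADIUS server entry."""
    server_id: int
    host: str
    state: str = "UNKNOWN"
    requests: int = 0
    timeouts: int = 0
    accepts: int = 0
    rejects: int = 0
    incorrect: int = 0   # responses that failed validation (e.g. bad authenticator)


SERVER_RE = re.compile(r"^RADIUS: id (\d+), priority \d+, host (\S+),")
STATE_RE = re.compile(r"^State: current (\S+),")
SECTION_RE = re.compile(r"^(Authen|Author|Account): request (\d+), timeouts (\d+)")
RESULT_RE = re.compile(r"^Response: accept (\d+), reject (\d+), challenge (\d+)")
ERROR_RE = re.compile(r"^Response: unexpected (\d+), server error (\d+), incorrect (\d+)")


def parse_show_aaa_servers(text):
    """Return one AuthStats per 'RADIUS: id ...' block in the command output."""
    servers = []
    current = None
    section = None   # which counter block (Authen/Author/Account) we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            current = AuthStats(server_id=int(m.group(1)), host=m.group(2))
            servers.append(current)
            section = None
        elif current is None:
            continue
        elif m := STATE_RE.match(line):
            current.state = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            if section == "Authen":
                current.requests = int(m.group(2))
                current.timeouts = int(m.group(3))
        elif section == "Authen" and (m := RESULT_RE.match(line)):
            # Only the Response lines under "Authen" describe login results;
            # the Author and Account blocks have Response lines of their own.
            current.accepts = int(m.group(1))
            current.rejects = int(m.group(2))
        elif section == "Authen" and (m := ERROR_RE.match(line)):
            current.incorrect = int(m.group(3))
    return servers


def assess(s):
    """Map a server's authentication counters to a one-word verdict (names are mine)."""
    if s.state != "UP":
        return "NOT_UP"            # marked dead/quarantined: reachability first
    if s.requests == 0:
        return "NO_REQUESTS"       # switch never sent anything here (e.g. second server)
    if s.incorrect > 0:
        return "BAD_RESPONSES"     # answers arrived but failed validation: check the key
    if s.accepts + s.rejects == 0:
        return "NO_ANSWER"         # requests sent, nothing valid came back: timeouts
    if s.accepts == 0:
        return "ALL_REJECTED"      # server answers and validates, but rejects every login
    return "OK"


def triage(text):
    """Convenience wrapper: (host, verdict) for every server in the output."""
    return [(s.host, assess(s)) for s in parse_show_aaa_servers(text)]


if __name__ == "__main__":
    for host, verdict in triage(SHOW_AAA_SERVERS):
        print(f"{host}: {verdict}")
```

On the output in this thread the first server comes out as ALL_REJECTED and the second as NO_REQUESTS, which is exactly the situation the reply above describes: the NPS side is reached and answers with valid packets, so the next place to look is the NPS connection request and network policy evaluation, not the switch's server definitions.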
04-27-2023 02:26 PM
Yes, the NPS logs show success but immediately logged out.