3560CX switch Radius failing

jdiveney1
Level 1

I am trying to set up RADIUS authentication on my edge switches. I started with a test 3560CX 8 port. The NPS server shows authentication is good, but the switch gets an Access-Reject back from the server. Please see debugs and logs.


Switch debug:

Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): ask "Password: "
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): send packet; GET_PASSWORD
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2):Orig. component type = Exec
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IP: 0.0.0.0
Apr 27 16:56:53.126: RADIUS(000000B2): Config NAS IPv6: ::
Apr 27 16:56:53.126: RADIUS/ENCODE(000000B2): acct_session_id: 127
Apr 27 16:56:53.126: RADIUS(000000B2): sending
Apr 27 16:56:53.126: RADIUS/ENCODE: Best Local IP-Address 10.1.224.71 for Radius-Server 10.63.230.220
Apr 27 16:56:53.129: RADIUS(000000B2): Send Access-Request to 10.xx.xx.xx:1645 onvrf(0) id 1645/110, len 99
Apr 27 16:56:53.129: RADIUS: authenticator 9E C8 4F 6E 76 61 BE 56 - B9 04 70 77 A5 0B 67 96
Apr 27 16:56:53.129: RADIUS: User-Name [1] 19 "test@test.com"
Apr 27 16:56:53.129: RADIUS: Reply-Message [18] 12
Apr 27 16:56:53.129: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Apr 27 16:56:53.129: RADIUS: User-Password [2] 18 *
Apr 27 16:56:53.129: RADIUS: NAS-Port [5] 6 1
Apr 27 16:56:53.129: RADIUS: NAS-Port-Id [87] 6 "tty1"
Apr 27 16:56:53.129: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 27 16:56:53.129: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 16:56:53.129: RADIUS: NAS-IP-Address [4] 6 10.1.xx.xx
Apr 27 16:56:53.129: RADIUS(000000B2): Sending a IPv4 Radius Packet
Apr 27 16:56:53.129: RADIUS(000000B2): Started 30 sec timeout
Apr 27 16:56:53.147: RADIUS: Received from id 1645/110 10.xx.xx.xx:1645, Access-Reject, len 20
Apr 27 16:56:53.147: RADIUS: authenticator D2 F5 08 4F 12 11 CA F5 - 39 1E A3 6C C9 61 A7 B0
Apr 27 16:56:53.147: RADIUS(000000B2): Received from id 1645/110
Apr 27 16:56:55.149: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test@test.c] [Source: 10.83.225.1] [localport: 22] [Reason: Login Authentication Failed] at 16:56:55 UTC Thu Apr 27 2023


NPS event viewer:

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: NPS22-2$
Account Domain: domain
Logon ID: 0x3E7

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: domain\test
Account Name: test
Account Domain: domain
Logon ID: 0x10FDCA3E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
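The debug output above is easiest to read once the Send and Received lines are paired by RADIUS identifier and the attributes the switch actually sent are listed next to the reply. The following parser is an added example, not code from the post or from Cisco; it takes the poster's own "debug radius" lines (IPs masked as posted) as constructed sample input and points out the detail that matters here: the Access-Reject has len 20, which is exactly the RFC 2865 header (code, id, length, authenticator), so the server returned no Reply-Message and the reason can only be found on the NPS side.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the "debug radius" lines quoted in the post (IPs masked as posted).
SAMPLE_DEBUG = """\
Apr 27 16:56:53.129: RADIUS(000000B2): Send Access-Request to 10.xx.xx.xx:1645 onvrf(0) id 1645/110, len 99
Apr 27 16:56:53.129: RADIUS: authenticator 9E C8 4F 6E 76 61 BE 56 - B9 04 70 77 A5 0B 67 96
Apr 27 16:56:53.129: RADIUS: User-Name [1] 19 "test@test.com"
Apr 27 16:56:53.129: RADIUS: Reply-Message [18] 12
Apr 27 16:56:53.129: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Apr 27 16:56:53.129: RADIUS: User-Password [2] 18 *
Apr 27 16:56:53.129: RADIUS: NAS-Port [5] 6 1
Apr 27 16:56:53.129: RADIUS: NAS-Port-Id [87] 6 "tty1"
Apr 27 16:56:53.129: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 27 16:56:53.129: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 16:56:53.129: RADIUS: NAS-IP-Address [4] 6 10.1.xx.xx
Apr 27 16:56:53.129: RADIUS(000000B2): Started 30 sec timeout
Apr 27 16:56:53.147: RADIUS: Received from id 1645/110 10.xx.xx.xx:1645, Access-Reject, len 20
Apr 27 16:56:53.147: RADIUS: authenticator D2 F5 08 4F 12 11 CA F5 - 39 1E A3 6C C9 61 A7 B0
"""

# RFC 2865 packet header: Code(1) + Identifier(1) + Length(2) + Authenticator(16).
RADIUS_HEADER_LEN = 20

SEND_RE = re.compile(
    r"RADIUS\(\w+\): Send (?P<code>[\w-]+) to (?P<server>[\w.]+):(?P<port>\d+)"
    r" .*?id (?P<id>\d+/\d+), len (?P<len>\d+)"
)
RECV_RE = re.compile(
    r"RADIUS: Received from id (?P<id>\d+/\d+) (?P<server>[\w.]+):(?P<port>\d+),"
    r" (?P<code>[\w-]+), len (?P<len>\d+)"
)
# Attribute lines look like: RADIUS: User-Name [1] 19 "test@test.com"
ATTR_RE = re.compile(
    r"RADIUS: (?P<name>[A-Za-z][\w-]*) \[(?P<type>\d+)\] (?P<len>\d+)(?: (?P<value>.*))?$"
)


@dataclass
class Exchange:
    ident: str                      # "<port>/<id>" as IOS prints it
    server: str                     # "host:port" the request was sent to
    request_code: str = ""
    request_len: int = 0
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    reply_code: str = ""
    reply_len: int = 0
    reply_server: str = ""
    reply_attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_debug(text: str) -> List[Exchange]:
    """Pair Send/Received lines by identifier; attach attribute lines to the packet they follow."""
    exchanges: Dict[str, Exchange] = {}
    target: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            ex = Exchange(m["id"], f'{m["server"]}:{m["port"]}', m["code"], int(m["len"]))
            exchanges[m["id"]] = ex
            target = ex.attributes
            continue
        m = RECV_RE.search(line)
        if m:
            ex = exchanges.setdefault(m["id"], Exchange(m["id"], ""))
            ex.reply_code, ex.reply_len = m["code"], int(m["len"])
            ex.reply_server = f'{m["server"]}:{m["port"]}'
            target = ex.reply_attributes
            continue
        m = ATTR_RE.search(line)
        if m and target is not None:
            # Value is None for attributes IOS prints on a separate hex line (e.g. Reply-Message).
            target[m["name"]] = m["value"].strip('"') if m["value"] else None
    return list(exchanges.values())


def assess(ex: Exchange) -> List[str]:
    """Turn one correlated exchange into the observations a defender would want."""
    findings: List[str] = []
    if not ex.reply_code:
        # RFC 2865: a reply whose Response Authenticator does not verify is silently discarded,
        # so a wrong shared secret looks the same as an unreachable server (timeout).
        findings.append("no reply: server unreachable, or the reply failed authenticator verification (shared secret mismatch)")
        return findings
    if ex.server and ex.reply_server != ex.server:
        findings.append(f"reply came from {ex.reply_server} but the request went to {ex.server}")
    if ex.reply_code == "Access-Reject":
        if ex.reply_len == RADIUS_HEADER_LEN:
            findings.append("Access-Reject is header only (len 20): no Reply-Message, so the reason is only visible in the server's own log (NPS event log)")
        elif "Reply-Message" in ex.reply_attributes:
            findings.append(f"Access-Reject with Reply-Message: {ex.reply_attributes['Reply-Message']}")
    if "NAS-IP-Address" not in ex.attributes:
        findings.append("request carries no NAS-IP-Address: the server can only match the client by packet source IP")
    return findings


if __name__ == "__main__":
    for ex in parse_debug(SAMPLE_DEBUG):
        print(f"{ex.ident}: {ex.request_code} ({ex.request_len} bytes) -> {ex.reply_code} ({ex.reply_len} bytes)")
        for name, value in ex.attributes.items():
            print(f"  {name} = {value}")
        for finding in assess(ex):
            print(f"  ! {finding}")
```

Paste the full debug into SAMPLE_DEBUG (or read it from a file) and the same two regexes cover every request/reply pair in a longer capture; the header-only check is the one that separates "NPS never heard the request" (timeout) from "NPS heard it and said no without explanation", which is the situation in this thread.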


20 Replies

You try telnet and use aaa for auth.

I think the NPS user is not correct.

Telnet is the same thing: NPS shows the user account was successfully logged on, but the switch gets a RADIUS: Received from id 1645/2 10.63.230.220:1812, Access-Reject, len 20


I put the same config into my old 2012 NPS server this morning and it worked fine. The problem server is a 2022.


I have this issue fixed. I had to disable the connection policy and re-enable it. Found it in the community post. 

https://community.cisco.com/t5/switches-small-business/cisco-switch-vs-windows-nps-invalid-credentials/td-p/4643990

This is for small business switches; does it work fine for you? What VTY line does the user use?

I am still testing with the 3560CX. I do plan on deploying on 3560s and 3850s. I am using vty 0 4. So far the NPS servers are now authenticating with the proper AD group added. I have the enable working on con 0. I am working on getting the switch user account working if NPS is down.
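For the "switch user account working if NPS is down" part in the last reply, here is an added IOS AAA configuration example; it is not from the post or from Cisco's documentation. The server address, shared secret and local account are placeholders, and the NPS server is assumed to listen on the default 1812/1813 ports (NPS also accepts 1645/1646, which is what the debug in the original post uses).

```text
! Added example: RADIUS login with local fallback. Values in <...> are placeholders.
aaa new-model
!
radius server NPS-PRIMARY
 address ipv4 <nps-ip> auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius NPS-GROUP
 server name NPS-PRIMARY
!
! The "local" method is consulted only when no server in the group answers
! (timeout). An Access-Reject like the one in the original post is a definitive
! deny and does not fall through to the local database.
aaa authentication login default group NPS-GROUP local
aaa authentication enable default group NPS-GROUP enable
aaa authorization exec default group NPS-GROUP local if-authenticated
!
! Local account that is only reachable while NPS is unreachable.
username <local-admin> privilege 15 secret <strong-password>
enable secret <enable-password>
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
```

Two checks worth doing after applying this: confirm with "debug radius" that a normal login still shows an Access-Accept (the fallback must not mask a misconfigured policy), and test the local account only by making the server unreachable, not by entering a wrong password, because a reject from NPS will never reach the local method.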