Re: 4500X and Radius

pwiscott · ‎10-02-2019

Hi,

Apologies for a subject probably already done to death !, I am having problems with Radius (Microsoft) authentication for my 4500X's. I have a mix of 2960's , 3560's all using the same Radius servers and profiles and they work fine so am guessing I have something wrong with my config on the 4500.

So my 4500 config looks like

aaa new-model
!
aaa group server radius XX_RAD_AUTH
server name PMRADIUS01
server name WARADIUS01
!
aaa authentication login VTY_AUTH local group XX_RAD_AUTH
aaa authorization exec VTY_AUTHOR local group XXX_RAD_AUTH

radius server PMRADIUS01
address ipv4 XX.XXX.28.69 auth-port 1645 acct-port 1646
key MYKEY123
!
radius server WARADIUS01
address ipv4 XX.XXX.28.70 auth-port 1645 acct-port 1646
key MYKEY123

line vty 0 4
exec-timeout 0 0
authorization exec VTY_AUTHOR
login authentication VTY_AUTH
transport input ssh
line vty 5 15
authorization exec VTY_AUTHOR
login authentication VTY_AUTH
transport input ssh

Network Policy on Microsoft Server

Cisco-AV-Pair shell:priv-lvl=15

Authentication Method Unencrypted authentication (PAP, SPAP)

Service-Type Login

marce1000 · ‎10-02-2019

>...

>I am having problems

- It would be interesting to know what these problems are.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

pwiscott · ‎10-02-2019

Only mildly interesting....

Login to switch via SSH is failing with an Access Denied message

Seb Rupik · ‎10-02-2019

Hi there,

Any reason my you have the radius group as the fallback method. If using local doesn't return an error then the AAA method won't try the radius group.

Try this:

!
aaa authentication login VTY_AUTH group XX_RAD_AUTH
aaa authorization exec VTY_AUTHOR group XXX_RAD_AUTH
!

cheers,

Seb.