Beginner

Catalyst 9000 series - web interface access via RADIUS won't work

Hi guys,

my problem in a few lines:

- I can't access the web interface of my 9300-48T, 9300-24T, 9500-40X via RADIUS authentication

- But I can access via RADIUS over SSH
- I can access the web interface with local credentials

- I configured "ip http authentication aaa"

- On my 2960X models it works without any issues

 

There is the following log message on one of my 9000 switches:


Apr 18 09:42:45.056 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'

 

 

Login failure:

[Screenshot: login failure dialog (Bildschirmfoto vom 2019-04-18 10-18-01.png)]

 

Can anybody tell me a solution or put me in the right direction?

Many thanks!

7 REPLIES
VIP Engager

Re: Catalyst 9000 series - web interface access via RADIUS won't work

 - Check the RADIUS server's authentication logs when this is tried; if there's no activity then the auth setup is (still) incorrect.

 M.

Beginner

Re: Catalyst 9000 series - web interface access via RADIUS won't work

Thank you marce1000,

on the RADIUS server there is no activity when I try to access over the web interface. But there is activity when I try it over SSH.

I'm confused about this because the authentication over SSH works perfectly and over HTTPS it doesn't work.

Therefore I would exclude the "auth setup is incorrect" thing.

VIP Engager

Re: Catalyst 9000 series - web interface access via RADIUS won't work

 - If the RADIUS server sees no incoming authorization request when the web interface is tried, then it means that there is something wrong with the intended and/or needed configuration on the switch (I am afraid).

 M.

Beginner

Re: Catalyst 9000 series - web interface access via RADIUS won't work

Yes, it sounds plausible. But I don't understand why our firewall logs a packet when I try to log in over the web interface!?

This means that the switch sends a packet to our RADIUS server. But at the server no packet is incoming. No error, no logs, nothing.

But on the 2960X I have the same configuration and it works. Maybe there is a bug in the web interface on the 9000 series...

Over SSH it works on the 9000 series, too! Only with the web interface is there a problem.

SW version: 16.10.1


VIP Engager

Re: Catalyst 9000 series - web interface access via RADIUS won't work

>...

>This means that the switch sends a packet to our radius-server

 - Not at all! There will always be activity in your firewall logs when you access the web interface of the Catalyst, for whatever reason (network traffic). You are deviating from the real problem which I already explained.

 M.

Beginner

Re: Catalyst 9000 series - web interface access via RADIUS won't work

Well, there is a packet logged with port UDP 1645 in the firewall. As far as I know that's a "RADIUS port".

I did exactly the same configuration steps on both switch types (2960, 9000 series):

aaa new-model
! default method lists: local database first, then the RADIUS group
aaa authentication login default local group radius
aaa authorization exec default local group radius if-authenticated
aaa accounting system default start-stop group radius
!
radius server radius1
 address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
 key 0 radiussharedkey
!
radius server radius2
 address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
 key 0 radiussharedkey
!
! HTTP(S) server uses AAA (the default lists above) for login
ip http authentication aaa

 

That's all...

Beginner

Re: Catalyst 9000 series - web interface access via RADIUS won't work

Did you ever find a resolution for this?

 

Thanks
