cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6685
Views
5
Helpful
18
Replies

Catalyst 9000er series - Webinterface Access RADIUS won't work

malawi
Beginner
Beginner

Hi guys,

my problem in a few lines:

- I can't access the webinterface of my 9300-48T, 9300-24T, 9500-40X via RADIUS authentication

- But I can access via radius over ssh
- I can access the webinterface with local credentials

- I configured "ip http authentication aaa"

- On my 2960X-models it work's without any issues

 

There is the following log-message on one of my 9000-Switches:


Apr 18 09:42:45.056 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'

 

 

Login-failure:

Bildschirmfoto vom 2019-04-18 10-18-01.png

 

Can anybody tell me a solution oder put me in the right direction?

Many thanks!

18 Replies 18

marce1000
VIP Mentor VIP Mentor
VIP Mentor

 

 - Check the radius server's authentication logs when this is tried ; if there's no activity then the auth-setup is (still) incorrect.

 M.

Thank you marce1000,

on the RADIUS server there is no activity when I try to access over the webinterface. But there is activity when I try it over ssh. 

I'm confused about this because the authentication over ssh works perfectly and over https it doesn't work.

Therfore I would exclude the "auth-setup is incorrect" thing.

 

 - If the radius servers sees no incoming authorization request, when the web interface is tried  , then it means that there is something wrong with the intended and or needed configuration on the switch (I am afraid).

 M.

Yes, it sounds plausible. But I don't understand, why our firewall logs a package when I try to login over the webinterface !? 

This means that the switch sends a packet to our radius-server. But at the server is no packet incomming. No error, no logs, nothing.

But on the 2960X I have the same configuration and it works. Maybe there is a bug in the webinterface on the 9000er series...


Over ssh it works on the 9000er series, too! Only with webinterface there is a problem.

SW-Version: 16.10.1


>...

>This means that the switch sends a packet to our radius-server

 - Not at all!  There will always be activity in your firewall logs when you access the web-interface of the Catalyst for whatever reason (network traffic) . You  are deviating from the real problem which I already explained.

 M.

Well, there is a packet logged with port UDP 1645 in the firewall. As fare a I know thats a "Radius-Port". 

I did exactly the same configuration steps on both switch types (2960, 9000series):

aaa new-model

aaa authentication login default local group radius

aaa authorization exec default local group radius if-authenticated

aaa accounting system default start-stop group radius

 

radius server radius1

   address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
   key 0 radiussharedkey

radius server radius2

   address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
   key 0 radiussharedkey

 

ip http authentication aaa

 

That's all...

Did you ever find a resolution for this?

 

Thanks

Perhaps the following commands will help you:

 

ip http authentication aaa login-authentication radius
ip http authentication aaa exec-authorization radius

Jasper Lampitoc
Beginner
Beginner

Hi All,

 

I have the same problem and scenario, is deleting crypto pki trustpoint TP-self-signed can resolve the issue or not? 

 

 

You certainly can try deleting the trustpoint for self signed but I would be surprised if that solved your issue. The original post included having a log message about crypto cipher, do you have any similar log message? It might be helpful if you would post your config or at least all of the config related to aaa, to http/https, and to radius.

HTH

Rick

Hi Sir Richard,

Good day.

 

Kindly see below configuration:

 

aaa new-model
!
aaa group server radius xxxxxTest
server name xxxxx

aaa authentication login RadiusTest group xxxxxTest local

 

radius server xxxxx
address ipv4 x.x.x.x auth-port 1812 acct-port 1812
key 7 yyyyyyyyyyyyyy

 

 

ip http server
ip http authentication aaa login-authentication RadiusTest
ip http secure-server

 

 

Logs was like this

*Mar 17 13:22:28.249 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x
*Mar 17 13:22:35.288 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x

 

but on SSH i can successfully login using the UN PW from radius server

 

Hope you can help me,

Regards,

 

 

 

 

Thanks for the additional information. When you attempt to access the web interface would you then check the logs on the radius server and see if there are any messages related to your attempt?

HTH

Rick

 

Hi,

 

This was the logs from radius server

 

Radius Logs.PNG

Regards,

Jasper

Thanks for posting the log message from the Radius server. It is quite surprising. Radius says successful and the switch says failed. So we need to look deeper. Can you make sure that the logging level for logging buffered is set to 7, attempt to login, and check logs? Perhaps the next step would be to run debug for radius and for aaa authentication and see if the debug output gives us anything helpful.

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers