04-18-2019 01:23 AM
Hi guys,
my problem in a few lines:
- I can't access the webinterface of my 9300-48T, 9300-24T, 9500-40X via RADIUS authentication
- But I can access via radius over ssh
- I can access the webinterface with local credentials
- I configured "ip http authentication aaa"
- On my 2960X-models it works without any issues
There is the following log-message on one of my 9000-Switches:
Apr 18 09:42:45.056 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Login-failure:
Can anybody tell me a solution or put me in the right direction?
Many thanks!
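The %WEBSERVER-5-LOGIN_FAILED lines quoted in this thread come in two shapes (with and without the trailing cipher suffix, with and without the leading `*` that IOS puts on timestamps when the clock is not authoritative), so when you pull them off a syslog collector it helps to have a parser that handles both and groups the failures per source host. The following is an added example, not code from the thread or from Cisco: the sample lines are constructed in the same format as the posts above (only 172.20.0.19 is taken from the first post; the other addresses are documentation ranges), and the threshold and window are arbitrary choices.

```python
"""Parse IOS-XE %WEBSERVER-5-LOGIN_FAILED syslog lines and flag repeated failures per host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Apr 18 09:42:45.056 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Apr 18 09:42:51.301 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Apr 18 09:43:02.870 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'
*Mar 17 13:22:28.249 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host 198.51.100.7
*Mar 17 13:22:35.288 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host 198.51.100.7
Apr 18 09:45:00.000 cest: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)
"""

LOGIN_FAILED_RE = re.compile(
    r"^(?P<clock>[*.]?)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): "
    r"%WEBSERVER-5-LOGIN_FAILED: Switch (?P<switch>\d+) R0/0: nginx: Login Un-Successful "
    r"from host (?P<host>\S+)(?: using crypto cipher '(?P<cipher>[^']+)')?$"
)


def parse_login_failed(line):
    """Return a dict for one LOGIN_FAILED line, or None for any other message."""
    m = LOGIN_FAILED_RE.match(line.strip())
    if not m:
        return None
    # IOS syslog carries no year; strptime leaves the default 1900 in place.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S.%f")
    return {
        "timestamp": ts,
        "timezone": m["tz"],
        # IOS prefixes '*' when the clock was never synchronised and '.' when sync was lost.
        "clock_authoritative": m["clock"] == "",
        "switch": int(m["switch"]),
        "host": m["host"],
        "cipher": m["cipher"],  # None on builds that omit the cipher suffix
    }


def failures_per_host(lines, threshold=3, window=timedelta(minutes=5)):
    """Count failures per source host and flag hosts whose largest burst inside
    `window` reaches `threshold`. Returns (counts, flagged_hosts)."""
    events = [e for e in (parse_login_failed(l) for l in lines) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["timestamp"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[host] = best
    return {h: len(t) for h, t in by_host.items()}, flagged


if __name__ == "__main__":
    counts, flagged = failures_per_host(SAMPLE_LOG.splitlines())
    for host, n in counts.items():
        print(f"{host}: {n} failed web logins" + ("  <-- burst" if host in flagged else ""))
```

Hosts with a burst of failures are the ones to cross-check against the RADIUS server's own authentication log for the same minutes; a switch-side failure with no matching server-side entry is the situation the thread describes.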
04-18-2019 02:05 AM
- Check the radius server's authentication logs when this is tried; if there's no activity then the auth-setup is (still) incorrect.
M.
04-18-2019 02:29 AM
Thank you marce1000,
on the RADIUS server there is no activity when I try to access over the webinterface. But there is activity when I try it over ssh.
I'm confused about this because the authentication over ssh works perfectly and over https it doesn't work.
Therefore I would exclude the "auth-setup is incorrect" thing.
04-18-2019 02:44 AM
- If the radius server sees no incoming authorization request when the web interface is tried, then it means that there is something wrong with the intended and/or needed configuration on the switch (I am afraid).
M.
04-18-2019 03:11 AM
Yes, it sounds plausible. But I don't understand why our firewall logs a packet when I try to login over the webinterface!?
This means that the switch sends a packet to our radius-server. But at the server there is no packet incoming. No error, no logs, nothing.
But on the 2960X I have the same configuration and it works. Maybe there is a bug in the webinterface on the 9000er series...
Over ssh it works on the 9000er series, too! Only with webinterface there is a problem.
SW-Version: 16.10.1
04-18-2019 03:25 AM
>...
>This means that the switch sends a packet to our radius-server
- Not at all! There will always be activity in your firewall logs when you access the web-interface of the Catalyst for whatever reason (network traffic). You are deviating from the real problem which I already explained.
M.
04-18-2019 04:07 AM
Well, there is a packet logged with port UDP 1645 in the firewall. As far as I know that's a "Radius-Port".
I did exactly the same configuration steps on both switch types (2960, 9000series):
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default local group radius if-authenticated
aaa accounting system default start-stop group radius
radius server radius1
address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
key 0 radiussharedkey
radius server radius2
address ipv4 1.2.3.4 auth-port 1812 acct-port 1813
key 0 radiussharedkey
ip http authentication aaa
That's all...
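The configuration above points both radius server stanzas at auth-port 1812 with a shared key, while the firewall entry mentioned in the same post shows UDP 1645. To make concrete what travels on that port and what has to agree on both ends, here is an added example that is not from the thread or from Cisco: a minimal RFC 2865 PAP Access-Request / Access-Accept exchange run entirely offline, with the NAS side building the request and checking the Response Authenticator, and a toy server side decoding the User-Password. The username, password, shared secrets, user table and NAS address 192.0.2.10 are constructed. The last scenario in the usage shows the one case where the client silently discards the reply: the two ends use different shared secrets.

```python
"""Minimal RFC 2865 RADIUS Access-Request / Access-Accept exchange, both sides, offline."""
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used here (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; Length includes the 2 header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: zero-pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block chains off the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    if len(padded) > 128:
        raise ValueError("User-Password longer than 128 octets")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + cipher, cipher
    return out


def decrypt_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_password; strips the zero padding (passwords are text here)."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """NAS (switch) side: build the Access-Request datagram."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet, secret, users):
    """Toy server side: decode the request, check PAP credentials, answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(username, "").encode() == password else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", request_auth, secret)
    return struct.pack("!BBH", reply_code, identifier, 20) + auth


def client_check_reply(reply, request, secret):
    """NAS side: accept the reply only if its Response Authenticator verifies against the
    request we sent. Returns the reply code, or None when the reply must be discarded."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, identifier, reply[20:length], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def exchange(username, password, client_secret, server_secret, users):
    """Run one request/reply round trip in memory; returns the verified reply code or None."""
    request = build_access_request(7, username, password, client_secret, "192.0.2.10")
    reply = server_handle(request, server_secret, users)
    return client_check_reply(reply, request, client_secret)


if __name__ == "__main__":
    users = {"netadmin": "correct horse"}  # constructed user table
    print(exchange("netadmin", "correct horse", b"s3cret", b"s3cret", users))  # 2 = Accept
    print(exchange("netadmin", "wrong", b"s3cret", b"s3cret", users))          # 3 = Reject
    print(exchange("netadmin", "correct horse", b"s3cret", b"other", users))   # None: discarded
```

The third case is the one that is invisible on the server: it sees a request, answers Reject because the password no longer decrypts, and the NAS drops the answer because the authenticator does not verify. A server that logs nothing at all, as in this thread, points instead at the request never arriving (wrong address, wrong port, or a path that drops it), which the exchange above cannot reproduce and the server log is the right place to confirm.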
04-30-2020 06:18 PM
Did you ever find a resolution for this?
Thanks
08-07-2020 12:12 AM
Perhaps the following commands will help you:
ip http authentication aaa login-authentication radius
ip http authentication aaa exec-authorization radius
03-16-2021 11:39 PM
Hi All,
I have the same problem and scenario. Can deleting crypto pki trustpoint TP-self-signed resolve the issue or not?
03-17-2021 12:14 AM
You certainly can try deleting the trustpoint for self signed but I would be surprised if that solved your issue. The original post included having a log message about crypto cipher, do you have any similar log message? It might be helpful if you would post your config or at least all of the config related to aaa, to http/https, and to radius.
03-17-2021 12:25 AM - edited 03-17-2021 12:28 AM
Hi Sir Richard,
Good day.
Kindly see below configuration:
aaa new-model
!
aaa group server radius xxxxxTest
server name xxxxx
aaa authentication login RadiusTest group xxxxxTest local
radius server xxxxx
address ipv4 x.x.x.x auth-port 1812 acct-port 1812
key 7 yyyyyyyyyyyyyy
ip http server
ip http authentication aaa login-authentication RadiusTest
ip http secure-server
Logs were like this:
*Mar 17 13:22:28.249 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x
*Mar 17 13:22:35.288 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x
but on SSH I can successfully login using the UN/PW from the radius server
Hope you can help me,
Regards,
03-17-2021 01:06 AM
Thanks for the additional information. When you attempt to access the web interface would you then check the logs on the radius server and see if there are any messages related to your attempt?
03-17-2021 01:09 AM - edited 03-17-2021 01:11 AM
Hi,
These were the logs from the radius server
Regards,
Jasper
03-17-2021 07:33 AM
Thanks for posting the log message from the Radius server. It is quite surprising. Radius says successful and the switch says failed. So we need to look deeper. Can you make sure that the logging level for logging buffered is set to 7, attempt to login, and check logs? Perhaps the next step would be to run debug for radius and for aaa authentication and see if the debug output gives us anything helpful.