Catalyst 9000er series - Webinterface Access RADIUS won't work

malawi
Community Member

Hi guys,

my problem in a few lines:

- I can't access the web interface of my 9300-48T, 9300-24T, 9500-40X via RADIUS authentication
- But I can access via radius over ssh
- I can access the web interface with local credentials
- I configured "ip http authentication aaa"
- On my 2960X models it works without any issues

There is the following log message on one of my 9000 switches:

Apr 18 09:42:45.056 cest: %WEBSERVER-5-LOGIN_FAILED: Switch 2 R0/0: nginx: Login Un-Successful from host 172.20.0.19 using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Login failure:

Bildschirmfoto vom 2019-04-18 10-18-01.png

Can anybody tell me a solution or put me in the right direction?

Many thanks!

18 Replies

Hi Sir Rick,

I've adjusted the logging buffered to 7 but nothing changes in the logs; however, I've now run debugs for radius & aaa, kindly see below:


*Mar 18 08:17:53.063 PHT: AAA/AUTHEN/LOGIN (00000000): Pick method list 'RadiusTest'
*Mar 18 08:17:53.063 PHT: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Mar 18 08:17:53.063 PHT: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 18 08:17:53.063 PHT: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Mar 18 08:17:53.063 PHT: vrfid: [65535] ipv6 tableid : [0]
*Mar 18 08:17:53.063 PHT: idb is NULL
*Mar 18 08:17:53.063 PHT: RADIUS(00000000): Config NAS IPv6: ::
*Mar 18 08:17:53.063 PHT: RADIUS(00000000): sending
*Mar 18 08:17:53.063 PHT: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
*Mar 18 08:17:53.064 PHT: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
*Mar 18 08:17:53.064 PHT: RADIUS(00000000): Send Access-Request to x.x.x.x:1812 id 1645/50, len 54
RADIUS: authenticator 40 C6 F4 AD 9C 97 1E 5A - FB B5 CC 4C 2B A9 93 4F
*Mar 18 08:17:53.064 PHT: RADIUS: User-Name [1] 10 "trends23"
*Mar 18 08:17:53.064 PHT: RADIUS: User-Password [2] 18 *
*Mar 18 08:17:53.064 PHT: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
*Mar 18 08:17:53.064 PHT: RADIUS(00000000): Sending a IPv4 Radius Packet
*Mar 18 08:17:53.064 PHT: RADIUS(00000000): Started 5 sec timeout
*Mar 18 08:17:53.065 PHT: RADIUS: Received from id 1645/50 x.x.x.x:1812, Access-Accept, len 20
RADIUS: authenticator 8C 1E B3 04 78 32 40 B9 - 15 A0 F8 81 71 42 95 C0
*Mar 18 08:17:53.065 PHT: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Mar 18 08:17:53.065 PHT: RADIUS(00000000): Received from id 1645/50
*Mar 18 08:17:53.125 PHT: AAA/BIND(00023DCD): Bind i/f
*Mar 18 08:17:53.125 PHT: AAA/BIND(00023DCE): Bind i/f
*Mar 18 08:17:53.199 PHT: AAA/BIND(00023DCF): Bind i/f
*Mar 18 08:17:53.199 PHT: AAA/BIND(00023DD0): Bind i/f
*Mar 18 08:17:53.066 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x

What are your thoughts on this?

Regards,

Jasper
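
To make Rick's point below concrete (the RADIUS server answered Access-Accept at 08:17:53.065, yet nginx logged LOGIN_FAILED at 08:17:53.066), here is an added Python helper that is not from anyone in this thread: it pairs each %WEBSERVER-5-LOGIN_FAILED line with the RADIUS exchange that immediately preceded it and states which of the three cases applies. The sample lines are constructed after Jasper's debug output (x.x.x.x and the user name are placeholders), and the 2-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the debug output quoted above; the user name
# and the x.x.x.x addresses are placeholders, not values from a real device.
SAMPLE = """\
*Mar 18 08:17:53.064 PHT: RADIUS(00000000): Send Access-Request to x.x.x.x:1812 id 1645/50, len 54
*Mar 18 08:17:53.064 PHT: RADIUS: User-Name [1] 10 "trends23"
*Mar 18 08:17:53.065 PHT: RADIUS: Received from id 1645/50 x.x.x.x:1812, Access-Accept, len 20
*Mar 18 08:17:53.066 PHT: %WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful from host x.x.x.x
"""

# IOS timestamp prefix, e.g. "*Mar 18 08:17:53.064 PHT: " or "Apr 18 09:42:45.056 cest: "
TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) \w+: "
RE_REQ = re.compile(TS + r"RADIUS\(\w+\): Send Access-Request to \S+ id (?P<id>\d+/\d+)")
RE_USER = re.compile(TS + r'RADIUS: +User-Name +\[1\] +\d+ +"(?P<user>[^"]*)"')
RE_RESP = re.compile(TS + r"RADIUS: Received from id (?P<id>\d+/\d+) \S+, (?P<code>Access-\w+)")
RE_FAIL = re.compile(TS + r"%WEBSERVER-5-LOGIN_FAILED: .* from host (?P<host>\S+)")

VERDICT = {
    "Access-Accept": "RADIUS accepted but the web server still failed the login",
    "Access-Reject": "RADIUS rejected the credentials",
    None: "no RADIUS exchange preceded the web-login failure",
}

def _ts(s):
    # IOS timestamps carry no year; strptime defaults to 1900, fine for deltas
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S.%f")

def analyze(text, window=timedelta(seconds=2)):
    """Pair each %WEBSERVER-5-LOGIN_FAILED with the RADIUS exchange just before it."""
    exchanges, pending, findings = {}, None, []
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            pending = m["id"]  # the User-Name attribute line follows this one
            exchanges[pending] = {"ts": _ts(m["ts"]), "user": None, "code": None}
        elif (m := RE_USER.search(line)) and pending:
            exchanges[pending]["user"] = m["user"]
        elif (m := RE_RESP.search(line)) and m["id"] in exchanges:
            exchanges[m["id"]].update(code=m["code"], ts=_ts(m["ts"]))
        elif m := RE_FAIL.search(line):
            t = _ts(m["ts"])
            # newest answered exchange that finished within `window` before the failure
            recent = [e for e in exchanges.values()
                      if e["code"] and timedelta(0) <= t - e["ts"] <= window]
            e = max(recent, key=lambda x: x["ts"]) if recent else None
            code = e["code"] if e else None
            findings.append({"host": m["host"], "user": e["user"] if e else None,
                             "code": code, "verdict": VERDICT.get(code, "unexpected RADIUS code")})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Run it over the full `debug radius` / `debug aaa authentication` capture from the 9300: an "accepted but failed" finding means the AAA side is done and the HTTP authentication path is where to look next, while "no RADIUS exchange" means the web server never consulted the method list at all.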

Jasper,


Thanks for the debug output. Seeing the output makes me wonder about the server log message that you posted. The log indicated success but this output confirms that Radius did not authenticate.


I am puzzled about your statement that SSH is successful but GUI is not. Is it possible that SSH is using Radius configuration different from what GUI is using?

HTH

Rick

Hi Rick,

How come the log messages confirm that HTTP with radius didn't authenticate? Is it because of the message "There is no General DB. Want server details may not be specified"?

I really don't know, but SSH really works; this is also my first time configuring aaa authentication on a cisco switch. I researched the log messages from the debugs, and according to some of the documents I read, if there is a message like this ~~ "There is no General DB. Want server details may not be specified" the problem is coming from the radius server.

Regards,

Jasper

RohitSingh91693
Frequent Visitor

Hello Malawi,

I understand that you are not able to access the Web GUI using the same credentials used for SSH; that means one config is missing.

Below is the command

ip http authentication local