
NAS-IP-Address Different from Client-IP-Address

cer43tcent
Level 1

I have a problem where switches were upgraded from 3750G to 3750X and some don't authenticate users via RADIUS anymore. I've verified the shared secret is correct. I've also compared aaa configs against a working switch. For a non-working switch the System logs on a Windows 2003 IAS Server show the NAS-IP-Address is correct (ex. 172.16.9.43) but the Client-IP-Address is different (ex. 172.16.9.18). And to make it more weird, the 172.16.9.18 is the IP of another switch that works fine for RADIUS user authentication.

Not sure if this is in conjunction with the RADIUS authentication failure, but on switches that fail RADIUS user authentication I have to log on with the local username/password and I get the message for enable password

Password required, but none set

Password:

I can enter the enable password and get access, but this behavior along with what was mentioned above occurs on each switch that fails RADIUS user authentication. 

To troubleshoot I've cleared arp and mac tables and deleted and re-added the RADIUS client info, but with no success. I put some debug output below. Any ideas on what the issue may be?

SW123#

4d16h: RADIUS/ENCODE(00000460): ask "Password: "

4d16h: RADIUS/ENCODE(00000460): send packet; GET_PASSWORD

4d16h: RADIUS/ENCODE(00000460):Orig. component type = Exec

4d16h: RADIUS:  AAA Unsupported Attr: interface         [221] 4   77806604

4d16h: RADIUS/ENCODE(00000460): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

4d16h: RADIUS(00000460): Config NAS IP: 172.16.9.43

4d16h: RADIUS(00000460): Config NAS IPv6: ::

4d16h: RADIUS/ENCODE(00000460): acct_session_id: 1110

4d16h: RADIUS(00000460): Config NAS IP: 172.16.9.43

4d16h: RADIUS(00000460): sending

4d16h: RADIUS(00000460): Sending a IPv4 Radius Packet

4d16h: RADIUS(00000460): Send Access-Request to 10.10.5.16:1645 id 1645/25,len 94

4d16h: RADIUS:  authenticator 01 4D A2 53 DD 29 9C 01 - 6E 5C AB 70 3F 7E E9 0D

4d16h: RADIUS:  User-Name           [1]   18  "sw.admin.sa"

4d16h: RADIUS:  User-Password       [2]   18  *

4d16h: RADIUS:  NAS-Port            [5]   6   1

4d16h: RADIUS:  NAS-Port-Id         [87]  6   "tty1"

4d16h: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]

4d16h: RADIUS:  NAS-IP-Address      [4]   6   172.16.9.43

4d16h: RADIUS:  Nas-Identifier      [32]  14  "lan-sw-group"

4d16h: RADIUS(00000460): Started 5 sec timeout

4d16h: RADIUS(00000460): Request timed out!

4d16h: RADIUS: Retransmit to (10.10.5.16:1645,1646) for id 1645/25

4d16h: RADIUS(00000460): Started 5 sec timeout

4d16h: RADIUS(00000460): Request timed out!

4d16h: RADIUS: Retransmit to (10.10.5.16:1645,1646) for id 1645/25

4d16h: RADIUS(00000460): Started 5 sec timeout

4d16h: RADIUS(00000460): Request timed out!

4d16h: RADIUS: Retransmit to (10.10.5.16:1645,1646) for id 1645/25

4d16h: RADIUS(00000460): Started 5 sec timeout

4d16h: RADIUS(00000460): Request timed out!

4d16h: RADIUS: No response from (10.10.5.16:1645,1646) for id 1645/25

4d16h: RADIUS/DECODE: No response from radius-server; parse response; FAIL

4d16h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

4d16h: RADIUS/ENCODE(00000460): ask "Password: "

4d16h: RADIUS/ENCODE(00000460): send packet; GET_PASSWORD
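
The mismatch described in the post can be checked on a captured Access-Request by comparing the NAS-IP-Address attribute (type 4) inside the packet with the UDP source address it arrived from. The following is an added example, not part of the original post; it assumes the Client-IP-Address the server logs is that UDP source address, and the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type (RFC 2865)

def build_access_request(ident, authenticator, attrs):
    """Encode a minimal Access-Request (code 1) from (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return {type: [value, ...]} after validating the header and each TLV."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def compare_nas_ip(packet, udp_source):
    """Compare the NAS-IP-Address attribute with the UDP source address."""
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    if not values or len(values[0]) != 4:
        return ("missing", None)
    claimed = str(ipaddress.IPv4Address(values[0]))
    return ("match" if claimed == udp_source else "mismatch", claimed)

# Constructed sample modelled on the debug output above (User-Password omitted).
SAMPLE = build_access_request(
    25,
    bytes.fromhex("014DA253DD299C016E5CAB703F7EE90D"),
    [(1, b"sw.admin.sa"),
     (4, ipaddress.IPv4Address("172.16.9.43").packed),
     (32, b"lan-sw-group")],
)

if __name__ == "__main__":
    for src in ("172.16.9.43", "172.16.9.18"):
        print(src, compare_nas_ip(SAMPLE, src))
```

RFC 2865 requires the server to select the shared secret by the packet's UDP source address, not by the NAS-IP-Address attribute, so a request arriving from an unexpected source is validated against whatever client entry exists for that source.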
