Need help on configuring Radius on CISCO 2950 switch

Hi Team,

Need help in fixing the RADIUS issue.

We are able to log in to the switch using admin credentials but not via RADIUS.

Also, I tried to replicate the config from the working switch, but some commands are not working:

aaa server radius dynamic-author
aaa session-id common

Also, when I change the config as below, the admin and RADIUS both do not work:

aaa authentication login default group Radius_SOP local
aaa authorization exec default group Radius_SOP local

CISCO_2950_SWITCH:

aaa new-model
aaa group server radius ISE
 server 10.245.193.32 auth-port 1812 acct-port 1813
 server 10.245.193.33 auth-port 1812 acct-port 1813
 server 10.245.193.34 auth-port 1812 acct-port 1813
!
aaa group server radius Radius_SOP
 server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

Only admin works; RADIUS does not work.

++++++++++++++++++++++++++++++++++
CONFIGURATION ON WORKING SWITCH
++++++++++++++++++++++++++++++++++

aaa new-model
!
!
aaa group server radius ISE
 server 10.245.193.32 auth-port 1645 acct-port 1646
 server 10.245.193.33 auth-port 1645 acct-port 1646
 server 10.245.193.34 auth-port 1645 acct-port 1646
 load-balance method least-outstanding batch-size 5
!
aaa group server radius Radius_SOP
 server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius_SOP local
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default group Radius_SOP local
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
!
aaa server radius dynamic-author   >>> cannot run this command
 client 10.245.193.32 server-key 7 0635260D6F6F
 client 10.245.193.33 server-key 7 107D20352636
 client 10.245.193.34 server-key 7 0468222A2C00
!
aaa session-id common   >>> cannot run this command


Can anyone help me here, please?

Richard Burts
Hall of Fame

In the partial config that you posted I do not see a server key defined for Radius_SOP (or for the other Radius group but that does not have anything to do with your current problem). Is there a server key definition? Not having a server key would certainly be a reason why Radius would not work.

 

Some other questions:

- is this switch to replace an existing switch or is this a new deployment?

- if this is a replacement does this switch have the same IP address as the switch that it is replacing? Or is it configured with a different address for testing?

- if it is a different address does the Radius server have a configuration for a client using this address?

- if this is a new deployment does the Radius server have a configuration for this client?

- does this switch have the command show radius? If so please execute the command and post the output.

HTH

Rick
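
The missing-key check raised in the reply above can be run against a saved configuration. This is an added example, not part of the original thread and not Cisco tooling: `audit_radius` and the sample text are constructed here, and it assumes the legacy `radius-server host ... key` and `radius-server key` syntax.

```python
import re

# Constructed sample: the Radius_SOP lines from the non-working switch, with the
# RADIUS-first method lists the poster tried. No key is defined anywhere.
SAMPLE = """\
aaa new-model
aaa group server radius Radius_SOP
 server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius_SOP local
aaa authorization exec default group Radius_SOP local
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}  # IOS keywords, not named groups


def audit_radius(config):
    """Return (group, server, problem) tuples for groups used in method lists."""
    groups, keyed, used = {}, set(), set()
    global_key, current = False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif current and (m := re.match(r"server (\d+(?:\.\d+){3})\b", line)):
            groups[current].append(m.group(1))
        elif line.startswith(("aaa ", "radius-server ", "!")):
            current = None  # left the server-group sub-mode
            if m := re.match(r"radius-server host (\S+).*\bkey\s+\S", line):
                keyed.add(m.group(1))  # per-host shared secret
            elif re.match(r"radius-server key\s+\S", line):
                global_key = True  # one secret for every server
            elif re.match(r"aaa (authentication|authorization|accounting) ", line):
                used.update(re.findall(r"\bgroup (\S+)", line))
    findings = []
    for name in sorted(used - BUILTIN_GROUPS):
        if name not in groups:
            findings.append((name, None, "group is not defined"))
            continue
        for ip in groups[name]:
            if ip not in keyed and not global_key:
                findings.append((name, ip, "no shared key configured"))
    return findings


if __name__ == "__main__":
    for finding in audit_radius(SAMPLE):
        print(finding)
```

A clean result covers the switch side only: the RADIUS server still needs a client entry for the switch's address with the same shared secret.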

Hi @Richard Burts,

Thank you.

Please find my answers below. I need your help here.

Switch#show radius statistics
       Maximum inQ length: 1
     Maximum waitQ length: 1
     Maximum doneQ length: 1
     Total responses seen: 73
   Packets with responses: 73
Packets without responses: 0
   Average response delay: 194 ms
   Maximum response delay: 1052 ms
Number of Radius timeouts: 0
     Duplicate ID detects: 0

 

  Elapsed time since counters last cleared: 1y48w5d13h10m

 

 

- is this switch to replace an existing switch or is this a new deployment?

No, this is newly deployed.

- if this is a replacement does this switch have the same IP address as the switch that it is replacing? Or is it configured with a different address for testing?

New deployment (since it was configured, we never checked RADIUS).

- if it is a different address does the Radius server have a configuration for a client using this address?

Should the RADIUS server also be configured with the client's IP (the switch's IP)? If that is the case, should I contact the team who manages the RADIUS server and ask them to register the switch IP?

- if this is a new deployment does the Radius server have a configuration for this client?

How do I check this?

- does this switch have the command show radius? If so please execute the command and post the output.

It has #show radius statistics (output pasted above).

Thanks for the additional information. If this is a new deployment I would certainly check with the team that supports Radius. In my experience when I was deploying a new device I always needed to have the team configure an entry in the server for that client. Perhaps they have some way to dynamically recognize new clients, but I would check with them about it.

HTH

Rick