07-01-2020 03:12 AM
Hi Team,
Need help in fixing the radius issue.
We are able to log in to the switch using admin credentials but not via radius.
Also I tried to replicate the config from the working switch but some commands are not working:
aaa server radius dynamic-author
aaa session-id common
Also when I change the config as below, admin and radius both do not work:
aaa authentication login default group Radius_SOP local
aaa authorization exec default group Radius_SOP local
CISCO_2950_SWITCH:
aaa new-model
aaa group server radius ISE
server 10.245.193.32 auth-port 1812 acct-port 1813
server 10.245.193.33 auth-port 1812 acct-port 1813
server 10.245.193.34 auth-port 1812 acct-port 1813
!
aaa group server radius Radius_SOP
server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
Only admin works; radius does not work.
++++++++++++++++++++++++++++++++++
CONFIGURATION ON WORKING SWITCH
++++++++++++++++++++++++++++++++++
aaa new-model
!
!
aaa group server radius ISE
server 10.245.193.32 auth-port 1645 acct-port 1646
server 10.245.193.33 auth-port 1645 acct-port 1646
server 10.245.193.34 auth-port 1645 acct-port 1646
load-balance method least-outstanding batch-size 5
!
aaa group server radius Radius_SOP
server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius_SOP local
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default group Radius_SOP local
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
!
aaa server radius dynamic-author >>>>>>>>>>>>>>>>>>>>>>> cannot run this command
client 10.245.193.32 server-key 7 0635260D6F6F
client 10.245.193.33 server-key 7 107D20352636
client 10.245.193.34 server-key 7 0468222A2C00
!
aaa session-id common >>>>>>>>>>>>>>>>>>>>>>>> cannot run this command
07-01-2020 12:59 PM
Can anyone help me here, please?
07-02-2020 03:00 PM
In the partial config that you posted I do not see a server key defined for Radius_SOP (or for the other Radius group but that does not have anything to do with your current problem). Is there a server key definition? Not having a server key would certainly be a reason why Radius would not work.
Some other questions:
- is this switch to replace an existing switch or is this a new deployment?
- if this is a replacement does this switch have the same IP address as the switch that it is replacing? Or is it configured with a different address for testing?
- if it is a different address does the Radius server have a configuration for a client using this address?
- if this is a new deployment does the Radius server have a configuration for this client?
- does this switch have the command show radius? If so please execute the command and post the output.
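The server-key check raised in the reply above, written as an added example that is not part of the thread: it lists, for each RADIUS server group, the servers with no shared secret and the method lists that reference the group. It assumes keys are set with the legacy `radius-server host ... key` or global `radius-server key` commands; `SAMPLE_CONFIG` is constructed from the lines posted, with the login/exec method lists changed as the poster describes.

```python
import re

# Constructed sample: AAA lines as posted for the non-working switch, with the
# login/exec method lists changed to use Radius_SOP as the poster describes.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ISE
server 10.245.193.32 auth-port 1812 acct-port 1813
server 10.245.193.33 auth-port 1812 acct-port 1813
server 10.245.193.34 auth-port 1812 acct-port 1813
!
aaa group server radius Radius_SOP
server 10.246.79.13 auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius_SOP local
aaa authentication dot1x default group ISE
aaa authorization exec default group Radius_SOP local
"""

def audit_radius_keys(config):
    """Map each RADIUS group to its servers lacking a key and the method lists using it."""
    groups, used_by, keyed = {}, {}, set()
    global_key, current = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif current and (m := re.match(r"server (\S+)", line)):
            groups[current].append(m.group(1))
        elif line == "!" or line.startswith("aaa "):
            current = None  # end of the group sub-mode
            for g in re.findall(r"\bgroup (\S+)", line):
                used_by.setdefault(g, []).append(line)
        elif m := re.match(r"radius-server host (\S+).*\bkey\b", line):
            keyed.add(m.group(1))  # per-host key (legacy syntax, assumed)
        elif line.startswith("radius-server key "):
            global_key = True      # global fallback key
    return {
        g: {"no_key": [] if global_key else [s for s in servers if s not in keyed],
            "used_by": used_by.get(g, [])}
        for g, servers in groups.items()
    }

if __name__ == "__main__":
    for group, info in audit_radius_keys(SAMPLE_CONFIG).items():
        print(group, "servers without key:", info["no_key"], "| used by:", info["used_by"])
```

Run it against the full running configuration rather than an excerpt, since a key defined elsewhere in the file is only seen if that line is included.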
07-08-2020 12:24 PM
Thank you.
Please find my answers below; I need your help here.
Switch#show radius statistics
Maximum inQ length: 1
Maximum waitQ length: 1
Maximum doneQ length: 1
Total responses seen: 73
Packets with responses: 73
Packets without responses: 0
Average response delay: 194 ms
Maximum response delay: 1052 ms
Number of Radius timeouts: 0
Duplicate ID detects: 0
Elapsed time since counters last cleared: 1y48w5d13h10m
- is this switch to replace an existing switch or is this a new deployment?
No, this is newly deployed.
- if this is a replacement does this switch have the same IP address as the switch that it is replacing? Or is it configured with a different address for testing?
New deployment (since it was configured we never checked radius).
- if it is a different address does the Radius server have a configuration for a client using this address?
Should the radius server also be configured with the client's IP (the switch's IP)? If that is the case, should I be contacting the team who manages the radius server and ask them to register the switch IP?
- if this is a new deployment does the Radius server have a configuration for this client?
How to check this?
- does this switch have the command show radius? If so please execute the command and post the output.
It has #show radius statistics (output pasted above).
07-09-2020 08:06 AM
Thanks for the additional information. If this is a new deployment I would certainly check with the team that supports Radius. In my experience when I was deploying a new device I always needed to have the team configure an entry in the server for that client. Perhaps they have some way to dynamically recognize new clients, but I would check with them about it.