NPS RADIUS authentication failure

Colin Scales
Level 1

Hello All,

I am having trouble configuring RADIUS authentication between Windows 2008 R2 and my 2960 switch.

I have configured the NPS server and associated network policies for my ASA firewall and that is working fine.

I ran RADIUS debugging against the authentication and can see the following:

Jan 26 15:48:02 GMT: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Jan 26 15:48:02 GMT: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jan 26 15:48:02 GMT: RADIUS(00000000): Config NAS IP: 0.0.0.0
Jan 26 15:48:02 GMT: RADIUS(00000000): sending
Jan 26 15:48:02 GMT: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x
Jan 26 15:48:02 GMT: RADIUS(00000000): Send Access-Request to x.x.x.x:1645 id 1645/22, len 56
Jan 26 15:48:02 GMT: RADIUS: authenticator AB D5 65 61 3E 6C CA 63 - 53 58 DE 03 53 CB C9 CF
Jan 26 15:48:02 GMT: RADIUS: User-Password [2] 18 *
Jan 26 15:48:02 GMT: RADIUS: User-Name [1] 12 "USERNAME"
Jan 26 15:48:02 GMT: RADIUS: NAS-IP-Address [4] 6 x.x.x.x
Jan 26 15:48:02 GMT: RADIUS: Received from id 1645/22 x.x.x.x:1645, Access-Reject, len 20
Jan 26 15:48:02 GMT: RADIUS: authenticator 81 E0 DE 5E E6 A3 6A 20 - CE 79 ED E9 08 CC DA D0
Jan 26 15:48:02 GMT: RADIUS(00000000): Received from id 1645/22

This is my config

aaa new-model
aaa group server radius RADIUSSWITCH
aaa authentication login default group RADIUSSWITCH local
aaa authorization exec default group radius local  
aaa session-id common

radius-server attribute 4 x.x.x.x 
radius-server host x.x.x.x auth-port 1645 acct-port 1646 non-standard key 7 073F204F4308375D43
2960-Switch#test aaa group RADIUSSWITCH "myusername" "mypassword" new-code
User rejected

I configured the following to try and fix the Config NAS IP: 0.0.0.0 error

radius-server attribute 4 x.x.x.x 

Following that configuration the Config NAS IP: 0.0.0.0 is not in the resulting debug, but I still cannot authenticate.

I also added the radius-server attribute 6 on-for-login-auth command to the config, but this did not help.

My switch is running the following

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)

I have searched and cannot find any related bug information against the IOS version.

Below are the Windows event logs that I am seeing

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: ServerName\Username
Account Name: Username
Account Domain: ServerName
Fully Qualified Account Name: ServerName\Username

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: x.x.x.x (Switch IP)
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: -
NAS Port: -

RADIUS Client:
Client Friendly Name: Cisco Switch 2
Client IP Address: x.x.x.x (Switch IP)

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: ServerName
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

I am using the Windows local user database to authenticate and not Active Directory.


Also receiving the following NPS event log

A RADIUS message was received from the invalid RADIUS client IP address x.x.x.x (Switch IP)

Any help would be greatly appreciated.

Kind regards,

Leo.
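As an added illustration (not part of the post, and not Cisco's or Microsoft's code), the following Python builds an Access-Request with the same three attributes, in the same order, as the switch's debug output, shows why the attribute lengths come out as 18, 12 and 6 and the packet length as 56, and checks a reply's Response Authenticator the way a NAS must before it trusts an Access-Reject. The shared secret, username, password, NAS address 192.0.2.10 and the fixed Request Authenticator are constructed values chosen so the sizes match the debug.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865 (only the ones
# that appear in the debug output in the post).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-byte multiple, then XOR
    each block with MD5(secret + previous block); the first 'previous block'
    is the Request Authenticator.  This hides the password on the wire but is
    not encryption: anyone holding the shared secret can reverse it."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (same chain, keyed on the ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header octets, which is
    why the debug line 'NAS-IP-Address [4] 6' carries a 4-byte address."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, request_auth, username, password, nas_ip, secret):
    """Same attribute order as the switch's Access-Request in the debug."""
    attrs = (attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(USER_NAME, username)
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_reply(code, ident, request_auth, attrs, secret):
    """Server reply.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Return [(type, length, value), ...] or raise on a malformed TLV list."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, length, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_reply(packet, request_auth, secret):
    """What the NAS must do with an Access-Accept/Reject before acting on it:
    recompute the Response Authenticator with the shared secret and compare.
    A packet that fails (wrong secret, tampering, a forged reply) is silently
    discarded per RFC 2865, so it never shows up as the 'User rejected'
    result in the post; that result means a reply did verify."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    try:
        parse_attributes(packet)
    except ValueError:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed values (not from the post): a 10-character username and a
    # password under 16 bytes reproduce attribute lengths 12 and 18 and the
    # total length 56; identifier 22 matches the debug's 'id 1645/22'.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # a real NAS uses 16 random bytes here
    req = build_access_request(22, req_auth, b"switchuser", b"S3cret!", "192.0.2.10", secret)
    print(len(req), [(t, l) for t, l, _ in parse_attributes(req)])  # 56 [(2, 18), (1, 12), (4, 6)]
    reject = build_reply(ACCESS_REJECT, 22, req_auth, b"", secret)   # bare reject: len 20, like the debug
    print(len(reject), verify_reply(reject, req_auth, secret), verify_reply(reject, req_auth, b"wrong"))
```

The 20-byte Access-Reject in the debug is header only: NPS sent no Reply-Message, so the reason (code 65 here) is visible only in the server's event log, not on the switch. Because User-Password hiding is keyed MD5 obfuscation rather than encryption, PAP over RADIUS is normally confined to a management VLAN or carried over IPsec or RadSec.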

1 Reply

Francesco Molino
VIP Alumni

Hi

What did you configure as the IP for that switch?

Did you configure the RADIUS source interface on the switch to be sure that the RADIUS communication is done through the right IP?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question