Radius Authentication failed after Cisco 3850 Switch IOS upgrade

Woody393
Level 1

Dear Members,

 

As described in the title of this discussion, we have a stacked pair of Cisco 3850 switches, on which we have an existing RADIUS configuration. RADIUS was working fine before we upgraded to IOS Version 03.07.05E RELEASE SOFTWARE (fc1). No configuration change was made before or after the upgrade.

After the upgrade, each time we try to log in using our RADIUS user account, we get an "Authentication Failed" message. We are, however, still able to log in using the local switch user account.

We noticed that the syntax for "radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxx" was missing, which we believe is the issue. When we tried to add it back, we noticed that the "radius-server" command is not supported in the new IOS. We also followed the new procedure published on the Cisco website, but were always getting the error "%Server already exists with same address port combination."

Seeking your valuable advice on how to overcome this issue.

 

Thanks.

1 Accepted Solution

Accepted Solutions

marce1000
VIP

 

 - Make sure the old syntax is also removed first, from the radius server group definition, then add the radius servers first, using the new syntax, and then re-define the radius group, using the new syntax too.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !


8 Replies

Thanks a lot for the reply.

I have followed the steps you provided. In fact, I followed the steps in the link below:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-3se/3850/sec-usr-rad-xe-3se-3850-book/sec-rad-mult-udp-ports.html

I was able to add the RADIUS server hosts with port numbers, using the new configuration method. However, I was not able to add them to the RADIUS group. I constantly keep getting this message, which I could not understand: "%Use server name xxx to configure server".

 

Any thoughts would be much appreciated.

 

Thanks.

 

 

 

 - Yes, that is confusing, as far as I can remember, 'server name' should be interpreted as 'server direct-hostname .... ' (if you get my drift). I find the help-text 'buggy'!

 

M.




 

 - Apologies, this is how I have it (it's a bit the reverse of what I said):

aaa group server radius ISE
   server name ise03
   server name ise04
ip radius source-interface vlanxxxx

 

M.

 


Still no luck. I got the below error after issuing the commands provided:

 

%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*

 

Thanks,

 

 - Strange, but make sure the (singlet) radius servers are defined first (they must exist, so to speak); otherwise try a reload (could be some residual effect). If still not successful, look at the latest gold-starred software version for your platform (if needed, consider upgrading).

M.




Hello marce1000,

 

Many thanks for your great help. I tried the steps once again and the issue got resolved.

 

Regards

 

 

In my case, it was solved by searching within the AAA configuration for everything related to RADIUS. I deleted this configuration, and then I could create the connection by RADIUS.

 

aaa group server radius NPS
server 172.16.20.20
server-private 172.16.20.20 key 7 xxxxxxxx

!

no aaa group server radius NPS
!

radius server Radius-PR
address ipv4 172.16.20.20 auth-port 1645 acct-port 1646
key xxxxxxxx
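
One way to check a saved configuration for the leftovers discussed in this thread before re-adding servers, as an added example that is not part of any post above. The function name `audit_radius`, the finding labels and the sample configuration are constructed for illustration; ports are compared exactly as written, with no defaults filled in.

```python
import re

# Constructed sample config (not from the thread): legacy and new-style RADIUS lines mixed.
SAMPLE = """\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 xxxxxxxx
aaa group server radius ISE
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server name ise03
 server name ise04
!
radius server ise03
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key xxxxxxxx
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)(?: auth-port (\d+))?(?: acct-port (\d+))?"

def audit_radius(config):
    """Return (kind, detail) findings for leftovers that conflict with the new syntax."""
    findings, defined, refs, seen = [], set(), [], {}
    section = None  # ("group", name) or ("server", name); indentation is ignored
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            section = None
        elif m := re.match(r"aaa group server radius (\S+)", line):
            section = ("group", m[1])
        elif m := re.match(r"radius server (\S+)", line):
            section = ("server", m[1])
            defined.add(m[1])
        elif m := re.match(r"radius-server host " + ADDR, line):
            section = None  # old global syntax: must be removed first
            findings.append(("legacy-global-host", m[1]))
            seen.setdefault(m.groups(), []).append("radius-server host")
        elif section and section[0] == "group" and (m := re.match(r"server name (\S+)", line)):
            refs.append((section[1], m[1]))
        elif section and section[0] == "group" and (m := re.match(r"server " + ADDR, line)):
            findings.append(("group-server-by-address", f"{section[1]}: {m[1]}"))
        elif section and section[0] == "server" and (m := re.match(r"address ipv4 " + ADDR, line)):
            seen.setdefault(m.groups(), []).append(section[1])
    for group, name in refs:  # a group may only name servers that are defined
        if name not in defined:
            findings.append(("undefined-server-name", f"{group}: {name}"))
    for (ip, auth, acct), owners in seen.items():  # same address/port combination twice
        if len(owners) > 1:
            findings.append(("duplicate-address-port", f"{ip}:{auth}/{acct} in {owners}"))
    return findings
```

An empty result means the configuration contains only named `radius server` definitions that are referenced from groups by `server name`.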
