02-14-2018 05:04 AM - edited 03-01-2019 06:24 PM
Dear Members,
As described in the title of this discussion, we have a stacked pair of Cisco 3850 switches with an existing RADIUS configuration. RADIUS was working fine before we upgraded to IOS Version 03.07.05E RELEASE SOFTWARE (fc1). No configuration change was made before or after the upgrade.
After the upgrade, each time we try to log in using our RADIUS user account, we get an "Authentication Failed" message. However, we are still able to log in using the local switch user account.
We noticed that the syntax for "radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxx" was missing, which we believe is the issue. When we tried to add it back, we noticed that the "radius-server" command is not supported in the new IOS. We also followed the new procedure published on the Cisco website, but always got the error "%Server already exists with same address port combination."
Seeking your valuable advice on how to overcome this issue.
Thanks.
02-14-2018 05:14 AM - edited 02-14-2018 05:14 AM
- Make sure the old syntax is also removed first from the radius server group definition, then add the radius servers first, using the new syntax, and then re-define the radius group, using the new syntax too.
M.
02-14-2018 06:38 AM
Thanks a lot for the reply.
I have followed the steps you provided. In fact, I followed the steps in the link below:
I was able to add the RADIUS server hosts with port numbers, using the new configuration method. However, I was not able to add them to the RADIUS group. I constantly keep getting this message, which I could not understand: "%Use server name xxx to configure server".
Any thoughts would be much appreciated.
Thanks.
02-14-2018 06:44 AM
- Yes, that is confusing; as far as I can remember, 'server name' should be interpreted as 'server direct-hostname .... ' (if you get my drift). I find the help-text 'buggy'!
M.
02-14-2018 06:48 AM
- Apologies, this is how I have it (it's a bit the reverse of what I said):
aaa group server radius ISE
server name ise03
server name ise04
ip radius source-interface vlanxxxx
M.
02-14-2018 07:22 AM
Still no luck. I got the error below after issuing the commands provided:
%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
Thanks,
02-14-2018 08:09 AM
- Strange, but make sure the (singlet) radius servers are defined first (they must exist, so to speak); otherwise try a reload (could be some residual effect). If still not successful, look at the latest gold-starred software version for your platform (if needed, consider upgrading).
M.
02-18-2018 01:28 AM
Hello marce1000,
Many thanks for your great help. I tried the steps once again and the issue got resolved.
Regards
03-05-2020 05:23 AM
In my case it was solved by searching the AAA configuration for everything related to RADIUS. I deleted this configuration and then I was able to create the RADIUS connection:
aaa group server radius NPS
 server 172.16.20.20
 server-private 172.16.20.20 key 7 xxxxxxxx
!
no aaa group server radius NPS
!
radius server Radius-PR
 address ipv4 172.16.20.20 auth-port 1645 acct-port 1646
 key xxxxxxxx
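
An added example, not part of any post above and not Cisco code: a small offline check that reads a saved running-config and reports what the replies say to clean up, namely leftover legacy `radius-server host` lines, group members still listed by address, and `server name` entries whose `radius server` definition does not exist yet. The function name `audit_radius` and the sample config are constructed for illustration, and the input is assumed to be `show running-config` text with sub-mode lines indented.

```python
import re

# Constructed sample (not from the thread): `show running-config` style text,
# sub-mode lines indented, mixing legacy and new-style RADIUS configuration.
SAMPLE_CONFIG = """\
aaa group server radius OLDGRP
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa group server radius NEWGRP
 server name rad01
 server name rad02
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 xxxxxxxx
!
radius server rad01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key xxxxxxxx
"""

def audit_radius(config):
    """Return findings that block a clean move to the named-server syntax."""
    findings, defined, refs = [], set(), []
    group = None  # name of the aaa group whose sub-mode we are in, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            group = None  # any unindented line leaves the sub-mode
            m = re.match(r"aaa group server radius (\S+)$", line)
            if m:
                group = m.group(1)
            elif re.match(r"radius server (\S+)$", line):
                defined.add(line.split()[2])
            elif line.startswith("radius-server host "):
                findings.append("legacy global line: " + line)
        elif group:
            member = line.strip()
            m = re.match(r"server name (\S+)$", member)
            if m:
                refs.append((group, m.group(1)))
            elif re.match(r"server \d", member):
                findings.append("legacy member in group %s: %s" % (group, member))
    # A group may only reference servers that exist as `radius server <name>`.
    for grp, name in refs:
        if name not in defined:
            findings.append("group %s references undefined server %s" % (grp, name))
    return findings

if __name__ == "__main__":
    for finding in audit_radius(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every group member is referenced by name and every referenced name has a matching `radius server` block.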