03-15-2023 04:25 PM
Hi guys, could you help me? Do you have any ideas?
I am trying to configure RADIUS on my Cisco SW (2960/3540), but it doesn't work.
This is the script I am using:
----------------
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
----------------
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
---------------
line vty 0 15
login authentication default
transport input ssh
03-15-2023 04:54 PM
debug aaa authentication
debug radius
03-15-2023 06:00 PM
FSA-SPT-TEMP01-PREST#
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2XX.XXX.X:1812,1813 is not responding.
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2XX.XXX.X:1812,1813 is being marked alive.
FSA-SPT-TEMP01-PREST#ping 10.2XX.XXX.X
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2XX.XXX.X, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
I have already added this SW in my RADIUS server; it has a registry.
I have other SWs that work perfectly; they are different models (C3750E).
03-16-2023 02:49 AM
ip radius source-interface x/x/x <<- use this command
03-15-2023 06:37 PM
What version of code is running? Post show version.
Do you have a local user, and are you able to authenticate with the local user? Or are you locked out? If you are able to log in with a local account, that means RADIUS is failing and going to local.
If you have only 1 RADIUS server, then I would suggest to use host; since you are looking to use a group, you need to define a group. I have provided both examples; test and let us know.
Only 1 Radius Server :
aaa new-model
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
Group :
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group GRP-TEST local
03-15-2023 11:57 PM
Hi @balaji.bandi Yes, I am using the local user to access the device.
Model:WS-C2960C-8PC-L
Version:15.0(2)SE8
I will try with these options.
Do I need to use exactly those commands you gave me? Or do I keep some of the previous config?
03-16-2023 01:53 AM
Since you have local access:
I had a typo in my previous post; you can do the below and test it.
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group MY_RADIUS local
aaa authorization exec default group MY_RADIUS local
Still have an issue? (Try the below and let us know the outcome.)
no aaa authentication login default group MY_RADIUS local
no aaa authorization exec default group MY_RADIUS local
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local
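A check for the kind of typo corrected in the reply above (a method list naming the server entry GRP-TEST where the server group MY_RADIUS was meant), as an added example that is not part of the thread. The address, ports and key in the sample config are constructed placeholders, and the set of predefined group names is an assumption limited to `radius` and `tacacs+`.

```python
import re

BUILTIN_GROUPS = {"radius", "tacacs+"}  # assumed set of predefined group names

def lint_aaa(config):
    """Return findings for AAA references to undefined groups or servers."""
    servers, groups, findings = set(), set(), []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Pass 1: collect what the config actually defines.
    for line in lines:
        m = re.match(r"radius server (\S+)$", line)
        if m:
            servers.add(m.group(1))
        m = re.match(r"aaa group server radius (\S+)$", line)
        if m:
            groups.add(m.group(1))
    # Pass 2: every reference must resolve to a definition.
    for line in lines:
        m = re.match(r"server name (\S+)$", line)
        if m and m.group(1) not in servers:
            findings.append(f"server '{m.group(1)}' is not defined: {line}")
        if re.match(r"aaa (authentication|authorization|accounting) ", line):
            for name in re.findall(r"\bgroup (\S+)", line):
                if name not in BUILTIN_GROUPS and name not in groups:
                    findings.append(f"group '{name}' is not defined: {line}")
    return findings

# Constructed sample in the shape used in the thread (placeholder values).
FIXED = """
radius server GRP-TEST
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-KEY
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group MY_RADIUS local
aaa authorization exec default group MY_RADIUS local
"""
# Same config with the method lists pointing at the server name instead.
BROKEN = FIXED.replace("group MY_RADIUS", "group GRP-TEST")

if __name__ == "__main__":
    for finding in lint_aaa(BROKEN):
        print(finding)
```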
03-16-2023 01:42 AM
Dear Gabsnet,
You may please go through this link : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_3_e/configuration/guide/b_1523e_consolidated_2960cx_3560cx_cg/b_consolidated_152ex_2960-X_cg_chapter_0100101.html
Please configure your switch according to this document.
Good luck.
03-16-2023 02:26 PM
@MHM Cisco World @balaji.bandi @Gaurav Kansal
Good morning gentlemen.
Thanks so much for the attention and help.
According to @balaji.bandi the first option solved the problem. I appreciate
03-16-2023 04:41 PM
Are you sure you use RADIUS, or do you use the local password for access?
please update me if you face issue later.
thanks
have a nice day.
03-16-2023 04:58 PM
@MHM Cisco World Yes, I am sure. It worked with my RADIUS credentials.
There is just one point: I have a different version of switch.
On this one, 12.2(55)SE10 - WS-C2960S,
I applied the config below:
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local
I have attached the debug outcome
Have a good day.
03-17-2023 03:38 AM
Both debugs you shared seem to show that RADIUS is not working.
*Apr 9 14:54:41.637: RADIUS: response-authenticator decrypt fail, pak len 20
Here the password between the RADIUS server and the R/SW does not match.
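Why a key mismatch surfaces as a response-authenticator failure, shown as an added example that is not part of the thread: per RFC 2865 the reply carries MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which the client recomputes with its own key. All secrets and packet bytes below are constructed; the reply is a 20-byte, header-only Access-Reject.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS code for Access-Reject (RFC 2865)

def build_response(code, ident, request_auth, attributes, secret):
    """Server side: build a reply and sign it with the server's secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes

def verify_response(packet, request_auth, secret):
    """Client (switch) side: recompute the authenticator with the local key."""
    if len(packet) < 20:
        return False  # shorter than a RADIUS header
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False  # declared length is inconsistent with the datagram
    packet = packet[:length]
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))            # authenticator the switch sent
SERVER_SECRET = b"key-on-radius-server"    # what the RADIUS server holds
SWITCH_KEY_OK = b"key-on-radius-server"    # matching key on the switch
SWITCH_KEY_BAD = b"key-on-radius-server "  # same key with a trailing space

REPLY = build_response(ACCESS_REJECT, 7, REQUEST_AUTH, b"", SERVER_SECRET)

if __name__ == "__main__":
    print("reply length:", len(REPLY))
    print("matching key:", verify_response(REPLY, REQUEST_AUTH, SWITCH_KEY_OK))
    print("mismatched key:", verify_response(REPLY, REQUEST_AUTH, SWITCH_KEY_BAD))
```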
03-19-2023 07:04 PM
Do you think it could be because of the firmware?
03-16-2023 06:15 PM
Cheers for the feedback, and glad that works and all good.