03-15-2023 04:25 PM
Hi guys, could you help me? Do you have any ideas?
I am trying to configure RADIUS on my Cisco SW (2960/3540), but it doesn't work.
That's the script I am using:
----------------
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
----------------
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
---------------
line vty 0 15
 login authentication default
 transport input ssh
03-16-2023 01:53 AM
Since you have local access:
I had a typo in my previous post: you can do the below and test it.
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group MY_RADIUS local
aaa authorization exec default group MY_RADIUS local
Still have an issue: (try the below and let us know the outcome)
no aaa authentication login default group MY_RADIUS local
no aaa authorization exec default group MY_RADIUS local
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local
03-15-2023 04:54 PM
debug aaa authentication
debug radius
03-15-2023 06:00 PM
FSA-SPT-TEMP01-PREST#
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2XX.XXX.X:1812,1813 is not responding.
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2XX.XXX.X:1812,1813 is being marked alive.
FSA-SPT-TEMP01-PREST#ping 10.2XX.XXX.X
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2XX.XXX.X, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
I have already added this SW to my RADIUS server; it has an entry there.
I have other SWs that work perfectly; they are different models (C3750E).
03-16-2023 02:49 AM
ip radius source-interface x/x/x <<- use this command
03-15-2023 06:37 PM
What is the version of code running? Post "show version".
Do you have a local user, and are you able to authenticate with the local user? Or are you locked out? If you are able to log in with a local account, that means RADIUS is failing and going to local.
If you have only 1 RADIUS server, then I would suggest to use host; since you are looking to use a group, you need to define a group. I have provided both examples; test and let us know.
Only 1 RADIUS server:
aaa new-model
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
Group:
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group GRP-TEST local
03-15-2023 11:57 PM
Hi @balaji.bandi Yes, I am using the local user to access the device.
Model:WS-C2960C-8PC-L
Version:15.0(2)SE8
I will try with these options.
Do I need to use exactly those commands you gave me? Or do I keep some of the previous config?
03-16-2023 01:42 AM
Dear Gabsnet,
You may please go through this link : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_3_e/configuration/guide/b_1523e_consolidated_2960cx_3560cx_cg/b_consolidated_152ex_2960-X_cg_chapter_0100101.html
Please configure your switch according to this document.
Good luck.
03-16-2023 02:26 PM
@MHM Cisco World @balaji.bandi @Gaurav Kansal
Good morning gentlemen.
Thanks so much for the attention and help.
According to @balaji.bandi the first option solved the problem. I appreciate
03-16-2023 04:41 PM
Are you sure you use RADIUS, or do you use the local password for access?
please update me if you face issue later.
thanks
have a nice day.
03-16-2023 04:58 PM
@MHM Cisco World Yes, I am sure. It worked with my RADIUS credentials.
There is just one point: I have a different version of switch.
On this one, 12.2(55)SE10 - WS-C2960S,
I applied the config below:
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local
I have attached the debug outcome
Have a good day.
03-17-2023 03:38 AM
Both debugs you shared seem to show that RADIUS does not work:
*Apr 9 14:54:41.637: RADIUS: response-authenticator decrypt fail, pak len 20
Here the password between the RADIUS server and the R/SW does not match.
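Added example, not part of the thread and not Cisco code: RFC 2865 defines the Response Authenticator as MD5 over the reply's Code, ID and Length, the Request Authenticator, the attributes and the shared secret, so a client holding a different key cannot validate the reply. The Python below builds a 20-byte reply (header only, no attributes) and runs the client-side check with a matching and a mismatched key; all keys and packet values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS code for Access-Reject (RFC 2865)

def build_reply(code, ident, request_auth, attributes, secret):
    """Server side: sign a reply with the shared secret (RFC 2865, section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes

def verify_reply(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator with the local key."""
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # malformed Length field
    attributes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def diagnose(packet, request_auth, secret):
    """Turn the check result into the operator-facing conclusion."""
    if verify_reply(packet, request_auth, secret):
        return "reply accepted"
    return "reply discarded: authenticator mismatch, compare the key on both sides"

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))      # 16-byte Request Authenticator
SERVER_KEY = b"ExampleKey123"        # key configured on the RADIUS server
SWITCH_KEY_GOOD = b"ExampleKey123"   # same key on the switch
SWITCH_KEY_BAD = b"ExampleKey123 "   # trailing space typed on the switch

REPLY = build_reply(ACCESS_REJECT, 7, REQUEST_AUTH, b"", SERVER_KEY)

if __name__ == "__main__":
    print("reply length  :", len(REPLY))
    print("matching key  :", diagnose(REPLY, REQUEST_AUTH, SWITCH_KEY_GOOD))
    print("mismatched key:", diagnose(REPLY, REQUEST_AUTH, SWITCH_KEY_BAD))
```

Because the secret is hashed in byte for byte, a trailing space or a key stored in a different form on one side is enough to make every reply fail this check.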
03-19-2023 07:04 PM
Do you think it could be because of the firmware?
03-16-2023 06:15 PM
Cheers for the feedback, and glad that works and all good.