
RADIUS config - Doesn't work

gabsnet
Level 1

Hi guys, could you help me? Do you have any ideas?

I am trying to configure RADIUS on my Cisco SW (2960/3540), but it doesn't work.

That's the script I am using:

----------------
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
----------------
radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
---------------
line vty 0 15
 login authentication default
 transport input ssh


debug aaa authentication
debug radius

FSA-SPT-TEMP01-PREST#
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.2XX.XXX.X:1812,1813 is not responding.
*Jan 4 03:02:18.829: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.2XX.XXX.X:1812,1813 is being marked alive.

FSA-SPT-TEMP01-PREST#ping 10.2XX.XXX.X
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2XX.XXX.X, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms 

 

I have already added this SW to my RADIUS server; it has a registry.
I have other SWs that work perfectly; they are different models (C3750E).

ip radius source-interface x/x/x <<- use this command 

balaji.bandi
Hall of Fame

What is the version of code running? Post show version.

Do you have a local user, and are you able to authenticate with the local user? Or are you locked out? If you are able to log in with a local account, that means the RADIUS is failing and going to local.

If you have only 1 Radius server, then I would suggest to the user host, since you are looking to use you need to define a group  - I have provided both examples - test and let us know.

Only 1 RADIUS server:

aaa new-model
radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX

Group:

radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group GRP-TEST local

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi Yes, I am using the local user to access the device.

Model:WS-C2960C-8PC-L
Version:15.0(2)SE8


I will try with these options.

Do I need to use exactly those commands you gave me? Or do I keep some of the previous config?

Since you have local access:

I have a typo in my previous post: you can do the below and test it.

radius server GRP-TEST
 address ipv4 X.X.X.X auth-port X acct-port X
 key XXXXXX
!
aaa group server radius MY_RADIUS
 server name GRP-TEST
!
aaa authentication login default group MY_RADIUS local
aaa authorization exec default group MY_RADIUS local

Still have an issue: (try the below and let us know the outcome)

no aaa authentication login default group MY_RADIUS local
no aaa authorization exec default group MY_RADIUS local

radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local

BB


gabsnet
Level 1

@MHM Cisco World @balaji.bandi @Gaurav Kansal 

Good morning gentlemen.
Thanks so much for the attention and help.

According to @balaji.bandi the first option solved the problem. I appreciate

Are you sure you use RADIUS, or do you use the local password for access?
Please update me if you face an issue later.
Thanks.
Have a nice day.

@MHM Cisco World Yes, I am sure. It worked with my RADIUS credentials.

There is just one point: I have a different version of switch.
On this 12.2(55)SE10 - WS-C2960S
I applied the config below:

radius-server host x.x.x.x auth-port AAAA acct-port BBBBB key XXXXXXXX
aaa authentication login default group radius local
aaa authorization exec default group radius local

I have attached the debug outcome

Have a good day. 

Both debugs you shared seem to show that RADIUS does not work.

*Apr  9 14:54:41.637: RADIUS: response-authenticator decrypt fail, pak len 20
*

Here the password between the RADIUS and R/SW does not match.
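
Added example, not part of the original thread: the debug line above is the switch rejecting the Response Authenticator of a 20-byte reply, which the post attributes to a key mismatch. The Python below implements the RFC 2865 check, MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), and runs it on a constructed 20-byte Access-Reject. The keys, identifier and request authenticator are made-up sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_REJECT = 3


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the RADIUS server sends back, signed with its copy of the key."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """The check the switch (NAS) runs with its own copy of the key."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False, "bad length field"
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return False, "response authenticator mismatch"
    return True, "ok"


# Constructed sample values (not taken from the thread).
REQUEST_AUTH = bytes(range(16))      # authenticator of the Access-Request
SERVER_KEY = b"Sample-Key-1"         # key configured on the RADIUS server
SWITCH_KEY_GOOD = b"Sample-Key-1"    # same key on the switch
SWITCH_KEY_BAD = b"Sample-Key-1 "    # differs only by a trailing space

# Attribute-less Access-Reject: header only, so 20 bytes long.
PACKET = build_response(ACCESS_REJECT, 42, b"", REQUEST_AUTH, SERVER_KEY)

if __name__ == "__main__":
    for key in (SWITCH_KEY_GOOD, SWITCH_KEY_BAD):
        print(len(PACKET), verify_response(PACKET, REQUEST_AUTH, key))
```

Because the key is hashed into every reply, a reachable server that answers pings can still fail this check on each response until both sides hold the same key.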

Do you think it could be because of the firmware?

Cheers for the feedback, and glad that works and all good.

BB
