2029 Views, 13 Helpful, 27 Replies

Change AD servers switch is using to authenticate

bacjac38 (Level 1)

I am not an advanced level SSH tech but can find my way as required, but for this I need assistance. I've inherited a switch stack that points to a 2008R2 NPS server to log in. Please assist with the commands to change the NPS/RADIUS server it uses for authentication requests. Thank you in advance.

27 Replies

Interesting. To gather screenshots and events, I tried to log back in again and noticed that the new NPS server logs (.143) were not registering the attempt, but I did get locked out. I then checked the original server NPS logs (.141) and there it was.

Then I decrypted the original key (at your suggestion, THANKS) which saved the day. I entered it back into the shared secret on the original NPS server and successfully logged in.

Here's the latest config, which looks like I've made several errors in:

NGM1P3750LAN#show run | sec aaa
aaa new-model
aaa group server radius ITNetAdmins
 server 10.1.6.141
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142
 server 10.1.6.142 auth-port 1812 acct-port 1813
 server name ISE3
 server name ISE4
aaa authentication login default group ITNetAdmins local
aaa authentication enable default group ITNetAdmins enable
aaa authentication ppp ITNetAdmins local
aaa authorization console
aaa authorization exec default group ITNetAdmins local
aaa authorization commands 15 ITNetAdmins local
aaa authorization network ITNetAdmins local
aaa session-id common
ip http authentication aaa command-authorization 2 ITNetUsers


NGM1P3750LAN#show run | sec radius
aaa group server radius ITNetAdmins
 server 10.1.6.141
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142
 server 10.1.6.142 auth-port 1812 acct-port 1813
 server name ISE3
 server name ISE4
ip radius source-interface Vlan4
radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 04494D225E34197D5A3A3712064A
radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 105C4F3D540247385F27182E3069
radius-server host 10.1.4.220
radius server ISE3
 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813
 key 7 10195C493644311909307E05141B7730300502044D530409
radius server ISE4
 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813
 key 7 055C535F121F6D1B1C31433C3B3F402F39322D217B704157


@bacjac38 as you've still got the original RADIUS servers defined in the AAA group, the connection request would be sent to the first RADIUS server, which is why you aren't seeing the connection request on the new NPS server (.143). Authentications would only be sent to the .143 and .145 servers if the .141 and .142 are unavailable.

Perhaps use the "test aaa group radius server....." command to test authentications to the new RADIUS server work before you remove the old NPS servers from the AAA group.

The config now is a mess and I have to figure out how to clean it up before I add testing statements. The new NPS does have logs from when I attempted to connect earlier today. After several hours, when I came back to it, it had reverted back. (?) Log from the new server is attached.

As suggested by @Rob Ingram, you would need to remove the old RADIUS servers' IP addresses from the switch configs. So, assuming you don't need 10.1.6.141, 10.1.6.142, or 10.1.4.220, and you only need 10.1.6.143 and 10.1.6.145, then you can remove the old server references with the commands:

no radius-server host 10.1.6.141
no radius-server host 10.1.6.142
no radius-server host 10.1.4.220

aaa group server radius ITNetAdmins
   no server 10.1.6.141
   no server 10.1.6.142
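As an added illustration (not code from the thread or from Cisco), the Python script below parses a "show run | sec radius" output like the one posted above, resolves each AAA group to its server order (the first reachable entry in the group receives the request, which is why .143 saw nothing while .141 was still listed first), and flags servers that are defined but in no group, referenced but undefined, configured without a shared secret, or stored with a type 7 key (reversible obfuscation rather than encryption, which is why the original key could be recovered). The sample config is constructed from the thread's output with the key strings replaced by a placeholder.

```python
import re

# Constructed sample, condensed from the thread's "show run | sec radius" output
# with the type 7 key strings replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa group server radius ITNetAdmins
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142 auth-port 1812 acct-port 1813
 server name ISE3
 server name ISE4
radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 KEY7_PLACEHOLDER
radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 KEY7_PLACEHOLDER
radius-server host 10.1.4.220
radius server ISE3
 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813
 key 7 KEY7_PLACEHOLDER
radius server ISE4
 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813
 key 7 KEY7_PLACEHOLDER
"""

def audit_radius(config):
    """Return ({group: ordered server IPs}, [(server, issue), ...])."""
    servers, groups, block = {}, {}, None  # servers: ident -> {'ip', 'key'}
    for line in config.splitlines():
        if m := re.match(r'aaa group server radius (\S+)', line):
            block, groups[m[1]] = ('group', m[1]), []
        elif m := re.match(r'radius-server host (\S+)(?:.*\bkey (\d+))?', line):
            servers[m[1]], block = {'ip': m[1], 'key': m[2]}, None  # legacy form
        elif m := re.match(r'radius server (\S+)', line):
            block, servers[m[1]] = ('named', m[1]), {'ip': None, 'key': None}
        elif line.startswith(' ') and block:
            kind, name = block
            if kind == 'group' and (m := re.match(r' server (?:name )?(\S+)', line)):
                groups[name].append(m[1])  # listing order is the failover order
            elif kind == 'named' and (m := re.match(r' (address ipv4|key) (\S+)', line)):
                servers[name]['ip' if m[1] == 'address ipv4' else 'key'] = m[2]
        else:
            block = None
    order, findings, used = {}, [], set()
    for group, members in groups.items():
        used.update(members)
        order[group] = [servers[i]['ip'] for i in members if i in servers]
        findings += [(i, 'undefined') for i in members if i not in servers]
    for ident, s in servers.items():
        if ident not in used: findings.append((ident, 'unused'))
        if s['key'] is None: findings.append((ident, 'no-key'))
        elif s['key'] == '7': findings.append((ident, 'type7-reversible'))
    return order, findings
```

Run it again on the output after the "no" commands above: 10.1.6.141, 10.1.6.142 and 10.1.4.220 should no longer appear, and the group order should begin with 10.1.6.143.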

Thank you. Anything else to enter afterward? Are there additional commands to complete this or are there additional commands to enter?

What about the local backdoor un/pw: cisco/cisco. Does that still work? Can that account be reset if RADIUS fails?

You're welcome. Those negate commands are to clean up the RADIUS servers that aren't in use. Regarding the failback to the local users, that will be managed by the aaa policies you have applied, and it won't be affected by removing the servers that are not in use.

You use local at the end of your authc login.

This makes the SW try to use the local username/password.

To force the SW to use local, remove the SW from NPS (as a NAD).

Then try to access using local.

MHM

@MHM Cisco World  - are you referring to:

aaa authorization commands 15 ITNetAdmins local

My apologies, I don't know what this means:

This makes the SW try to use the local username/password.
To force the SW to use local, remove the SW from NPS (as a NAD).


Can you now access the SW?

If yes, share the
show aaa server <<-

with the last config you used.

MHM

output attached

attached

Sorry, I tried but I cannot open the file.
.rtf <<- can you use a plain text or PDF file?

MHM
