03-15-2021 04:18 AM
Hi
I'm setting up a RADIUS server (Microsoft) as the authentication server to control all users' devices accessing the network.
This is what's under the switch interface:
switchport access vlan 20
switchport mode access
ip access-group Rad-ACL in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
Now the NIC of the PC is showing Authentication Failed and the server is showing no logs, which made me think it's a switch configuration issue.
Any configuration template or document?
Currently I'm following this with the same issue.
03-15-2021 04:21 AM
Hi @Hisoma Sama
Has the switch been defined on the RADIUS server, with the correct IP address and shared secret?
What is the output of "show aaa server"?
Please provide the output of "show run aaa"
Refer to this secure wired access guide for more information on switch configuration; it is for ISE as a RADIUS server, but the switch configuration still applies.
03-15-2021 04:39 AM - edited 03-15-2021 04:39 AM
show run aaa
!
aaa authentication dot1x default group radius
!
!
!
!
!
!
radius server Authserver
address ipv4 <server ip> auth-port 1812 acct-port 1813
key <server key>
!
!
aaa group server radius NPS-test
server-private <server ip> key <server key>
ip radius source-interface Vlan20
!
!
!
aaa new-model
aaa session-id common
------------------
show aaa servers
RADIUS: id 3, priority 1, host <server ip>, auth-port 1812, acct-port 1813
State: current UP, duration 262s, previous duration 0s
Dead: total time 0s, count 14
Quarantined: No
Authen: request 8, timeouts 8, failover 0, retransmission 6
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 2
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 4m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 2 minutes ago: 7
low - 0 hours, 4 minutes ago: 0
average: 2
RADIUS: id 2, priority 0, host <server ip>, auth-port 1645, acct-port 1646
State: current UP, duration 10478s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 2h54m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 2 hours, 54 minutes ago: 0
low - 2 hours, 54 minutes ago: 0
average: 0
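Added example (not part of the original posts): a small Python parser for the "show aaa servers" authentication counters shown above, flagging a server entry that is sent requests but never answers. The sample text is constructed from the thread's output, and the function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample: counters copied from the thread's output, trimmed.
SAMPLE = """\
RADIUS: id 3, priority 1, host <server ip>, auth-port 1812, acct-port 1813
Authen: request 8, timeouts 8, failover 0, retransmission 6
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
RADIUS: id 2, priority 0, host <server ip>, auth-port 1645, acct-port 1646
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
"""

def parse_servers(text):
    """Return one dict per RADIUS server holding its Authen counters."""
    servers, cur, section = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"RADIUS: id (\d+),.*auth-port (\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "auth_port": int(m.group(2))}
            servers.append(cur)
            section = None
            continue
        if cur is None or ":" not in line:
            continue
        label, rest = line.split(":", 1)
        if label in ("Authen", "Author", "Account"):
            section = label
        # Only the Authen line and the Response lines that follow it count.
        if section == "Authen" and label in ("Authen", "Response"):
            for key, val in re.findall(r"(\w+) (\d+)(?:,|$)", rest):
                cur[key] = int(val)
    return servers

def diagnose(s):
    """Classify one server entry from the switch's point of view."""
    answered = s.get("accept", 0) + s.get("reject", 0) + s.get("challenge", 0)
    if s.get("request", 0) == 0:
        return "unused"      # nothing is being sent to this server entry
    if answered == 0 and s.get("timeouts", 0) > 0:
        # No reply at all: check client entry, secret, UDP ports and path.
        return "no-reply"
    if s.get("reject", 0) > 0 and s.get("accept", 0) == 0:
        return "rejecting"   # server answers, policy or credentials fail
    return "responding"

if __name__ == "__main__":
    for srv in parse_servers(SAMPLE):
        print(srv["id"], srv["auth_port"], diagnose(srv))
```

On the thread's counters this reports the 1812 entry as "no-reply" (8 requests, 8 timeouts, no accept, reject or challenge) and the 1645 entry as "unused".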
03-15-2021 04:55 AM
Take a look here at how to configure your NPS. The client part is also explained, but this is common for every use case no matter which RADIUS you're using.
PEAP and EAP-TLS on Server 2008 and Cisco WLC (networklessons.com)
https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
***Please mark all helpful posts***
03-15-2021 04:49 AM
Ok, the radius servers appear to be up. Has the switch been defined on the RADIUS server, with the correct IP address and shared secret?
Change your radius group configuration as below:-
aaa group server radius NPS-test
server name Authserver
03-15-2021 05:06 AM
Changed it, still nothing.
The server is getting this error: "a radius message was received from the invalid radius client ip address", and the IP is the switch IP, not the PC.
03-15-2021 05:10 AM
Define the RADIUS source interface, the same interface which relates to the IP address the RADIUS server is configured with.
ip radius source-interface <INTERFACE-NAME>
03-15-2021 05:13 AM
Hi Rob
It's there already:
aaa group server radius NPS-test
server-private <server ip> key <server key>
server name Authserver
ip radius source-interface Vlan20
!
aaa authentication dot1x default group radius
03-15-2021 05:19 AM
Ok, so what IP address did the RADIUS server receive the packet from?
Another IP address as configured on the switch?
VLAN 20 has an IP address on that switch right?
You can remove that server-private attribute if you have the server name defined.
aaa group server radius NPS-test
no server-private <server ip> key <server key>
03-15-2021 05:29 AM
Command removed,
and the RADIUS server received the VLAN interface IP,
and yes, the VLAN already has an IP.
03-15-2021 05:36 AM
So the RADIUS server received the packet from the IP address of VLAN 20? Which is the correct IP address as defined on the RADIUS server? In which case perhaps delete the value on the RADIUS server and re-create it, and ensure the shared secret is correct.
If that doesn't work, perhaps you could share a screenshot of the RADIUS server error.
03-15-2021 05:54 AM
So the RADIUS server received the packet from the IP address of VLAN 20?
-Yes.
Which is the correct IP address as defined on the RADIUS server?
-Yes, we defined two: one for the switch, which is the VLAN interface, and the other for the user (the PC which is trying to authenticate). The error is with the switch IP.
In which case perhaps delete the value on the RADIUS server and re-create it, and ensure the shared secret is correct.
-Done.
And the error is attached.
03-15-2021 05:59 AM
Ok, can you perhaps provide screenshots of your NPS radius server configuration?
You don't need to define the IP address(es) of the PCs connecting, only the switch's IP address(es), as the RADIUS packet will always be sourced from the switch.