SW config issue for Radius

Hisoma Sama
Level 1
Level 1

Hi

 

I'm doing a RADIUS server (Microsoft) as Authentication Server to control all users' devices from accessing the network.

 

This is what's under the SW interface:

switchport access vlan 20
switchport mode access
ip access-group Rad-ACL in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast

 

Now the NIC of the PC is showing Authentication Failed and the server is showing no logs, which made me think it's a switch configuration issue.

 

Any configuration template or document?

 

Currently I'm following this with the same issue:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/best_practices_guide/BP_Cat3850/BP_wired_security.pdf

12 Replies

Hi @Hisoma Sama 

Has the switch been defined on the RADIUS server, with the correct IP address and shared secret?

 

What is the output of "show aaa server"?

Please provide the output of "show run aaa"

 

Refer to this secure wired access guide for more information on switch configuration, it is for ISE as a RADIUS server but the switch configuration still applies.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

show run aaa
!
aaa authentication dot1x default group radius

!
!
!
!
!
!
radius server Authserver
address ipv4 <server ip> auth-port 1812 acct-port 1813
key <server key>
!
!
aaa group server radius NPS-test
server-private <server ip> key <server key>
ip radius source-interface Vlan20
!
!
!
aaa new-model
aaa session-id common

 

 

------------------

 

show aaa servers

RADIUS: id 3, priority 1, host <server ip>, auth-port 1812, acct-port 1813
State: current UP, duration 262s, previous duration 0s
Dead: total time 0s, count 14
Quarantined: No
Authen: request 8, timeouts 8, failover 0, retransmission 6
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 2
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 4m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 2 minutes ago: 7
low - 0 hours, 4 minutes ago: 0
average: 2

RADIUS: id 2, priority 0, host <server ip>, auth-port 1645, acct-port 1646
State: current UP, duration 10478s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 2h54m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 2 hours, 54 minutes ago: 0
low - 2 hours, 54 minutes ago: 0
average: 0
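The counters quoted above are the most useful clue in this thread: 8 authentication requests, 8 timeouts, and not a single Accept or Reject. A wrong user password would produce an Access-Reject; a request that is never answered at all is what you see when the RADIUS server silently discards the packet (unknown client IP or shared-secret mismatch). The script below is an added example, not from the thread or Cisco; it parses a constructed "show aaa servers" sample (placeholder host 192.0.2.10, counters copied from the symptom above) and turns the counters into findings, including the second, duplicate host entry on ports 1645/1646 that the later replies fix by switching the group to "server name".

```python
import re

# Constructed sample, modelled on the "show aaa servers" output quoted above:
# placeholder host 192.0.2.10, counters chosen to reproduce the symptom
# (8 requests, 8 timeouts, no Accept and no Reject).
SAMPLE_OUTPUT = """\
RADIUS: id 3, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
State: current UP, duration 262s, previous duration 0s
Dead: total time 0s, count 14
Quarantined: No
Authen: request 8, timeouts 8, failover 0, retransmission 6
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 2
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Response: start 0, interim 0, stop 0

RADIUS: id 2, priority 0, host 192.0.2.10, auth-port 1645, acct-port 1646
State: current UP, duration 10478s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
"""

HEADER_RE = re.compile(r"RADIUS: id (\d+), priority (\d+), host (\S+), auth-port (\d+), acct-port (\d+)")
AUTHEN_RE = re.compile(r"Authen: request (\d+), timeouts (\d+), failover (\d+), retransmission (\d+)")
RESP_RE = re.compile(r"Response: accept (\d+), reject (\d+), challenge (\d+)")
DEAD_RE = re.compile(r"Dead: total time \S+, count (\d+)")


def parse_aaa_servers(text):
    """Parse each 'RADIUS: id ...' block into a dict of the counters that matter here."""
    servers, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = {"id": int(m[1]), "priority": int(m[2]), "host": m[3],
                   "auth_port": int(m[4]), "acct_port": int(m[5]),
                   "requests": 0, "timeouts": 0, "accepts": 0, "rejects": 0, "dead_count": 0}
            servers.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := DEAD_RE.match(line):
            cur["dead_count"] = int(m[1])
        elif m := AUTHEN_RE.match(line):
            section = "authen"          # the next "Response: accept" line belongs to authentication
            cur["requests"], cur["timeouts"] = int(m[1]), int(m[2])
        elif line.startswith(("Author:", "Account:")):
            section = "other"           # ignore the authorization/accounting response lines
        elif section == "authen" and (m := RESP_RE.match(line)):
            cur["accepts"], cur["rejects"] = int(m[1]), int(m[2])
    return servers


def diagnose(server):
    """Turn one server's counters into findings; an empty list means nothing suspicious."""
    findings = []
    if server["requests"] and server["timeouts"] >= server["requests"] \
            and server["accepts"] + server["rejects"] == 0:
        findings.append("every Access-Request timed out with no Accept/Reject: the server never "
                        "answered, which is what a RADIUS server does when it discards packets "
                        "from an unregistered client IP or on a shared-secret mismatch")
    if server["dead_count"]:
        findings.append(f"marked dead {server['dead_count']} times: repeated timeouts, not rejects")
    return findings


def analyse(text):
    """Map 'host:auth-port' -> findings for every server block in the output."""
    servers = parse_aaa_servers(text)
    result = {f"{s['host']}:{s['auth_port']}": diagnose(s) for s in servers}
    hosts = [s["host"] for s in servers]
    for s in servers:
        if hosts.count(s["host"]) > 1:
            result[f"{s['host']}:{s['auth_port']}"].append(
                "same host defined twice with different ports: look for a leftover "
                "server-private / radius-server host entry beside the named 'radius server'")
    return result


if __name__ == "__main__":
    for key, findings in analyse(SAMPLE_OUTPUT).items():
        print(key, "->", findings or ["no findings"])
```

Run it against the pasted output of a real switch (replace SAMPLE_OUTPUT) after clearing counters and re-triggering one authentication; if the request counter rises but only timeouts follow, stop looking at the port config and check what the RADIUS server thinks of the switch's source address and secret.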

@Hisoma Sama 

 

Take a look here at how to configure your NPS, the client part is also explained but this is common for every use case no matter which radius you're using.

 

PEAP and EAP-TLS on Server 2008 and Cisco WLC (networklessons.com)

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

 

 

***Please mark all helpful posts***

Spooster IT Services Team

Ok, the radius servers appear to be up. Has the switch been defined on the RADIUS server, with the correct IP address and shared secret?

 

Change your radius group configuration as below:

aaa group server radius NPS-test
server name Authserver

 

Changed it, still nothing.

 

The server is getting this error: "a radius message was received from the invalid radius client ip address", and the IP is the switch IP, not the PC.

 

@Hisoma Sama 

Define the RADIUS source interface, the same interface which relates to the IP address the RADIUS server is configured with.

 

ip radius source-interface <INTERFACE-NAME> 

 

Hi Rob 

It's there already:

 

aaa group server radius NPS-test
server-private <server ip> key <server key>
server name Authserver
ip radius source-interface Vlan20
!
aaa authentication dot1x default group radius

Ok, so what IP address did the RADIUS server receive the packet from?

Another IP address as configured on the switch?

VLAN 20 has an IP address on that switch right?

 

You can remove that server-private attribute if you have the server name defined.

aaa group server radius NPS-test
no server-private <server ip> key <server key>

 

Command removed.

 

And the RADIUS received the int VLAN IP.

And yes, the VLAN already has an IP.

So the RADIUS server received the packet from the IP address of VLAN 20? Which is the correct IP address as defined on the RADIUS server? In which case perhaps delete the value on the RADIUS server and re-create and ensure the shared secret is correct.

If that doesn't work, perhaps you could share a screenshot of the RADIUS server error.

So the RADIUS server received the packet from the IP address of VLAN 20?

-yes

 

Which is the correct IP address as defined on the RADIUS server?

-Yes, we defined two: one for the switch, which is the VLAN int, the other for the user (the PC which is trying to authenticate). The error is with the SW IP.

 

In which case perhaps delete the value on the RADIUS server and re-create and ensure the shared secret is correct.

-Done

 

And the error is attached.

Ok, can you perhaps provide screenshots of your NPS radius server configuration?

 

You don't need to define the IP address(es) of the PCs connecting, only the switch's IP address(es), as the RADIUS packet will always be sourced from the switch.
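The point of the last two replies is that NPS matches the source IP of the RADIUS packet against its RADIUS client list, and that source is whatever `ip radius source-interface` points at (or the egress interface if none is set), never the PC. The check below is an added example, not from the thread or from Cisco/Microsoft: it reads a constructed switch configuration (placeholder addresses in 192.0.2.0/24), resolves the source interface to its address, and compares it with a constructed NPS client list, flagging both the switch address that is missing and the PC entry that does nothing.

```python
import re

# Constructed switch configuration (not the thread's real config): the RADIUS
# source interface is Vlan20, but the NPS client list below registers Vlan1's
# address and a PC address instead.
SWITCH_CONFIG = """\
interface Vlan1
 ip address 192.0.2.250 255.255.255.0
!
interface Vlan20
 ip address 192.0.2.5 255.255.255.0
!
radius server Authserver
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <server key>
!
aaa group server radius NPS-test
 server name Authserver
 ip radius source-interface Vlan20
"""

# Constructed NPS "RADIUS Clients" list: friendly name -> registered address.
NPS_CLIENTS = {"switch-core": "192.0.2.250", "PC-user": "192.0.2.77"}


def interface_addresses(config):
    """Map interface name -> IPv4 address from 'ip address A M' lines."""
    addrs, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None          # '!' or another top-level command ends the block
        elif current and line.strip().startswith("ip address "):
            addrs[current] = line.split()[2]
    return addrs


def radius_source(config):
    """Return (interface, ip) for 'ip radius source-interface', or (None, None) if unset."""
    m = re.search(r"^\s*ip radius source-interface (\S+)", config, re.M)
    if not m:
        return None, None
    name = m.group(1)
    return name, interface_addresses(config).get(name)


def check_nps_clients(config, clients):
    """Compare the switch's RADIUS source address with the NPS client list."""
    findings = []
    iface, src = radius_source(config)
    if src is None:
        findings.append("no resolvable 'ip radius source-interface': the source address "
                        "follows the egress interface, so pin it explicitly")
        return findings
    if src in set(clients.values()):
        findings.append(f"ok: RADIUS source {src} ({iface}) is a registered NPS client")
    else:
        findings.append(f"mismatch: RADIUS source {src} ({iface}) is not a registered NPS client; "
                        "NPS will discard its requests and log an invalid-client error")
    switch_ips = set(interface_addresses(config).values())
    for name, ip in clients.items():
        if ip not in switch_ips:
            findings.append(f"unneeded: client '{name}' ({ip}) is not a switch interface; "
                            "endpoints never source RADIUS packets")
    return findings


if __name__ == "__main__":
    for f in check_nps_clients(SWITCH_CONFIG, NPS_CLIENTS):
        print(f)
```

The shared secret cannot be verified this way; if the source address already matches and requests still time out, re-enter the secret on both sides as the reply above suggests.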
