cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
224
Views
0
Helpful
1
Replies
Beginner

C2960X error Radius through SSH

Hi there

 

I have a new C2960X that we are replacing a couple old ones with.

I can not get RADIUS working  .  yes the switch can ping the radius server .. i took out the key but it is there

 

HELP

 

I have it programmed like this

aaa new-model
!
!
aaa group server radius RADIUS_AUTH
!
aaa authentication login networkaccess group RADIUS_AUTH local enable
aaa authorization exec default group RADIUS_AUTH local if-authenticated


!
radius server RADIUS_AUTH
address ipv4 172.20.253.222 auth-port 1812 acct-port 1813
key 7 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD


line con 0
exec-timeout 0 0
line vty 0 4
access-class 99 in
exec-timeout 0 0
password 7 09584B051A0403
login authentication networkaccess
length 0
transport input ssh
line vty 5 15
access-class 99 in
exec-timeout 0 0
password 7 09584B051A0403
login authentication networkaccess
transport input ssh


crypto key gener rsa

 

 

 

what i get is 

 

login as: xxxxxxx
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

 

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: C2960X error Radius through SSH

Hi @Steveosh72 

 

You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct :-)

 

I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices

 

It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:

 

RADIUS.PNG

 

The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.

 

1 REPLY 1
VIP Advocate

Re: C2960X error Radius through SSH

Hi @Steveosh72 

 

You need to share your ISE config as well since that would tell us whether your RADIUS Policy Set is correct :-)

 

I have pasted the ISE 2.3/2.4/2.6 Style RADIUS Policy Set below for Cisco IOS and WLC devices

 

It shows what RADIUS attributes are expected during a device authentication via RADIUS at the Top Level of the Policy Set:

 

RADIUS.PNG

 

The point is this: you need to allow PAP only, and then depending on the Conditions shown above, create an Authentication and Authorization Policy accordingly - the top level conditions shown above are required to match on the RADIUS traffic that results from a device admin AAA event.