12-16-2015 09:10 AM - edited 03-10-2019 11:20 PM
The switch is configured to use port 1812. Why, in debug radius authentication, do we see port 1645 used between the switch and ISE? See the config and debug output below:
CONFIG:
L3-SWITCH(config)# radius server ISE-PRIMARY
L3-SWITCH(config-radius-server)# address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
L3-SWITCH(config-radius-server)# automate-tester username ISE_HEALTH ignore-acct-port
L3-SWITCH(config-radius-server)# key sharedsecret
DEBUG OUTPUT:
L3-SWITCH# test aaa group radius admin admin$Pwd new-code
Attempting authentication test to server-group radius using radius
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IPv6: ::
Dec 3 21:09:57.873: RADIUS(00000000): sending
Dec 3 21:09:57.873: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
Dec 3 21:09:57.873: RADIUS(00000000): Send Access-Request to 10.10.2.50:1645 id 1645/2, len 51
Dec 3 21:09:57.873: RADIUS: authenticator 99 E2 71 98 E2 84 C8 BE - 34 B9 56 91 A8 E3 DC FB
Dec 3 21:09:57.873: RADIUS: User-Password [2] 18 *
Dec 3 21:09:57.873: RADIUS: User-Name [1] 7 "admin"
Dec 3 21:09:57.873: RADIUS: NAS-IP-Address [4] 6 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 3 21:09:57.873: RADIUS(00000000): Started 5 sec timeout
Dec 3 21:09:57.881: RADIUS: Received from id 1645/2 10.10.2.50:1645, Access-Reject, len 20
Dec 3 21:09:57.881: RADIUS: authenticator 61 6D 9A 38 9B 58 9E 44 - 4C 4A F2 1F 29 B3 74 3F
Dec 3 21:09:57.881: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-SWITCH#
Thanks.
12-16-2015 09:41 AM
I don't think the "test aaa" command uses all the settings from your AAA server group. There is probably an option in the command to specify port.
12-16-2015 11:07 AM
The command used is:
L3-SWITCH# test aaa group radius admin admin$Pwd new-code
new-code means use port 1812/1813. If the keyword had been legacy, that would have meant using port 1645/1646.
So, it's still puzzling that if we tell the switch to use NEW-CODE (1812), the switch is using port 1645.
12-16-2015 12:11 PM
12-17-2015 08:02 AM
Hello All,
Here is the issue. The command you are using to perform the test is using the "radius" group, which is the default group the IOS device uses to put the devices in:
test aaa group radius admin admin$Pwd new-code
In order to test the configuration of the group you created and configured with port 1812, you need to execute the test command using the group you created, called "ISE-PRIMARY":
test aaa group ISE-PRIMARY admin admin$Pwd new-code/legacy
Note: Please mark it as answered if applicable
12-17-2015 12:56 PM
I tried Jan's suggestion and it worked, on port 1812, without changing the group radius. Following are the results:
L3-Switch#test aaa group radius server 10.10.2.50 auth-port 1812 acct-port 1813 admin admin$Pwd new-code
User rejected
L3-Switch#
<output omitted>
Dec 17 13:20:12.803: RADIUS(00000000): Send Access-Request to 10.10.2.50:1812 id 1645/233, len 51
Dec 17 13:20:12.803: RADIUS: authenticator 8D 14 82 14 C4 AA 68 5B - DC D4 02 53 50 BB 02 AC
Dec 17 13:20:12.803: RADIUS: User-Password [2] 18 *
Dec 17 13:20:12.803: RADIUS: User-Name [1] 7 "admin"
<output omitted>
Dec 17 13:20:12.811: RADIUS: Received from id 1645/233 10.10.2.50:1812, Access-Reject, len 20
Dec 17 13:20:12.811: RADIUS: authenticator 8D 1E 41 8E 9D DC 8E 36 - 9C 70 1A 72 19 DC 04 FE
Dec 17 13:20:12.811: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-Switch#
Dec 17 13:20:12.811: RADIUS(00000000): Received from id 1645/233
Dec 17 13:20:12.811: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IPv6: ::
Dec 17 13:20:12.820: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 17 13:20:12.820: RADIUS(00000000): Started 5 sec timeout
Dec 17 13:20:12.820: RADIUS: Received from id 1646/208 10.10.2.50:1813, Accounting-response, len 20
Dec 17 13:20:12.82
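As an added example (not code from the thread or from Cisco), here is a small Python check that turns the troubleshooting done above into a repeatable test: it reads the configured auth-port/acct-port for each RADIUS server and scans "debug radius" output for requests sent to a different port, which is exactly what revealed the default-group behaviour here. The config and debug lines below are constructed from the ones quoted in this thread.

```python
import re

# Constructed sample: the server definition from the thread's CONFIG section.
CONFIG = """
radius server ISE-PRIMARY
 address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
 automate-tester username ISE_HEALTH ignore-acct-port
 key sharedsecret
"""

# Constructed sample: one request on the legacy port (1645), one on the configured port.
DEBUG = """
Dec 3 21:09:57.873: RADIUS(00000000): Send Access-Request to 10.10.2.50:1645 id 1645/2, len 51
Dec 3 21:09:57.881: RADIUS: Received from id 1645/2 10.10.2.50:1645, Access-Reject, len 20
Dec 17 13:20:12.803: RADIUS(00000000): Send Access-Request to 10.10.2.50:1812 id 1645/233, len 51
"""

ADDR_RE = re.compile(r"address ipv4 (\S+) auth-port (\d+) acct-port (\d+)")
SEND_RE = re.compile(r"Send (Access-Request|Accounting-Request) to (\S+):(\d+)")


def parse_config_ports(config):
    """Map each configured server IP to its (auth_port, acct_port) pair."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in ADDR_RE.finditer(config)}


def find_port_mismatches(config, debug):
    """Return (debug_line, expected_port, seen_port) for every request the switch
    sent to a configured server on a port other than the one configured for it.
    Access-Requests are checked against auth-port, Accounting-Requests against acct-port."""
    ports = parse_config_ports(config)
    mismatches = []
    for line in debug.splitlines():
        m = SEND_RE.search(line)
        if not m:
            continue  # not a "Send ..." line (replies, attribute dumps, etc.)
        kind, ip, port = m.group(1), m.group(2), int(m.group(3))
        if ip not in ports:
            continue  # server not defined with an explicit port; nothing to compare
        expected = ports[ip][0] if kind == "Access-Request" else ports[ip][1]
        if port != expected:
            mismatches.append((line.strip(), expected, port))
    return mismatches


if __name__ == "__main__":
    for line, expected, seen in find_port_mismatches(CONFIG, DEBUG):
        print(f"expected port {expected}, saw {seen}: {line}")
```

A request showing up on 1645/1646 while the server is configured for 1812/1813 is the sign that the test (or the real session) is not using the server definition you think it is.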