
AAA Configuration

Ranjita
Level 1

Hi All,
I need some advice on AAA config. My switches are able to reach the RADIUS server, but the device still accepts only local login.

Please have a look at the config and guide me on how to correct it:

aaa group server radius AA-RADIUS
server-private 10.169.15.5 auth-port 1645 key 7 0832594C0418171E1C0E380B383B212C3C17231F08190D
server-private 10.169.15.6 key 7 15131E180C673B2B3A2775734553434312435B555246070D1D22564A4756565A760A57090856
aaa authentication login default group radius local
aaa session-id common

BR,

Ranjita



debug aaa authentication

The most likely cause of this issue is that the RADIUS server has the SW added with an IP different from the one the SW uses as source. The common solution is to use

radius source-interface

MHM

Hi,
Thanks for the suggestion. I updated my config and it didn't help.

sh run | inc ip radius
ip radius source-interface Vlan403

Attached is the debug aaa file. The password for individual user is in line with RADIUS.

 

Are you running

aaa new-model

in your config?

If not, that is the reason.

Note: don't wr the config until you are totally sure you can access the SW via the new config; this gives you a return point.

MHM

Hi,
Yes, I am.

do sh run | inc aaa
aaa new-model
aaa group server radius UR-RADIUS
aaa authentication login default group UR-RADIUS local
aaa authentication enable default enable
aaa session-id common

show aaa server <<- share this 

MHM

Hi,
Please check the attachment.

Change the port to be 1812, not 1645.

Do show aaa server again.

Authen: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0,

These counters must increase.

Note: I am sure you tried pinging the server IP using source vlan403 and it succeeded.

MHM

Hi,

Yes, the ping works. I tried using source as well. I have updated the port.

X02YAL11UH001-KF002-SW#sh aaa server

RADIUS: id 6, priority 0, host 10.169.29.5, auth-port 1645, acct-port 1813, hostname UR-RADIUS_PrivateServer_10.169.29.5_1645_1813
State: current UP, duration 1263s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 1384672s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 4, time 0ms
Transaction: success 0, failure 1
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 21m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 3
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 3, current 3 total 3
Requests per minute past 24 hours:
high - 0 hours, 3 minutes ago: 4
low - 0 hours, 21 minutes ago: 0
average: 0

RADIUS: id 8, priority 0, host 10.169.29.5, auth-port 1812, acct-port 1813, hostname UR-RADIUS_PrivateServer_10.169.29.5_1812_1813
State: current UP, duration 42s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 1384678s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 0m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0

RADIUS: id 9, priority 0, host 10.169.29.6, auth-port 1812, acct-port 1813, hostname UR-RADIUS_PrivateServer_10.169.29.6_1812_1813
State: current UP, duration 48s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 48s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 0m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0

 

Sorry I was checking this count

incorrect <- this count increments when the request format is wrong or the server key is wrong. Double check the server key.

Also you added many servers, one with 1812 and another with 1645; we already checked 1645 and it did not work. Remove it, test again and share show aaa server.

Thanks 

MHM
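Reading the counters MHM points at above, as an added example that is not from any poster in this thread: a small Python parser for `show aaa server` output that pulls the per-server authentication counters and turns them into the findings discussed here (legacy port 1645, responses counted as incorrect, requests that only time out, a server the switch never asked). The sample output is constructed from the fields shown in this thread and trimmed to the lines the parser reads; the finding codes, the `diagnose` function and the message texts are this example's own naming, not IOS output.

```python
"""Parse `show aaa server` (Cisco IOS-XE) and flag the authentication counters
that explain a RADIUS login silently falling back to local.

Added example for this thread, not any poster's code. SAMPLE is constructed
from the fields shown in the thread and trimmed to the lines the parser reads.
"""
import re

SAMPLE = """\
RADIUS: id 6, priority 0, host 10.169.29.5, auth-port 1645, acct-port 1813, hostname UR-RADIUS_PrivateServer_10.169.29.5_1645_1813
State: current UP, duration 1263s, previous duration 0s
Authen: request 4, timeouts 4, failover 0, retransmission 3
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 4, time 0ms
Transaction: success 0, failure 1
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
RADIUS: id 8, priority 0, host 10.169.29.5, auth-port 1812, acct-port 1813, hostname UR-RADIUS_PrivateServer_10.169.29.5_1812_1813
State: current UP, duration 42s, previous duration 0s
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
"""

HEADER = re.compile(r"RADIUS: id (\d+), priority \d+, host (\S+), auth-port (\d+), acct-port (\d+)")
PAIR = re.compile(r"\s*(.+?)\s+(\d+)\w*\s*$")  # matches "server error 0" and "time 0ms"

# Finding codes are this example's own naming; the advice mirrors the thread.
MESSAGES = {
    "LEGACY_AUTH_PORT": "auth-port 1645 is the pre-RFC 2865 port; most servers listen on 1812",
    "NO_REQUESTS_SENT": "switch never sent a request here; check that the login method list references this server's group",
    "RESPONSES_DISCARDED": "responses counted as incorrect/bad authenticator/malformed; a wrong shared secret is the usual cause",
    "ALL_TIMEOUTS": "every request timed out with no accept/reject; check port, path and the client entry on the server",
    "SERVER_ANSWERING": "server answers; a reject is a credential/policy problem, not transport",
}


def _counters(text):
    """'request 4, timeouts 4, time 0ms' -> {'request': 4, 'timeouts': 4, 'time': 0}"""
    out = {}
    for part in text.split(","):
        m = PAIR.match(part)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_show_aaa_server(text):
    """Return one dict per RADIUS server with its Authen-section counters only."""
    servers = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            servers.append({"id": int(m.group(1)), "host": m.group(2),
                            "auth_port": int(m.group(3)), "acct_port": int(m.group(4)),
                            "state": None, "authen": {}})
            section = None
            continue
        if not servers:
            continue
        cur = servers[-1]
        if line.startswith("State: current "):
            cur["state"] = line.split()[2].rstrip(",")
        elif line.startswith("Authen:"):
            section = "authen"
            cur["authen"].update(_counters(line.split(":", 1)[1]))
        elif line.startswith(("Dot1x transactions:", "MAC auth", "Author:", "Account:")):
            section = None  # later sections have their own Response: lines
        elif section == "authen":
            if line.startswith(("Response:", "Transaction:")):
                cur["authen"].update(_counters(line.split(":", 1)[1]))
            elif line.startswith(("Malformed responses:", "Bad authenticators:")):
                name, value = line.split(":")
                cur["authen"][name.lower()] = int(value)
    return servers


def diagnose(server):
    """Finding codes for one server, in the order a troubleshooter would check them."""
    a = server["authen"]
    codes = []
    answered = a.get("accept", 0) + a.get("reject", 0) + a.get("challenge", 0)
    if server["auth_port"] == 1645:
        codes.append("LEGACY_AUTH_PORT")
    if a.get("request", 0) == 0:
        codes.append("NO_REQUESTS_SENT")
        return codes
    if a.get("incorrect", 0) or a.get("bad authenticators", 0) or a.get("malformed responses", 0):
        codes.append("RESPONSES_DISCARDED")
    if a.get("timeouts", 0) and answered == 0:
        codes.append("ALL_TIMEOUTS")
    if answered:
        codes.append("SERVER_ANSWERING")
    return codes


def report(text):
    """Map 'host:auth-port' -> finding codes for every server in the output."""
    return {f"{s['host']}:{s['auth_port']}": diagnose(s) for s in parse_show_aaa_server(text)}


if __name__ == "__main__":
    for target, codes in report(SAMPLE).items():
        print(target)
        for code in codes:
            print("   ", code, "-", MESSAGES[code])
```

Two things the output in this thread makes obvious once parsed: "State: current UP" is not evidence that the server ever answered (id 6 shows UP with 4 requests and 4 timeouts), and a second server entry with request 0 means the switch never tried it, so its counters say nothing about the key or the port. Run the script against a saved `show aaa server` capture rather than eyeballing the sixty-odd lines per server.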

balaji.bandi
Hall of Fame

What device is this? What IOS code is running on it? What RADIUS server?

Make sure the RADIUS servers are reachable: use show radius and show radius counters all, and also try a ping to the RADIUS server.

Try changing as below and test it:

aaa authentication login default group AA-RADIUS local

My suggestion config as below :

aaa new-model

radius server RAD_1
address ipv4 10.10.10.10
key mykey
radius server RAD_2
address ipv4 20.20.20.20
key mykey2

aaa group server radius RAD_GRP
server name RAD_1
server name RAD_2

aaa authentication login default group RAD_GRP local

BB

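BB's first fix (`group AA-RADIUS` instead of `group radius`) is the kind of mismatch a static check catches before anyone touches the switch. Added example, not from any poster in this thread: a Python checker that parses the AAA lines of a running config and flags a login method list whose group has no servers (the built-in group `radius` only contains globally defined `radius server` / `radius-server host` entries, so `server-private` members of AA-RADIUS are never consulted and login falls straight through to `local`), a group that is defined but never referenced, a missing `aaa new-model`, a method list with no `local` fallback (lockout risk, the reason for MHM's "don't wr" note), and `key 7` strings, which are reversible obfuscation rather than encryption. Both configs are constructed: the first mirrors the original post with the keys replaced by placeholders, the second is the corrected shape. The finding codes are this example's own naming.

```python
"""Static check of IOS AAA login configuration for the mistakes discussed in
this thread. Added example, not any poster's code; both configs below are
constructed (keys are placeholders, not the values posted in the thread).
"""
import re

ORIGINAL = """\
aaa group server radius AA-RADIUS
 server-private 10.169.15.5 auth-port 1645 key 7 PLACEHOLDER7A
 server-private 10.169.15.6 key 7 PLACEHOLDER7B
aaa authentication login default group radius local
aaa session-id common
"""

CORRECTED = """\
aaa new-model
radius server RAD_1
 address ipv4 10.169.15.5 auth-port 1812 acct-port 1813
 key PLACEHOLDERKEY
aaa group server radius AA-RADIUS
 server name RAD_1
aaa authentication login default group AA-RADIUS local
"""

# Finding codes are this example's own naming.
MESSAGES = {
    "NO_NEW_MODEL": "aaa new-model is missing; AAA method lists are not applied without it",
    "NO_LOGIN_METHOD_LIST": "no 'aaa authentication login default' line found",
    "IMPLICIT_GROUP_EMPTY": "method list uses built-in group 'radius' but no global radius server is defined; "
                            "server-private entries inside a named group are not part of it, so login goes straight to local",
    "UNDEFINED_GROUP": "method list references a group that is not defined",
    "GROUP_HAS_NO_SERVERS": "referenced group is defined but contains no servers",
    "UNREFERENCED_GROUP": "a server group is defined but no login method list uses it (typo in the group name?)",
    "NO_LOCAL_FALLBACK": "no 'local' method after the RADIUS group; an unreachable server locks you out",
    "TYPE7_KEY": "key 7 is reversible obfuscation, not encryption; a posted config leaks the shared secret",
}


def parse_aaa(config):
    """Collect groups, global servers, the default login method list and key-7 usage."""
    state = {"new_model": False, "global_servers": set(), "groups": {},
             "login_default": None, "type7_keys": 0}
    ctx = None  # ("group", name) or ("server", name) while inside a submode
    for raw in config.splitlines():
        line = raw.strip()  # forum posts lose the one-space submode indent
        if not line or line.startswith("!"):
            continue
        if line == "aaa new-model":
            state["new_model"] = True
            ctx = None
        elif (m := re.match(r"aaa group server radius (\S+)$", line)):
            state["groups"][m.group(1)] = []
            ctx = ("group", m.group(1))
        elif (m := re.match(r"radius server (\S+)$", line)):
            state["global_servers"].add(m.group(1))
            ctx = ("server", m.group(1))
        elif (m := re.match(r"radius-server host (\S+)", line)):  # legacy global form
            state["global_servers"].add(m.group(1))
            ctx = None
        elif (m := re.match(r"aaa authentication login default (.+)$", line)):
            state["login_default"] = m.group(1).split()
            ctx = None
        elif ctx and ctx[0] == "group" and (m := re.match(r"server(?:-private)? (?:name )?(\S+)", line)):
            state["groups"][ctx[1]].append(m.group(1))  # IP of a private server or name of a global one
        elif line.startswith("aaa "):
            ctx = None
        if re.search(r"\bkey 7 \S+", line):
            state["type7_keys"] += 1
    return state


def analyze(config):
    """Return finding codes for the default login method list of this config."""
    s = parse_aaa(config)
    findings = []
    if not s["new_model"]:
        findings.append("NO_NEW_MODEL")
    if s["login_default"] is None:
        findings.append("NO_LOGIN_METHOD_LIST")
        return findings
    tokens = s["login_default"]
    referenced = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "group"]
    for g in referenced:
        if g == "radius":
            if not s["global_servers"]:
                findings.append("IMPLICIT_GROUP_EMPTY")
        elif g not in s["groups"]:
            findings.append("UNDEFINED_GROUP")
        elif not s["groups"][g]:
            findings.append("GROUP_HAS_NO_SERVERS")
    if any(g not in referenced for g in s["groups"]):
        findings.append("UNREFERENCED_GROUP")
    if referenced and "local" not in tokens:
        findings.append("NO_LOCAL_FALLBACK")
    if s["type7_keys"]:
        findings.append("TYPE7_KEY")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, "->", [MESSAGES[c] for c in analyze(cfg)] or "no findings")
```

On the original post the checker reports the empty built-in group plus the unreferenced AA-RADIUS group, which together point at the one-word fix BB gives; on the corrected shape it reports nothing. The TYPE7_KEY finding is there because a config pasted into a public thread with `key 7` strings should be treated as a leaked shared secret and rotated on the RADIUS server.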

Hi,
I am working on Catalyst 9200 devices running IOS 17.9. The RADIUS server can be reached from the switch.
I am unable to add my key in the config as suggested:


X02YAL11UH001-KF002-(config-radius-server)#$ort 1645 ?
acct-port UDP port for RADIUS accounting server (default is 1813)
<cr> <cr>

X02YAL11UH001-KF002-(config-radius-server)#$9.5 auth-port 1645 acct-port ?
<0-65534> Port number

X02YAL11UH001-KF002-(config-radius-server)#$ort 1645 acct-port 1813 ?
<cr> <cr>

X02YAL11UH001-KF002-(config-radius-server)#$ort 1645 acct-port 1813 key ?
