10-02-2017 12:33 PM - edited 03-05-2019 09:13 AM
I recently upgraded a Catalyst 3650 from 03.03.03 to 03.07.05 and the switch is no longer recognizing my RADIUS setup. I've pulled some info and examples of what the commands are now, and confirmed my auth and acct ports on the NPS server. Nothing is working.
The NPS server (Windows 2012 R2) hasn't logged a single connection attempt since the upgrade.
Here are the RADIUS lines from the switch:
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius server default
 address ipv4 10.10.10.61 auth-port 1812 acct-port 1813
 key switch19nps
Many thanks in advance
Accepted Solutions
10-03-2017 09:42 AM
aaa new-model !Make sure you are running this command.
aaa authentication login default group radius local
!
radius server SERVER1
 address ipv4 10.10.10.61 auth-port 1812 acct-port 1813 !(default ports are udp 1646 and 1645)
 key switch19nps
 retransmit 10
 timeout 6
!
OR, the other alternative is:
aaa group server radius SERVER1
 server 10.10.10.61 auth-port 1812 acct-port 1813
!
radius-server key switch19nps
!
aaa new-model
aaa authentication login default group SERVER1 local
!
Remember to check whether you are running 'aaa new-model' before making any changes. Also, be sure to use the correct UDP ports on both the switch and the server.
HTH,
Meheretab
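An added example, not part of any post in this thread: a small Python check that applies the accepted answer's advice to a saved config snippet, confirming that `aaa new-model` is present, that every method-list group is defined, and that the ports match what the server listens on. The helper name `lint_radius_config` is hypothetical, the two sample configs are constructed from the lines posted above, and the parser assumes IOS-style syntax with no `!` inside the shared key.

```python
import re

BUILTIN_GROUPS = {"radius", "tacacs+"}  # method-list keywords needing no "aaa group server"

def lint_radius_config(config, expected_ports=(1812, 1813)):
    """Return findings for an IOS-style AAA/RADIUS snippet (hypothetical helper)."""
    # Drop "!" comments and blank lines; assumes the shared key contains no "!".
    lines = [s for l in config.splitlines() if (s := l.split("!")[0].strip())]
    groups, used, servers, findings = set(), set(), [], []
    for l in lines:
        if m := re.match(r"aaa group server radius (\S+)", l):
            groups.add(m.group(1))
        elif re.match(r"aaa (authentication|authorization) ", l):
            used.update(re.findall(r"\bgroup (\S+)", l))
        elif m := re.match(r"(?:address ipv4|server|radius-server host) ([\d.]+)(.*)", l):
            ports = dict(re.findall(r"(auth-port|acct-port) (\d+)", m.group(2)))
            # Omitted ports fall back to 1645/1646, the defaults named in the thread.
            servers.append((m.group(1), int(ports.get("auth-port", 1645)),
                            int(ports.get("acct-port", 1646))))
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    for g in sorted(used - BUILTIN_GROUPS - groups):
        findings.append(f"method list references undefined group {g}")
    if used - {"tacacs+"} and not servers:
        findings.append("no RADIUS server address defined")
    for ip, auth, acct in servers:
        if (auth, acct) != tuple(expected_ports):
            want = "/".join(map(str, expected_ports))
            findings.append(f"{ip} uses {auth}/{acct}, expected {want}")
    return findings

# Constructed inputs, built from the configs posted in this thread.
QUESTION_CONFIG = """\
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius server default
 address ipv4 10.10.10.61 auth-port 1812 acct-port 1813
 key switch19nps
"""
ANSWER_CONFIG = """\
aaa new-model !Make sure you are running this command.
aaa authentication login default group radius local
radius server SERVER1
 address ipv4 10.10.10.61 auth-port 1812 acct-port 1813
 key switch19nps
"""

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, lint_radius_config(cfg) or "no findings")
```

The question only quoted the RADIUS-related lines, so the `aaa new-model` finding on that snippet means the line was not in what was pasted, not necessarily that it was absent from the switch.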
10-02-2017 01:19 PM
Do you have layer 3 connectivity with the radius server? Could you ping it?
If yes, please try the following:
radius-server host 10.10.10.61 auth-port 1812 acct-port 1813 key switch19nps
HTH,
Meheretab
10-03-2017 04:19 AM
Thanks for the suggestion, but unfortunately the command errored out at 'host':
GE-L3-07#ping 10.10.10.61
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.61, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
GE-L3-07(config)#$.10.10.61 auth-port 1812 acct-port 1813 key switch19nps
radius-server host 10.10.10.61 auth-port 1812 acct-port 1813 key switch19nps
^
% Invalid input detected at '^' marker.

10-02-2017 02:00 PM
Hello,
The default accounting port is UDP 1646, and the default authentication port is UDP 1645. Can you try those?
You can also configure the 'automate tester' to test if the configured ports work at all.
