Dean Thompson
Beginner

SG200-08 and Radius using IAS

I have set up the IAS following many topics, some vary slightly but most are the same.  The issue I have is my SG200-08 will not allow me access using radius.  Within the Windows Event Viewer I can see the following.

User deano was granted access.

Fully-Qualified-User-Name = HPMEDIASERVER\deano

NAS-IP-Address = <not present>

NAS-Identifier = A0-CF-5B-E4-72-5F

Client-Friendly-Name = Switch 1

Client-IP-Address = 192.168.0.36

Calling-Station-Identifier = <not present>

NAS-Port-Type = <not present>

NAS-Port = <not present>

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = ciscoauth

Authentication-Type = PAP

EAP-Type = <undetermined>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The above tells me that I have been authorized and I see no failure or issue.  Now on the logon page for the switch it tells me:

Invalid Username or Password.

Please try again.

I unplug my network to it and access the security screen as I have it set to allow radius/local.  Everything is set up, I can't figure out what is going on with this!  Does anyone have anything they can share as to why this is happening?

On a footnote, I also use Radius for my wireless devices, which works fine... well until I removed everything in the remote access policy.

Please help, this is driving me nuts... lol

19 REPLIES
Dean Thompson
Beginner

Can no one help me?  I have a 24 port Cisco switch that is behaving the same!  I really do not want to do a reset on these, but it looks like I will have no option.

rmanthey
Enthusiast

Hello Dean,

Can you setup a port mirror on the port going towards your Radius? Have a computer connected with Wireshark when you try to log into your switch from a second computer? This should show you the packet exchange between the switch and the Radius server. Do you see the return packet come back from the Radius server?

If you continue to have problems and are in your support window please call in and have a technician assist you further. 1866-606-1866.

Thanks

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Thank you for your help. Yes, I see the packet sent from the switch to the Radius server and the Radius server reply.  I will paste the info below for you.

431    188.088930    192.168.0.36    192.168.0.2    RADIUS    124    Access-Request(1) (id=131, l=82)

432    188.091966    192.168.0.2    192.168.0.36    RADIUS    106    Access-Accept(2) (id=131, l=64)

Radius server being 192.168.0.2

I am going to do the same from the 24 port switch.

It has returned the following.

2    1.154249    192.168.0.37    192.168.0.2    RADIUS    118    Access-Request(1) (id=0, l=76)

3    1.155518    192.168.0.2    192.168.0.37    RADIUS    125    Access-Accept(2) (id=0, l=83)

The local one I have next to me for testing the 0.36 unit I can unplug and get access to.  I will work with that and leave the 0.37 as it is in a working environment right now.

I appreciate you trying to help me with this...

Just to be clear, I can see in the Logs that everything is authenticated on the Radius server.  On the webpage for the router it shows

Here is the Wireshark grab of the data.

Take note of the arrows, I presume that is the correct data for the Vendor Specific under Remote Access Policy?

Other information that may be valid.  I brought my firewall down to make sure it was not the issue with the same results.  I also have seen this in the log files of the switch.

Now when you say "Support window," I have only had this unit about 4 weeks now.  The other is way outside unless I buy a support package for them.

Does anyone know of the valid settings in IAS Profile?  Cisco don't seem to want to help too much seeing as it is a Microsoft IAS.  I can't get any answers from Cisco relating to any settings the Cisco switches and routers use.  Right now I can't use the Radius server to authenticate the switches and routers.

Documentation on this equipment explains nothing also, not a good start for someone getting into Cisco branded equipment huh? lol
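
For checking a captured reply like the Access-Accept discussed above, the following added example (not part of the thread and not Cisco or Microsoft code) decodes a RADIUS packet's attributes, including Vendor-Specific, following the RFC 2865 layout. The function names and the sample packet are constructed for illustration; its attribute values are placeholders, not the settings the SG200-08 expects.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         25: "Class", 26: "Vendor-Specific", 32: "NAS-Identifier", 61: "NAS-Port-Type"}

def parse_radius(packet: bytes) -> dict:
    """Decode a RADIUS packet (RFC 2865 layout) into code, id and attribute list."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured data")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        value = packet[pos + 2:pos + a_len]
        name = ATTRS.get(a_type, f"Attr-{a_type}")
        if a_type == 26 and len(value) >= 6:
            # Vendor-Specific: 4-byte vendor id, then vendor type/length/data
            vendor = struct.unpack("!I", value[:4])[0]
            v_type, v_len = value[4], value[5]
            attrs.append((name, {"vendor": vendor, "type": v_type,
                                 "data": value[6:4 + v_len]}))
        elif a_type in (5, 6, 61) and len(value) == 4:
            attrs.append((name, struct.unpack("!I", value)[0]))
        else:
            attrs.append((name, value))
        pos += a_len
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}

def missing_attrs(parsed: dict, wanted: set) -> set:
    """Return the attribute names from `wanted` that the packet does not carry."""
    return wanted - {name for name, _ in parsed["attrs"]}

def build_sample_accept() -> bytes:
    """Constructed Access-Accept (id=131); values are illustrative only."""
    data = b"example=1"  # placeholder VSA payload, not a real device setting
    vsa_body = struct.pack("!IBB", 9, 1, 2 + len(data)) + data  # vendor id 9 = Cisco
    body = bytes([6, 6]) + struct.pack("!I", 6) + bytes([26, 2 + len(vsa_body)]) + vsa_body
    return struct.pack("!BBH", 2, 131, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(parse_radius(build_sample_accept()))
```

To use it on a real capture, pass the UDP payload bytes exported from Wireshark to `parse_radius` and compare the result with what the server policy is supposed to return.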

Dean Thompson
Beginner

This is what I love, people say Cisco has one of the best support systems in the world.  Yet they do not want to help a small business.

All I got from them is "we do not support Microsoft products."  No explanation on what settings I should even attempt to set up in my policies.  No details on protocols or anything related to setup.

I guess this topic is closed, but thank you to those who have helped me, you were more help than the OFFSHORE support Cisco offers.

I am experiencing EXACTLY the same thing.  I even updated to 1.0.2.0 from 1.0.0.16 today with no luck. Also, the default time of 1970 after a restart is annoying.  The device shouldn't be this buggy and slow for $180.

If you have found anything out, please post.  I'm thinking of going with the FreeRad product or similar, what a waste of a Saturday.......

Also, you cannot telnet or SSH into these POs's.  I should have found that out earlier....

Yeah, no telnet as these units are Smart (HAHA), Managed switches allow telnet and so forth.  I have found no help, unable to figure out the correct settings or anything.

It is not really the software, but Cisco told me it could be the policy that has the issue. Again no help on the policy as I was not using their software.

I am so annoyed with this I have given up, I will just have to set my switches and routers manually.  I was intending on having all my equipment which is all now Cisco..... use Radius for authentication.

As I said, I have given up.  If by accident I find something, then I will mention it here.  Funny thing is I wanted to buy a couple of 50 port switches, but right now I am looking at another vendor.

Dean Thompson
Beginner

I have found some interesting things about this unit.  It does not send out its NAS-IP-Address even when configured to do so.  It never sends out its type of NAS-Port, which is a problem when my Policy is looking for the NAS-Port to determine if this is a Wireless connection or Ethernet.

Authentication-Type = PAP, I can't get the unit to change to anything else, it always uses PAP even if the policy is not allowing this type.

I did have a Cisco Level 2 operator e-mail me with some pictures on a LAB setup they did using the same device, I am unable to make it work and he said he would do a Webex with me.  Not heard from him in 2 days now.

Another interesting thing, I am running the 1.0.2.0 Firmware. Well not interesting, but the latest version is now 1.0.0.16? Now what is up with that?

So I am still stuck, not knowing what is going on.. Oh and my Trouble ticket has been closed for me while I was out of town..


I have finally got one of my other switch types working.  SLM224G is now working via IAS Radius, yet still the SG200-08 will not authenticate.  Cisco gave me settings for the SG200-08, but when I use their settings IAS will deny with the following..

User admin was denied access.

Fully-Qualified-User-Name = NEPTUNE\admin

NAS-IP-Address =