I have set up the IAS following many topics, some vary slightly but most are the same. The issue I have is my SG200-08 will not allow me access using radius. Within the Windows Event Viewer I can see the following.
User deano was granted access.
Fully-Qualified-User-Name = HPMEDIASERVER\deano
NAS-IP-Address = <not present>
NAS-Identifier = A0-CF-5B-E4-72-5F
Client-Friendly-Name = Switch 1
Client-IP-Address = 192.168.0.36
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = ciscoauth
Authentication-Type = PAP
EAP-Type = <undetermined>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The above tells me that I have been authorized and I see no failure or issue. Now on the log on page for the switch it tells me..
Invalid Username or Password.
Please try again.
I unplug my network to it and access the security screen as I have it set to allow radius/local. Everything is set up, I can't figure out what is going on with this! Does anyone have anything they can share as to why this is happening?
On a footnote, I also use Radius for my wireless devices, of which works fine... well until I removed everything in the remote access policy.
Please help, this is driving me nuts... lol
Can no one help me? I have a 24 port Cisco switch that is behaving the same! I really do not want to do a reset on these, but it looks like I will have no option.
Can you setup a port mirror on the port going towards your Radius? Have a computer connected with Wireshark when you try to log into your switch from a second computer? This should show you the packet exchange between the switch and the Radius server. Do you see the return packet come back from the Radius server?
If you continue to have problems and are in your support window please call in and have a technician assist you further. 1866-606-1866.
Cisco Small Business Support Center
CCNA, CCNA - Security
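The capture suggested above shows more than whether a reply came back: the attributes inside the Access-Request and Access-Accept can be decoded and compared with what the server policy tests and returns. The following is an added example, not part of the original thread; both packets are constructed samples, and the Service-Type and Cisco AV-pair values in the reply are illustrative only, since the thread does not establish which attributes the SG200-08 expects.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 26: "Vendor-Specific", 32: "NAS-Identifier",
         61: "NAS-Port-Type"}  # attribute numbers from RFC 2865

def build(code, ident, attrs):
    """Constructed-sample helper: pack (type, value) pairs into a RADIUS packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(pkt):
    """Return (code name, id, {attribute name: value}); a repeated attribute keeps the last value."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the packet")
    out, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        if atype == 26 and len(value) >= 6:   # Vendor-Specific: vendor id + sub-attribute
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        elif atype in (5, 6, 61) and len(value) == 4:   # 32-bit integer attributes
            value = struct.unpack("!I", value)[0]
        out[ATTRS.get(atype, "Attr-%d" % atype)] = value
        pos += pkt[pos + 1]
    return CODES.get(code, code), ident, out

def missing_nas_attrs(request_attrs):
    """NAS attributes a policy condition might test that the client did not send."""
    return [n for n in ("NAS-IP-Address", "NAS-Port", "NAS-Port-Type")
            if n not in request_attrs]

# Constructed sample packets (authenticators zeroed, password field is filler).
REQUEST = build(1, 131, [(1, b"deano"), (2, bytes(16)), (32, b"A0-CF-5B-E4-72-5F")])
AVPAIR = b"shell:priv-lvl=15"  # illustrative Cisco AV-pair, not a confirmed setting
ACCEPT = build(2, 131, [(6, struct.pack("!I", 6)),
                        (26, struct.pack("!IBB", 9, 1, len(AVPAIR) + 2) + AVPAIR)])

if __name__ == "__main__":
    for pkt in (REQUEST, ACCEPT):
        print(parse(pkt))
    print("not sent by NAS:", missing_nas_attrs(parse(REQUEST)[2]))
```

To run it against a real capture, pass the UDP payload of each RADIUS frame to `parse()` in place of the constructed packets.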
Thank you for your help. Yes, I see the packet sent from the Switch to the Radius server and the Radius server reply. I will paste the info below for you..
431 188.088930 192.168.0.36 192.168.0.2 RADIUS 124 Access-Request(1) (id=131, l=82)
432 188.091966 192.168.0.2 192.168.0.36 RADIUS 106 Access-Accept(2) (id=131, l=64)
Radius server being 192.168.0.2
I am going to do the same from the 24 port switch.
It has returned the following.
2 1.154249 192.168.0.37 192.168.0.2 RADIUS 118 Access-Request(1) (id=0, l=76)
3 1.155518 192.168.0.2 192.168.0.37 RADIUS 125 Access-Accept(2) (id=0, l=83)
The local one I have next to me for testing the 0.36 unit I can unplug and get access to. I will work with that and leave the 0.37 as it is in a working environment right now.
I appreciate you trying to help me with this...
Just to be clear, I can see in the Logs that everything is authenticated on the Radius server. On the webpage for the router it shows
here is the wireshark grab of the data.
Take note of the arrows, I presume that is the correct data for the Vendor Specific under Remote Access Policy?
Other information that may be valid. I brought my firewall down to make sure it was not the issue with the same results. I also have seen this in the log files of the switch.
Now when you say "Support window," I have only had this unit about 4 weeks now. The other is way outside unless I buy a support package for them.
Does anyone know of the valid settings in IAS Profile? Cisco don't seem to want to help too much seeing as it is a Microsoft IAS. I can't get any answers from Cisco relating to any settings the Cisco switches and routers use. Right now I can't use the Radius server to authenticate the switches and routers.
Documentation on this equipment explains nothing also, not a good start for someone getting into Cisco branded equipment huh? lol
This is what I love, people say Cisco has one of the best support systems in the world. Yet they do not want to help a small business.
All I got from them is "we do not support Microsoft products." No explanation on what settings I should even attempt to set up in my policies. No details on protocols or anything related to setup.
I guess this topic is closed, but thank you to whoever has helped me, you were more help than the OFFSHORE support Cisco offers.
I am experiencing EXACTLY the same thing. I even updated to 18.104.22.168 from 22.214.171.124 today with no luck. Also, the default time of 1970 after a restart is annoying. The device shouldn't be this buggy and slow for $180.
If you have found anything out, please post. I'm thinking of going with the FreeRad product or similar, what a waste of a Saturday.......
Also, you cannot telnet or SSH into these POs's. I should have found that out earlier....
Yeah, no telnet as these units are Smart (HAHA), Managed switches allow telnet and so forth. I have found no help, unable to figure out the correct settings or anything.
It is not really the software, but Cisco told me it could be the policy that has the issue. Again no help on the policy as I was not using their software.
I am so annoyed with this I have given up, I will just have to set my switches and routers manually. I was intending on having all my equipment which is all now Cisco..... use Radius for authentication.
As I said, I have given up. If by accident I find something, then I will mention it here. Funny thing is I wanted to buy a couple of 50 port switches, but right now I am looking at another vendor.
I have found some interesting things about this unit. It does not send out its NAS-IP-Address even when configured to do so. It never sends out its type of NAS-Port, which is a problem when my Policy is looking for the NAS-Port to determine if this is a Wireless connection or Ethernet.
Authentication-Type = PAP, I can't get the unit to change to anything else, it always uses PAP even if the policy is not allowing this type.
I did have a Cisco Level 2 operator e-mail me with some pictures on a LAB setup they did using the same device, I am unable to make it work and he said he would do a Webex with me. Not heard from him in 2 days now.
Another interesting thing, I am running the 126.96.36.199 Firmware. Well not interesting, but the latest version is now 188.8.131.52? Now what is up with that?
So I am still stuck, not knowing what is going on.. Oh and my Trouble ticket has been closed for me while I was out of town..
I have finally got one of my other switch types working. SLM224G is now working via IAS Radius, yet still the SG200-08 will not authenticate. Cisco gave me settings for the SG200-08, but when I use their settings IAS will deny with the following..
User admin was denied access.
Fully-Qualified-User-Name = NEPTUNE\admin