
SG200-08 and Radius using IAS

Dean Thompson
Beginner

I have set up the IAS following many topics, some vary slightly but most are the same.  The issue I have is my SG200-08 will not allow me access using radius.  Within the Windows Event Viewer I can see the following.

User deano was granted access.

Fully-Qualified-User-Name = HPMEDIASERVER\deano

NAS-IP-Address = <not present>

NAS-Identifier = A0-CF-5B-E4-72-5F

Client-Friendly-Name = Switch 1

Client-IP-Address = 192.168.0.36

Calling-Station-Identifier = <not present>

NAS-Port-Type = <not present>

NAS-Port = <not present>

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = ciscoauth

Authentication-Type = PAP

EAP-Type = <undetermined>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The above tells me that I have been authorized and I see no failure or issue.  Now on the log on page for the switch it tells me..

Invalid Username or Password.

Please try again.

I unplug my network to it and access the security screen as I have it set to allow radius/local.  Everything is set up, I can't figure out what is going on with this!  Does anyone have anything they can share as to why this is happening?

On a footnote, I also use Radius for my wireless devices, which works fine... well, until I removed everything in the remote access policy.

Please help, this is driving me nuts... lol

19 REPLIES

Dean Thompson
Beginner

Can no one help me?  I have a 24 port Cisco switch that is behaving the same!  I really do not want to do a reset on these, but it looks like I will have no option.

rmanthey
Enthusiast

Hello Dean,

Can you set up a port mirror on the port going towards your Radius? Have a computer connected with Wireshark when you try to log into your switch from a second computer. This should show you the packet exchange between the switch and the Radius server. Do you see the return packet come back from the Radius server?

If you continue to have problems and are in your support window please call in and have a technician assist you further. 1866-606-1866.

Thanks

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Thank you for your help. Yes, I see the packet sent from the switch to the Radius server and the Radius server reply.  I will paste the info below for you..

431    188.088930    192.168.0.36    192.168.0.2    RADIUS    124    Access-Request(1) (id=131, l=82)

432    188.091966    192.168.0.2    192.168.0.36    RADIUS    106    Access-Accept(2) (id=131, l=64)

Radius server being 192.168.0.2

I am going to do the same from the 24 port switch.

It has returned the following.

2    1.154249    192.168.0.37    192.168.0.2    RADIUS    118    Access-Request(1) (id=0, l=76)

3    1.155518    192.168.0.2    192.168.0.37    RADIUS    125    Access-Accept(2) (id=0, l=83)

The local one I have next to me for testing, the 0.36 unit, I can unplug and get access to.  I will work with that and leave the 0.37 as it is in a working environment right now.

I appreciate you trying to help me with this...

Just to be clear, I can see in the Logs that everything is authenticated on the Radius server.  On the webpage for the router it shows

here is the wireshark grab of the data.

Take note of the arrows, I presume that is the correct data for the Vendor Specific under Remote Access Policy?

Other information that may be valid.  I brought my firewall down to make sure it was not the issue with the same results.  I also have seen this in the log files of the switch.

Now when you say "Support window," I have only had this unit about 4 weeks now.  The other is way outside unless I buy a support package for them.
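
To see which attributes an Access-Accept like the ones in the capture lines above actually carries, here is an added example (not part of the thread and not Cisco's code) that decodes a RADIUS packet per the RFC 2865 layout and lists its attributes, including Vendor-Specific items. The sample packet and its attribute values are constructed for illustration and are not taken from the poster's capture.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26  # attribute type numbers from RFC 2865

def parse_vsa(value: bytes) -> list:
    """Split a Vendor-Specific value: 4-byte vendor id, then type/length/data items."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    items, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("bad vendor sub-attribute length")
        v_type, v_len = value[pos], value[pos + 1]
        items.append(("Vendor-Specific", vendor_id, v_type, value[pos + 2:pos + v_len]))
        pos += v_len
    return items

def parse_radius(pkt: bytes) -> dict:
    """Decode one RADIUS packet (UDP payload only) into header fields and attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not match the captured bytes")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + a_len]
        if a_type == SERVICE_TYPE and len(value) == 4:
            attrs.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            attrs.extend(parse_vsa(value))
        else:
            attrs.append((a_type, value))  # left undecoded
        pos += a_len
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}

def build_sample_accept() -> bytes:
    """Constructed Access-Accept; values are illustrative, not the thread's capture."""
    avpair = b"shell:priv-lvl=15"  # constructed sample Cisco AV pair string
    # Vendor id 9 is Cisco; vendor type 1 is cisco-avpair.
    vsa = struct.pack("!BBIBB", 26, 8 + len(avpair), 9, 1, 2 + len(avpair)) + avpair
    service = struct.pack("!BBI", 6, 6, 6)  # Service-Type = 6 (Administrative)
    body = service + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for attr in parse_radius(build_sample_accept())["attrs"]:
        print(attr)
```

The input is the RADIUS payload only, so bytes copied from Wireshark should start at the RADIUS layer rather than at the Ethernet frame.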