I have some 2960s and they work like a charm. I configured RADIUS access on them and had no problems with that.
Now I have two C300 (SG300-28) and I can't get them to work with my RADIUS server, I always get an "authentication failed".
Here are the commands on one of the boxes:
encrypted radius-server key <encrypted key>
radius-server host <radius host IP> auth-port 1645 acct-port 1646
aaa authentication enable SSH radius enable
aaa authentication login SSH radius local
Also, why is it presenting me the login twice when I connect via ssh (first with "login-as:" and no password and then with "User Name:" and with a password?!) ? At the first login I can type whatever I want and only the second login is the real one.
Solved! Go to Solution.
Service-Type = Administrative-User, Cisco-AVPair = "shell:priv-lvl=15"
i have an sg300-28 using radius for auth too. i am able to ssh to the device with no issue using my id. make sure your radius server is sending back the authorization string that is expected (i imagine it is doing so, since your 29xx's are working).
below is the auth config i have for my switch. telnet is shut off, http is shut off, https, ssh and snmp are turned on. only radius is allowed when using ssh or https. console is radius or local.
encrypted radius-server key <<
radius-server host 192.168.25.1 source 0.0.0.0
radius-server host 192.168.50.1 source 0.0.0.0
logging host 192.168.25.1
aaa authentication enable Console radius enable
aaa authentication enable SSH radius
aaa authentication enable Telnet radius
ip http authentication aaa login-authentication radius
aaa authentication login Console radius local
aaa authentication login SSH radius
aaa authentication login Telnet radius
aaa authentication dot1x default radius
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
login authentication Telnet
enable authentication Telnet
login authentication SSH
enable authentication SSH
login authentication Console
enable authentication Console
Your config looks like mine. The crazy thing is, the event log of the RADIUS server (MS Windows 2008 R2) shows an information event with the details that the login against the RADIUS was a success. So why is the SG300 giving me an
And do you have an answer to the second question of my post?
is your RADIUS server replying with
Cisco-AVPair = "shell:priv-lvl=15"
in the auth response? it seems that this is not happening. i have no idea about the other question you have.
I did a debug radius on one of the 2960 (didn't find out how to do this on the SG300):
RADIUS: Cisco AVpair  19 "shell:priv-lvl=15"
They use the same Policy on the RADIUS.
notice that the string i provided and the one you captured are different.
Cisco-AVPair = "shell:priv-lvl=15"
Cisco AVpair  19 "shell:priv-lvl=15"
as far as i know, only the number at the end of the string (which indicates access level) should change. the extra characters being returned by your RADIUS server might be the issue. maybe try setting a new RadiusReplyItem value, and see if that works.
OMG .... 2 years + and this is still an issue? WTF?
brendankearney's semi-workaround did work for me.
Strange part is that I have a small lab setup and it worked there ... in production it did not. As stated in the other comments above all other "Big Boy" switches work without issue ... however these SBS switches do not without Brendan's work around!
I've wasted 12 hours on this today! And still not solution.
On FW version 126.96.36.199 ... Late Dec 2014. No joy!
You need to make sure both the “Administrative-User” and the privilege 15 values are to be seen in the accept message from the Radius server.
I have tried for several days to get this to work on one of our SG300-28 switches. We have been using RADIUS on all our other Cisco gear (switches, routers ans ASA's) with no issue. We are trying to put two of these switches in front of a SAN so we don't need all the bells and whistles of the larger switches.
I have set up aaa through the CLI basically just like Brendan Kearney shows in the post in March. I can see that it is getting to the RADIUS server because this is in the RADIUS log:
With the retries set to 3 it locks out the AD account as well so it is attempting to authenticate. I had to set the console to permit local in order to get access back both through SSH (PuTTy). I then went in and remove almost all of the aaa configuration so that I could get back on through the Web GUI.
I also have the dual logon issue mentioned in the original post.
First login doesn't seem to care what you put in.
I had the same issue (with SG300 switch) and wasn't able to find a solution, so I am posting what I did here to fix it just in case someone else happens to wander past.
The issue seemed to be the assumption that "Cisco-AVPair = "shell:priv-lvl=15"" should be passed back to the device from the RADIUS server as it does with IOS devices. Once I removed this, I was able to logon to the SG300 switch successfully using RADIUS for SSH. Web Authentication still didn't like this though... not sure about that, so have left web authentication as local.
That line is required for our IOS based devices. We use Microsoft NPS for our Radius Server, so I now have two network policies, one for SG devices and one for IOS devices.
As for the 'double logon' it still seems to be an issue, but couldn't find a resolution.
I tried your command and it fails:
iib-san-3#ip ssh password-auth
% Unrecognized command
Here is the help for the ip command:
dhcp Dhcp configuration commands
source-guard IP Source Guard action commands
I don't see ssh as an option.
Thank you, that worked like a charm. Now only get the Login as prompt and not the additional Username prompt.
Now I just need to get the Radius working properly. :)