Solved: SG300-28 RADIUS login

Martin Oesting · ‎06-05-2013

Hi,

I have some 2960s and they work like a charm. I configured RADIUS access on them and had no problems with that.

Now I have two C300 (SG300-28) and I can't get them to work with my RADIUS server, I always get an "authentication failed".

Here are the commands on one of the boxes:

encrypted radius-server key <encrypted key>

radius-server host <radius host IP> auth-port 1645 acct-port 1646

aaa authentication enable SSH radius enable

aaa authentication login SSH radius local

Also, why is it presenting me the login twice when I connect via ssh (first with "login-as:" and no password and then with "User Name:" and with a password?!) ? At the first login I can type whatever I want and only the second login is the real one.

Greetings

Martin

Michal Bruncko · ‎01-06-2015

Still not working even after two years? :)
- do you have similar configuration like mentioned here: http://www.tech-recipes.com/rx/1478/how-to-setup-ias-to-use-radius-to-authenticate-cisco-device/ ?
- did you tried to increase IAS logging verbosity?
- did you performed packet capture to see RADIUS conversation between both parties? If so, did you saw Access-Accept or Access-Reject response coming from RADIUS server?
- if it is "Access-Reject", are you sure you are using correct login name password? did you see correct values (username and password) inside RADIUS conversation (inside message Access-Request)? If so, are you use complicated password with non ASCII characters? Have you tried to simplify it to include only ASCII characters in password (I hope this is requirement)?
- if it is "Access-Accept" message coming from RADIUS and you still not having access to device, have you checked mandatory fields inside "Access-Accept" message? both following were required in my scenario:

Service-Type = Administrative-User,
Cisco-AVPair = "shell:priv-lvl=15"

For me it is working well, but I am using FreeRADIUS instead of IAS (but this should not matter at all).

View solution in original post

Brendan Kearney · ‎06-05-2013

i have an sg300-28 using radius for auth too. i am able to ssh to the device with no issue using my id. make sure your radius server is sending back the authorization string that is expected (i imagine it is doing so, since your 29xx's are working).

below is the auth config i have for my switch. telnet is shut off, http is shut off, https, ssh and snmp are turned on. only radius is allowed when using ssh or https. console is radius or local.

encrypted radius-server key <<>>

radius-server host 192.168.25.1 source 0.0.0.0

radius-server host 192.168.50.1 source 0.0.0.0

logging host 192.168.25.1

aaa authentication enable Console radius enable

aaa authentication enable SSH radius

aaa authentication enable Telnet radius

ip http authentication aaa login-authentication radius

aaa authentication login Console radius local

aaa authentication login SSH radius

aaa authentication login Telnet radius

aaa authentication dot1x default radius

aaa accounting dot1x start-stop group radius

aaa accounting login start-stop group radius

line telnet

login authentication Telnet

enable authentication Telnet

password <<>> encrypted

exit

line ssh

login authentication SSH

enable authentication SSH

password <<>> encrypted

exit

line console

login authentication Console

enable authentication Console

password <<>> encrypted

exit

Martin Oesting · ‎06-06-2013

Your config looks like mine. The crazy thing is, the event log of the RADIUS server (MS Windows 2008 R2) shows an information event with the details that the login against the RADIUS was a success. So why is the SG300 giving me an

"authentication failed"?

And do you have an answer to the second question of my post?

Martin

Brendan Kearney · ‎06-06-2013

is your RADIUS server replying with

Cisco-AVPair = "shell:priv-lvl=15"

in the auth response? it seems that this is not happening. i have no idea about the other question you have.

Martin Oesting · ‎06-06-2013

Hi,

I did a debug radius on one of the 2960 (didn't find out how to do this on the SG300):

RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"

They use the same Policy on the RADIUS.

Greetings

Martin

Brendan Kearney · ‎06-07-2013

notice that the string i provided and the one you captured are different.

Cisco-AVPair = "shell:priv-lvl=15"

vs.

Cisco AVpair [1] 19 "shell:priv-lvl=15"

as far as i know, only the number at the end of the string (which indicates access level) should change. the extra characters being returned by your RADIUS server might be the issue. maybe try setting a new RadiusReplyItem value, and see if that works.

WalterCoria · ‎12-28-2014

OMG .... 2 years + and this is still an issue? WTF?

brendankearney's semi-workaround did work for me.

Strange part is that I have a small lab setup and it worked there ... in production it did not. As stated in the other comments above all other "Big Boy" switches work without issue ... however these SBS switches do not without Brendan's work around!

I've wasted 12 hours on this today! And still not solution.

On FW version 1.4.0.88 ... Late Dec 2014. No joy!

Aleksandra Dargiel · ‎12-28-2014

Hi Walter,

You need to make sure both the “Administrative-User” and the privilege 15 values are to be seen in the accept message from the Radius server.

Regards,

Aleksandra

Jeremy Gibbs · ‎01-05-2015

You need to set your Standard radius attributes Service-Type from Login to Administrative. That should fix it. Let me know if it works.

dtapley1 · ‎04-11-2023

I took our Radius setup over from a former colleague who said it would not work on an SG300. Made the change suggested by Jeremy and everything is good to go. Thanks!

Steven Carnahan · ‎06-19-2013

I have tried for several days to get this to work on one of our SG300-28 switches. We have been using RADIUS on all our other Cisco gear (switches, routers ans ASA's) with no issue. We are trying to put two of these switches in front of a SAN so we don't need all the bells and whistles of the larger switches.

I have set up aaa through the CLI basically just like Brendan Kearney shows in the post in March. I can see that it is getting to the RADIUS server because this is in the RADIUS log:

"","IAS",06/18/2013,15:00:04,1,"","",,,,,,"",,9,"","",,,,,,,1,,0,"311 1 06/18/2013 10:14:44 63",,,,,,,,,"05000010",,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

With the retries set to 3 it locks out the AD account as well so it is attempting to authenticate. I had to set the console to permit local in order to get access back both through SSH (PuTTy). I then went in and remove almost all of the aaa configuration so that I could get back on through the Web GUI.

I also have the dual logon issue mentioned in the original post.

First login doesn't seem to care what you put in.

theitcrowd · ‎06-23-2014

I had the same issue (with SG300 switch) and wasn't able to find a solution, so I am posting what I did here to fix it just in case someone else happens to wander past.

The issue seemed to be the assumption that "Cisco-AVPair = "shell:priv-lvl=15"" should be passed back to the device from the RADIUS server as it does with IOS devices. Once I removed this, I was able to logon to the SG300 switch successfully using RADIUS for SSH. Web Authentication still didn't like this though... not sure about that, so have left web authentication as local.

That line is required for our IOS based devices. We use Microsoft NPS for our Radius Server, so I now have two network policies, one for SG devices and one for IOS devices.

As for the 'double logon' it still seems to be an issue, but couldn't find a resolution.

Thanks.

Michal Bruncko · ‎12-29-2014

To fix double-login you have to enable ssh-like password authentication on switch using command:

ip ssh password-auth

Steven Carnahan · ‎01-06-2015

I tried your command and it fails:

iib-san-3#ip ssh password-auth
% Unrecognized command

Here is the help for the ip command:

iib-san-3#ip
dhcp Dhcp configuration commands
source-guard IP Source Guard action commands

I don't see ssh as an option.

Michal Bruncko · ‎01-06-2015

it is an configuration command, so you have to put it inside configuration mode

SG300-28 RADIUS login

Cisco Business Product Family

Cisco Switching Product Family