
Cisco SG200-26p refuses to use RADIUS logins

davehouser1
Level 1

I have a Cisco SG200-26p running the latest firmware 1.4.11.

I am connecting to a Synology RADIUS server that uses local logins.
I have the Cisco set up following this guide.

I have syslog set up as well to see what is happening on the cisco.
I can see from the Radius Server that the authentication is successful and get a 200 OK every time I login with the RADIUS login.
I made sure the Management access authentication is set to have HTTP and HTTPS use "RADIUS" as their primary authentication.
No matter what I try, the Cisco continues to show "Invalid user name or password. Please try again." at the login screen.
Syslog shows "AAA - REJECT - %AAA-W-REJECT: New http connection, source 10.10.10.101 destination 10.10.10.2 REJECTED".
I also found this post that details the same info as the link above, but shows configuration on a Windows server. We do not have Windows servers on our network; is this a requirement?

What gives? It's like the Cisco isn't even trying to use the RADIUS login.
Why does the Cisco refuse to use the RADIUS login? What other troubleshooting can I perform?

5 Replies

marce1000
VIP

- Check the logs of the Synology RADIUS server: do you see any (authenticating) requests coming in from the SG when trying to log in?

https://kb.synology.com/en-us/DSM/help/RadiusServer/rad_log?version=6

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

I already stated this in my original post:
I can see from the Radius Server that the authentication is successful and get a 200 OK every time

However to clarify, the logs show "(0) Login OK: [testuser] (from client cisco port 0)"

balaji.bandi
Hall of Fame

We need to check multiple places to find what is wrong. Is the RADIUS server reachable?

Check the thread below; it may help you:

https://community.cisco.com/t5/network-access-control/aaa-authorization-of-sf302-08mpp-issue/td-p/2556695

BB


Ok, I tried all of that.
I gave up using the Synology RADIUS server; it seems that Cisco requires a bunch of specific settings that that server cannot support. I then tried deploying a FreeRADIUS container. It's set up right, and I am providing those special vendor lvl15 codes for Cisco. FreeRADIUS logs show the Cisco authenticates properly, and replies back. But still, the switch refuses to allow authentication via the web login. At that point, I gave in and deployed a Windows 2008 server to set up NPS. I set everything up that is shown in this guide, which is wrong btw. The Cisco SG200 will always try to authenticate with PAP, but the guide says to only use MSCHAP in the screenshots; it's wrong. I finally got it so the Windows 2008 server was accepting the requests and sending back full access. Guess what the Cisco SG200 did? Same thing, just refuses to work with any RADIUS server. Maybe the Cisco is authenticating correctly on the backend, but the web interface refuses to allow access. It's plain broken. If it's not broken, the documentation out in the world does not reflect how the system actually works today. Whatever the reason, working with this switch is beyond frustrating.

Ok, whatever, the whole purpose of this horrible journey was to get 802.1x set up and running. I am going to try and authenticate via Windows 802.1x and see what happens.

Ok, in the end, 802.1x + RADIUS works, no problem. I was able to get it to work on Windows Server, FreeRADIUS, and even the Synology RADIUS server. However, web interface login still refuses to work with RADIUS. Just will not work. I have concluded that this is due to either A) RADIUS is being used in some strange way that is not documented well by Cisco, or B) RADIUS web logins are broken on the SG200 switches. Unfortunately, as this switch is EOL, I assume Cisco will probably keep quiet about it. Tbh I don't really care, I really just needed RADIUS to work for 802.1x, which it is. So, oh well.
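The thread turns on two points that are hard to verify from the switch side alone: the SG200 sends PAP (so the server must accept PAP), and the reply must carry the Cisco "level 15" attributes. The following standalone probe is an added example, not code from the thread, from Cisco or from any of the RADIUS servers mentioned. It sends one RFC 2865 PAP Access-Request with the standard library only, verifies the Response Authenticator against the shared secret (a wrong secret is one cause of a silent reject that the server log still reports as "Login OK"), and decodes the Access-Accept to show whether Service-Type = Administrative and a Cisco-AVPair `shell:priv-lvl=15` came back. That this AVPair is the attribute the switch expects is an assumption taken from the "lvl15 codes" mentioned above; adjust it if your switch documentation names a different one.

```python
"""Minimal RADIUS PAP probe (added example). Usage:
   python radius_probe.py <server> <shared-secret> <user> <password>"""
import hashlib
import hmac
import secrets
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9, sub-attribute 1


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; what the server computes before checking PAP."""
    plain, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return plain.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AVPair string."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_request(user: str, password: str, secret: bytes, auth: bytes, ident: int = 0) -> bytes:
    attrs = encode_attr(ATTR_USER_NAME, user.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(payload: bytes) -> list:
    """Return (type, value) pairs; VSAs become (vendor, sub_type, sub_value)."""
    attrs, pos = [], 0
    while pos + 2 <= len(payload):
        t, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        value = payload[pos + 2:pos + length]
        if t == ATTR_VSA and len(value) >= 6:
            vendor, sub, spos = struct.unpack("!I", value[:4])[0], value[4:], 0
            while spos + 2 <= len(sub):
                st, sl = sub[spos], sub[spos + 1]
                attrs.append((t, (vendor, st, sub[spos + 2:spos + sl])))
                spos += max(sl, 2)
        else:
            attrs.append((t, value))
        pos += length
    return attrs


def parse_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Check the Response Authenticator (RFC 2865 3) before trusting the reply."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs_raw = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch: wrong shared secret or altered reply")
    return code, parse_attrs(attrs_raw)


def admin_level(attrs: list):
    """(priv-lvl from 'shell:priv-lvl=N' or None, Service-Type == Administrative)."""
    priv, admin = None, False
    for t, v in attrs:
        if t == ATTR_SERVICE_TYPE and struct.unpack("!I", v)[0] == SERVICE_TYPE_ADMINISTRATIVE:
            admin = True
        if t == ATTR_VSA and v[0] == CISCO_VENDOR_ID and v[1] == CISCO_AVPAIR:
            text = v[2].decode(errors="replace")
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return priv, admin


def build_access_accept(request: bytes, secret: bytes, attrs_raw: bytes) -> bytes:
    """Reply built the way a server would; used to exercise the parser offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs_raw))
    return header + hashlib.md5(header + request[4:20] + attrs_raw + secret).digest() + attrs_raw


def probe(server: str, secret: bytes, user: str, password: str, port: int = 1812, timeout: float = 3.0) -> dict:
    auth = secrets.token_bytes(16)
    req = build_access_request(user, password, secret, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(4096)
    code, attrs = parse_response(data, auth, secret)
    priv, admin = admin_level(attrs)
    return {"accepted": code == ACCESS_ACCEPT, "priv_lvl": priv, "service_type_admin": admin}


if __name__ == "__main__":
    print(probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

Run it from the same host or VLAN as the switch's management address so the server applies the same client entry and secret it uses for the switch; if `probe` reports `accepted: True` but `priv_lvl: None`, the server is authenticating the user without granting the level-15 attribute, which is a different fix from an authenticator mismatch or a PAP-versus-MSCHAP policy mismatch.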