02-20-2012 01:49 AM
RADIUS authentication SF300-24P
We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s, 3560s, 3750s, AP1231Gs, etc.) and these work fine, so we know the RADIUS server is working.
We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply, although we can see that the RADIUS server is accepting the username and password being sent, the switch says “authentication failed” when it receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
We have upgraded the switches to the latest firmware, 1.1.2.0. Via the console it seems to have a very cut-down IOS version, so we cannot use the typical CISCO command set to configure RADIUS as we normally would. Looking at the web GUI, there seem to be a number of options missing, including the Accounting port. When debugging is switched on there is no indication to say that any of the settings have been misconfigured.
Any advice you could offer would be gratefully received.
Mike Lewis
02-20-2012 07:25 AM
Hello Mike,
On the latest firmware there is a CLI which is similar to the IOS but is not identical. It may take time getting used to using it. As for the RADIUS configuration, I can guide you to the configuration settings using the GUI. You will find it under Security > 802.1x > Properties.
02-20-2012 11:38 PM
Hi Robert,
Thank you for your reply. We have already attempted to set up RADIUS-based authentication via the GUI using the guide. We added our RADIUS server with the appropriate key string, and then I ensured that RADIUS authentication was selected under the Management Access screen, where it is listed above Local.
When trying to log in via Telnet, Console or SSH, they all report back “authentication failed” when a correct username and password combination is used; if an invalid combination is used, it simply asks for the username again with no warning or error prompt.
We have captured the data packets from the RADIUS server and I can confirm that the user is successfully authenticated with “Access-Accept” and the parameters of Cisco_AVPair: shell:priv-lvl=15 are passed.
Is there something we are missing, another setting somewhere?
Many thanks,
Mike Lewis
02-21-2012 02:53 AM
We have the exact same problem with an SF 300-48P switch and Microsoft IAS RADIUS (running on 2003 Server). Other Cisco devices authenticate without problems, but the SF300 reports an IAS authentication failure. Our firmware version is 1.0.0.27 and we do plan to upgrade to the latest firmware, but after reading your post I don't think this will help since you have the same issue in 1.1.2.0.
02-21-2012 04:30 AM
I have tested all versions of firmware and it would appear none of them work. I wonder if this feature works at all?
Mike Lewis
02-21-2012 10:54 AM
Same problem on SG300-28 with firmware 1.1.2.0
Did a test yesterday.
I am using FreeRADIUS 2.1.12
radius.log tells that username/password is correct but I do not get access to the CISCO GUI.
02-21-2012 11:19 AM
Hello everyone,
Thank you very much for the information. From what I can tell it is configured correctly. In order to better assist with this issue I suggest giving us a call at the support center and creating a case. If there is a problem with the feature we would really like to know what is happening so we can fix it. Below is a link to contact us.
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Please refer to this thread as well. Thank you!
02-22-2012 01:16 AM
I just spoke to Cisco SBSC (Small Business Support Center). I could not open a case as I was told that RADIUS authentication is not supported. When I asked the engineer about the suggested course of action I got the reply that we must wait for a new firmware which will support RADIUS, but no timeframe was given. I must say that I am really disappointed if this is the official position of Cisco.
02-22-2012 02:02 AM
I have also logged a support case with CISCO SBSC, they said they will look into the issue and get back to me. I don’t believe it is acceptable to say that RADIUS authentication is not supported as both the documentation and the GUI give clear indications that the switch supports this feature. I will let you know once I hear back.
Mike Lewis
02-22-2012 06:05 AM
Thank you for the update.
Costas, the admin guide and data sheet for the Sx300 series switch do say it supports RADIUS authentication. I am a bit disappointed that you would be told otherwise.
Mike, please message me the case number you have gotten and I will look into it for you.
02-22-2012 07:09 AM
Hi Robert,
I have sent you the requested case number.
Mike Lewis
02-22-2012 10:56 AM
Hi Mike,
Hi Costas,
I was told something similar when I asked for the accounting option, which is documented in the datasheet, was visible in the GUI on firmware 1.0.x and disappeared in firmware 1.1.2.0. Now they are working on the problem and I expect feedback in the middle of March about that.
I really don't know for sure why there are so many problems and promised features which are not supported on the SG200/300 series, and why Cisco isn't able to fix these bugs in time, because the switches' release date is over 1 year in the past.
02-22-2012 02:33 PM
Alexander,
The accounting option is being looked at in an upcoming firmware. Not sure on the ETA.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
02-22-2012 02:43 PM
Costas,
Please provide me your case number so I can review the situation why this answer was given.
Thanks,
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - Security
02-22-2012 02:05 PM
Hello everyone!
We have been checking and encountered the same issues. We found the following post from another user that, when tested, did help resolve the problem.
Please see the following:
https://supportforums.cisco.com/message/3568766#3568766
I hope this information helps you!