Whilst the screen options are slightly different for setting up MS Network Policy Server, I have been able to configure the settings correctly to enable successful authentication.

Thank you for all your help.

Mike Lewis

Robert

Thanks for the link.

I have received a new SG 300 today and tried to setup radius auth according to the thread you linked but am unable to authenticate.

IASLog reports an IAS_SUCCESS for the login attempts but the switch refuses access to the web interface.

The switch log gives the following replies

"%AAA-W-REJECT: New https connection, source 10.1.1.112 destination 10.1.1.119  REJECTED"

The radius authentication works with other devices (juniper router) so there shouldn't be a problem there. Running firmware

1.1.1.8

no response here?  am i missing something?  should i have a ticket open or something?  i would really like to have radius auth work as it is supposed to...

I managed to do a few tests using the latest Firmware release ver 1.2.7.76 which is publicly available as of 9th of August (see here: https://supportforums.cisco.com/docs/DOC-25157 ).

I am happy to report that RADIUS authentication finally works as expected!

P.S. This procedure:

https://supportforums.cisco.com/message/3568766#3568766

mentioned by Robert is correct and can work with SF300 switches with Firmware release ver 1.0.0.27 (my bad, sorry for any confusion) but the IAS logs report that the connection result is Unknown so start and stop session time are useless. You have to upgrade the firmware in order to obtain accurate logging information.

Hi Brendan,

what you are missing is that you probably did not try enough like I did 3 months ago when preparing switch config templates for customer deployment rollout, using 1.1.2.0 fw. It took me 1,5 days of crazy investigating what the problem with AAA could be... And then it came - I had used only the "priv15" item in Access Accept and it worked!! So simple.. Anyway, admin guide whispers something about this, unfortunately misses "only" word there.

Reading that latest 1.2.7.76 fw is again buggy more than normal, I'm much thankful that my service setup is running even with 1.1.2.0.. which I recommend to you as well.

Rregards,

Peter

Brendan, whichever is the "top option" for the log in when you look at the gui, is what will work. So if you have Radius + local set, the Radius will work. If you move local as the top option, the local login will work but the Radius won't work. That is an expected behavior.

Dave Hornstein actually raised this issue quite a while back. He may have some further insight.

-Tom
Please rate helpful posts

Brendan, whichever is the "top option" for the log in when you look at  the gui, is what will work. So if you have Radius + local set, the  Radius will work. If you move local as the top option, the local login  will work but the Radius won't work. That is an expected broken behavior.

corrected...

Here is the documentation excerpt-

For the RADIUS server to grant access to the web-based switch configuration

utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.

User authentication occurs in the order that the authentication methods are

selected. If the first authentication method is not available, the next selected

method is used. For example, if the selected authentication methods are RADIUS

and Local, and all configured RADIUS servers are queried in priority order and do

not reply, the user is authenticated locally.

If an authentication method fails or the user has insufficient privilege level, the user

is denied access to the switch. In other words, if authentication fails at an

authentication method, the switch stops the authentication attempt; it does not

continue and does not attempt to use the next authentication method.

Of course the point of interest here is the second paragraph. The initial wording is the behavior you want. The second portion is very open for interpretation (I do agree it is somewhat ambiguous but consistent with the switch behavior). When I read the example and it says the Radius is busy or not responding then you will authenticate locally. Which seems fair enough. But what it doesn't say, is if you can use one or the other, but instead it seems based on preference failure.

-Tom
Please rate helpful posts

while i dont fully agree with the logic, i do see its reason and merits.  now that i have read that help section several times over, i see what its meant to do.  by requiring a failure of the auth service (not a reject of auth) to occur before descending to other auth types you avoid brute-force attacks.

Brendan, from what I recall we were told by the instructor at a Cisco security seminar that it is never a good idea to have RADIUS authentication as the only method because if RADIUS server fails you are effectively locked out of your devices. Using RADIUS is usually dictated by the security policy of an organization so it should be the default authentication and local authentication should be used as the fallback method and this is the logic of our current configuration.

Brendan,

If you indeed just send that "priv15" item only!.. you should have no issues with single AAA setup, or any combination with tt..If its about console problem, I have not tested setup of 1.AAA, 2. local.. as I use local method only for Console, and HTTP+SSH+Telnet with AAA+local. I can't help more here, I'm sorry.

i have the radius auth set for all access methods and the local auth for console only.  my logic is that if my radius server is down, then i have more to worry about then logging into my switch.  being that this is in my house, and not in a prod environment, affords me that flexibility.

the reason i called the auth logic broken was that radius returned a user not found error, not user auth failed.  i am used to systems or services that differentiate between the two and continue to attempt authentication until a method returns user auth pass/fail or all methods have been attempted.  i see how this is generally more processing time than say a switch might want to spend on auth, and keeping that in mind might be what i need to do.  general proccessing equipment (servers, PC's, etc) dont blink when having to do this kind of stuff, but purpose built gear with less horsepower have to pick and choose their battles better, so to speak.