AAA authentication Failed with Steel Belted Radius Server

Vadim Semenov
Level 1

Dear Colleagues,

Could you please say why I get Access-Reject when I am trying to authenticate/authorise on the switch using a domain user account from AD, while at the same time authentication of wireless clients is OK?

Log from the switch:

Aug 31 07:28:41.635: AAA/AUTHEN/CONT (1117842455): continue_login (user='TestUser')
Aug 31 07:28:41.635: AAA/AUTHEN (1117842455): status = GETPASS
Aug 31 07:28:41.639: AAA/AUTHEN (1117842455): Method=Belted (radius)
Aug 31 07:28:41.639: RADIUS: ustruct sharecount=1
Aug 31 07:28:41.639: RADIUS: Initial Transmit tty1 id 59 10.10.10.10:1812, Access-Request, len 80
Aug 31 07:28:41.643:         Attribute 4 6 0A1A8170
Aug 31 07:28:41.643:         Attribute 5 6 00000001
Aug 31 07:28:41.643:         Attribute 61 6 00000005
Aug 31 07:28:41.643:         Attribute 1 9 44655278
Aug 31 07:28:41.643:         Attribute 31 15 31302E32
Aug 31 07:28:41.643:         Attribute 2 18 A543D65A
Aug 31 07:28:41.647: RADIUS: Received from id 59 10.10.10.10:1812, Access-Reject, len 20
Aug 31 07:28:41.651: RADIUS: saved authorization data for user 80D74DB0 at 0
Aug 31 07:28:41.651: AAA/AUTHEN (1117842455): status = FAIL
Aug 31 07:28:43.651: AAA/MEMORY: free_user (0x80D74DB0) user='TestUser' ruser='' port='tty1' rem_addr='10.10.10.11' authen_type=ASCII service=LOGIN priv=15
Aug 31 07:28:48.939: AAA: parse name=tty1 idb type=-1 tty=-1
Aug 31 07:28:48.939: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Aug 31 07:28:48.939: AAA/MEMORY: create_user (0x80D5A740) user='' ruser='' port='tty1' rem_addr='10.10.10.11' authen_type=ASCII service=LOGIN priv=15
Aug 31 07:28:48.939: AAA/AUTHEN/START (1398096274): port='tty1' list='Belted' action=LOGIN service=LOGIN
Aug 31 07:28:48.939: AAA/AUTHEN/START (1398096274): found list Belted
Aug 31 07:28:48.939: AAA/AUTHEN/START (1398096274): Method=Belted (radius)
Aug 31 07:28:48.943: AAA/AUTHEN (1398096274): status = GETUSER

3 Replies

Pat Kinnison
Level 1

This appears to be a failed authentication attempt. You are not even getting past the gate to be authorized.

#1 - The first step is: are you using the correct Username/Password?

#2 - Do you have the correct policy set up on the Radius side to allow the authentication to AD? A lot of times the Username is right and the Password is right, but the Radius server is rejecting the connection because the AD communication to the Radius server isn't correct. The switch just receives the failed authentication because Radius was unable to verify the communication.

The most interesting fact is that WiFi users successfully authenticate through Steel Belted Radius, but obviously through different protocols, like EAP-TLS. I just added a new host in Belted Radius which includes the IP address of the switch and a password which is the same between the switch and Radius.

If I create a user inside the Belted Radius database, the login attempt is successful, but that isn't actually what I want. The monitoring tools on that Radius are very poor: I can see only successful/unsuccessful attempts.

I checked the logs on Belted Radius:

10/01/2015 16:00:36 Unable to find user User1 with matching password
10/01/2015 16:00:36 Sent reject response

and on the AD server there is no information about User1's attempt to authenticate.

Do I need to set up separate settings for, for example, authentication of WiFi users and of users from the active network equipment?
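
An added example, not part of the original thread: a Python sketch that parses the Access-Request attribute lines copied from the switch debug in the question (timestamps trimmed), checks that they account for the full packet length, and reports which credential attribute the request carries. Attribute numbers follow RFC 2865/2869; the function and constant names are this example's own, and the debug prints only the first four bytes of each value.

```python
import ipaddress
import re

# Access-Request lines copied from the switch debug in the question (timestamps trimmed).
DEBUG = """\
RADIUS: Initial Transmit tty1 id 59 10.10.10.10:1812, Access-Request, len 80
        Attribute 4 6 0A1A8170
        Attribute 5 6 00000001
        Attribute 61 6 00000005
        Attribute 1 9 44655278
        Attribute 31 15 31302E32
        Attribute 2 18 A543D65A
"""

NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
         4: "NAS-IP-Address", 5: "NAS-Port", 31: "Calling-Station-Id",
         61: "NAS-Port-Type", 79: "EAP-Message"}
METHODS = {2: "PAP", 3: "CHAP", 79: "EAP"}  # attribute that carries the credential
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def decode(atype, length, prefix):
    """Decode the 4-byte value prefix the debug prints (length includes 2 header bytes)."""
    if atype == 4:
        return str(ipaddress.IPv4Address(prefix))
    if atype in (5, 61):
        return int.from_bytes(prefix, "big")
    if atype in (1, 31):
        text = prefix.decode("ascii", "replace")
        # Mark string values that the debug output cut short.
        return text + "..." if length - 2 > len(prefix) else text
    return prefix.hex()


def summarize(debug):
    """Return completeness check, credential method(s) and decoded attributes."""
    packet_len = int(re.search(r"Access-Request, len (\d+)", debug).group(1))
    attrs = [(int(t), int(l), bytes.fromhex(v))
             for t, l, v in re.findall(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})", debug)]
    return {
        "complete": HEADER_LEN + sum(l for _, l, _ in attrs) == packet_len,
        "methods": sorted({METHODS[t] for t, _, _ in attrs if t in METHODS}),
        "attrs": {NAMES.get(t, f"type-{t}"): decode(t, l, v) for t, l, v in attrs},
    }


if __name__ == "__main__":
    print(summarize(DEBUG))
```

On this capture the only credential attribute is User-Password (2), so the switch login is a PAP request, unlike the EAP methods the thread mentions for WiFi clients.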
