09-21-2012 05:14 AM - edited 03-07-2019 09:00 AM
Hi all. I'm having a strange problem on a 6509 switch. I am trying to use a TekRADIUS Windows 2008 server to AAA authenticate switch admin logins.
The RADIUS server and 6509 loop0 are in a management VRF "netman". I can happily ping to and from the server and loopback0 interface without issue. I have also tested the RADIUS server account using RadiusNT on a workstation. I get an accept reply with the following variables:
shell:priv-lvl=15
NAS-Prompt
Here are the relevant parts of my config as far as I can see:
aaa new-model
aaa group server radius SRADIUS
server-private 192.168.1.101 auth-port 1812 acct-port 1813 key cisco
ip vrf forwarding netman
ip radius source-interface Loopback0
!
aaa authentication login default group SRADIUS local
aaa authorization exec default group SRADIUS local
aaa accounting system default start-stop group SRADIUS
!
aaa session-id common
!
interface Loopback0
ip vrf forwarding netman
ip address 172.16.17.1 255.255.255.255
Here is a brief overview of my IP setup:
6509 Loop0 - 172.16.17.1 (Radius Source)
Radius Server - 192.168.1.101 (TekRadius)
6509 SVI Interface - 192.168.1.252 (LAN Interface) (also in netman VRF)
Using Wireshark I can see the RADIUS communication to and from the correct IP addresses. However, why do I see "destination unreachable"? There are no ACLs or firewalls between the switch and the RADIUS server.
1001 132.049236000 172.16.17.1 192.168.1.101 RADIUS 130 Access-Request(1) (id=219, l=88)
1002 132.062993000 192.168.1.101 172.16.17.1 RADIUS 100 Access-Accept(2) (id=219, l=58)
1003 132.063590000 192.168.1.252 192.168.1.101 ICMP 70 Destination unreachable (Port unreachable)
Here's a RADIUS debug from the 6509:
9w0d: RADIUS: Pick NAS IP for u=0x52001320 tableid=0 cfg_addr=172.16.17.1
9w0d: RADIUS: ustruct sharecount=1
9w0d: Radius: radius_port_info() success=1 radius_nas_port=1
9w0d: RADIUS(00000000): Send Access-Request to 192.168.1.101:1812 id 21645/243,len 77
9w0d: RADIUS: authenticator FF BC 62 A7 54 4F 0E 7F - 3E E5 8D 15 BB 2D AE 16
9w0d: RADIUS: NAS-IP-Address [4] 6 172.16.17.1
9w0d: RADIUS: NAS-Port [5] 6 1
9w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
9w0d: RADIUS: User-Name [1] 7 "cisco"
9w0d: RADIUS: Calling-Station-Id [31] 14 "192.168.2.10"
9w0d: RADIUS: User-Password [2] 18 *
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No valid server found. Trying any viable server
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No response from (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: No response from server
9w0d: RADIUS: Pick NAS IP for u=0x52001320 tableid=0 cfg_addr=172.16.17.1
9w0d: RADIUS: ustruct sharecount=1
9w0d: Radius: radius_port_info() success=1 radius_nas_port=1
9w0d: RADIUS(00000000): Send Access-Request to 192.168.1.101:1812 id 21645/244,len 77
9w0d: RADIUS: authenticator F6 22 C0 76 D3 B5 50 1E - 4A 56 38 F9 DA 73 38 93
9w0d: RADIUS: NAS-IP-Address [4] 6 172.16.17.1
9w0d: RADIUS: NAS-Port [5] 6 1
9w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
9w0d: RADIUS: User-Name [1] 7 "cisco"
9w0d: RADIUS: Calling-Station-Id [31] 14 "192.168.2.10"
9w0d: RADIUS: User-Password [2] 18 *
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/244
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/244
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/244
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No valid server found. Trying any viable server
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No response from (192.168.1.101:1812,1813) for id 21645/244
9w0d: RADIUS: No response from server
9w0d: RADIUS: Pick NAS IP for u=0x52001320 tableid=0 cfg_addr=172.16.17.1
9w0d: RADIUS: ustruct sharecount=1
9w0d: Radius: radius_port_info() success=1 radius_nas_port=1
9w0d: RADIUS(00000000): Send Access-Request to 192.168.1.101:1812 id 21645/245,len 77
9w0d: RADIUS: authenticator 27 4F 5F 46 A5 5F D7 40 - 0D 0F 22 9C 44 79 BD F1
9w0d: RADIUS: NAS-IP-Address [4] 6 172.16.17.1
9w0d: RADIUS: NAS-Port [5] 6 1
9w0d: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
9w0d: RADIUS: User-Name [1] 7 "cisco"
9w0d: RADIUS: Calling-Station-Id [31] 14 "192.168.2.10"
9w0d: RADIUS: User-Password [2] 18 *
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/245
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/245
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/245
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No valid server found. Trying any viable server
9w0d: RADIUS: Tried all servers.
9w0d: RADIUS: No response from (192.168.1.101:1812,1813) for id 21645/245
9w0d: RADIUS: No response from server
9w0d: RADIUS: Pick NAS IP for u=0x52001320 tableid=0 cfg_addr=172.16.17.1
What am I missing?
Thanks very much for any help guys
Cheers
Matt
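Added diagnostic example for the symptom in the post above; this is not the poster's code or anything from Cisco. It parses Wireshark packet-summary rows and IOS "debug radius" lines in the formats shown, pairs each Access-Request with its response by RADIUS id, and flags a response that is immediately followed by an ICMP port-unreachable sent back to the server from an address other than the one the request was sourced from (loopback vs. SVI here). It also counts retransmits and "No response" per request id from the debug output. Function names and the extra sample rows (id=220, id 21645/246) are this example's own constructions.

```python
"""Added diagnostic example for the RADIUS-over-VRF symptom in the post above
(not the poster's or Cisco's code). It parses Wireshark packet-summary rows and
IOS 'debug radius' lines in the formats shown, and flags RADIUS responses that
were answered with an ICMP port-unreachable from an address other than the one
the request was sourced from. Function names and the extra sample rows
(id=220, id 21645/246) are this example's own constructions."""
import re
from dataclasses import dataclass

# One Wireshark summary row: frame, time, src, dst, protocol, length, info.
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$")
RADIUS_ID_RE = re.compile(r"\(id=(?P<id>\d+),")
# IOS 'debug radius' lines that carry a request id such as 21645/243.
DEBUG_SEND_RE = re.compile(r"Send Access-Request to (?P<server>[\d.]+:\d+) id (?P<id>[\d/]+)")
DEBUG_RETX_RE = re.compile(r"Retransmit to \(.*\) for id (?P<id>[\d/]+)")
DEBUG_NORESP_RE = re.compile(r"No response from \(.*\) for id (?P<id>[\d/]+)")


@dataclass
class Packet:
    frame: int
    time: float
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(lines):
    """Parse Wireshark summary rows; lines that do not match are ignored."""
    packets = []
    for line in lines:
        if m := SUMMARY_RE.match(line):
            packets.append(Packet(int(m["frame"]), float(m["time"]), m["src"],
                                  m["dst"], m["proto"], m["info"]))
    return packets


def find_rejected_responses(packets, window=1.0):
    """Flag RADIUS responses followed within `window` seconds by an ICMP
    port-unreachable sent back to the RADIUS server. `source_mismatch` is True
    when the ICMP error comes from a different address than the request did,
    i.e. the reply reached the NAS side but nothing there accepted it on that
    address/port."""
    findings, pending, last = [], {}, None   # pending: radius id -> request
    for pkt in packets:
        if pkt.proto == "RADIUS" and (m := RADIUS_ID_RE.search(pkt.info)):
            rid = int(m["id"])
            if "Access-Request" in pkt.info:
                pending[rid] = pkt
            elif rid in pending:
                last = (rid, pending.pop(rid), pkt)   # response awaiting a possible ICMP error
        elif (pkt.proto == "ICMP" and "Port unreachable" in pkt.info and last
              and pkt.dst == last[2].src and pkt.time - last[2].time <= window):
            rid, req, _ = last
            findings.append({"radius_id": rid, "request_src": req.src, "icmp_src": pkt.src,
                             "icmp_frame": pkt.frame, "source_mismatch": pkt.src != req.src})
            last = None
    return findings


def summarize_debug(lines):
    """Per request id: server tried, retransmit count, and whether the NAS
    logged 'No response' (gave up) for that id."""
    stats = {}

    def entry(rid):
        return stats.setdefault(rid, {"server": None, "retransmits": 0, "timed_out": False})

    for line in lines:
        if m := DEBUG_SEND_RE.search(line):
            entry(m["id"])["server"] = m["server"]
        elif m := DEBUG_RETX_RE.search(line):
            entry(m["id"])["retransmits"] += 1
        elif m := DEBUG_NORESP_RE.search(line):
            entry(m["id"])["timed_out"] = True
    return stats


# Constructed sample capture: the three rows from the post plus one healthy
# exchange (id=220) that draws no ICMP error.
SAMPLE_CAPTURE = """\
1001 132.049236000 172.16.17.1 192.168.1.101 RADIUS 130 Access-Request(1) (id=219, l=88)
1002 132.062993000 192.168.1.101 172.16.17.1 RADIUS 100 Access-Accept(2) (id=219, l=58)
1003 132.063590000 192.168.1.252 192.168.1.101 ICMP 70 Destination unreachable (Port unreachable)
1010 140.100000000 172.16.17.1 192.168.1.101 RADIUS 130 Access-Request(1) (id=220, l=88)
1011 140.110000000 192.168.1.101 172.16.17.1 RADIUS 100 Access-Accept(2) (id=220, l=58)
"""

# Constructed sample debug: one id from the post's output, one with no retransmits.
SAMPLE_DEBUG = """\
9w0d: RADIUS(00000000): Send Access-Request to 192.168.1.101:1812 id 21645/243,len 77
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: Retransmit to (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS: No response from (192.168.1.101:1812,1813) for id 21645/243
9w0d: RADIUS(00000000): Send Access-Request to 192.168.1.101:1812 id 21645/246,len 77
"""
```

Run `find_rejected_responses(parse_summary(SAMPLE_CAPTURE.splitlines()))` and `summarize_debug(SAMPLE_DEBUG.splitlines())` on a Wireshark summary export and a debug capture from the NAS; a finding with `source_mismatch` True alongside a debug entry showing retransmits and `timed_out` for the same exchange is the combination to look for, because together they show the server answered but the NAS never processed the reply on the address it expected.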
09-24-2012 07:47 AM
What is the device at IP 192.168.1.252?
09-24-2012 11:13 AM
Hi Dominic,
It's the 6509's VLAN SVI for the management (netman VRF) network. I don't understand why I'm seeing destination unreachable from that particular interface? It's almost like the switch is still sourcing some traffic from the local SVI even though I have specified Loop0 as the RADIUS source, and therefore the RADIUS server is returning the port as closed?
I'm looking into reloading the switch but it's not as easy as it sounds!
Thanks a lot for your help
Matt
09-24-2012 11:42 AM
So... on the SVI interface you have no ACL, because you don't receive a message that the packet was filtered. Are you using a pair of 6509s with HSRP or another first-hop protocol?
09-24-2012 12:02 PM
There is no ACL for sure. But I am using GLBP; it sounds like you think it may be causing the problems? We have a pair of 6509s.
Thanks again
Matt
09-24-2012 12:12 PM
Can you make a ping from your loopback to the RADIUS server?
09-24-2012 12:38 PM
Certainly can:
Core_6509A#ping vrf netman 192.168.1.101 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
Packet sent with a source address of 172.16.17.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Core_6509A#
Matt
09-24-2012 06:12 PM
Hi Matthew,
Could you post show run | inc radius?
09-24-2012 09:33 PM
Is there any firewall placed between the 6500 switch and the RADIUS server? If yes, you need to open RADIUS ports 1812 and 1813 (TCP and UDP) on that firewall (bidirectional).