cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2195
Views
10
Helpful
10
Replies

AAA server problem

santoshbajimaya
Level 1
Level 1

Hello everyone,

I am trying to setup a AAA server just to authenticate users to the AD for accessing the network infrastructure as switches and routers. I have configured my cisco switch (2960) for the AAA authentication and also setup a AAA server to communicate with my AD. Here is the configuration I am using in my cisco switch;

DISW06E#sh run | section aaa
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common

radius-server host <ip address> auth-port 1812 acct-port 1813 key <password>

I am using Wireshark for troubleshooting the packets. Earlier, I could not see packet transfer between switch and AAA server. Later, I discovered that my firewall was preventing it. So, I setup a policy for the traffic flow.

 

Now, I can see the switch communicating with the AAA server with radius protocol. But the access is always rejected, I always get Access-reject (3) from the AAA server. I am not sure why. 

Also, I don't how to confirm if my AAA server is communicating with my AD for credentials. I checked in my Firewall. I can see many from AAA server with protocols as ntp, Kerberos, ldap, ms-scheduler and so on.

 

I am confused how to troubleshoot it now. I have attached my wireshark capture for ease.

10 Replies 10

cmarva
Level 4
Level 4

Sounds like you need to check your policy flow on the radius server. Not sure what you're using for radius but that is the place to look at this point.

I am using a Windows Server 2016 and have setup AAA server role (NPS server for radius authentication.)

Hello,

 

the config on the router looks ok...what are you using (e.g. Windows 2012) ?

 

The link below shows how to properly set up the RADIUS server on 2012, not sure if that helps...

 

https://glazenbakje.wordpress.com/2013/08/31/microsoft-windows-server-2012-radius-setup/

Actually, I am using Windows Server 2016 and I have setup the AAA roles same as the document you provided. I am just too curious of the traffic in my firewall. 

 

I have hereby attached the screen shot of my firewall. Could you please suggest why am I getting all those different protocol traffic between AAA server and AD.

Hi,

 

Have you checked the Windows logs for NPS messages?

 

Thanks

John

**Please rate posts you find helpful**

I checked the windows logs as well. It shows just the NPS services is in running state. No further logs.

I found a solution to my problem. I am sure I tried it earlier when it did not work. But now it is really fine. It was with the "Connection Request Policy" setup. All I needed to do was to add a policy with the same client friendly name as I configured it in the Radius client.

Thanks for the update telling us that you have solved the issue and how you solved it. +5 for the explanation. These communities are excellent places to ask questions and to learn about networking. I hope to see you  continue to be active in the communities.

 

HTH

 

Rick

HTH

Rick

Actually I was experiencing exactly same problem on Server 2012 and Cisco Asa1010 and changing parameters in NAP to Client friendly name did the trick. Thank you very much for sharing your finding, it definitely helped me.

I am glad that you were able to find the solution for your problem in this discussion. Thank you for sharing your experience and for affirming the validity of the suggested solution. These communities are excellent places to ask questions and to learn about networking. I hope to see you  continue to be active in the communities.

HTH

Rick
Review Cisco Networking for a $25 gift card