04-29-2024 07:22 AM
Hi all,
I'm configuring a 9200L switch to be a spare, just with its management interface Gi0/0 configured. It's up and running, and I can log in using a local account. However, RADIUS is not working; it seems that the switch is unable to contact the RADIUS servers:
004408: *Apr 29 11:19:33: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.22:1812,1813 is not responding.
004409: *Apr 29 11:19:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.30:1812,1813 is not responding.
004410: *Apr 29 11:20:05: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.50:1812,1813 is not responding.
004411: *Apr 29 11:20:05: %RADIUS-3-ALLDEADSERVER: Group ISE_GRP: No active radius servers found. Id 6.
I tried adding the ip radius source-interface command globally and inside the AAA group; no luck. Any ideas or references will be appreciated.
Thank you,
LeoC.
04-29-2024 07:27 AM
Share the switch's AAA and RADIUS server config.
MHM
04-29-2024 07:29 AM
What does your configuration look like for Gig 0/0?
Is it in the mgmt VRF?
ip radius source-interface xxx
Also, try pinging the RADIUS server, sourcing from that interface.
Quick question: is this TACACS or RADIUS (802.1X)?
04-29-2024 07:46 AM
@MHM Cisco World and @balaji.bandi Here is the AAA config. RADIUS (via ISE) is used for authentication and authorization.
SPARESw01#sh run aaa
!
aaa authentication login default local group ISE_GRP
aaa authentication login netctrl group ISE_GRP local
aaa authorization exec netctrl group ISE_GRP local
aaa authorization network default local group ISE_GRP
username xxxx privilege 15 password yyyy
!
!
radius server ISE_SRV1
 address ipv4 10.10.10.22 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key xxxx
!
radius server ISE_SRV2
 address ipv4 10.10.10.50 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key xxxx
!
radius server ISE_SRV3
 address ipv4 10.10.10.50 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key xxxx
!
!
aaa group server radius ISE_GRP
 server name ISE_SRV1
 server name ISE_SRV2
 server name ISE_SRV3
 ip radius source-interface GigabitEthernet0/0
 deadtime 10
!
!
!
!
aaa new-model
aaa session-id common
!
!
ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf
SPARESw01#sh run int gi0/0
Building configuration...
Current configuration : 128 bytes
!
interface GigabitEthernet0/0
 description Management OOB
 vrf forwarding Mgmt-vrf
 ip address 10.1.1.240 255.255.255.0
end
SPARESw01#sh run | i route
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.1.1.1 permanent name Default_OOB
SPARESw01#ping vrf Mgmt-vrf 10.10.10.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The line "ip radius source-interface GigabitEthernet0/0" under the AAA group is the last one I added to test; no luck.
04-29-2024 07:48 AM
ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf
04-29-2024 08:01 AM
It finally worked, with this config:
!
aaa group server radius ISE_GRP
 server name ISE_SRV1
 server name ISE_SRV2
 server name ISE_SRV3
 ip vrf forwarding Mgmt-vrf
 deadtime 10
!
Thank you all for your guidance!
LeoC
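
An offline check for the mismatch this thread ended on, as an added example that is not part of the original posts or of any Cisco tooling: it reads show run text and flags a RADIUS server group whose VRF does not match the VRF of its source interface. The function names and the sample configuration are constructed for illustration, and the parser assumes "!" or a new block header ends each block, as in show run output.

```python
import re

HEADER = re.compile(r"^(interface|aaa group server radius) (\S+)")
VRF, SRC = r"(?:ip )?vrf forwarding (\S+)", r"ip radius source-interface (\S+)"

def parse(config):
    """Split show-run text into {(kind, name): [sub-commands]}; key None holds global lines."""
    blocks, key = {None: []}, None
    for line in (l.strip() for l in config.splitlines()):
        m = HEADER.match(line)
        if m:
            key = (m.group(1), m.group(2))
            blocks[key] = []
        elif line in ("!", "end", ""):
            key = None  # assumption: "!" closes a block, as in show run output
        else:
            blocks[key].append(line)
    return blocks

def first(pattern, lines):
    """Return group(1) of the first line that matches pattern, or None."""
    return next((m.group(1) for m in (re.match(pattern, l) for l in lines) if m), None)

def check_radius_vrf(config):
    """Flag RADIUS groups whose VRF differs from the VRF of their source interface."""
    blocks = parse(config)
    intf_vrf = {k[1]: first(VRF, v) for k, v in blocks.items() if k and k[0] == "interface"}
    global_src = first(SRC, blocks[None])
    findings = []
    for k, body in blocks.items():
        if not k or k[0] != "aaa group server radius":
            continue
        src = first(SRC, body) or global_src       # group-level setting wins over global
        want, have = intf_vrf.get(src), first(VRF, body)
        if want and have != want:
            findings.append(f"{k[1]}: source {src} is in VRF {want}, group VRF is {have or 'not set'}")
    return findings

# Constructed sample modelled on the configuration posted in this thread.
BASE = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
!
ip radius source-interface GigabitEthernet0/0 vrf Mgmt-vrf
aaa group server radius ISE_GRP
 server name ISE_SRV1
{vrf_line} deadtime 10
"""
FAILING, WORKING = BASE.format(vrf_line=""), BASE.format(vrf_line=" ip vrf forwarding Mgmt-vrf\n")
print(check_radius_vrf(FAILING))
```

The check only fires when a source interface is configured and that interface is in a VRF; a group with no source interface at all is not evaluated.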