Catalyst 3560 can't access radius-server in vrf

canalc
Level 1

Dear all:

My configuration:

radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
!
aaa new-model
!
aaa authentication dot1x default group radius local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
   ip add 10.1.1.1 255.255.255.255
   ip vrf forwarding CC
!

I CAN ping IP 10.138.44.57 (radius-server) in vrf CC, but the switch can't access the radius-server.

This is the debug logging:

aug 24  %RADIUS-4-RADIUS_DEAD: RADIUS server 10.138.44.57:1645,1646 is not responding.
aug 24 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.138.44.57:1645,1646 is being marked alive.

Accepted Solution

krahmani323
Level 3

Hello Chen,

The vrf keyword does not seem to be available at the "radius-server host" command.

In order for the dot1x authentication to work in the CC vrf, I think you need to associate the VRF under a newly created radius server group.

I have similar configurations on some 6500s and have seen the availability of the command on my lab 3560-X.

The configuration would be of this type =>

===========================================
aaa new-model
!
aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
!
aaa authentication dot1x default group TEST-VRF-RADIUS local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
 ip add 10.1.1.1 255.255.255.255
 ip vrf forwarding CC
!
! a plain "server" entry in the group takes its shared key from the global radius-server configuration
radius-server [host 10.138.44.57] key  ******
===========================================

If it is still not working feel free to post associated radius/aaa debugs from the 3560 and also check if some authentication packets are arriving on the radius server.

Best regards.

Karim


3 Replies


Dear krahmani323,

Thank you. It's OK.

Camarsi91
Level 1

Just wanted to help future people as some of the answers I found here were confusing.

This is all you need from the AAA perspective:

aaa new-model
!
aaa group server radius RADIUS-VRF-X
 server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
 ip vrf forwarding X
!
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated

Per VRF AAA reference:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168
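The following consolidates the two working configurations in this thread (Karim's dot1x group and Camarsi91's server-private login group) into one per-VRF AAA example for the original poster's VRF CC, with the verification commands a practitioner would run before declaring the server reachable. It is an editor's added example, not config posted by either participant; the group name RADIUS-VRF-CC, the shared-secret placeholder and the test account are assumptions, while the server address, ports, VRF and loopback come from the thread.

```cisco
! Added example, not the posters' own config.
! Assumptions: group RADIUS-VRF-CC, placeholder shared secret, test account testuser/testpass.
aaa new-model
!
! server-private keeps the key and the VRF binding inside the group, so no
! global "radius-server host" entry (which lives in the global routing table) is needed.
aaa group server radius RADIUS-VRF-CC
 server-private 10.138.44.57 auth-port 1645 acct-port 1646 key 0 SHARED-SECRET-PLACEHOLDER
 ip vrf forwarding CC
 ip radius source-interface Loopback1
!
! Set the VRF before the address: applying "ip vrf forwarding" to an interface
! that already has an address removes that address.
interface Loopback1
 ip vrf forwarding CC
 ip address 10.1.1.1 255.255.255.255
!
! Every method list that must reach the VRF-bound server points at the group.
! "group radius" would select the global server list, which is what produced the
! RADIUS_DEAD / RADIUS_ALIVE flapping in the original post.
aaa authentication dot1x default group RADIUS-VRF-CC local
aaa authentication login default group RADIUS-VRF-CC local
aaa authorization exec default group RADIUS-VRF-CC local if-authenticated
!
! Verification, from enable mode (assumed test account, not a real user):
!   test aaa group RADIUS-VRF-CC testuser testpass new-code
!   show aaa servers
!   debug radius
```

`test aaa group` sends a real Access-Request through the named group, so if the RADIUS server log shows nothing after running it the problem is routing, VRF binding or the source address rather than the credentials; `show aaa servers` reports the per-server dead/alive state and request counters. Two caveats: the `local` fallback in each method list is what keeps console and SSH access working while the server is unreachable, so keep it on at least one method list until the group is verified; and `key 7` strings such as the one pasted earlier in this thread are only obfuscated, not encrypted, so a type-7 RADIUS key posted publicly should be treated as disclosed and rotated.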
