Catalyst 3560 can't access radius-server in vrf

Dear all:

My configuration:

    radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
    !
    aaa new-model
    !
    aaa authentication dot1x default group radius local
    !
    ip radius source-interface loopback1 vrf CC
    !
    interface loopback1
     ip add 10.1.1.1 255.255.255.255
     ip vrf forwarding CC
    !

I can ping 10.138.44.57 (the radius-server) in vrf CC, but the switch can't access the radius-server.

This is the debug logging:

    aug 24  %RADIUS-4-RADIUS_DEAD: RADIUS server 10.138.44.57:1645,1646 is not responding.
    aug 24 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.138.44.57:1645,1646 is being marked alive.

Accepted Solutions
Participant

Hello Chen,

The vrf keyword does not seem to be available at the "radius-server host" command.

In order for the dot1x authentication to work in the CC vrf, I think you need to associate the VRF under a newly created radius server group.

I have similar configurations on some 6500's and have seen the availability of the command on my lab 3560-X.

The configuration would be of this type:

===========================================
aaa new-model
!
aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
!
aaa authentication dot1x default group TEST-VRF-RADIUS local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
 ! assign the VRF first: placing an interface in a VRF removes any IP address already configured on it
 ip vrf forwarding CC
 ip address 10.1.1.1 255.255.255.255
!
radius-server [host 10.138.44.57] key  ******
===========================================

If it is still not working, feel free to post the associated radius/aaa debugs from the 3560, and also check whether any authentication packets are arriving on the radius server.

Best regards.

Karim

Beginner

Dear krahmani323

Thank you

It's OK

Beginner

Just wanted to help future people as some of the answers I found here were confusing.

This is all you need from the AAA perspective:

    aaa new-model
    !
    aaa group server radius RADIUS-VRF-X
     server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
     ip vrf forwarding X
    !
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group RADIUS-VRF-X local if-authenticated

Per VRF AAA reference:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168
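
An added example, not part of any post in this thread and not Cisco tooling: a small Python check over a saved running-config that flags AAA method lists pointing at the built-in `radius` group, at an undefined server group, or at a group that lacks the VRF named in `ip radius source-interface`. It assumes running-config layout (sub-commands indented by a space) and RADIUS-only server groups; `audit`, `BROKEN`, `FIXED` and `BUILTIN` are names made up for this example.

```python
import re

# Constructed input: the original poster's AAA lines, in running-config layout.
BROKEN = """\
radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
aaa new-model
aaa authentication dot1x default group radius local
ip radius source-interface loopback1 vrf CC
"""
# Constructed input: the accepted answer's server group bound to VRF CC.
FIXED = """\
aaa new-model
aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
aaa authentication dot1x default group TEST-VRF-RADIUS local
ip radius source-interface loopback1 vrf CC
"""
BUILTIN = {"radius", "tacacs+"}  # predefined group names, never user-defined

def audit(config):
    """Return findings for AAA method lists that cannot use the RADIUS VRF."""
    groups, current, vrfs, methods = {}, None, set(), []
    for line in config.splitlines():
        if current and line.startswith(" "):  # sub-command of the open server group
            m = re.match(r"\s+ip vrf forwarding (\S+)", line)
            if m:
                groups[current] = m.group(1)
            continue
        current = None
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = None  # no VRF seen yet for this group
        elif m := re.match(r"ip radius source-interface \S+ vrf (\S+)", line):
            vrfs.add(m.group(1))
        elif line.startswith(("aaa authentication", "aaa authorization", "aaa accounting")):
            methods += [(line, g) for g in re.findall(r"\bgroup (\S+)", line)]
    findings = []
    for line, g in methods:
        if g in BUILTIN:
            if g == "radius" and vrfs:
                findings.append(f"'{line}': built-in group radius is not bound to VRF {sorted(vrfs)}")
        elif g not in groups:
            findings.append(f"'{line}': server group {g} is not defined")
        elif vrfs and groups[g] not in vrfs:
            findings.append(f"'{line}': group {g} has VRF {groups[g]}, source-interface uses {sorted(vrfs)}")
    return findings
```

`audit(BROKEN)` returns one finding for the dot1x method list; `audit(FIXED)` returns an empty list.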
