08-23-2012 11:30 PM - edited 03-07-2019 08:30 AM
Dear all:
My configuration:
radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
!
aaa new-model
!
aaa authentication dot1x default group radius local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
ip add 10.1.1.1 255.255.255.255
ip vrf forwarding CC
!
I can ping IP 10.138.44.57 (radius-server) in vrf CC, but the switch can't access the radius-server.
This is the debug logging:
aug 24 %RADIUS-4-RADIUS_DEAD: RADIUS server 10.138.44.57:1645,1646 is not responding.
aug 24 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.138.44.57:1645,1646 is being marked alive.
08-24-2012 09:36 PM
Hello Chen,
The vrf keyword does not seem to be available at the "radius-server host" command.
In order for the dot1x authentication to work in the CC vrf, I think you need to associate the VRF under a newly created radius server group.
I have similar configurations on some 6500's and have seen the availability of the command on my lab 3560-X.
The configuration would be of this type =>
===========================================
aaa new-model
!
aaa group server radius TEST-VRF-RADIUS
server 10.138.44.57 auth-port 1645 acct-port 1646
ip vrf forwarding CC
!
aaa authentication dot1x default group TEST-VRF-RADIUS local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
ip add 10.1.1.1 255.255.255.255
ip vrf forwarding CC
!
radius-server [host 10.138.44.57] key ******
===========================================
If it is still not working, feel free to post the associated radius/aaa debugs from the 3560, and also check whether any authentication packets are arriving on the radius server.
Best regards.
Karim
08-29-2012 02:10 AM
Dear krahmani323
Thank you
It's OK
02-21-2014 10:43 PM
Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
!
!
aaa group server radius RADIUS-VRF-X
server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
ip vrf forwarding X
!
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168
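Added example, not part of any post in this thread: a small Python check for the mismatch discussed above, where `ip radius source-interface` names a VRF but an AAA method list points at `group radius` or at a server group without a matching `ip vrf forwarding`. The function name and the sample configs are constructed for illustration, and the check assumes the classic IOS syntax shown in the posts.

```python
import re

BUILTIN = ("radius", "tacacs+", "ldap")   # built-in method-list groups

def audit_radius_vrf(config: str) -> list[str]:
    """Flag AAA method lists whose RADIUS group cannot use the VRF-bound source interface."""
    src_vrfs = set(re.findall(r"^ip radius source-interface \S+ vrf (\S+)", config, re.M))
    groups, current = {}, None   # group name -> VRF (None = global routing table)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = None
        elif current and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            groups[current] = m.group(1)
        elif not re.match(r"server(-private)? ", line):
            current = None       # left the server-group sub-mode
    findings = []
    for method in re.findall(r"^aaa (?:authentication|authorization) .*$", config, re.M):
        for name in re.findall(r"\bgroup (\S+)", method):
            if name in BUILTIN:
                if name == "radius" and src_vrfs:
                    findings.append(f"'{method}': group radius has no VRF, source is in {sorted(src_vrfs)}")
            elif name not in groups:
                findings.append(f"'{method}': server group {name} is not defined")
            elif src_vrfs and groups[name] not in src_vrfs:
                findings.append(f"'{method}': group {name} is in VRF {groups[name]}, source is in {sorted(src_vrfs)}")
    return findings

# Constructed samples mirroring the question and the accepted answer (keys omitted).
BROKEN = """\
aaa authentication dot1x default group radius local
ip radius source-interface loopback1 vrf CC
interface loopback1
 ip vrf forwarding CC
"""
FIXED = """\
aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
aaa authentication dot1x default group TEST-VRF-RADIUS local
ip radius source-interface loopback1 vrf CC
interface loopback1
 ip vrf forwarding CC
"""

if __name__ == "__main__":
    print(audit_radius_vrf(BROKEN), audit_radius_vrf(FIXED) or "no findings")
```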