Catalyst 3850 Radius Configuration issue

Samer.Ahmed
Level 1

Hello,

I am having an issue setting up my Windows Server RADIUS with a Cisco 3850. I am using NAS Prompt with one AD group to authenticate admins to the network, and this is my configuration. When I try to log in, the switch is not authenticating the user.

 

aaa group server radius IAS
server-private 192.168.1.100 auth-port 1645 acct-port 1646 key ***
server-private 192.168.1.100 auth-port 1812 acct-port 1813 key ***
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common

 

[screenshot: 2020-08-17 12_41_24-10.0.110.28 - Remote Desktop Connection.png]


4 Replies

Seb Rupik
VIP Alumni

Hi there,

You need to change the sequence of your AAA methods. Currently it checks the local DB first. Since local is always available it never falls back to RADIUS.

 

!
aaa authentication login userAuthentication group IAS local
aaa authorization exec userAuthorization group IAS local if-authenticated
aaa authorization network userAuthorization group IAS local
!

 

...put local last.

 

cheers,

Seb.
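The ordering rule Seb describes, modelled as an added Python example (this is not code from the thread and not Cisco code). It encodes the documented IOS behaviour that a method list moves on to the next method only when the current one returns an error (no answer from the server), never when it returns a reject, so whichever method answers first decides the login. The user databases, account names and passwords are constructed for the example; the local database is assumed to hold one emergency account, which is what makes `local` always able to answer.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (server unreachable, timeout)


# Constructed databases (assumptions): one local emergency account on the
# switch, and the AD user that only the RADIUS server (group IAS) knows about.
LOCAL_USERS = {"localadmin": "Local-Pw-1"}
RADIUS_USERS = {"samer.ahmed": "AD-Pw-1"}


def local_method(user, password, radius_up):
    """The local database is always reachable: a miss is a reject, never an error."""
    if LOCAL_USERS.get(user) == password:
        return Result.PASS
    return Result.FAIL


def radius_method(user, password, radius_up):
    """group IAS: no answer from 192.168.1.100 is an ERROR, an Access-Reject is a FAIL."""
    if not radius_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL


METHODS = {"local": local_method, "group IAS": radius_method}


def authenticate(method_list, user, password, radius_up=True):
    """Evaluate an IOS-style method list. Returns (Result, name of the deciding method).

    IOS consults the next method only when the current one returns an error;
    a PASS or FAIL ends the evaluation, so the first method that answers decides.
    """
    for name in method_list:
        result = METHODS[name](user, password, radius_up)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None  # every method errored: the login is denied


if __name__ == "__main__":
    original = ["local", "group IAS"]   # the order in the question
    fixed = ["group IAS", "local"]      # the order Seb suggests
    print("original order, AD user:", authenticate(original, "samer.ahmed", "AD-Pw-1"))
    print("fixed order, AD user:   ", authenticate(fixed, "samer.ahmed", "AD-Pw-1"))
    print("fixed order, RADIUS down, local admin:",
          authenticate(fixed, "localadmin", "Local-Pw-1", radius_up=False))
```

With `local` first, the AD user is rejected by the local database and the RADIUS group is never asked; with `group IAS` first, the same user passes, and the local account is still reachable when the RADIUS server does not answer, which is the whole point of keeping `local` as the last method.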

Thank you for the help, it is still not working, as you can see:

[screenshot: 2020-08-17 13_40_29-10.0.96.45 - PuTTY.png]

Accepted Solution

Hello,

It looks like the NAS is accessed, because it is asking for a username. Check whether it is not simply a password problem in the AV pair configuration. What does the rest of the configuration look like? It should be something like the below:

aaa new-model
!
! Server group referenced by every method list below
aaa group server radius IAS
server-private 192.168.1.100 auth-port 1645 acct-port 1646 key ***
server-private 192.168.1.100 auth-port 1812 acct-port 1813 key ***
!
! RADIUS first; local is consulted only when the group does not answer
aaa authentication login userAuthentication group IAS local
aaa authorization exec userAuthorization group IAS local if-authenticated
aaa authorization network userAuthorization group IAS local
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.100 auth-port 1645 acct-port 1646 key ***
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key ***
!
! Source address must match the RADIUS client entry defined on the server
ip radius source-interface x
!
! A named method list does nothing until it is applied to the lines
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
! telnet carries the credentials in clear text; keep it only while testing
transport input ssh telnet
!
line vty 5 15
authorization exec userAuthorization
login authentication userAuthentication
transport input ssh telnet
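To separate a switch-side problem from a server-side one, it helps to see what actually crosses the wire between the switch (the NAS) and the RADIUS server. The following is an added Python example, not code from the thread, from Cisco or from Microsoft: it builds an RFC 2865 Access-Request with the User-Password attribute hidden the PAP way (MD5 of shared secret plus Request Authenticator, XORed block by block) and Service-Type set to NAS-Prompt, lets a toy server decode it and answer, and then has the NAS side check the Response Authenticator. The shared secrets, the NAS address 192.168.1.10, the account and its password are constructed for the example; the server address 192.168.1.100 is the one from the thread. No packet is sent, so it runs offline.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_NAS_PROMPT = 7  # the Service-Type value an NPS "NAS Prompt" condition matches


def pap_encode(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: pad to a 16-byte multiple, XOR each block
    with MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(cipher, secret, authenticator):
    """Server side of pap_encode; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob):
    """Attribute type -> list of raw values; rejects a malformed length."""
    out, i = {}, 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.setdefault(t, []).append(blob[i + 2:i + length])
        i += length
    return out


def build_access_request(ident, secret, user, password, nas_ip, authenticator=None):
    """What the switch sends to 192.168.1.100; returns (packet, Request Authenticator)."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(reply, request_auth, secret):
    """NAS side: trust a reply only if its Response Authenticator matches our secret."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # wrong shared secret or forged reply: same as no answer at all
    return code, ident, parse_attrs(attrs)


# Constructed server-side account (assumption), standing in for the AD group
SERVER_ACCOUNTS = {"samer.ahmed": "AD-Pw-1"}


def exchange(nas_secret, server_secret, user, password, authenticator=None):
    """Both sides offline: NAS builds the request, a toy server answers, NAS verifies.
    Returns verify_reply()'s result, i.e. None when the reply cannot be trusted."""
    request, auth = build_access_request(7, nas_secret, user, password, "192.168.1.10", authenticator)
    # server side: everything it knows comes from the wire plus its own secret
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    name = attrs[USER_NAME][0].decode(errors="replace")
    pw = pap_decode(attrs[USER_PASSWORD][0], server_secret, req_auth)
    expected = SERVER_ACCOUNTS.get(name)
    ok = expected is not None and expected.encode() == pw
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)) if ok else b""
    reply = build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, reply_attrs, req_auth, server_secret)
    # back on the NAS
    return verify_reply(reply, auth, nas_secret)
```

Three runs are worth comparing: matching secrets and the right password give an Access-Accept (code 2); matching secrets and a wrong password give an Access-Reject (code 3), which means the server was reached and answered; a shared secret that differs between the switch's `key` and the server's client entry makes the server decode garbage and the switch discard the reply, which from the switch's side looks exactly like a server that never answered and is why the method list then falls through to `local`.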

Fixed, it was a server issue. Thank you.
