08-17-2020 02:44 AM
Hello,
I am having an issue with setting up my Windows Server RADIUS with a Cisco 3850. I am using NAS-Prompt with one AD group to authenticate admins into the network, and this is my configuration. When I try to log in, the switch is not authenticating the user.
aaa group server radius IAS
server-private 192.168.1.100 auth-port 1645 acct-port 1646 key ***
server-private 192.168.1.100 auth-port 1812 acct-port 1813 key ***
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
Solved! Go to Solution.
08-17-2020 04:59 AM
Hello,
It looks like the NAS is accessed, because it is asking for a username. Check if it is not simply a password problem in the AV pair configuration. What does the rest of the configuration look like? It should be something like below:
aaa new-model
!
aaa group server radius IAS
server-private 192.168.1.100 auth-port 1645 acct-port 1646 key ***
server-private 192.168.1.100 auth-port 1812 acct-port 1813 key ***
aaa authentication login userAuthentication group IAS local
aaa authorization exec userAuthorization group IAS local if-authenticated
aaa authorization network userAuthorization group IAS local
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.100 auth-port 1645 acct-port 1646 key ***
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key ***
!
ip radius source-interface x
!
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
transport input ssh telnet
!
line vty 5 15
authorization exec userAuthorization
login authentication userAuthentication
transport input ssh telnet
08-17-2020 03:07 AM
Hi there,
You need to change the sequence of your AAA methods. Currently it checks the local DB first. Since local is always available it never falls back to RADIUS.
!
aaa authentication login userAuthentication group IAS local
aaa authorization exec userAuthorization group IAS local if-authenticated
aaa authorization network userAuthorization group IAS local
!
...put local last.
cheers,
Seb.
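To make the ordering point concrete, here is an added example (it is not from the thread and not Cisco code): a small Python model of how IOS walks an authentication method list. The semantics it encodes are the documented IOS behaviour, stated here as the example's assumption: methods are tried left to right, a PASS or FAIL from a method ends the evaluation, and only an ERROR (server unreachable, or a local database with no usernames at all) hands over to the next method. The account names, passwords and group name "IAS" are constructed for the illustration.

```python
# Added illustration of IOS AAA method-list evaluation (assumed semantics, see lead-in).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusGroup:
    """Stand-in for 'aaa group server radius IAS': a reachability flag plus the
    accounts the RADIUS server (e.g. Windows NPS) would accept. Constructed data."""
    reachable: bool
    accounts: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR        # no Access-Accept/Reject at all: IOS tries the next method
        if self.accounts.get(user) == password:
            return PASS         # Access-Accept
        return FAIL             # Access-Reject: evaluation stops, no fallback to local


@dataclass
class LocalDatabase:
    """Stand-in for 'username ... secret ...' lines in the running config."""
    accounts: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        if not self.accounts:
            return ERROR        # empty local DB: IOS moves on to the next method
        if self.accounts.get(user) == password:
            return PASS
        return FAIL             # user missing or wrong password: no fallback


def run_method_list(methods: List[Tuple[str, object]], user: str,
                    password: str) -> Tuple[str, Optional[str]]:
    """Walk the list as 'aaa authentication login <name> m1 m2 ...' would.
    Returns (verdict, name of the method that decided). If every method
    returns ERROR the login is refused; that is reported as (ERROR, None)."""
    for name, method in methods:
        verdict = method.authenticate(user, password)
        if verdict != ERROR:
            return verdict, name
    return ERROR, None


def scenario(order: Tuple[str, ...], radius_reachable: bool,
             user: str = "ad.admin", password: str = "AdPassw0rd!"):
    """Evaluate one method-list ordering for one login attempt.
    'ad.admin' exists only on the RADIUS side (the AD group), 'breakglass'
    only in the local database; both are constructed sample accounts."""
    ias = RadiusGroup(reachable=radius_reachable, accounts={"ad.admin": "AdPassw0rd!"})
    local = LocalDatabase(accounts={"breakglass": "LocalOnly!"})
    catalogue = {"group IAS": ias, "local": local}
    methods = [(name, catalogue[name]) for name in order]
    return run_method_list(methods, user, password)


if __name__ == "__main__":
    # The poster's original order: local is consulted first, finds a non-empty
    # database without 'ad.admin', answers FAIL, and RADIUS is never asked.
    print("local group IAS, RADIUS up:  ", scenario(("local", "group IAS"), True))
    # The corrected order: RADIUS answers first.
    print("group IAS local, RADIUS up:  ", scenario(("group IAS", "local"), True))
    # RADIUS down: the AD admin cannot log in, but the local account still can.
    print("group IAS local, RADIUS down:", scenario(("group IAS", "local"), False))
    print("breakglass, RADIUS down:     ",
          scenario(("group IAS", "local"), False, "breakglass", "LocalOnly!"))
```

The third and fourth runs show the defender's caveat behind "put local last": the local database is only reached when the RADIUS group returns an error, so it is the outage fallback, and whatever local usernames exist on the switch are the credentials that will be accepted while the server is unreachable.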
08-17-2020 03:41 AM
Thank you for the help, it is still not working, as you see.
08-18-2020 05:57 AM
Fixed, it was a server issue. Thank you.