Cisco 9000 series switch SSH authentication on Active Directory Radius

David-Veo
Level 1

Hi,

I am replacing my 300 series switch with a 9000 series switch. Previously, I created an NPS as the RADIUS server to authenticate the SSH login on those switches. But I find that the syntax on the 9000 series is different. I am not sure what the latest configuration should be.

I am trying to create an AAA group that includes 2 NPS.

Show Run
aaa group server radius NPS_group
server 10.2.10.1
server 10.2.10.2
ip radius source-interface Vlan10

aaa authentication login default group NPS_group local
aaa authorization exec default group NPS_group local
.....
But when I try to add the server with the IP address I get this error.

SW1(config)#radius server NPSP1
SW1(config-radius-server)#address ipv4 10.2.10.1
%Server already exists with same address port combination.

I am not sure how to add the address then. Any idea?

7 Replies

Richard Burts
Hall of Fame

The message seems to indicate that the server is already present in the running config. In that case it is logical that you cannot "add" the server, which is what

SW1(config)#radius server NPSP1
SW1(config-radius-server)#address ipv4 10.2.10.1

attempts to do. Perhaps it would be helpful if you post the running config with any sensitive information obscured (or if you do not want to show the complete config then perhaps show run | section aaa).

HTH

Rick

Hi Richard,

Thanks for your reply. I am not sure why it claims the server exists. I have attached the running config, hiding the sensitive information. Thanks for your help.

David

David

Thank you for posting the running config. I believe that the issue is really about the identity of the server. You are attempting to add the server in NPSP1 but that server address is already configured in NPS_group.

HTH

Rick

Rick

I think so. But how could I configure it to use the AD server to do the authentication for SSH? On my C3650 switch, I can create a group to include the NPS, and also set the RADIUS server with IP address and key, like below. So do you know how to configure it on 9000 series switches? I cannot find the latest syntax on the website.

Configure on C3650:

aaa group server radius NPS_group
server 10.2.10.1
server 10.2.10.2
ip radius source-interface Vlan34
-----
radius-server host 10.2.10.1 key 7 -
radius-server host 10.2.10.12 key 7 -

David


David

I think that you have pretty much what you need in the config that you posted but it needs to be arranged slightly differently. The config has a server group NPS_1 which has 2 servers identified by IP address. Later in the config you specify keys for the servers but here the servers are identified differently:

radius server NPS_PS1
key 7 -
!
radius server NPS_PS2
key 7 -

I believe that you need to combine them, perhaps looking like this (the important thing is that the key is not configured separately but is in sequence with the address):

aaa group server radius NPS_1
server 10.2.10.1
 key 7 -
server 10.2.10.2
 key 7 -

For additional details you might try this link:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-10/configuration_guide/sec/b_1610_sec_9200_cg/configuring_radius.html#concept_E0E43CC5AB1747CDA0DA4EF0A453F2E5

I find the organization of the document to be a bit confusing, but if you search for How to Configure RADIUS I think you will find what you need. Give it a try and let us know the results.

HTH

Rick

Rick

Thanks for your help. I finally configured it successfully. It is about the sequence in which I configure it.

First, I create the RADIUS servers like this:

radius server NPS_PS1
 address ipv4 10.2.10.1
 key XXX

radius server NPS_PS2
 address ipv4 10.2.10.2
 key XXX

Then create the RADIUS group and add the RADIUS servers by name.

aaa group server radius NPS_Group
server name NPS_PS1
server name NPS_PS2

This is the way to add a RADIUS server with an IP address into the RADIUS server group. Thanks for your help.

David
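The thread hit two related problems: a `radius server` block whose `address ipv4` collided with an address already claimed by a plain `server <ip>` line in the AAA group (the "Server already exists with same address port combination" error), and named `radius server` blocks that carried only a `key` and no address. The following Python check is an added example, not code from this thread or from Cisco: it parses a config in the shape posted above and reports both conditions. It assumes the IOS default RADIUS ports of 1645 (auth) and 1646 (acct) when none are given, and the two config strings are constructed samples with the thread's addresses and obscured keys.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the config posted in the thread:
# a group that names servers by IP, two named servers with no address,
# and a third named server whose address collides with the group entry.
SAMPLE_CONFIG = """
aaa group server radius NPS_group
 server 10.2.10.1
 server 10.2.10.2
 ip radius source-interface Vlan10
!
aaa authentication login default group NPS_group local
aaa authorization exec default group NPS_group local
!
radius server NPS_PS1
 key 7 -
!
radius server NPS_PS2
 key 7 -
!
radius server NPSP1
 address ipv4 10.2.10.1
 key 7 -
"""

# Constructed sample of the working arrangement: address and key live
# together in the named server, and the group references servers by name.
FIXED_CONFIG = """
radius server NPS_PS1
 address ipv4 10.2.10.1
 key 7 -
!
radius server NPS_PS2
 address ipv4 10.2.10.2
 key 7 -
!
aaa group server radius NPS_Group
 server name NPS_PS1
 server name NPS_PS2
 ip radius source-interface Vlan10
"""

# IOS defaults used when a server line omits explicit ports.
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646

PORTS = r'(?: auth-port (\d+))?(?: acct-port (\d+))?'


def parse_blocks(config):
    """Split IOS-style text into (top-level line, [indented child lines]) blocks."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw[0] in ' \t':
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def _endpoint(ip, auth, acct):
    return (ip, int(auth or DEFAULT_AUTH_PORT), int(acct or DEFAULT_ACCT_PORT))


def audit_radius(config):
    """Return duplicate address/port owners and named servers lacking an address."""
    owners = defaultdict(list)   # (ip, auth-port, acct-port) -> config lines claiming it
    no_address = []
    for header, body in parse_blocks(config):
        parts = header.split()
        if parts[:4] == ['aaa', 'group', 'server', 'radius']:
            # A bare 'server <ip>' inside a group claims that address/port pair.
            for line in body:
                m = re.match(r'server (\d+\.\d+\.\d+\.\d+)' + PORTS + r'$', line)
                if m:
                    owners[_endpoint(*m.groups())].append(header)
        elif parts[:2] == ['radius', 'server']:
            addr = None
            for line in body:
                m = re.match(r'address ipv4 (\S+)' + PORTS + r'$', line)
                if m:
                    addr = _endpoint(*m.groups())
            if addr is None:
                no_address.append(parts[2])      # key-only block, nothing to reach
            else:
                owners[addr].append(header)
        elif parts[:2] == ['radius-server', 'host']:
            # Legacy single-line form also claims an address/port pair.
            m = re.match(r'radius-server host (\S+)' + PORTS, header)
            owners[_endpoint(*m.groups())].append(header)
    duplicates = {ep: srcs for ep, srcs in owners.items() if len(srcs) > 1}
    return {'duplicates': duplicates, 'no_address': no_address}


if __name__ == '__main__':
    for name, cfg in (('posted', SAMPLE_CONFIG), ('fixed', FIXED_CONFIG)):
        print(name, audit_radius(cfg))
```

Running it on the posted shape reports 10.2.10.1:1645/1646 claimed by both `aaa group server radius NPS_group` and `radius server NPSP1`, plus NPS_PS1 and NPS_PS2 as key-only blocks; the fixed shape reports nothing, which matches the sequence that finally worked.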


David

Thanks for the update. Glad to know that you were successful in getting it to work. +5 for sharing your solution with the community. And yes the sequence of steps is important.

HTH

Rick