
Cisco Switch Radius configuration.

Antony.xavier
Level 1

Hi Team,

Please find below the RADIUS config for model C2950-I6Q4L2-M, software version 12.1(22)EA1b. I am unable to authenticate this device against the RADIUS server.

aaa new-model
aaa authentication login default group RADIUS_SERVERS local
aaa authorization exec default group RADIUS_SERVERS local if-authenticated
aaa authorization commands 5 default if-authenticated

aaa group server radius RADIUS_SERVERS
 server 1.1.1.1 auth-port 1812 acct-port 1813
 server 2.2.2.2 auth-port 1812 acct-port 1813

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key Pre-shared Key
radius-server host 2.2.2.2 auth-port 1812 acct-port 1813 key Pre-shared Key

Debug error log:

Jan 25 06:23:07: %RADIUS-4-NOSERV: Warning: Server 1.1.1.1:1812,1813 is not defined.
Jan 25 06:23:46: %RADIUS-4-NOSERV: Warning: Server 2.2.2.2:1812,1813 is not defined.

Jan 25 06:53:21: %RADIUS-4-SERVREF: Warning: Server 1.1.1.1:1812,1813 is still referenced by server group.
Jan 25 06:53:41: %RADIUS-4-SERVREF: Warning: Server 2.2.2.2.10:1812,1813 is still referenced by server group.

Please share the AAA test command for this switch model C2950. Any help is much appreciated.

Thanks,

Antony

7 Replies

vencislav.metev
Level 1

Hi,

Try first to define:

radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key Pre-shared Key
radius-server host 2.2.2.2 auth-port 1812 acct-port 1813 key Pre-shared Key

then:

aaa group server radius RADIUS_SERVERS
 server 1.1.1.1
 server 2.2.2.2

Regards,

Ventsi

Hi Ventsi,

I did try this method but still no luck; please find the debug logs below.

Jan 25 08:36:43: AAA: parse name=tty2 IDB type=-1 TTY=-1
Jan 25 08:36:43: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 25 08:36:43: AAA/MEMORY: create user (0x80CBE92C) user='' RUSER='' port='tty2' REM_ADDR='1.1.1.1' authen_type=ASCII service=LOGIN PRIV=1
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): port='tty2' list='' action=LOGIN service=LOGIN
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): using "default" list
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:36:43: AAA/AUTHEN (266799843): status = GETUSER
Jan 25 08:36:47: AAA/AUTHEN/CONT (266799843): continue login (user='(UNDEF)')
Jan 25 08:36:47: AAA/AUTHEN (266799843): status = GETUSER
Jan 25 08:36:47: AAA/AUTHEN (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:36:47: AAA/AUTHEN (266799843): status = GETPASS
Jan 25 08:36:56: AAA/AUTHEN/CONT (266799843): continue login (user='Antony')
Jan 25 08:36:56: AAA/AUTHEN (266799843): status = GETPASS
Jan 25 08:36:56: AAA/AUTHEN (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:37:36: AAA/AUTHEN (266799843): status = ERROR
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): port='tty2' list='' action=LOGIN service=LOGIN
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): Restart
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): Method=LOCAL
Jan 25 08:37:36: AAA/AUTHEN (1575298841): User not found, end of method list
Jan 25 08:37:36: AAA/AUTHEN (1575298841): status = FAIL

Regards,

Antony.

Hi,

Can you check on the RADIUS server whether there are any errors?

Regards,

Ventsi

balaji.bandi
Hall of Fame

The 12.X format is a bit different, as below:

SUMMARY STEPS

1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
4. aaa group server {radius | tacacs+} group-name
5. server ip-address [auth-port port-number] [acct-port port-number]
6. end

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/12-2sx/sec-usr-rad-12-2sx-book/sec-cfg-radius.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

I did try this method but still no luck; please find the debug logs below.

Jan 25 08:36:43: AAA: parse name=tty2 IDB type=-1 TTY=-1
Jan 25 08:36:43: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jan 25 08:36:43: AAA/MEMORY: create user (0x80CBE92C) user='' RUSER='' port='tty2' REM_ADDR='1.1.1.1' authen_type=ASCII service=LOGIN PRIV=1
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): port='tty2' list='' action=LOGIN service=LOGIN
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): using "default" list
Jan 25 08:36:43: AAA/AUTHEN/START (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:36:43: AAA/AUTHEN (266799843): status = GETUSER
Jan 25 08:36:47: AAA/AUTHEN/CONT (266799843): continue login (user='(UNDEF)')
Jan 25 08:36:47: AAA/AUTHEN (266799843): status = GETUSER
Jan 25 08:36:47: AAA/AUTHEN (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:36:47: AAA/AUTHEN (266799843): status = GETPASS
Jan 25 08:36:56: AAA/AUTHEN/CONT (266799843): continue login (user='Antony')
Jan 25 08:36:56: AAA/AUTHEN (266799843): status = GETPASS
Jan 25 08:36:56: AAA/AUTHEN (266799843): Method=NPS_RADIUS_SERVERS (radius)
Jan 25 08:37:36: AAA/AUTHEN (266799843): status = ERROR
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): port='tty2' list='' action=LOGIN service=LOGIN
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): Restart
Jan 25 08:37:36: AAA/AUTHEN/START (1575298841): Method=LOCAL
Jan 25 08:37:36: AAA/AUTHEN (1575298841): User not found, end of method list
Jan 25 08:37:36: AAA/AUTHEN (1575298841): status = FAIL

Regards,

Antony.

Can you post the show run from the switch? What RADIUS server are you using: Cisco RADIUS/TACACS or MS NPS?

BB

Below is the running config from the switch:

SW01#show running-config
Building configuration...

Current configuration : 8974 bytes
!
! Last configuration change at 04:19:31 CST Tue Jan 25 2022 by etglocal
! NVRAM config last updated at 03:47:59 CST Tue Jan 25 2022 by etglocal
!
version 12.1
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname SW01
!
logging console critical
aaa new-model
aaa group server radius NPS_RADIUS_SERVERS
server 10.0.10.11 auth-port 1812 acct-port 1813
server 10.130.0.10 auth-port 1812 acct-port 1813
!
aaa authentication login default group NPS_RADIUS_SERVERS local
aaa authorization exec default group NPS_RADIUS_SERVERS local if-authenticated
aaa authorization commands 5 default if-authenticated
enable secret 5 $1$p9qO$34kSAJKXSY2.OKURMIRjG/
!
username etglocal secret 5 $1$cuDL$fTxy2/E.M7aEkxTDSp6321
clock timezone CST -6
clock summer-time cdt recurring
ip subnet-zero
no ip source-route
!
no ip domain-lookup
ip name-server 10.0.10.10
ip name-server 10.0.10.11
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan415
ip address 192.168.21.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.21.1
no ip http server
logging trap warnings
logging 10.0.10.55
access-list 11 permit 10.193.48.251 log
access-list 11 permit 10.128.169.11 log
access-list 11 permit 10.128.169.12 log
access-list 11 permit 10.193.48.200 log
access-list 11 permit 10.0.10.55 log
access-list 11 permit 10.193.48.186
access-list 11 permit 207.250.73.55 log
access-list 11 permit 10.10.18.94 log
access-list 11 permit 10.128.112.155 log
access-list 11 permit 10.193.48.159 log
access-list 11 permit 10.128.112.156 log
access-list 11 permit 10.0.16.100 log
access-list 11 permit 10.200.43.105 log
access-list 11 permit 10.200.43.101 log
access-list 11 permit 10.200.40.36 log
access-list 11 permit 10.0.10.253 log
access-list 11 permit 10.0.0.0 0.255.255.255 log
access-list 11 deny any
access-list 21 permit 10.0.10.55
access-list 21 permit 10.0.11.131
snmp-server group ACTUANT v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF
snmp-server community Zrgdn7mJdwh49jcn RO 21
snmp-server location Building D Lower Computer Room
snmp-server contact AMMNF.ATU-NETWORK@actuant.com
snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart
snmp-server enable traps config
snmp-server enable traps copy-config
snmp-server enable traps syslog
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps bridge
snmp-server enable traps stpx
snmp-server enable traps rtr
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps MAC-Notification
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps hsrp
snmp-server enable traps cluster
snmp-server host 10.0.10.55 Zrgdn7mJdwh49jcn tty config copy-config entity vtp vlancreate vlandelete port-security MAC-Notification envmon
snmp-server host 10.0.10.55 version 3 AUTH local
tacacs-server key c!Sc0k@y+k$3%acS
radius-server host 10.0.10.11 auth-port 1812 acct-port 1813 key T8TR2UWRfCd6kJrE
radius-server host 10.130.0.10 auth-port 1812 acct-port 1813 key T8TR2UWRfCd6kJrE
radius-server retransmit 3
privilege interface level 5 shutdown
privilege interface level 5 ip
privilege configure level 5 interface
privilege exec level 5 show running-config
privilege exec level 5 show ip
privilege exec level 5 configure terminal
privilege exec level 5 interface gigabitethernet
privilege exec level 5 interface
privilege exec level 5 show
!
line con 0
exec-timeout 20 0
password 7 0017060B095E19521B28414B
stopbits 1
line vty 0 4
access-class 11 in
exec-timeout 20 0
line vty 5 15
access-class 11 in
exec-timeout 20 0
!
ntp authentication-key 1 md5 034109243F4E766E05 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17180112
ntp access-group peer 20
ntp server 1.2.3.4 key 1
!
end
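Added example (editor's code, not from the thread, Cisco, or any participant): a Python checker for the two symptoms in this thread. `undefined_group_members` reproduces the condition behind `%RADIUS-4-NOSERV` by cross-checking each `aaa group server radius` member against the `radius-server host` lines on the same (address, auth-port, acct-port) tuple, and `radius_fallbacks` scans `debug aaa authentication` output for a RADIUS method that ended in `status = ERROR` and was then restarted on LOCAL, which is how the `... local` method list silently falls back to local accounts when no RADIUS server answers. The sample config and debug lines are constructed to mirror the posts; the only assumption beyond the page is classic IOS's default ports of 1645/1646 when none are given.

```python
import re

HOST_RE = re.compile(r"^radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?", re.I)
GROUP_RE = re.compile(r"^aaa group server radius (\S+)", re.I)
MEMBER_RE = re.compile(r"^\s*server (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?\s*$", re.I)
AUTHEN_RE = re.compile(r"AAA/AUTHEN(?:/\w+)? \((\d+)\): (.*)$")

def _key(ip, auth, acct):
    # IOS matches a group member to a host on (ip, auth-port, acct-port); classic default ports 1645/1646
    return ip, auth or "1645", acct or "1646"

def undefined_group_members(config):
    """Members with no 'radius-server host' line for the same address and ports (%RADIUS-4-NOSERV)."""
    hosts, members, group = set(), [], None
    for line in config.splitlines():
        if m := HOST_RE.match(line):
            hosts.add(_key(*m.groups()))
        elif g := GROUP_RE.match(line):
            group = g.group(1)
        elif group and (m := MEMBER_RE.match(line)):
            members.append((group, *_key(*m.groups())))
        elif line.strip():
            group = None  # any other command ends the group block
    return [m for m in members if m[1:] not in hosts]

def radius_fallbacks(debug):
    """RADIUS sessions ending in 'status = ERROR' (no server replied) that restarted on LOCAL."""
    events, radius_ids, pending = [], set(), None
    for line in debug.splitlines():
        if not (m := AUTHEN_RE.search(line)):
            continue
        sid, msg = m.groups()
        if "(radius)" in msg:
            radius_ids.add(sid)
        elif msg == "status = ERROR" and sid in radius_ids:
            pending = sid
        elif msg == "Method=LOCAL" and pending:
            events.append({"radius": pending, "local": sid, "local_status": None})
            pending = None
        elif msg.startswith("status = ") and events and events[-1]["local"] == sid:
            events[-1]["local_status"] = msg[len("status = "):]
    return events

# Constructed samples mirroring the thread's first post and its debug output (not copied from it).
SAMPLE_CONFIG = ("aaa group server radius RADIUS_SERVERS\nserver 1.1.1.1 auth-port 1812 acct-port 1813\n"
                 "server 2.2.2.2 auth-port 1812 acct-port 1813\n!\n"
                 "radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key PLACEHOLDER\n")
SAMPLE_DEBUG = ("AAA/AUTHEN/START (100): Method=NPS_RADIUS_SERVERS (radius)\nAAA/AUTHEN (100): status = ERROR\n"
                "AAA/AUTHEN/START (200): Method=LOCAL\nAAA/AUTHEN (200): status = FAIL\n")
```

Run `radius_fallbacks` over the debug output posted in the replies above and it reports the 266799843/1575298841 pair with `local_status` `FAIL`, i.e. the RADIUS servers never answered and the switch fell back to the local database, where user Antony does not exist.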
