3764 Views, 0 Helpful, 16 Replies

RADIUS Authentication

soypablocr
Level 1

I'm trying to set up RADIUS authentication on my WS-C2960X-48FPS-L switch. I set up the following values:

aaa authentication fail-message ^CCCCCCAuthentication Failed; Try again. ^C
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local

radius server RAD01-PRD-BIG
 address ipv4 172.20.60.85 auth-port 1645 acct-port 1646
 key 7 062F311559061B275C05353B2D

but when I try to test the connectivity using this command:

test aaa group radius server 172.20.60.85 (DOMAINUSER) (PASSWORD) legacy

It shows this message:

Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

 

I checked the key and the server, and for other devices it works fine, but I don't know if I'm missing something in the config. Any help will be well received.

 

Thanks

 
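For reference, this is what `test aaa group radius ... legacy` puts on the wire: an RFC 2865 Access-Request with a PAP User-Password, and the client-side check of the reply. This is an added example written for this thread, not Cisco's code or anything from the original post; the shared secret, user name, password and addresses in it are made-up sample values, and the `probe()` helper and its outcome names are this script's own. The point it makes is the one the thread circles around: a server that does not answer (wrong port, firewall, down) looks like a timeout, which is the only condition under which IOS moves on to the next method in a method list, whereas a verified Access-Reject is a final answer.

```python
"""RADIUS (RFC 2865) Access-Request with a PAP User-Password, as sent by
`test aaa group radius ... legacy`, plus the client-side check of the reply.
Added example for this thread, not Cisco's code; secret, user, password and
addresses used here are made-up sample values."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
LEGACY_AUTH_PORT, IANA_AUTH_PORT = 1645, 1812   # both port pairs appear in the thread


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of encode_password. A wrong shared secret does not raise here;
    it yields garbage, which the server then treats as a wrong password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")   # strip padding; passwords ending in NUL are out of scope


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(2, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with our copy of the secret.
    A reply that fails this check must be silently discarded (RFC 2865 section 3)."""
    if len(response) < 20:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!BBH", header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def classify(response, request_authenticator, secret):
    """None -> 'timeout' (server down, wrong port, firewall): after its retries IOS
    treats the group as unreachable and tries the next method in the list.
    'reject' -> a verified Access-Reject: the switch stops, there is no fallback."""
    if response is None:
        return "timeout"
    if not verify_response(response, request_authenticator, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


def probe(server, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP and classify the outcome (does network I/O)."""
    auth = os.urandom(16)
    packet = build_access_request(1, secret, username, password, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None, auth, secret)
    if data[1] != packet[1]:          # Identifier must echo the request
        return "bad-identifier"
    return classify(data, auth, secret)


if __name__ == "__main__":
    # Placeholder target (TEST-NET-1); point it at your own server to compare 1645 vs 1812.
    print(probe("192.0.2.10", LEGACY_AUTH_PORT, b"s3cret", "DOMAIN\\user", "password", "192.0.2.1"))
```

Run it from a host on the same segment as the server with the switch's shared secret and both port pairs: `timeout` on 1645 but `accept`/`reject` on 1812 means the server is not listening on the legacy ports; `reject` on both means the packets arrive and the secret is consistent, so the decision is the server's and its logs are the next place to look, which is what turned out to be the case in this thread.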


If you want to ensure you have a fallback, on any method just add the 'local' keyword to the end of any AAA method. This will ensure the local user database is used should the preceding user data stores be unreachable.

 

cheers,

Seb.


16 Replies

Hello

Did you apply the key already encrypted? If so, reapply it in plain text.

 

Also do you have reachability to the radius server?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

 

I applied the key as plain text. Also, I'm able to ping the RADIUS server from the switch.

 

Thanks

Hello

But can you connect on those specific ports?

 

Have you tried, as @Seb Rupik stated, using the newer RADIUS ports udp/1812-1813?



Kind Regards
Paul

I tried both 1045 - 1046 and 1812 and 1813. Also, I checked on the server whether those are allowed, and yes, both are.

 

 

Seb Rupik
VIP Alumni

You have the legacy RADIUS ports (1645 / 1646) configured. Are you sure the server is configured to listen on those ports and its firewall permits it?

 

Cheers,

Seb.

Both devices (RADIUS and switch) live in the same IP segment.

 

Also, I tested port connectivity using traceroute on the switch and it goes through:

 

Tracing the route to RAD01-PRD-BIG (172.20.60.85)
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *
    RAD01-PRD-BIG (172.20.60.85) 0 msec

I also checked this:

RADIUS: id 6, priority 1, host 172.20.60.85, auth-port 1645, acct-port 1646
     State: current UP, duration 348s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 2, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 1, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 2110481461ms
             Transaction: success 2, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 5m
     Estimated Outstanding Access Transactions: 0
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 0 hours, 5 minutes ago: 1
             low  - 0 hours, 4 minutes ago: 0
             average: 0

The part of the config that we have seen looks reasonable. I wonder if there is something in the parts that we have not seen that impacts radius authentication.

 

Can you do the test again and then check the logs on the radius server? Is it seeing the request? Does it indicate any kind of error about this request?

 

Can you verify that the configuration on the radius server for this client is correct? Is there any possibility that the source address used for the radius request is not the IP address configured on the server for this client?

 

HTH

 

Rick

So while I was writing my response the original poster provided information from the server. The output does seem to indicate that the server does recognize the requests coming from the correct source address. It is good to know that. I am interested in this part of the output

     Authen: request 2, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 1, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 2110481461ms
             Transaction: success 2, failure 0

So the server recognized 2 requests and apparently sees both as successes. So what is the 1 reject?

 

And if the server thinks the requests were successes then why does the client say the request did not work?

 

HTH

 

Rick

The problem was with the Windows server.

 

Another question: if the server goes down, with the configuration that I shared I shouldn't have any issues authenticating locally, right?

It depends on which of your AuthC AAA methods you hit. If you are using the default method, then yes in the event that the RADIUS server is unreachable the switch will fallback to using the local user database.

 

If you are using the 'local_auth' AAA method then the authentication will hang as you have not specified a fallback.

 

cheers,

Seb.

This is what I have in my config:

 
aaa authentication fail-message ^CCCCCCAuthentication Failed; Try again. ^C
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local

 

Is that enough, or do I need to make additional changes?

As Seb has identified, there is an issue with this command:

aaa authentication login local_auth group radius

the name of this method suggests that it is to provide local authentication. But the method specifies radius and does not have any provision for local authentication. We do not know if you are actually using this method. But if you are using it then it is probably not providing the functionality that you wanted.

 

I would also make a suggestion about your authorization command

aaa authorization exec default group radius local

I have had success using the parameter if-authenticated as a fall back for authorization.

 

HTH

 

Rick
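Seb's point about the `local_auth` list hanging, and Rick's point that we do not know whether that list is even bound to a line, are both mechanical checks that can be run against a running-config. The following is an added example written for this thread, not Cisco tooling or code from any poster: it parses `aaa authentication`/`aaa authorization` method lists, flags those that name only remote server groups, reports whether the list is referenced from a line, and proposes the fixed line. `SAMPLE_CONFIG` is the configuration posted above plus an assumed `line vty` section (not in the original post) that binds `local_auth`; the rule set and the `if-authenticated` suggestion for exec authorization (Rick's alternative) are this script's own choices. One caveat worth stating for any of these fixes: IOS only falls through to the next method when the RADIUS group is unreachable, so a user the live server rejects is rejected regardless of what follows in the list.

```python
"""Audit Cisco IOS AAA method lists for a missing fallback method, i.e. lists
that name only remote server groups. Added example for this thread, not Cisco's
code; the rule set is this script's own. SAMPLE_CONFIG is the configuration
posted in the thread plus an assumed 'line vty' section binding local_auth."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication fail-message ^CCCCCCAuthentication Failed; Try again. ^C
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local
line vty 0 4
 login authentication local_auth
 authorization exec default
"""

# Methods that need no remote server. IOS moves on to the next method only when
# the preceding group is unreachable (timeouts, server marked dead), never when a
# live server answers with Access-Reject; 'none' is listed for completeness only.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

# Only the services used in the thread; 'aaa authorization commands <level>' etc. are skipped.
LIST_RE = re.compile(r"^aaa (authentication|authorization) (login|enable|exec|network) (\S+) (.+)$")
USE_RE = re.compile(r"^\s*(?:login authentication|authorization (?:exec|network))\s+(\S+)\s*$")


def parse_method_lists(config: str) -> dict:
    """Map (kind, service, list name) -> ordered methods, e.g. ['group radius', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        kind, service, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            # 'group <name>' is one method; everything else is a single keyword
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[(kind, service, name)] = methods
    return lists


def referenced_lists(config: str) -> set:
    """Named lists bound under line/interface config; 'default' applies wherever nothing is bound."""
    return {m.group(1) for line in config.splitlines() if (m := USE_RE.match(line))}


def audit(config: str) -> list:
    """Return (kind, service, name, in_use, suggested_line) for every list without a fallback."""
    used = referenced_lists(config)
    findings = []
    for (kind, service, name), methods in parse_method_lists(config).items():
        if any(m in FALLBACK_METHODS for m in methods):
            continue
        # 'local' for authentication. For exec authorization offer 'if-authenticated'
        # (Rick's suggestion): it authorizes any authenticated user instead of
        # consulting 'username ... privilege' lines, so it is broader than 'local'.
        extra = "if-authenticated" if (kind, service) == ("authorization", "exec") else "local"
        fixed = f"aaa {kind} {service} {name} {' '.join(methods)} {extra}"
        findings.append((kind, service, name, name == "default" or name in used, fixed))
    return findings


if __name__ == "__main__":
    for kind, service, name, in_use, fixed in audit(SAMPLE_CONFIG):
        state = "bound to a line" if in_use else "defined but unused"
        print(f"{kind} {service} list '{name}' has no fallback ({state}); suggest: {fixed}")
```

Feed it `show running-config | include ^aaa |^ login authentication|^ authorization` output from the switch; on the posted configuration it reports only `local_auth`, which is exactly the list Seb and Rick singled out. Whether it is a real problem depends on the `in_use` flag: an unused named list is harmless clutter, a bound one locks you out of that line when the RADIUS server is down.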