12-20-2018 07:30 AM - edited 03-08-2019 04:51 PM
I'm trying to set up RADIUS authentication on my WS-C2960X-48FPS-L switch. I set up the following values:
aaa authentication fail-message ^CCCCCCAuthentication Failed; Try again. ^C
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local
radius server RAD01-PRD-BIG
 address ipv4 172.20.60.85 auth-port 1645 acct-port 1646
 key 7 062F311559061B275C05353B2D
But when I try to test the connectivity using this command:
test aaa group radius server 172.20.60.85 (DOMAINUSER) (PASSWORD) legacy
It shows this message:
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
I checked the key and the server, and it works fine for other devices, but I don't know if I'm missing something in the config. Any help will be well received.
Thanks
12-22-2018 01:59 PM
If you want to ensure you have a fallback on any method, just add the 'local' keyword to the end of any AAA method. This will ensure the local user database is used should any of the preceding user data stores be unreachable.
cheers,
Seb.
12-20-2018 07:33 AM - edited 12-20-2018 07:41 AM
Hello
Did you apply the key already encrypted? If so, reapply it in plain text.
Also do you have reachability to the radius server?
12-20-2018 07:52 AM
Hi,
I applied the key as plain text; also, I'm able to ping the RADIUS server from the switch.
Thanks
12-20-2018 08:11 AM
Hello
But can you connect on those specific ports?
Have you tried, as @Seb Rupik stated, using the newer RADIUS ports udp/1812-1813?
12-20-2018 08:21 AM
I tried both 1045-1046 and 1812-1813; I also checked on the server whether those are allowed, and yes, both are.
12-20-2018 07:42 AM
You have the legacy RADIUS ports (1645 / 1646) configured. Are you sure the server is configured to listen on those ports and its firewall permits it?
Cheers,
Seb.
12-20-2018 08:17 AM - edited 12-20-2018 08:20 AM
Both devices (RADIUS and switch) live in the same IP segment.
I also tested port connectivity using traceroute on the switch and it goes through:
Tracing the route to RAD01-PRD-BIG (172.20.60.85)
VRF info: (vrf in name/id, vrf out name/id)
1 * *
RAD01-PRD-BIG (172.20.60.85) 0 msec
12-20-2018 10:45 AM
I also checked this:
RADIUS: id 6, priority 1, host 172.20.60.85, auth-port 1645, acct-port 1646
State: current UP, duration 348s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 2, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 1, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 2110481461ms
Transaction: success 2, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 5m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 5 minutes ago: 1
low - 0 hours, 4 minutes ago: 0
average: 0
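The counters above carry the answer to the thread's question, if you read them the right way: timeouts 0 and state UP mean the server was reached, and reject 1 means it answered with an Access-Reject. The following parser is an added example (not code from the thread's participants or from Cisco) that pulls those counters out of a pasted "RADIUS: id ..." block and turns them into a triage verdict; the sample input is the block from this post, embedded as a constructed string, and the "incorrect means failed response validation" mapping is this example's assumption.

```python
"""Triage a Cisco IOS RADIUS server statistics block as pasted in the thread.

Added example, not from the thread or from Cisco IOS.  It separates
'server unreachable' (timeouts, DEAD state) from 'server answered and
rejected' (reject > 0 with timeouts 0), which is the distinction that
decides where to look next.
"""
import re

# Constructed sample: the statistics block posted in the thread.
SAMPLE = """\
RADIUS: id 6, priority 1, host 172.20.60.85, auth-port 1645, acct-port 1646
State: current UP, duration 348s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 2, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 1, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 2110481461ms
Transaction: success 2, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
"""

COUNTER_RE = re.compile(
    r"(accept|reject|challenge|timeouts|request|failover|retransmission"
    r"|unexpected|server error|incorrect)\s+(\d+)"
)


def parse_counters(text):
    """Return host/ports/state plus the counters of the Authen: section only.

    The Author: and Account: sections repeat the same labels, so the text is
    cut at the first 'Author:' line before the counters are read.
    """
    info = {}
    m = re.search(r"host (\S+), auth-port (\d+), acct-port (\d+)", text)
    if m:
        info["host"] = m.group(1)
        info["auth_port"] = int(m.group(2))
        info["acct_port"] = int(m.group(3))
    m = re.search(r"State: current (\w+)", text)
    info["state"] = m.group(1) if m else "UNKNOWN"
    authen = re.search(r"Authen:(.*?)(?=^Author:|\Z)", text, re.S | re.M)
    block = authen.group(1) if authen else ""
    for key, val in COUNTER_RE.findall(block):
        info[key] = int(val)
    return info


def triage(info):
    """Map the counters to the next thing an admin should check."""
    if info.get("state") != "UP" or info.get("timeouts", 0) > 0:
        return "UNREACHABLE: no answer from the server; check UDP ports, firewall and source address"
    # Assumption of this example: 'incorrect' counts responses that failed
    # validation, which commonly points at a shared-key mismatch.
    if info.get("incorrect", 0) > 0 or info.get("unexpected", 0) > 0:
        return "BAD RESPONSE: answers arrived but failed validation; re-check the shared key"
    if info.get("reject", 0) > 0 and info.get("accept", 0) == 0:
        return "REJECTED: server answered with Access-Reject; check the client entry and policy on the RADIUS server"
    if info.get("accept", 0) > 0:
        return "OK: at least one Access-Accept received"
    return "NO DATA: no authentication requests recorded yet"


if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(counters)
    print(triage(counters))
```

Run against the block from this post it prints a REJECTED verdict, which is consistent with how the thread was eventually resolved: the switch side was fine and the problem sat on the Windows RADIUS server.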
12-20-2018 09:26 AM
12-20-2018 10:52 AM
The part of the config that we have seen looks reasonable. I wonder if there is something in the parts that we have not seen that impacts radius authentication.
Can you do the test again and then check the logs on the radius server? Is it seeing the request? Does it indicate any kind of error about this request?
Can you verify that the configuration on the radius server for this client is correct? Is there any possibility that the source address used for the radius request is not the IP address configured on the server for this client?
HTH
Rick
12-20-2018 11:00 AM - edited 12-21-2018 06:37 AM
So while I was writing my response the original poster provided information from the server. The output does seem to indicate that the server does recognize the requests coming from the correct source address. It is good to know that. I am interested in this part of the output
Authen: request 2, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 1, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 2110481461ms
Transaction: success 2, failure 0
So the server recognized 2 requests and apparently sees both as successes. So what is the 1 reject?
And if the server thinks the requests were successes then why does the client say the request did not work?
HTH
Rick
12-20-2018 02:56 PM
The problem was with the Windows server.
Another question: if the server goes down with the configuration that I shared, I shouldn't have any issues authenticating locally, right?
12-20-2018 03:06 PM
It depends on which of your AuthC AAA methods you hit. If you are using the default method, then yes, in the event that the RADIUS server is unreachable the switch will fall back to using the local user database.
If you are using the 'local_auth' AAA method then the authentication will hang as you have not specified a fallback.
cheers,
Seb.
12-21-2018 06:26 AM
This is what I have in my config:
aaa authentication fail-message ^CCCCCCAuthentication Failed; Try again. ^C
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local
Is that enough or do I need to make additional changes?
12-21-2018 06:44 AM
As Seb has identified, there is an issue with this command:
aaa authentication login local_auth group radius
The name of this method suggests that it is to provide local authentication. But the method specifies radius and does not have any provision for local authentication. We do not know if you are actually using this method. But if you are using it then it is probably not providing the functionality that you wanted.
I would also make a suggestion about your authorization command:
aaa authorization exec default group radius local
I have had success using the parameter if-authenticated as a fall back for authorization.
HTH
Rick
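The advice in Seb's and Rick's replies comes down to two things: every method list should end in a fallback, and the fallback is only used when the RADIUS method returns an error (server unreachable), never when the server explicitly rejects the user. The script below is an added example, not code from the thread or from Cisco, that lints the posted "aaa authentication"/"aaa authorization" lines for a missing fallback and then simulates that error-versus-reject behaviour; the method-list semantics it models are the documented IOS ones, the config string is a constructed copy of the lines in the thread, and the local user database is a made-up dictionary.

```python
"""Lint Cisco IOS AAA method lists for a fallback and simulate their behaviour.

Added example, not from the thread or from Cisco IOS.  The simulation models
the IOS rule the thread relies on: the next method in a list is tried only
when the current method returns ERROR (e.g. server unreachable), not when it
returns FAIL (the server answered with a reject).
"""
import re

# Constructed copy of the aaa lines posted in the thread.
CONFIG = """\
aaa authentication login default group radius local
aaa authentication login local_auth group radius
aaa authorization exec default group radius local
aaa authorization network default local
"""

# Methods that do not depend on an external server answering.
FALLBACK_METHODS = {"local", "none", "enable", "line", "if-authenticated"}

LINE_RE = re.compile(r"^aaa (authentication login|authorization \w+) (\S+) (.+)$", re.M)


def parse_method_lists(config):
    """Return {(service, list_name): [method, ...]} for each aaa line."""
    lists = {}
    for service, name, rest in LINE_RE.findall(config):
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group":           # 'group radius', 'group tacacs+', 'group NAME'
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, name)] = methods
    return lists


def lint(lists):
    """Report method lists that consist only of server groups (no fallback)."""
    findings = []
    for (service, name), methods in lists.items():
        if not any(m in FALLBACK_METHODS for m in methods):
            findings.append(f"{service} {name}: no fallback after '{' '.join(methods)}'")
    return findings


def evaluate(methods, radius_result, local_users, user, password):
    """Walk a method list and return 'PASS', 'FAIL' or 'ERROR'.

    radius_result is the simulated verdict of the server group: 'PASS',
    'FAIL' (Access-Reject) or 'ERROR' (no response).  Only ERROR moves on
    to the next method.
    """
    for m in methods:
        if m.startswith("group "):
            result = radius_result
        elif m == "local":
            result = "PASS" if local_users.get(user) == password else "FAIL"
        elif m in ("none", "if-authenticated"):
            # 'none' skips the check; 'if-authenticated' is an authorization
            # method that succeeds for an already authenticated user.
            result = "PASS"
        else:
            result = "ERROR"
        if result != "ERROR":
            return result
    return "ERROR"   # every method errored: IOS denies the session


if __name__ == "__main__":
    lists = parse_method_lists(CONFIG)
    for finding in lint(lists):
        print("LINT:", finding)
    users = {"admin": "constructed-password"}
    for name in ("default", "local_auth"):
        methods = lists[("authentication login", name)]
        for verdict in ("PASS", "FAIL", "ERROR"):
            print(f"{name:10} radius={verdict:5} ->",
                  evaluate(methods, verdict, users, "admin", "constructed-password"))
```

The lint flags exactly the line Seb and Rick pointed at ("local_auth" with only "group radius"), and the simulation shows the point behind the thread's last question: with "group radius local" a login still FAILs when the server rejects it, and only an unreachable server lets the local database answer.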