cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
890
Views
10
Helpful
27
Replies

RADIUS Clients Access Denied

RaulSambula40179
Beginner
Beginner

Some RADIUS Clients are authenticating Network 137......

Clients not authenticating Network 132....

 

raul.sambula.ctr@us.af.mil

1 Accepted Solution

Accepted Solutions

radius-server timeout <<- can you change this timeout

the retransmit meaning and all you mention before about many hop to Server, lead me to think that there is issue with SW-Server timeout, and debug show us that, 
so please make timeout long enough.  

View solution in original post

27 Replies 27

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

I dont get it ?

Different network than RADIUS Server. RADIUS Server is in network 137. But I'm able to ping from Network 132; however Clients from that network got Access Denied.

 

raul_sambula@yahoo.com

the client not direct connect to radius server, 
the SW or Router is connect to radius, the Q what service you run here ?

Hello,

post a diagram of your topology showing what devices are involved, and how the devices are connected.

 

this is connectivity issue between SW and AAA server, 
do this 
ping <AAA IP > source <VLAN IP> 
check if the ping is OK if not, I think you need 
1- specify the source of AAA packet in SW 
2- config default GW in SW 
or
3- config static route for server. 

last point, how you config two link to Server via vlan 99 and in same time each vlan have different subnet. ?

RaulSambula40179
Beginner
Beginner

I'm able to ping from source to Server. Both subnets belong to the same domain.

And same radius group

can I see the success ping ? what commend you use ?

ping from Sw 137...
ping 137....
Type escape sequence...
sending 5, 100-byte ICMP Echos to .... timeout is 2s
success rate is 100 percent (5/5).... 1/1/1 ms

ping from Sw 132

ping 132....

same result difference is at the end 76/76/77 ms

 

Yes but I suggest to use source with ping, 
this source is same IP you add in AAA server. 
this make us sure that there is connection between specific VLAN and server 

Yes. VLan99 is the management VLan and when I ssh to it, I use that source IP

I make small lab,
the tacacs server add SW VLAN 99 SVI IP  as device IP 
now you can see that ping from SW to server is success 
but ping with source vlan 99 is failed !!
so check 
are the SW is L3 SW via ip routing command ?
are the SW is use separate Router for inter-vlan ?

Screenshot (212).png

ping from source VLan99 was a success.

SW are C9300s so they're L3. We're not using ip routing for RADIUS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers