RADIUS connection problem

tedauction
Level 1

Hello, I am trying to establish connection with my Windows RADIUS server for wired dot1x authentication.

I am using the following command 'test aaa group radius server 10.5.1.89 00254593eb90 00254593eb90 legacy'. I have created a correct MAC address object in AD to authenticate against. However, I keep on getting access reject messages. Can anyone tell what is happening from the output of the following logs?

In particular, why is this log showing an asterisk where the password should be? e.g.

Aug 1 16:15:26.046 NZST: RADIUS: User-Password [2] 18 *

Thank you kindly.

Here is my RADIUS related config on the switch:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local if-authenticated
aaa authorization network default group radius

dot1x system-auth-control

radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
radius-server host 10.5.1.89 auth-port 1812 acct-port 1813 key 7 104D000A0618

Here are the logs for failed authentication:

Aug 1 16:15:14: %SYS-5-CONFIG_I: Configured from console by myusername on vty0 (10.90.0.125)
Aug 1 16:15:26.043 NZST: AAA: parse name=<no string> idb type=-1 tty=-1
Aug 1 16:15:26.043 NZST: AAA/MEMORY: create_user (0x75C8BE8) user='00254593eb90 ' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Aug 1 16:15:26.043 NZST: RADIUS: Pick NAS IP for u=0x75C8BE8 tableid=0 cfg_addr=0.0.0.0
Aug 1 16:15:26.043 NZST: RADIUS(00000000): Config NAS IPv6: ::
Aug 1 16:15:26.043 NZST: RADIUS: ustruct sharecount=1
Aug 1 16:15:26.043 NZST: Radius: radius_port_info() success=0 radius_nas_port=1
Aug 1 16:15:26.043 NZST: RADIUS/ENCODE: Best Local IP-Address 192.168.8.66 for Radius-Server 10.5.1.89
Aug 1 16:15:26.043 NZST: RADIUS(00000000): Sending a IPv4 Radius Packet
Aug 1 16:15:26.046 NZST: RADIUS(00000000): Send Access-Request to 10.5.1.89:1812 id 1645/17,len 70
Aug 1 16:15:26.046 NZST: RADIUS: authenticator DC EB 47 29 F6 B1 3E 45 - F5 53 F2 61 2A ED 0F 5F
Aug 1 16:15:26.046 NZST: RADIUS: NAS-IP-Address [4] 6 192.168.8.66
Aug 1 16:15:26.046 NZST: RADIUS: NAS-Port-Type [61] 6 Async [0]
Aug 1 16:15:26.046 NZST: RADIUS: User-Name [1] 14 "00254593eb90"
Aug 1 16:15:26.046 NZST: RADIUS: User-Password [2] 18 *
Aug 1 16:15:26.046 NZST: RADIUS: Service-Type [6] 6 Login [1]
Aug 1 16:15:26.046 NZST: RADIUS(00000000): Started 5 sec timeout
Aug 1 16:15:26.057 NZST: RADIUS: Received from id 1645/17 10.5.1.89:1812, Access-Reject, len 20
Aug 1 16:15:26.057 NZST: RADIUS: authenticator 7A 2C 45 CE AE 4C 27 9A - CB 3C 3E 9C 15 5E 3D 72
Aug 1 16:15:26.057 NZST: RADIUS: saved authorization data for user 75C8BE8 at 0
Aug 1 16:15:26.057 NZST: AAA/MEMORY: free_user (0x75C8BE8) user='00254593eb90' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

6 Replies

Deepak Kumar
VIP Alumni

Hi, 

I am looking at an error in the RADIUS configuration on your device:

"Aug 1 16:15:26.057 NZST: RADIUS: Received from id 1645/17 10.5.1.89:1812, Access-Reject, len 20"

What it means:

Key in router does not match that of the server.

Solution: Please check the key on the server and router. The key must match on both sides.

More Information about this error:

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13862-radius-pppdebug.html

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
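The switch prints an asterisk because it masks User-Password in debug output; on the wire the attribute carries the password XOR-masked with MD5(shared secret + Request Authenticator) per RFC 2865, which is why a server holding a different key decodes garbage and why the switch checks every reply against its own key. This added Python example (not from the thread or from Cisco) builds the same five-attribute Access-Request the debug shows and validates a reply the way a NAS does; the shared secret and Request Authenticator are constructed placeholders, while the attribute values are taken from the debug above.

```python
import hashlib
import struct
# Constructed: secret and Request Authenticator are placeholders; attribute values mirror the debug.
SECRET = b"example-secret"      # placeholder, not the switch's real key
REQ_AUTH = bytes(range(16))     # constructed 16-byte Request Authenticator
NAS_IP = bytes([192, 168, 8, 66])
MAC = b"00254593eb90"           # MAB sends the MAC as both User-Name and User-Password
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 4, 6, 61
ACCESS_REQUEST, ACCESS_REJECT = 1, 3

def encode_user_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret +
    previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decode_user_password(encoded, secret, req_auth):
    """Inverse of the above: the server recovers the cleartext only with the right secret."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value   # Type, Length, Value

def build_access_request(ident, secret=SECRET, req_auth=REQ_AUTH):
    """The five attributes the switch sent, in the same order; total length is 70."""
    attrs = (avp(NAS_IP_ADDRESS, NAS_IP)
             + avp(NAS_PORT_TYPE, struct.pack("!I", 0))   # Async [0]
             + avp(USER_NAME, MAC)
             + avp(USER_PASSWORD, encode_user_password(MAC, secret, req_auth))
             + avp(SERVICE_TYPE, struct.pack("!I", 1)))   # Login [1]
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def reply_is_authentic(reply, req_auth, secret):
    """The check the NAS runs on every reply; a mismatched shared key fails it."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return reply[4:20] == response_authenticator(code, ident, reply[20:length], req_auth, secret)
```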

Hello, thank you.

I have checked the key is identical on the RADIUS server and my Cisco switch. The problem must be something else.

I notice the output of the following command shows a successful transaction even though I received the message 'Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.'.

Does this simply refer to my switch having received a response, regardless of whether authentication with the RADIUS server worked?

mySwitch1#sh aaa servers

RADIUS: id 7, priority 1, host 10.5.1.89, auth-port 1812, acct-port 1813
State: current UP, duration 79s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 1, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 2873717399ms
Transaction: success 1, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 1m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 1 minutes ago: 1
low - 0 hours, 2 minutes ago: 0
average: 0

Please paste your switch configuration and server screenshots so we can identify your issue easily.

As per your last log, this is an issue with NPS server user permission or configuration.

Regards,

Deepak Kumar


Hello, thank you for the assistance. Here is all of my 802.1x configuration. Does this look OK to you? I want to authenticate a phone (via MAB) and a computer connected to the phone via its AD computer account.

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization exec default local if-authenticated
aaa authorization network default group radius
!
aaa session-id common
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/16
description DOT1X_TEST
switchport access vlan 58
switchport mode access
switchport voice vlan 158
authentication event fail action next-method
authentication event server dead action authorize vlan 58
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
!
radius server SERVER1
address ipv4 10.5.1.89 auth-port 1812 acct-port 1813
key 7 00071A150754

Also check the RADIUS config. Do you get any logs in the RADIUS server?

Can you confirm that the RADIUS Object has 192.168.8.66 as the device address for the switch or permits any device?

Hello, thanks guys, the problem turned out to be simply that I was missing the command 'authentication port-control auto' on the interface.
