Solved: Radius on switch Catalyst

emilianopozzessere · ‎12-05-2022

Hi, I have configured my switch Cisco Catalyst 2960 L ver.15.2(6) for login with Radius.

aaa group server radius GRP-TEST
server name Present
!
aaa authentication login TEST group GRP-TEST local
aaa authorization exec default local
aaa authorization exec TEST group GRP-TEST local

!

radius server Test
address ipv4 10.7.1.20 auth-port 1645 acct-port 1646
timeout 5
retransmit 2
key *********

The authentication works, but if I remove user from local database TEST, the authentication doesn't work.

Can you help me, please?

Best regards

amikat · ‎12-05-2022

Hi,

In my view the issue is not authentication (which is OK - Access-Accepted), but authorization. Configuring "aaa authorization exec default local" and removing the user from the local database the authorization will never be possible and the connection will fail. Will you please check with the "aaa authorization exec TEST group GRP-TEST local" configuration command only.

Best regards,

Antonin

View solution in original post

MHM Cisco World · ‎12-05-2022

can you more elaborate ?

emilianopozzessere · ‎12-05-2022

Hi, the problem is that if i delete my username from the local database i can't login to the switch anymore. I don't understand, why without local account it won't let me login, the local account should serve only as a backup. I also tried debugging radius and authentication.

Dec 5 13:01:06.008: AAA/BIND(00000027): Bind i/f
Dec 5 13:01:06.008: AAA/AUTHEN/LOGIN (00000027): Pick method list 'TEST'
Dec 5 13:01:06.008: RADIUS/ENCODE(00000027): ask "Password: "
Dec 5 13:01:06.008: RADIUS/ENCODE(00000027): send packet; GET_PASSWORD
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027):Orig. component type = Exec
Dec 5 13:01:06.009: RADIUS: AAA Unsupported Attr: interface [221] 4 90897040
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Dec 5 13:01:06.009: RADIUS(00000027): Config NAS IP: 0.0.0.0
Dec 5 13:01:06.009: RADIUS(00000027): Config NAS IPv6: ::
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027): acct_session_id: 29
Dec 5 13:01:06.009: RADIUS(00000027): sending
Dec 5 13:01:06.009: RADIUS/ENCODE: Best Local IP-Address 10.5.1.13 for Radius-Server 10.7.1.20
Dec 5 13:01:06.010: RADIUS(00000027): Send Access-Request to 10.7.1.20:1645 onvrf(0) id 1645/34, len 87
Dec 5 13:01:06.010: RADIUS: authenticator EF D1 C8 5E 85 CE B5 5E - CC BE 52 9E 5E 1A FF 1C
Dec 5 13:01:06.010: RADIUS: User-Name [1] 13 "epozzessere"
Dec 5 13:01:06.010: RADIUS: Reply-Message [18] 12
Dec 5 13:01:06.010: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Dec 5 13:01:06.010: RADIUS: User-Password [2] 18 *
Dec 5 13:01:06.010: RADIUS: NAS-Port [5] 6 2
Dec 5 13:01:06.010: RADIUS: NAS-Port-Id [87] 6 "tty2"
Dec 5 13:01:06.010: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Dec 5 13:01:06.010: RADIUS: NAS-IP-Address [4] 6 10.5.1.13
Dec 5 13:01:06.010: RADIUS(00000027): Sending a IPv4 Radius Packet
Dec 5 13:01:06.011: RADIUS(00000027): Started 5 sec timeout
Dec 5 13:01:06.017: RADIUS: Received from id 1645/34 10.7.1.20:1645, Access-Accept, len 102
Dec 5 13:01:06.017: RADIUS: authenticator C5 4B A7 90 B1 65 B9 4F - 5C 35 1B 88 15 6A 2A 6A
Dec 5 13:01:06.017: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 5 13:01:06.017: RADIUS: Service-Type [6] 6 Administrative [6]
Dec 5 13:01:06.017: RADIUS: Class [25] 46
Dec 5 13:01:06.018: RADIUS: 3A C6 05 6D 00 00 01 37 00 01 02 00 0A 07 01 14 00 00 00 00 00 00 00 00 00 00 00 00 01 D9 00 D7 9A B1 38 4E 00 00 00 00 00 02 A3 E4 [ :m78N]
Dec 5 13:01:06.018: RADIUS: Vendor, Microsoft [26] 12
Dec 5 13:01:06.018: RADIUS: MS-Link-Util-Thresh[14] 6
Dec 5 13:01:06.018: RADIUS: 00 00 00 32 [ 2]
Dec 5 13:01:06.018: RADIUS: Vendor, Microsoft [26] 12
Dec 5 13:01:06.018: RADIUS: MS-Link-Drop-Time-L[15] 6
Dec 5 13:01:06.018: RADIUS: 00 00 00 78 [ x]
Dec 5 13:01:06.018: RADIUS(00000027): Received from id 1645/34

balaji.bandi · ‎12-05-2022

is this for device administratio or 802.1x ?

aaa group server radius GRP-TEST
server name Present ( do you have Present radius configured)

I believe you need to change this to :

aaa group server radius GRP-TEST
server name Test

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

emilianopozzessere · ‎12-05-2022

Hi, it's for administration.

Yes sorry, i change the name with Test, but really Present, it's correct

MHM Cisco World · ‎12-05-2022

under vty do you config
login authentication TEST <<-- this need to make VTY ask server for password

NOTE:- use AAA server only for the VTY for console use always local.

MHM Cisco World · ‎12-05-2022

As i guess you need under vty line below command.

login authentication

MHM Cisco World · ‎12-05-2022

NOTE:- use AAA server only for the VTY for console use always local.

If you lose connection to aaa server you can still access via console using local user/password

balaji.bandi · ‎12-05-2022

Can you post the after changing information - new config

what Radius server ? ISE / ACS / NPAS ?

what is the user source ? LDAP or Locally on Radius ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎12-05-2022

this must be match
if you change one you need to change other.
aaa group server radius GRP-TEST
server name Present
!

radius server Present

emilianopozzessere · ‎12-05-2022

Hi, this is full configuration

preto-sw13-NetworkReale#show running-config
Building configuration...

Current configuration : 4707 bytes
!
! Last configuration change at 16:11:50 met Mon Dec 5 2022 by epozzessere
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname preto-sw13-NetworkReale
!
username epozzessere secret 5 $1$sR9d$ogsT.nmjY3T2aWasU3R3n/
aaa new-model
!
aaa group server radius GRP-PRESENT
server name Present
!
aaa authentication login default group GRP-PRESENT local
aaa authorization exec default local
!
aaa session-id common
clock timezone met 1 0
clock summer-time MET+1 recurring last Sun Mar 2:00 last Sun Oct 3:00

ip domain-name it-present.com
ip name-server 10.7.1.70
ip name-server 10.7.1.20
!
authentication mac-move permit
!
lldp run
!
ip ssh source-interface Vlan1
ip ssh version 2
!
no radius-server vsa send authentication
!
radius server Present
address ipv4 10.7.1.20 auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key ************
!
!
line con 0
line vty 0 4
exec-timeout 60 0
transport preferred ssh
transport input all
line vty 5 15
exec-timeout 60 0
transport preferred ssh
transport input all
!
end

balaji.bandi · ‎12-05-2022

Rather making complicated when not working, i prefer to test single Radius server (then add more in group)

test example :

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key XXXXXXXX

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!

Note : we expected users created in Radius (by the way what radius server ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

amikat · ‎12-05-2022

Hi,

In my view the issue is not authentication (which is OK - Access-Accepted), but authorization. Configuring "aaa authorization exec default local" and removing the user from the local database the authorization will never be possible and the connection will fail. Will you please check with the "aaa authorization exec TEST group GRP-TEST local" configuration command only.

Best regards,

Antonin

emilianopozzessere · ‎12-06-2022

Thanks Amikat, you were right, I had not configured the group Radius in authorization, now it's work

MHM Cisco World · ‎12-05-2022

@emilianopozzessere

I will make lab and send you result.

Soon tonight.

Thanks.