12-05-2022 05:30 AM
Hi, I have configured my Cisco Catalyst 2960L switch (ver. 15.2(6)) for login with RADIUS.
aaa group server radius GRP-TEST
server name Present
!
aaa authentication login TEST group GRP-TEST local
aaa authorization exec default local
aaa authorization exec TEST group GRP-TEST local
!
radius server Test
address ipv4 10.7.1.20 auth-port 1645 acct-port 1646
timeout 5
retransmit 2
key *********
The authentication works, but if I remove the user from the local database TEST, the authentication doesn't work anymore.
Can you help me, please?
Best regards
12-05-2022 08:43 AM
Hi,
In my view the issue is not authentication (which is OK - Access-Accept), but authorization. With "aaa authorization exec default local" configured and the user removed from the local database, authorization will never be possible and the connection will fail. Could you please check with the "aaa authorization exec TEST group GRP-TEST local" configuration command only?
Best regards,
Antonin
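As an added illustration (not the thread's own config or code), this small Python model walks the two AAA method lists the way IOS does and reproduces the symptom above: the login list passes on the Access-Accept, but an exec authorization list consisting only of local fails once the username is gone. It assumes that IOS falls through to the next method only when a server is unreachable (not on a reject) and that exec authorization via the RADIUS group is satisfied by the Service-Type Administrative attribute seen in the debug.

```python
# Added example (not the thread's own config): a model of how IOS walks an AAA
# method list. Assumptions: a method returns PASS, FAIL or ERROR and IOS tries
# the next method only on ERROR (server unreachable), never on FAIL; exec
# authorization via 'group <radius>' is satisfied by the Service-Type attribute
# in the Access-Accept, which the poster's debug shows as Administrative [6].

# Constructed from the Access-Accept in the 'debug radius' output above.
RADIUS_ACCEPT = {"epozzessere": {"Service-Type": "Administrative"}}
EXEC_SERVICE_TYPES = ("Administrative", "NAS-Prompt")  # values that grant a shell

def group_radius(user, phase, server_up, local_users):
    """Method 'group GRP-PRESENT': the answer comes from the RADIUS server."""
    if not server_up:
        return "ERROR"  # timeout after retransmits -> try the next method
    attrs = RADIUS_ACCEPT.get(user)
    if attrs is None:
        return "FAIL"   # Access-Reject is final, no fallback
    if phase == "login":
        return "PASS"
    return "PASS" if attrs.get("Service-Type") in EXEC_SERVICE_TYPES else "FAIL"

def local(user, phase, server_up, local_users):
    """Method 'local': only knows 'username ...' lines in the running-config."""
    return "PASS" if user in local_users else "FAIL"

METHODS = {"group GRP-PRESENT": group_radius, "local": local}

def run_list(methods, user, phase, server_up, local_users):
    """Evaluate a method list left to right; fall through only on ERROR."""
    for name in methods:
        result = METHODS[name](user, phase, server_up, local_users)
        if result != "ERROR":
            return result  # PASS or FAIL ends the walk
    return "FAIL"          # every method errored

def ssh_login(user, server_up, local_users, authz_methods):
    """'aaa authentication login default group GRP-PRESENT local', then the
    given 'aaa authorization exec default ...' method list."""
    login = run_list(["group GRP-PRESENT", "local"], user, "login", server_up, local_users)
    if login != "PASS":
        return "login rejected"
    authz = run_list(authz_methods, user, "exec", server_up, local_users)
    return "exec shell" if authz == "PASS" else "authorization failed"

# Poster's symptom: 'aaa authorization exec default local' and no local user.
SYMPTOM = ssh_login("epozzessere", True, set(), ["local"])
# Antonin's fix: add the RADIUS group to the exec authorization list.
FIXED = ssh_login("epozzessere", True, set(), ["group GRP-PRESENT", "local"])
```

A named list such as TEST only takes effect when it is also applied under the vty lines (login authentication TEST / authorization exec TEST); the running-config posted later uses the default lists, so there the equivalent change is aaa authorization exec default group GRP-PRESENT local.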
12-05-2022 05:43 AM
Can you elaborate more?
12-05-2022 06:08 AM
Hi, the problem is that if I delete my username from the local database I can't log in to the switch anymore. I don't understand why it won't let me log in without a local account; the local account should serve only as a backup. I also tried debugging RADIUS and authentication.
Dec 5 13:01:06.008: AAA/BIND(00000027): Bind i/f
Dec 5 13:01:06.008: AAA/AUTHEN/LOGIN (00000027): Pick method list 'TEST'
Dec 5 13:01:06.008: RADIUS/ENCODE(00000027): ask "Password: "
Dec 5 13:01:06.008: RADIUS/ENCODE(00000027): send packet; GET_PASSWORD
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027):Orig. component type = Exec
Dec 5 13:01:06.009: RADIUS: AAA Unsupported Attr: interface [221] 4 90897040
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Dec 5 13:01:06.009: RADIUS(00000027): Config NAS IP: 0.0.0.0
Dec 5 13:01:06.009: RADIUS(00000027): Config NAS IPv6: ::
Dec 5 13:01:06.009: RADIUS/ENCODE(00000027): acct_session_id: 29
Dec 5 13:01:06.009: RADIUS(00000027): sending
Dec 5 13:01:06.009: RADIUS/ENCODE: Best Local IP-Address 10.5.1.13 for Radius-Server 10.7.1.20
Dec 5 13:01:06.010: RADIUS(00000027): Send Access-Request to 10.7.1.20:1645 onvrf(0) id 1645/34, len 87
Dec 5 13:01:06.010: RADIUS: authenticator EF D1 C8 5E 85 CE B5 5E - CC BE 52 9E 5E 1A FF 1C
Dec 5 13:01:06.010: RADIUS: User-Name [1] 13 "epozzessere"
Dec 5 13:01:06.010: RADIUS: Reply-Message [18] 12
Dec 5 13:01:06.010: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Dec 5 13:01:06.010: RADIUS: User-Password [2] 18 *
Dec 5 13:01:06.010: RADIUS: NAS-Port [5] 6 2
Dec 5 13:01:06.010: RADIUS: NAS-Port-Id [87] 6 "tty2"
Dec 5 13:01:06.010: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Dec 5 13:01:06.010: RADIUS: NAS-IP-Address [4] 6 10.5.1.13
Dec 5 13:01:06.010: RADIUS(00000027): Sending a IPv4 Radius Packet
Dec 5 13:01:06.011: RADIUS(00000027): Started 5 sec timeout
Dec 5 13:01:06.017: RADIUS: Received from id 1645/34 10.7.1.20:1645, Access-Accept, len 102
Dec 5 13:01:06.017: RADIUS: authenticator C5 4B A7 90 B1 65 B9 4F - 5C 35 1B 88 15 6A 2A 6A
Dec 5 13:01:06.017: RADIUS: Framed-Protocol [7] 6 PPP [1]
Dec 5 13:01:06.017: RADIUS: Service-Type [6] 6 Administrative [6]
Dec 5 13:01:06.017: RADIUS: Class [25] 46
Dec 5 13:01:06.018: RADIUS: 3A C6 05 6D 00 00 01 37 00 01 02 00 0A 07 01 14 00 00 00 00 00 00 00 00 00 00 00 00 01 D9 00 D7 9A B1 38 4E 00 00 00 00 00 02 A3 E4 [ :m78N]
Dec 5 13:01:06.018: RADIUS: Vendor, Microsoft [26] 12
Dec 5 13:01:06.018: RADIUS: MS-Link-Util-Thresh[14] 6
Dec 5 13:01:06.018: RADIUS: 00 00 00 32 [ 2]
Dec 5 13:01:06.018: RADIUS: Vendor, Microsoft [26] 12
Dec 5 13:01:06.018: RADIUS: MS-Link-Drop-Time-L[15] 6
Dec 5 13:01:06.018: RADIUS: 00 00 00 78 [ x]
Dec 5 13:01:06.018: RADIUS(00000027): Received from id 1645/34
12-05-2022 06:15 AM
Is this for device administration or 802.1X?
aaa group server radius GRP-TEST
server name Present (do you have a RADIUS server named Present configured?)
I believe you need to change this to:
aaa group server radius GRP-TEST
server name Test
12-05-2022 06:19 AM
Hi, it's for administration.
Yes, sorry, I changed the name to Test here, but really it is Present, which is correct.
12-05-2022 06:28 AM
Under vty, did you configure
login authentication TEST <<-- this is needed to make the VTY ask the server for the password
NOTE: use the AAA server only for the VTY; for the console always use local.
12-05-2022 08:12 AM - edited 12-05-2022 08:15 AM
As I guess, you need the command below under the vty line.
login authentication
12-05-2022 08:14 AM
NOTE: use the AAA server only for the VTY; for the console always use local.
If you lose the connection to the AAA server you can still access the switch via the console using a local user/password.
12-05-2022 06:31 AM
Can you post the information after the change (the new config)?
What RADIUS server? ISE / ACS / NPAS?
What is the user source? LDAP or local on the RADIUS server?
12-05-2022 06:34 AM
These must match;
if you change one you need to change the other.
aaa group server radius GRP-TEST
server name Present
!
radius server Present
12-05-2022 08:08 AM
Hi, this is the full configuration:
preto-sw13-NetworkReale#show running-config
Building configuration...
Current configuration : 4707 bytes
!
! Last configuration change at 16:11:50 met Mon Dec 5 2022 by epozzessere
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname preto-sw13-NetworkReale
!
username epozzessere secret 5 $1$sR9d$ogsT.nmjY3T2aWasU3R3n/
aaa new-model
!
aaa group server radius GRP-PRESENT
server name Present
!
aaa authentication login default group GRP-PRESENT local
aaa authorization exec default local
!
aaa session-id common
clock timezone met 1 0
clock summer-time MET+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
ip domain-name it-present.com
ip name-server 10.7.1.70
ip name-server 10.7.1.20
!
authentication mac-move permit
!
lldp run
!
ip ssh source-interface Vlan1
ip ssh version 2
!
no radius-server vsa send authentication
!
radius server Present
address ipv4 10.7.1.20 auth-port 1645 acct-port 1646
timeout 10
retransmit 3
key ************
!
!
line con 0
line vty 0 4
exec-timeout 60 0
transport preferred ssh
transport input all
line vty 5 15
exec-timeout 60 0
transport preferred ssh
transport input all
!
end
12-05-2022 08:59 AM - edited 12-05-2022 09:00 AM
Rather than making it complicated when it's not working, I prefer to test a single RADIUS server (then add more in a group).
Test example:
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key XXXXXXXX
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
Note: we expect the users to be created on the RADIUS server (by the way, what RADIUS server?)
12-06-2022 06:12 AM
Thanks Amikat, you were right, I had not configured the RADIUS group in authorization; now it works.