Smart card authentication to Cisco Catalyst switch using NPS/RADIUS

Hi all

We implemented smart card authentication for our user accounts but can't get the smart card auth working on our Cisco Catalyst switches, using Windows NPS running RADIUS as AAA.

We have been troubleshooting issues with Windows NPS server running RADIUS for weeks.

We have a POC switch that is not domain joined (10.10.1.8) and we want to use RADIUS authentication with our Microsoft NPS (10.25.2.116). We don't see any blocks on firewalls, etc. We have got smart card auth working when bypassing the NPS server, but when we throw it into the equation using aaa authorization and authentication commands on the switch, we get errors (event ID 6273, NULL SID as security ID, and reason code 16: "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.").

Here are the debug outputs from the switch. Username and email address redacted. We notice a difference in the User-Name attribute, in NAS-Port (1 for username/password, 2 for smart card auth with userPrincipalName), and differences in NAS-Port-Type and Service-Type.

Successful output when we use username and password authentication to connect to the switch:

Jan 21 2025 12:30:41.586 PST: RADIUS/ENCODE: Best Local IP-Address 10.10.1.8 for Radius-Server 10.25.2.116
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/53, len 74
Jan 21 2025 12:30:41.586 PST: RADIUS: authenticator 3E 7E 70 FB 78 BA 2C 3D - 72 A1 D7 C7 80 BC 81 7C
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Name [1] 12 "admin"
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Password [2] 18 *
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port [5] 6 1
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port-Id [87] 6 "tty2"
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-IP-Address [4] 6 10.10.1.8
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Sending a IPv4 Radius Packet
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Started 5 sec timeout
Jan 21 2025 12:30:42.278 PST: RADIUS: Received from id 1645/53 10.25.2.116:1812, Access-Accept, len 214
Jan 21 2025 12:30:42.278 PST: RADIUS: authenticator A1 9B 8E 7B 63 3C 6A EC - EC 5D F1 D3 C5 FC 4F 49
Jan 21 2025 12:30:42.278 PST: RADIUS: Message-Authenticato[80] 18
Jan 21 2025 12:30:42.278 PST: RADIUS: FC E9 A5 C5 E4 82 A9 3E 3F 2D 16 4E D6 F1 7D A3 [ >?-N}]
Jan 21 2025 12:30:42.278 PST: RADIUS: Service-Type [6] 6 Administrative [6]
Jan 21 2025 12:30:42.278 PST: RADIUS: Service-Type [6] 6 Login [1]
Jan 21 2025 12:30:42.281 PST: RADIUS: Class [25] 46
Jan 21 2025 12:30:42.281 PST: RADIUS: 47 75 05 7E 00 00 01 37 00 01 02 00 0A 19 02 74 00 00 00 00 00 00 00 00 00 00 00 00 01 DB 4B 5F 72 4D 91 E6 00 00 00 00 00 00 00 ED [ Gu~7tK_rM]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Cisco [26] 45
Jan 21 2025 12:30:42.281 PST: RADIUS: Cisco AVpair [1] 39 "cisco-avpair=pki:cert-application=all"
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Cisco [26] 25
Jan 21 2025 12:30:42.281 PST: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-Link-Util-Thresh[14] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 32 [ 2]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-Link-Drop-Time-L[15] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 78 [ x]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-MPPE-Enc-Policy [7] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 01
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-MPPE-Enc-Type [8] 6

Failure output when trying to connect with smart card authentication:

Jan 21 2025 10:51:32.447 PST: RADIUS/ENCODE: Best Local IP-Address 10.10.1.8 for Radius-Server 10.25.2.116
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/37, len 99
Jan 21 2025 10:51:32.447 PST: RADIUS:  authenticator A6 91 58 99 9B 74 FB 78 - 65 83 E8 E5 9F 37 A6 2D
Jan 21 2025 10:51:32.447 PST: RADIUS:  User-Name           [1]   31  "admin@company.com"
Jan 21 2025 10:51:32.447 PST: RADIUS:  User-Password       [2]   18  *
Jan 21 2025 10:51:32.447 PST: RADIUS:  NAS-Port            [5]   6   2                        
Jan 21 2025 10:51:32.447 PST: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
Jan 21 2025 10:51:32.447 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jan 21 2025 10:51:32.447 PST: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Jan 21 2025 10:51:32.447 PST: RADIUS:  NAS-IP-Address      [4]   6   10.10.1.8                 
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Sending a IPv4 Radius Packet
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Started 5 sec timeout
Jan 21 2025 10:51:32.499 PST: RADIUS: Received from id 1645/37 10.25.2.116:1812, Access-Reject, len 38
Jan 21 2025 10:51:32.499 PST: RADIUS:  authenticator 8F C7 6F 0C A0 2F 94 FC - 30 1C 3B 2B 58 F6 FC 43
Jan 21 2025 10:51:32.499 PST: RADIUS:  Message-Authenticato[80]  18  
Jan 21 2025 10:51:32.499 PST: RADIUS:   9F 17 DF BE 3A 20 8D 18 EF A9 29 67 86 25 C4 88             [ : )g?]
Jan 21 2025 10:51:32.503 PST: RADIUS(00000081): Received from id 1645/37
Jan 21 2025 10:51:32.503 PST: AAA/AUTHOR/EXEC(00000081): Authorization FAILED
Jan 21 2025 10:51:34.603 PST: SSH0: Session terminated normally

NPS server event 6273 output (denied access to user):

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
  Security ID:      NULL SID
  Account Name:      admin
  Account Domain:      DOMAIN
  Fully Qualified Account Name:  DOMAIN\admin

Client Machine:
  Security ID:      NULL SID
  Account Name:      -
  Fully Qualified Account Name:  -
  Called Station Identifier:    -
  Calling Station Identifier:    -

NAS:
  NAS IPv4 Address:    10.10.1.8
  NAS IPv6 Address:    -
  NAS Identifier:      -
  NAS Port-Type:      Virtual
  NAS Port:      2

RADIUS Client:
  Client Friendly Name:    us-nhq-lab-sw.domain.com
  Client IP Address:      10.10.1.8

Authentication Details:
  Connection Request Policy Name:  POC Use Windows authentication for all users
  Network Policy Name:    -
  Authentication Provider:    Windows
  Authentication Server:    RADIUSSERVER.domain.com
  Authentication Type:    PAP
  EAP Type:      -
  Account Session Identifier:    -
  Logging Results:      Accounting information was written to the local log file.
  Reason Code:      16
  Reason:        Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The crypto pki trustpoint has been configured with the issuing CA. The root CA is not necessary, I believe (?), but when we do add the root CA we see the same errors.

Please let me know if a full switch config is necessary. PLEASE assist us as we are going nowhere and are starting to give up on this project.

Thanks

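As an added example (not part of the original post or of any Cisco/Microsoft tool), the script below parses the `debug radius` output format shown above and diffs the Access-Request attributes between the working password login and the failing smart card login, which is the comparison the poster made by eye. The sample text is constructed by abridging the two captures quoted in the post; it assumes the attribute lines keep Cisco's `Name [type] length value` layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: Access-Request/response lines abridged from the two
# "debug radius" captures in the post (timestamps, authenticators, hex dumps dropped).
OK_DEBUG = """\
RADIUS(000000AF): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/53, len 74
RADIUS: User-Name [1] 12 "admin"
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 6 "tty2"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Received from id 1645/53 10.25.2.116:1812, Access-Accept, len 214
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
"""
FAIL_DEBUG = """\
RADIUS(00000081): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/37, len 99
RADIUS:  User-Name           [1]   31  "admin@company.com"
RADIUS:  NAS-Port            [5]   6   2
RADIUS:  NAS-Port-Id         [87]  6   "tty1"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS: Received from id 1645/37 10.25.2.116:1812, Access-Reject, len 38
"""

# Packet header (request sent / response received) and one "Name [type] len value" attribute line.
PKT_RE = re.compile(r"RADIUS(?:\(\w+\))?: (?:Send (Access-\w+)|Received from .*?, (Access-\w+))")
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w -]*?)\s+\[\d+\]\s+\d+\s*(.*)$")

def parse_packets(debug_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Group each attribute line under the packet header that precedes it."""
    packets: List[Tuple[str, Dict[str, str]]] = []
    for line in debug_text.splitlines():
        if m := PKT_RE.search(line):
            packets.append((m.group(1) or m.group(2), {}))
        elif (a := ATTR_RE.search(line)) and packets:
            name, value = a.groups()
            # Drop the trailing enum code ("Virtual [5]" -> "Virtual") and surrounding quotes.
            packets[-1][1][name] = re.sub(r"\s+\[\d+\]$", "", value.strip()).strip('"')
    return packets

def diff_requests(ok_text: str, fail_text: str) -> Dict[str, Tuple[str, str]]:
    """Request attributes that differ, or exist on only one side, between two captures."""
    a = next(attrs for code, attrs in parse_packets(ok_text) if code == "Access-Request")
    b = next(attrs for code, attrs in parse_packets(fail_text) if code == "Access-Request")
    return {k: (a.get(k, "<absent>"), b.get(k, "<absent>"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def response_code(debug_text: str) -> str:
    """Server verdict in a capture: Access-Accept, Access-Reject or 'none'."""
    return next((c for c, _ in parse_packets(debug_text) if c != "Access-Request"), "none")
```

Running `diff_requests(OK_DEBUG, FAIL_DEBUG)` on the abridged captures reports User-Name, NAS-Port, NAS-Port-Id and Service-Type as the attributes that differ, while attributes with the same value on both sides (such as NAS-Port-Type) are left out of the report.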