01-21-2025 01:39 PM - edited 01-21-2025 02:04 PM
Hi all
We implemented smart card authentication for our user accounts but can't get the smart card auth working on our Cisco Catalyst switches, using Windows NPS running RADIUS as AAA.
We have been troubleshooting issues with Windows NPS server running RADIUS for weeks.
We have a POC switch that is not domain joined (10.10.1.8) and we want to use RADIUS authentication with our Microsoft NPS (10.25.2.116). We don't see any blocks on firewalls, etc. We have got smart card auth working when bypassing the NPS server, but when we throw it into the equation using aaa authorization and authentication commands on the switch, we get errors (event ID 6273, NULL SID as security ID and reason code 16 - "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.").
Here are the debug outputs from the switch. Username and email address redacted. We notice a difference in the User-Name attribute, NAS-Port (1 for username/password, 2 for smart card auth with userprincipalname), and differences in NAS-Port-Type and Service-Type.
Successful output when we use username and password authentication to connect to the switch:
Jan 21 2025 12:30:41.586 PST: RADIUS/ENCODE: Best Local IP-Address 10.10.1.8 for Radius-Server 10.25.2.116
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/53, len 74
Jan 21 2025 12:30:41.586 PST: RADIUS: authenticator 3E 7E 70 FB 78 BA 2C 3D - 72 A1 D7 C7 80 BC 81 7C
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Name [1] 12 "admin"
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Password [2] 18 *
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port [5] 6 1
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port-Id [87] 6 "tty2"
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-IP-Address [4] 6 10.10.1.8
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Sending a IPv4 Radius Packet
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Started 5 sec timeout
Jan 21 2025 12:30:42.278 PST: RADIUS: Received from id 1645/53 10.25.2.116:1812, Access-Accept, len 214
Jan 21 2025 12:30:42.278 PST: RADIUS: authenticator A1 9B 8E 7B 63 3C 6A EC - EC 5D F1 D3 C5 FC 4F 49
Jan 21 2025 12:30:42.278 PST: RADIUS: Message-Authenticato[80] 18
Jan 21 2025 12:30:42.278 PST: RADIUS: FC E9 A5 C5 E4 82 A9 3E 3F 2D 16 4E D6 F1 7D A3 [ >?-N}]
Jan 21 2025 12:30:42.278 PST: RADIUS: Service-Type [6] 6 Administrative [6]
Jan 21 2025 12:30:42.278 PST: RADIUS: Service-Type [6] 6 Login [1]
Jan 21 2025 12:30:42.281 PST: RADIUS: Class [25] 46
Jan 21 2025 12:30:42.281 PST: RADIUS: 47 75 05 7E 00 00 01 37 00 01 02 00 0A 19 02 74 00 00 00 00 00 00 00 00 00 00 00 00 01 DB 4B 5F 72 4D 91 E6 00 00 00 00 00 00 00 ED [ Gu~7tK_rM]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Cisco [26] 45
Jan 21 2025 12:30:42.281 PST: RADIUS: Cisco AVpair [1] 39 "cisco-avpair=pki:cert-application=all"
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Cisco [26] 25
Jan 21 2025 12:30:42.281 PST: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-Link-Util-Thresh[14] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 32 [ 2]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-Link-Drop-Time-L[15] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 78 [ x]
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-MPPE-Enc-Policy [7] 6
Jan 21 2025 12:30:42.281 PST: RADIUS: 00 00 00 01
Jan 21 2025 12:30:42.281 PST: RADIUS: Vendor, Microsoft [26] 12
Jan 21 2025 12:30:42.281 PST: RADIUS: MS-MPPE-Enc-Type [8] 6
Failure output when trying to connect with smart card authentication:
Jan 21 2025 10:51:32.447 PST: RADIUS/ENCODE: Best Local IP-Address 10.10.1.8 for Radius-Server 10.25.2.116
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/37, len 99
Jan 21 2025 10:51:32.447 PST: RADIUS: authenticator A6 91 58 99 9B 74 FB 78 - 65 83 E8 E5 9F 37 A6 2D
Jan 21 2025 10:51:32.447 PST: RADIUS: User-Name [1] 31 "admin@company.com"
Jan 21 2025 10:51:32.447 PST: RADIUS: User-Password [2] 18 *
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-Port [5] 6 2
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-Port-Id [87] 6 "tty1"
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 21 2025 10:51:32.447 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-IP-Address [4] 6 10.10.1.8
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Sending a IPv4 Radius Packet
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Started 5 sec timeout
Jan 21 2025 10:51:32.499 PST: RADIUS: Received from id 1645/37 10.25.2.116:1812, Access-Reject, len 38
Jan 21 2025 10:51:32.499 PST: RADIUS: authenticator 8F C7 6F 0C A0 2F 94 FC - 30 1C 3B 2B 58 F6 FC 43
Jan 21 2025 10:51:32.499 PST: RADIUS: Message-Authenticato[80] 18
Jan 21 2025 10:51:32.499 PST: RADIUS: 9F 17 DF BE 3A 20 8D 18 EF A9 29 67 86 25 C4 88 [ : )g?]
Jan 21 2025 10:51:32.503 PST: RADIUS(00000081): Received from id 1645/37
Jan 21 2025 10:51:32.503 PST: AAA/AUTHOR/EXEC(00000081): Authorization FAILED
Jan 21 2025 10:51:34.603 PST: SSH0: Session terminated normally
NPS server event 6273 output (Denied access to user)
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: admin
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\admin
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 10.10.1.8
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 2
RADIUS Client:
Client Friendly Name: us-nhq-lab-sw.domain.com
Client IP Address: 10.10.1.8
Authentication Details:
Connection Request Policy Name: POC Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: RADIUSSERVER.domain.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The crypto pki trustpoint has been configured with the issuing CA. Root CA not necessary I believe (?), but when we do add the root CA we see the same errors.
Please let me know if a full switch config is necessary. PLEASE assist us as we are going nowhere and are starting to give up on this project.
Thanks
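A small parser for the "debug radius" attribute lines quoted in the post, added here as an example (it is not from the original post, from Cisco or from Microsoft), that pulls the Access-Request attributes out of the working and the failing session and reports which ones differ. The sample lines are constructed from the post's redacted output so the script runs offline.

```python
import re

# Constructed sample of Cisco "debug radius" output in the format shown in the
# post; values are copied from the post (already redacted), not a live capture.
OK_DEBUG = """\
Jan 21 2025 12:30:41.586 PST: RADIUS(000000AF): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/53, len 74
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Name [1] 12 "admin"
Jan 21 2025 12:30:41.586 PST: RADIUS: User-Password [2] 18 *
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port [5] 6 1
Jan 21 2025 12:30:41.586 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 21 2025 12:30:42.278 PST: RADIUS: Received from id 1645/53 10.25.2.116:1812, Access-Accept, len 214
"""
FAIL_DEBUG = """\
Jan 21 2025 10:51:32.447 PST: RADIUS(00000081): Send Access-Request to 10.25.2.116:1812 onvrf(0) id 1645/37, len 99
Jan 21 2025 10:51:32.447 PST: RADIUS: User-Name [1] 31 "admin@company.com"
Jan 21 2025 10:51:32.447 PST: RADIUS: User-Password [2] 18 *
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-Port [5] 6 2
Jan 21 2025 10:51:32.447 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jan 21 2025 10:51:32.447 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Jan 21 2025 10:51:32.499 PST: RADIUS: Received from id 1645/37 10.25.2.116:1812, Access-Reject, len 38
"""

# One attribute line: "RADIUS: <Name> [<type>] <len> <value>"
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[\w-]+)\s+\[\d+\]\s+\d+\s*(?P<value>.*)$")
RECV_RE = re.compile(r"Received from id \S+ \S+, (?P<code>Access-\w+)")


def parse_access_request(debug):
    """Return (attributes of the Access-Request, server reply code)."""
    attrs, reply, in_request = {}, "no-reply", False
    for line in debug.splitlines():
        if "Send Access-Request" in line:
            in_request = True          # attribute lines that follow belong to it
            continue
        m = RECV_RE.search(line)
        if m:
            reply, in_request = m.group("code"), False
            continue
        m = ATTR_RE.search(line)
        if in_request and m:
            attrs[m.group("name")] = m.group("value").strip()
    return attrs, reply


def diff_requests(good, bad):
    """Attributes whose value differs between the two requests, or is missing on one side."""
    diff = {}
    for name in sorted(set(good) | set(bad)):
        if good.get(name) != bad.get(name):
            diff[name] = (good.get(name, "<absent>"), bad.get(name, "<absent>"))
    return diff
```

On the post's output this reports User-Name, NAS-Port and Service-Type as the attributes that changed, and shows NAS-Port-Type as identical in both requests.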