Unique 2960x AAA issue

DJackson0323903
Level 1

Hello all,

I have a very unique issue. I have recently upgraded the code on a WS-C2960X-48LPD-L to 15.2(7)E7, and AAA is configured, but not working. In fact, it hasn't worked on ANY of my 2960X switches with code 15.2(7)E6 and above. The issue I am having is that I have a Meraki MR42 on which I am trying to create a Secure SSID, so that users can AUTHC with ISE 2.4's RADIUS function.

The AP can ping the ISE servers, but when I configured the AP to AUTHC guests through the ISE portal, it does not send any RADIUS packets to the server. Furthermore, running the command "show AAA servers detailed" only yields a carriage return on the NAD. An ACL is configured, and the NAD is configured in ISE, but it does not communicate with ISE. The question I have is: in order for the MR42 to be able to establish the Secure SSID messages between the client and ISE, AAA must be working on the NAD itself as well, correct? The MR42 should pass the request to the NAD, and then the NAD and ISE begin the negotiation, approve/deny the device and send that query back to the MR42. This negotiation is not happening. I have run debugs on AAA, tried to do a MAB bypass on the AP, and am not able to get a response.

Last anomaly is that other switches that we have, such as the 2960S-24PS-L series, 3560s, 3650s, 3750s and 3850s, basically any other switch that is NOT a 2960X, AAA works just fine. Has anyone else run into this issue? The licenses are basic and all the same, but this only happens on all the 2960X devices we have deployed in the campus. Below is a general AAA configuration that is configured on this lab switch. The result is what I am seeing. Any help would be appreciated. Thank you.


Switch#sh run | s aaa
aaa new-model
aaa group server radius RadiusServers
server x.x.x.x
server x.x.x.x auth-port 1812 acct-port 1813
aaa group server radius ISE-Server
server name ISE-Primary
server name ISE-Secondary
aaa authentication login default group RadiusServers group ISE-Servers local
aaa authentication dot1x default group ISE-Server
aaa authorization network default group ISE-Server
aaa accounting dot1x default start-stop group ISE-Server
aaa server radius dynamic-author
client x.x.x.x server-key n.n.n.n
client x.x.x.x server-key n.n.n.n

Switch#sh aaa servers detail
Switch#

Switch# sh ver 

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C2960X-48LPD-L 15.2(7)E7 C2960X-UNIVERSALK9-M

3 Replies

server x.x.x.x <<- first try 1812,1813 then use 1645,1646
server x.x.x.x auth-port 1812 acct-port 1813 <<- change the port to 1645,1646

Hey, thanks for replying. Yeah, I set it up as the legacy 1645/1646, and still the same thing. Debugs still show no packets going across.

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] <<- this command is missing
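
As an added example (not posted by anyone in this thread), this is what the server definitions the reply above says are missing would look like for the group names in the posted "sh run | s aaa" output. The group uses "server name", so on IOS 15.2(x) each name needs a matching "radius server" block (the successor of the legacy "radius-server host" form); the IP addresses are RFC 5737 documentation addresses and the shared secret is a placeholder, both constructed here.

```ios
! Added example, not from the thread. Named RADIUS servers referenced by the
! posted "aaa group server radius ISE-Server ... server name ISE-Primary".
! Without these blocks the group has no reachable members, which is consistent
! with "show aaa servers" printing nothing.
radius server ISE-Primary
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
radius server ISE-Secondary
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius ISE-Server
 server name ISE-Primary
 server name ISE-Secondary
!
! The posted login line references "group ISE-Servers" (plural) while the group
! defined is "ISE-Server"; group names must match exactly, so the list is
! rewritten here against the defined name (the RadiusServers group is left out
! because its members are not defined in this example).
aaa authentication login default group ISE-Server local
aaa authentication dot1x default group ISE-Server
aaa authorization network default group ISE-Server
aaa accounting dot1x default start-stop group ISE-Server
!
! Legacy equivalent for a group that lists members as "server <ip>" instead
! of "server name <name>", i.e. the command the reply says is missing:
! radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
! Verification once the servers are defined (exec mode):
! show aaa servers
! show radius server-group all
! test aaa group ISE-Server testuser testpassword new-code
```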
