05-04-2020 10:03 AM - edited 07-05-2021 12:01 PM
Hi All-
I am working on my first 9800 implementation and set up a 9800-C in the lab. I am having issues using radius to log in to the controller.
I can log in via WEB GUI using radius credentials, I am using ISE as the radius server. I see good radius transactions and the av-pair (shell:priv-lvl=15) is returned from ISE when I log in via web GUI.
When I try to log in via CLI, no request is sent to the radius server. aaa / RADIUS debug shows:
AAA/AUTHEN/LOGIN (000044CE): Pick method list ' Permanent Local'
and there is no transaction in the RADIUS log.
Current config is:
c9800-test-1.stp#show run aaa
!
aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
username admin privilege 15 secret 9 $x$012345abcde#
!
aaa server radius dynamic-author
 client 10.28.16.77 server-key 7 012345abcde
 client 10.18.16.77 server-key 7 012345abcde
!
radius server isepsn1
 address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
 key 7 012345abcde
!
radius server isepsn2
 address ipv4 10.1.2.4 auth-port 1645 acct-port 1646
 key 7 012345abcde
!
radius-server load-balance method least-outstanding
!
aaa group server radius ise_radius_grp
 server name isepsn1
 server name isepsn2
!
aaa local authentication authentication_login authorization authentication_login
aaa new-model
aaa session-id common
Also, on the console, I am always automatically logged in.
What did I miss? Thanks in advance.
Wes
05-04-2020 10:54 AM
What about the VTY lines?
paolo-9800(config)#line vty 0 15
paolo-9800(config-line)#login authentication radAutheMethod
paolo-9800(config-line)#authorization exec radAuthzMethod
You can check this document.
05-06-2020 12:11 AM
Your aaa methods do not match that defined under vty lines (you are missing definition of radAutheMethod/radAuthzMethod):
!
aaa authentication login authentication_login local group ise_radius_grp
aaa authentication dot1x authentication_dot1x group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
!
line vty 0 15
login authentication radAutheMethod
authorization exec radAuthzMethod
HTH
-Jesus
*** Please Rate Helpful Responses ***
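A small offline check for the mismatch discussed in this thread, as an added example that is not part of any post: it parses an IOS-XE style running config and reports con/vty line blocks that apply no named AAA list or reference a list that is never defined. The sample config is constructed from the method-list names quoted in the thread, and the function name `audit_line_aaa` is hypothetical.

```python
import re

# Constructed sample: method lists from the first post, line block from the last reply.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login authentication_login local group ise_radius_grp
aaa authorization exec authentication_login local group ise_radius_grp
line con 0
line vty 0 15
 login authentication radAutheMethod
 authorization exec radAuthzMethod
"""

DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+)")
REFER = re.compile(r"^\s+(login authentication|authorization exec) (\S+)")
KIND = {"login authentication": "authentication login",
        "authorization exec": "authorization exec"}

def audit_line_aaa(config):
    """Return (line_block, problem) findings for con/vty line blocks."""
    defined = set()   # (kind, list_name) pairs from global aaa commands
    blocks = {}       # "line vty 0 15" -> {kind: list_name}
    current = None
    for raw in config.splitlines():
        m = DEFINE.match(raw)
        if m:
            defined.add((m.group(1), m.group(2)))
            current = None
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = {}
        elif current and (m := REFER.match(raw)):
            blocks[current][KIND[m.group(1)]] = m.group(2)
        elif not raw.startswith(" "):
            current = None   # any other top-level command ends the line block
    findings = []
    for block, refs in blocks.items():
        for kind in ("authentication login", "authorization exec"):
            name = refs.get(kind)
            if name is None:
                findings.append((block, f"no named '{kind}' list applied"))
            elif name != "default" and (kind, name) not in defined:
                findings.append((block, f"'{kind}' list {name} is referenced but never defined"))
    return findings

if __name__ == "__main__":
    for block, problem in audit_line_aaa(SAMPLE_CONFIG):
        print(f"{block}: {problem}")
```

Running it against the full output of `show run` (not only `show run aaa`) is what makes the line blocks visible to the check.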