11-22-2022 06:42 AM
In prepping 9800s for production, I cannot get 9800-40 running 17.6.4 to interoperate with the radius server on Windows 2012. I suspect the issue is on the Windows side but so far I have not found a debug command that can show me the reasons why the authentication fails. Any suggestions are appreciated. The Windows 2012 radius server works fine for 802.1X on a WLC5508.
11-22-2022 06:50 AM
Wow, that is an old server. So you believe the issue is with compatibility? Can you please add information on what you are trying to do, how you have it set up, and what the issue is? Also, the logs from the radius server and/or any logs on the controller would help. There is no way to help you with the limited information you provided.
11-22-2022 07:08 AM
The two methods I have attempted so far are the test aaa server method, which is a wireless forum post you commented upon, and this: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html
So far I have avoided importing config conversion commands and was trying to prove it works before I move on to 802.1X authentication setup.
11-22-2022 07:10 AM
I do not control the Windows servers and they have radius logging turned off. That was the first thing I asked for.
11-22-2022 07:53 AM
Without logs, you will not be able to understand what is not working. You should still see auth fails in the system logs, but again, I have never seen a Windows Server with logging turned off. What you posted in regard to the controller radius config is the basics, which doesn't help. You need to look at the policies you have defined on the radius server; that is where the issue is.
11-22-2022 07:57 AM
Agreed, the problem has to be on the Windows side. If you or anyone has a good guide on how to set up the Windows side for Cisco authentication, please share it here. Thanks.
11-22-2022 12:54 PM
There are a lot of blogs and videos on setting up Windows NPS for 802.1x radius. Just search and take a look at a few. You have to add the new devices as a radius client to start with, but again, you need the logs to see where things fail.
Cisco 9800 802.1X/EAP User Authentication with Windows RADIUS (NPS) – How I WI-FI (howiwifi.com)
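Added example, not part of the original thread and not Cisco or Microsoft code: when server-side logging is unavailable, the reply (or silence) to a single PAP Access-Request already separates "not a known RADIUS client or secret mismatch" from "rejected by policy". The sketch follows RFC 2865 and the Message-Authenticator definition in RFC 2869; the function names are hypothetical, and the host running it must itself be defined as a RADIUS client on the server.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject: secret OK, denied by policy or credentials",
         11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user.encode())                                    # User-Name
             + attr(2, hide_password(password.encode(), secret, req_auth))
             + attr(4, socket.inet_aton(nas_ip))                       # NAS-IP-Address
             + attr(80, bytes(16)))                                    # Message-Authenticator, zeroed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet, keyed with the shared secret, replaces the zeroed field
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth

def classify_reply(reply, ident, req_auth, secret):
    if reply is None:  # timeout: RADIUS servers drop such requests silently
        return "no reply: sender not a known RADIUS client, secret mismatch, or packet filtered"
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed or unrelated reply"
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad Response Authenticator: reply not signed with this shared secret"
    return CODES.get(reply[0], f"unexpected code {reply[0]}")

def probe(server, secret, user, password, nas_ip, port=1812, timeout=3.0):
    pkt, req_auth = build_access_request(1, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, 1, req_auth, secret)
```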
11-22-2022 07:17 AM
Here is the current setup and debugging cmds
radius server msRad1
 address ipv4 <> auth-port 1812 acct-port 1813
 key 6 <>
!
radius server msRad2
 address ipv4 <> auth-port 1812 acct-port 1813
 key 6 <>
!
radius-server attribute wireless accounting mac-delimiter hyphen
radius-server attribute wireless accounting username-delimiter hyphen
radius-server attribute wireless accounting username-case lower
radius-server attribute wireless accounting call-station-id macaddress
radius-server attribute wireless accounting callStationIdCase lower
radius-server attribute wireless authentication callStationIdCase lower
radius-server attribute wireless authentication mac-delimiter hyphen
radius-server attribute wireless authentication call-station-id ap-macaddress-ssid
aaa new-model
!
!
aaa group server radius msRadGrp
 server name msRad1
 server name msRad2
 ip radius source-interface Vlan20
 deadtime 5
!
aaa authentication login RadAuthMethod local group msRadGrp
aaa authorization exec RadAuthzMethod local group msRadGrp
w-c9800-40#show deb
General OS:
AAA Authentication debugging is on
AAA Radius debugs debugging is on
AAA Testing debugs debugging is on
IOSXE Conditional Debug Configs:
11-22-2022 06:52 AM
What you can do is take your 5508 configuration and import it to the converter and look at the configuration output. Compare that output to what you have configured; maybe there is a bit that has been turned on or off.
WLC Config Converter (AireOS, IOS-XE) - Cisco Community