05-28-2019 10:57 AM
We have a mix of SG200-26 and SG220-26 small business switches. I am in the process of converting over the management logins for these switches to use our on-premises RADIUS server, a Windows Server 2016 NPS box. The SG220's are working fine, but the SG200's are not. Every attempt to log in just results in an unknown username or bad password.
The really odd thing is that when I Wireshark this from the NPS, I see no Access-Request packets coming in from the 200's and there is no indication in the NPS log that the 200's are attempting to connect. It's as if the RADIUS client is disabled on the 200's.
Any suggestions?
05-28-2019 11:23 AM
1. The first thing I would like to check is whether the NPS is reachable from the switch.
2. Check the logs for why it is failing, both from the switch side and the Windows event log.
Here is the guide for setup:
05-28-2019 11:48 AM
NPS is reachable from the switches; I am doing the switch configuration from the NPS.
The switch logs just say that a login attempt failed and there are no logs on the NPS.
Again, this is all for the 200's; the 220's are working fine.
05-28-2019 12:22 PM
I have noticed that it was working with the 220 in the first post; I just wanted to be sure reachability is available.
Can you post what OS code is running on the 200 models?
05-28-2019 12:48 PM
There is no mechanism to get to the "code" of the 200's; they're pure GUI-based switches. There's no SSH support or console access.
Not my favorite appliance; hence the reason we're replacing them with 220's, but I have to work with what I have on hand right now.
05-28-2019 11:35 PM
There is no mechanism to get to the "code" of the 200's; <-- Sorry, I meant to ask what firmware version.
05-29-2019 03:56 AM
The firmware on the 200's is 1.4.2.4.
As an additional test, I tried enabling RADIUS on our SG300-26, the Layer 3 variant of the SG200. This switch is also running firmware version 1.4.2.4, but the SG300 supports console, telnet and SSH access.
Same result. User is not authenticated, NPS shows no activity from the SG300's IP address and a Wireshark trace shows no incoming RADIUS packets from the SG300 to the NPS/RADIUS server.
05-29-2019 11:43 AM
To be honest, at this stage I am not in a position to suggest anything, since you mentioned you tried a different device with the same firmware and it has the same issue.
If you get a chance, upgrade one of the devices to new firmware and try (I did not see any bugs reported for the version you have the issue with).
Or open a TAC case with SME support.
05-06-2020 06:59 AM - edited 05-06-2020 07:05 AM
I had the same issue - the problem was the order of "Selected Methods" in "Security - Management Access Authentication". You need to have "Local" as the last one, because authentication methods after "Local" are ignored.
This might be confusing, because even screenshots in official Cisco guides have those methods reversed (and thus make the RADIUS method omitted). Hope this helps.
Reference (for SG250, but it works for SG200 the same way): https://www.cisco.com/assets/sol/sb/Switches_Emulators_v2_3_5_xx/help/250/index.html#page/tesla_250_olh/mng_acc_authen.html
PS: it's a shame that even in 2020 the only supported method for login via RADIUS from Cisco is PAP :( Despite the configuration guides showing MS-CHAP-V2, that one is used for PPP only.
05-14-2020 03:54 AM
I did as you suggested.
Same deal. Can't log in with RADIUS, no packets being sent to the RADIUS server. As a bonus, I also can't log in with local accounts either; I have effectively locked myself out of this switch entirely. It does appear as though the switch ignores whatever the second, third, etc. entries are in the "Selected Methods" box.
05-14-2020 04:33 AM
Hm, strange... when I had this lockout problem, I just cut off the connection between switch and RADIUS server, which (after connection to RADIUS timed out) made the local authentication possible again.
From the documentation: The authorization/authentication method used is determined by the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authorized/authenticated locally.
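The ordered-method behaviour quoted above (and the "Local must be last" point and the lockout-then-recovery earlier in the thread) can be modelled in a few lines. The following is an added example, not code from Cisco, the switch firmware or anyone in this thread. It assumes the documented semantics: methods are tried in the selected order, a method that is unavailable (all RADIUS servers time out) falls through to the next one, a method that answers (accept or reject) is final, and "Local" always answers, so anything listed after it is never consulted. Usernames and passwords are constructed sample data. The model shows why a Local-first order never sends a RADIUS packet and why cutting the RADIUS link restores local login; it does not explain the original poster's persistent no-packets symptom with RADIUS listed first.

```python
"""Model of an ordered management-authentication method chain (RADIUS, Local)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    reachable: bool            # False models "all configured servers time out"
    users: Dict[str, str]      # username -> password (constructed sample data)


@dataclass
class AuthResult:
    decided_by: Optional[str]  # method that produced the verdict; None if all were unavailable
    accepted: bool
    tried: List[str] = field(default_factory=list)  # methods actually consulted, in order


def try_method(method: str, user: str, password: str,
               radius: RadiusServer, local_users: Dict[str, str]) -> Optional[bool]:
    """Return None when the method is unavailable, otherwise its accept/reject verdict."""
    if method == "RADIUS":
        if not radius.reachable:
            return None                      # timeout: documented fall-through to next method
        return radius.users.get(user) == password   # an Access-Reject is a verdict, not a timeout
    if method == "Local":
        return local_users.get(user) == password    # Local is always available, so it always answers
    raise ValueError(f"unknown method {method!r}")   # assumption: only these two methods modelled


def authenticate(methods: List[str], user: str, password: str,
                 radius: RadiusServer, local_users: Dict[str, str]) -> AuthResult:
    """Walk the selected methods in order; the first one that answers decides."""
    tried: List[str] = []
    for method in methods:
        tried.append(method)
        verdict = try_method(method, user, password, radius, local_users)
        if verdict is None:
            continue                         # unavailable: move on to the next selected method
        return AuthResult(decided_by=method, accepted=verdict, tried=tried)
    return AuthResult(decided_by=None, accepted=False, tried=tried)


def unreachable_methods(methods: List[str]) -> List[str]:
    """Config check: every method listed after 'Local' can never be consulted."""
    if "Local" not in methods:
        return []
    return methods[methods.index("Local") + 1:]


if __name__ == "__main__":
    radius = RadiusServer(reachable=True, users={"alice": "radius-pw"})   # constructed
    local = {"admin": "local-pw"}                                         # constructed

    # Correct order: RADIUS answers for alice, Local is the fallback.
    print(authenticate(["RADIUS", "Local"], "alice", "radius-pw", radius, local))
    # Reversed order: Local rejects alice and RADIUS is never queried (no packet on the wire).
    print(authenticate(["Local", "RADIUS"], "alice", "radius-pw", radius, local))
    # Lockout: a reachable RADIUS rejects the local admin, so Local is never reached...
    print(authenticate(["RADIUS", "Local"], "admin", "local-pw", radius, local))
    # ...until the RADIUS link is cut and the timeout falls through to Local.
    radius.reachable = False
    print(authenticate(["RADIUS", "Local"], "admin", "local-pw", radius, local))
    print("never consulted:", unreachable_methods(["Local", "RADIUS"]))
```

Running it prints the four verdicts in the order of the scenarios described in the thread; `unreachable_methods` is the check to run over the "Selected Methods" list before saving it, since a method after "Local" is silently dead configuration.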