SG200 RADIUS Login Issue

Daywalker46322
Level 1

We have a mix of SG200-26 and SG220-26 small business switches. I am in the process of converting the management logins for these switches over to our on-premises RADIUS server, a Windows Server 2016 NPS box. The SG220's are working fine, but the SG200's are not. Every attempt to log in just results in an unknown username or bad password.

 

  • I have added the "shell:priv-lvl=15" cisco-avpair vendor-specific attribute on the NPS server
  • Both the 220's and 200's have the correct IP address of the NPS server as well as the same authentication port (1812/udp)
  • I have added RADIUS as a Management Access Method for HTTP (220/200), Console (220) and SSH (220)
  • The NPS server is dual-homed, with one pure L2 interface on the management VLANs of the 200's and 220's

 

The really odd thing is that when I Wireshark this from the NPS, I see no Access-Request packets coming in from the 200's, and there is no indication in the NPS log that the 200's are attempting to connect. It's as if the RADIUS client is disabled on the 200's.

 

Any suggestions?

10 Replies

balaji.bandi
Hall of Fame

1. First thing I would like to check: is the NPS reachable from the switch?

2. Check the logs for why it is failing, both on the switch side and in the Windows event log.

 

Here is the guide for the setup:

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-200-series-managed-switches/smb2605-radius-configuration-with-cisco-200-300-series-managed-switc.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

NPS is reachable from the switches; I am doing the switch configuration from the NPS.

 

The switch logs just say that a login attempt failed and there are no logs on the NPS.

 

Again, this is all for the 200's; the 220's are working fine.

I noticed that it was working with the 220 in the first post; I just want to be sure reachability is available.

Can you post what OS code is running on the 200 models?

BB


There is no mechanism to get to the "code" of the 200's; they're pure GUI-based switches. There's no SSH support or console access.

 

Not my favorite appliance, hence the reason we're replacing them with 220's, but I have to work with what I have on hand right now.

"There is no mechanism to get to the "code" of the 200's" <-- sorry, I meant to ask what firmware version.

BB


The firmware on the 200's is 1.4.2.4.

 

As an additional test, I tried enabling RADIUS on our SG300-26, the Layer 3 variant of the SG200. This switch is also running firmware version 1.4.2.4, but the SG300 supports console, telnet and SSH access.

 

Same result. The user is not authenticated, NPS shows no activity from the SG300's IP address, and a Wireshark trace shows no incoming RADIUS packets from the SG300 to the NPS/RADIUS server.

To be honest, at this stage I am not in a position to suggest anything, since you mentioned you tried a different device with the same firmware and it has the same issue.

 

If you get a chance, upgrade one of the devices to the new firmware and try (I did not see any bugs reported for the version you are having the issue with).

 

Or open a TAC case with SME support.

BB


Kraken2k
Level 1

I had the same issue - the problem was the order of "Selected Methods" in "Security - Management Access Authentication". You need to have "Local" as the last one, because authentication methods after "Local" are ignored.

 

This might be confusing, because even the screenshots in the official Cisco guides have those methods reversed (and thus cause the RADIUS method to be omitted). Hope this helps.

 

Reference (for SG250, but it works for SG200 the same way): https://www.cisco.com/assets/sol/sb/Switches_Emulators_v2_3_5_xx/help/250/index.html#page/tesla_250_olh/mng_acc_authen.html

 

PS: it's a shame that even in 2020 the only supported method for login via RADIUS from Cisco is PAP :( Despite the configuration guides showing MS-CHAP-V2, that one is used for PPP only.
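To make the exchange concrete, here is an added example that is not from this thread or from any Cisco or Microsoft code: a Python model of the PAP Access-Request an SG200 should be putting on the wire to UDP/1812 (the packet the original poster expected to see in Wireshark) and of the Access-Accept carrying the cisco-avpair Vendor-Specific attribute "shell:priv-lvl=15" that NPS returns, using the User-Password hiding and Response Authenticator check from RFC 2865 (the PAP method Kraken2k mentions). The shared secret, user name, password and NAS address are made up; `send_and_check` is a hypothetical helper for sending one real request from a host on the switches' management VLAN.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1
CISCO_VENDOR_ID = 9      # IANA enterprise number carried in the Vendor-Specific attribute
CISCO_AVPAIR = 1         # vendor-type of cisco-avpair inside that VSA


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) holding Vendor-Id 9 and one cisco-avpair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """The packet a switch emits to UDP/1812 for a PAP management login."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request: bytes, secret: bytes, avpairs) -> bytes:
    """Server side: Access-Accept whose authenticator is MD5(header+ReqAuth+attrs+secret)."""
    attrs = b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attributes(raw: bytes):
    attrs, i = [], 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def parse_response(packet: bytes, request: bytes, secret: bytes):
    """Verify the Response Authenticator, then collect cisco-avpair strings."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20 or ident != request[1]:
        raise ValueError("length/identifier mismatch")
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + request[4:20] + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    avpairs = []
    for atype, value in parse_attributes(attrs_raw):
        if atype == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == CISCO_AVPAIR:
                    avpairs.append(vvalue.decode())
    return code, avpairs


def privilege_level(avpairs):
    """shell:priv-lvl=N grants level N; None means the switch applies its default level."""
    for a in avpairs:
        if a.startswith("shell:priv-lvl="):
            return int(a.split("=", 1)[1])
    return None


def send_and_check(host, port, ident, username, password, secret, nas_ip, timeout=3.0):
    """Hypothetical helper: send one live Access-Request and decode the reply."""
    req = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        reply, _ = s.recvfrom(4096)
    return parse_response(reply, req, secret)


if __name__ == "__main__":
    # Constructed exchange with both sides simulated offline and a made-up secret.
    secret = b"not-the-real-secret"
    req = build_access_request(7, "netadmin", "Pa55w0rd!", secret, "192.0.2.10")
    acc = build_access_accept(req, secret, ["shell:priv-lvl=15"])
    print(parse_response(acc, req, secret))
```

Run from a host on the management VLAN, `send_and_check` separates "the switch never sends" (the symptom in this thread) from "NPS rejects what it receives": if the reply parses, the client entry, shared secret and policy are fine and the fault is on the switch side. NPS only answers sources it has registered as RADIUS clients, so the sending address must already be in the NPS client list, and a wrong shared secret shows up here as a failed Response Authenticator rather than as a clean reject.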

I did as you suggested.

 

Same deal. Can't log in with RADIUS, no packets being sent to the RADIUS server. As a bonus, I also can't log in with local accounts either; I have effectively locked myself out of this switch entirely. It does appear as though the switch ignores whatever the second, third, etc. entries are in the "Selected Methods" box.

Hm, strange... when I had this lockout problem, I just cut off the connection between the switch and the RADIUS server, which (after the connection to RADIUS timed out) made local authentication possible again.

From the documentation: The authorization/authentication method used is determined by the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authorized/authenticated locally.