Rayneedssomehelp


No radius logs ACS 5.2

Hello all!

I have a testbed set up for 802.1x authentication between an ACS 5.2 server with the radius
protocol enabled..."Identity stores", "Resource network devices" and "Shared secret key".
The 3750 has the  "bare bones" configs...AAA new model, shared key and the radius server
IP address.
The switch interface is configured for monitor mode..."authentication open".
I am able to ping the ACS from the switch, but when I connect a PC to the switch port
it shuts down!!  Also, there are no radius logs on the ACS to evaluate the issue.

It seems to be obvious that the switch and ACS are not communicating.
What do I need to do to get the ACS radius server to generate radius logs?
I will work on the authentication issue later down the road.  For now I just want the switch
and the ACS 5.2 server to communicate.

Thanks in advance!

Ray
Craig Beck

Can you post a switch config?
Rayneedssomehelp

ASKER

Hello,

The configs on the switch were configured by one of the techs here.  There is a lot of junk
on it that does not need to be on it, such as the load balancing configs.  I did not want to make any changes to the configs until I checked with the experts first.


As I stated, right now I am more concerned with just getting the ACS radius server
to communicate with the switch, so that I can view the radius logs.

I do understand that in order for the authentication to be successful I need the ACS
configured properly also.  That being said, I would like to take one step at a time
to try and resolve our issues with the deployment.  First: ACS\switch radius communication!
Second: Authentication.
aaa new-model
!
!
aaa group server radius radus-pri
!
aaa group server radius radius-log
 server xxx.xxx.xxx.xxx
 server xxx.xxx.xxx.xxx
!
aaa group server radius radius-pri
 server xxx.xxx.xxx.xxx
!
aaa group server radius raqdius-sec
 server xxx.xxx.xxx.xxx

aaa authentication login default group tacacs+ local
aaa authentication login list-name group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius-pri group radius-sec
aaa authorization network default group radius-pri group radius-sec
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
dot1x system-auth-control


interface GigabitEthernet3/0/11
 switchport access vlan xxx
 switchport mode access
 switchport nonegotiate
 authentication open
 dot1x pae authenticator
 spanning-tree portfast


Thanks,

Ray
ASKER CERTIFIED SOLUTION
Craig Beck

Gentlemen,

I am trying to clean up the 802.1X\radius configs on the switch.
for example,  we are only using one ACS server as a testbed. Those configs for primary
and secondary radius servers may be causing some problems.

I added the radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 key <SHAREDSECRET>
command.  At first I received an error message about using the name in place of the IP
address in the syntax...although it appeared to accept the command regardless.

Anyway, I still don't see any radius logs on the ACS.


Ray
At the switch, try this command...

test aaa group radius server x.x.x.x <user> <pass> legacy

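A minimal, self-consistent version of the switch-side RADIUS/802.1X configuration discussed in this thread, with the verification steps, added here as an example; it is not Ray's posted config, Craig's reply or anything from Cisco's ACS documentation. The ACS address 192.0.2.10, the group name ACS-TEST, the secret and the test credentials are assumed placeholders.

```cisco
! Added example for this thread; substitute your own ACS address and secret.
! Assumptions: ACS at 192.0.2.10, secret TestSecret1, and auth/acct ports
! 1645/1646 as in the radius-server host command Ray entered.
!
! --- As posted: the dot1x list points at groups that are misspelled or empty ---
! aaa group server radius radus-pri        <- empty group, name misspelled
! aaa group server radius raqdius-sec      <- name misspelled
! aaa authentication dot1x default group radius-pri group radius-sec
!
! --- Corrected: one group, one server, every name spelled identically ---
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key TestSecret1
!
aaa group server radius ACS-TEST
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group ACS-TEST
aaa authorization network default group ACS-TEST
aaa accounting dot1x default start-stop group ACS-TEST
!
dot1x system-auth-control
!
interface GigabitEthernet3/0/11
 switchport mode access
 ! monitor mode: open access, but 802.1X still runs and is logged on ACS
 authentication open
 ! without port-control auto the port stays force-authorized and the switch
 ! never starts 802.1X, so no RADIUS request is ever sent; it was absent from
 ! the posted config
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Verification, from enable mode ---
! 1. Confirm the switch knows the server and watch its counters move:
!    show aaa servers
! 2. Send a test Access-Request (placeholder credentials; a rejection still
!    proves the switch reached ACS, and ACS then logs a failed attempt):
!    test aaa group ACS-TEST testuser testpass legacy
! 3. If "show aaa servers" counts timeouts and ACS shows nothing, check on
!    ACS that the switch's source IP is defined as a network device with the
!    same shared secret, and run "debug radius" on the switch to see whether
!    requests leave at all.
```

Because ACS only writes a RADIUS log when a request arrives from a defined network device with a matching secret, step 3 distinguishes "switch never sent anything" (no debug output, timeouts climbing) from "ACS silently dropped it" (requests visible in debug radius, still no log on ACS).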