Hello all,
I have a problem with my RADIUS authentication setup.
My client is a Cisco Catalyst 2960-24TT-L switch; the server is Microsoft NPS.
I configured the switch as per below:
!
aaa new-model
!
aaa group server radius Q8ADS1
server 172.18.0.120 auth-port 1812 acct-port 1813
!
aaa authentication fail-message ^C
*** Authentication failed ***
^C
!
aaa authentication login default group Q8ADS1 local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
radius-server dead-criteria time 10 tries 3
radius-server host 172.18.0.120 auth-port 1812 acct-port 1813 key xxxxx
!
end
The RADIUS NPS server is configured with the switch as a RADIUS client and a Network Policy:
Grant Access, Condition: NAS IPv4 Address of the switch, Authentication: Unencrypted (PAP, SPAP) and
RADIUS attributes: Standard: Service-type - Administrative
Vendor Specific: shell:privl-lvl=15
The thing is that when I try to log in and authenticate to the switch, I still get the output below:
*Mar 1 01:15:43.873: AAA/BIND(00000018): Bind i/f
*Mar 1 01:15:46.491: AAA/AUTHEN/LOGIN (00000018): Pick method list 'default'
*Mar 1 01:15:46.491: RADIUS/ENCODE(00000018): ask "Password: "
*Mar 1 01:15:46.491: RADIUS/ENCODE(00000018): send packet; GET_PASSWORD
*Mar 1 01:15:59.132: RADIUS/ENCODE(00000018):Orig. component type = Exec
*Mar 1 01:15:59.132: RADIUS: AAA Unsupported Attr: interface [210] 4
*Mar 1 01:15:59.132: RADIUS: 74 74 [ tt]
*Mar 1 01:15:59.132: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Mar 1 01:15:59.132: RADIUS(00000018): Config NAS IPv6: ::
*Mar 1 01:15:59.132: RADIUS/ENCODE(00000018): acct_session_id: 14
*Mar 1 01:15:59.132: RADIUS(00000018): sending
*Mar 1 01:15:59.132: RADIUS/ENCODE: Best Local IP-Address 172.18.0.11 for Radius-Server 172.18.0.120
*Mar 1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar 1 01:15:59.132: RADIUS: authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66
*Mar 1 01:15:59.132: RADIUS: User-Name [1] 10 "a-murcod"
*Mar 1 01:15:59.132: RADIUS: User-Password [2] 18 *
*Mar 1 01:15:59.132: RADIUS: NAS-Port [5] 6 1
*Mar 1 01:15:59.132: RADIUS: NAS-Port-Id [87] 6 "tty1"
*Mar 1 01:15:59.132: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 01:15:59.132: RADIUS: Service-Type [6] 6 Login [1]
*Mar 1 01:15:59.132: RADIUS: NAS-IP-Address [4] 6 172.18.0.11
*Mar 1 01:15:59.132: RADIUS(00000018): Sending a IPv4 Radius Packet
*Mar 1 01:15:59.132: RADIUS(00000018): Started 5 sec timeout
*Mar 1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20 <<<<<<<<
*Mar 1 01:15:59.141: RADIUS: authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71
*Mar 1 01:15:59.141: RADIUS(00000018): Received from id 1645/21
And then I fail to authenticate.
The RADIUS server is pingable from the switch, but when I try to log on I still receive the "Access-Reject, len 20" message.
I think this should be fixed by setting the correct attributes on the RADIUS server and the client switch, but which should I choose?
Please help.
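One check worth running on a debug like the one above, as an added example that is not part of the original post: rebuild the Access-Request from the attributes the switch printed and verify the Response Authenticator of the Access-Reject against the shared secret. Per RFC 2865 the Response Authenticator is MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret), so if the 16 bytes the switch logged for the reply verify under the secret configured with "key", the reject is a decision NPS made (policy conditions or credentials), not a shared-secret mismatch. The packet fields below (identifier 21, the one-byte second half of "id 1645/21"; request length 78; both authenticators) are copied from the debug in the post; the shared secret and the cleartext password are constructed, since the post redacts both, and the NAS attributes are the ones listed in the debug. The example also shows that length 78 is exactly header plus the seven listed attributes, with User-Password occupying a single 16-byte block.

```python
# Added example, not code from the original post.  Rebuilds the switch's
# Access-Request from "debug radius" output and verifies the Access-Reject's
# Response Authenticator (RFC 2865 section 3) against a shared secret.
import hashlib
import hmac
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODES = {"Access-Request": 1, "Access-Accept": 2, "Access-Reject": 3}

# Debug lines copied from the post (request id 21, Access-Reject len 20).
DEBUG_LINES = [
    "RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78",
    "RADIUS: authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66",
    "RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20",
    "RADIUS: authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71",
]


def parse_debug(lines):
    """Extract (code, identifier, length, authenticator) per packet from debug radius output."""
    packets, pending = [], None
    for line in lines:
        code_m = re.search(r"Access-(?:Request|Accept|Reject)", line)
        id_m = re.search(r"\bid \d+/(\d+)", line)   # second number is the 1-byte RADIUS identifier
        len_m = re.search(r"\blen (\d+)", line)
        if code_m and id_m and len_m:
            pending = {"code": CODES[code_m.group(0)], "id": int(id_m.group(1)),
                       "length": int(len_m.group(1))}
            continue
        if pending and "authenticator" in line:
            hexpart = line.split("authenticator", 1)[1]   # avoid the "AD" in "RADIUS"
            pending["auth"] = bytes.fromhex("".join(re.findall(r"[0-9A-Fa-f]{2}", hexpart)))
            packets.append(pending)
            pending = None
    return packets


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def build_access_request(ident, request_auth, secret, username, password):
    """The Access-Request the switch sent, attribute for attribute as listed in the debug."""
    attrs = (attr(1, username)                                   # User-Name
             + attr(2, encode_user_password(password, secret, request_auth))  # User-Password
             + attr(5, struct.pack("!I", 1))                     # NAS-Port = 1
             + attr(87, b"tty1")                                 # NAS-Port-Id
             + attr(61, struct.pack("!I", 5))                    # NAS-Port-Type = Virtual
             + attr(6, struct.pack("!I", 1))                     # Service-Type = Login
             + attr(4, bytes([172, 18, 0, 11])))                 # NAS-IP-Address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_reply(reply, request_auth, secret):
    """True if the reply's Response Authenticator is valid under this secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"constructed-shared-secret", password=b"constructed-pw"):
    """Rebuild the exchange from the debug and check a reject under right and wrong secrets.
    The secret and password are constructed; the post shows the key only as xxxxx."""
    req, rep = parse_debug(DEBUG_LINES)
    request = build_access_request(req["id"], req["auth"], secret, b"a-murcod", password)
    # What NPS would have to return as an Access-Reject for this request under the same secret.
    reject = struct.pack("!BBH", ACCESS_REJECT, req["id"], 20) + response_authenticator(
        ACCESS_REJECT, req["id"], b"", req["auth"], secret)
    real_reject = struct.pack("!BBH", rep["code"], rep["id"], rep["length"]) + rep["auth"]
    return {
        "request_len_matches_debug": len(request) == req["length"],
        "reject_verifies_with_correct_secret": verify_reply(reject, req["auth"], secret),
        "reject_verifies_with_wrong_secret": verify_reply(reject, req["auth"], b"wrong-secret"),
        # Run this with the switch's real "key" value: True means NPS itself rejected the login.
        "logged_reject_verifies": verify_reply(real_reject, req["auth"], secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To use it on a live capture, paste the request and reply lines from the switch's debug into DEBUG_LINES and call demo() with the real shared secret: a True for logged_reject_verifies means the secret is agreed on both sides and the answer lies in the NPS policy or the account, while a False points at the key itself.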