Dusan M
Unable to perform AAA Radius authentication between Microsoft NPS and Cisco switch

Hello all,

I have a problem with my Radius authentication setup.
My client is a Cisco Catalyst 2960-24TT-L switch; the server is Microsoft NPS.

I configured the switch as per below:

!
aaa new-model
!
aaa group server radius Q8ADS1
 server 172.18.0.120 auth-port 1812 acct-port 1813
!
aaa authentication fail-message ^C
*** Authentication failed ***
^C
!
aaa authentication login default group Q8ADS1 local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
radius-server dead-criteria time 10 tries 3
radius-server host 172.18.0.120 auth-port 1812 acct-port 1813 key xxxxx
!
end



The NPS RADIUS server is configured with the switch as a RADIUS client and a Network Policy:

Grant Access, Condition: NAS IPv4 Address of the switch, Authentication: Unencrypted (PAP, SPAP) and
RADIUS attributes: Standard: Service-type - Administrative
                   Vendor Specific: shell:privl-lvl=15

The thing is that when I'm trying to log in and authenticate to the switch, I still get the output below:


*Mar  1 01:15:43.873: AAA/BIND(00000018): Bind i/f
*Mar  1 01:15:46.491: AAA/AUTHEN/LOGIN (00000018): Pick method list 'default'
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): ask "Password: "
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): send packet; GET_PASSWORD
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018):Orig. component type = Exec
*Mar  1 01:15:59.132: RADIUS:  AAA Unsupported Attr: interface         [210] 4
*Mar  1 01:15:59.132: RADIUS:   74 74                [ tt]
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IPv6: ::
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018): acct_session_id: 14
*Mar  1 01:15:59.132: RADIUS(00000018): sending
*Mar  1 01:15:59.132: RADIUS/ENCODE: Best Local IP-Address 172.18.0.11 for Radius-Server 172.18.0.120
*Mar  1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar  1 01:15:59.132: RADIUS:  authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66
*Mar  1 01:15:59.132: RADIUS:  User-Name           [1]   10  "a-murcod"
*Mar  1 01:15:59.132: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:15:59.132: RADIUS:  NAS-Port            [5]   6   1
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Mar  1 01:15:59.132: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 01:15:59.132: RADIUS:  NAS-IP-Address      [4]   6   172.18.0.11
*Mar  1 01:15:59.132: RADIUS(00000018): Sending a IPv4 Radius Packet
*Mar  1 01:15:59.132: RADIUS(00000018): Started 5 sec timeout
*Mar  1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20   <<<<<<<<
*Mar  1 01:15:59.141: RADIUS:  authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71
*Mar  1 01:15:59.141: RADIUS(00000018): Received from id 1645/21


And then I fail to authenticate.

The Radius is pingable from the switch, but when I try to log on, I am still receiving the "Access-Reject, len 20"  message.

I think this should be fixed by setting the correct attributes on the RADIUS server and on the client switch, but which should I choose?


Please help.
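The debug above shows an Access-Request of length 78 answered by an Access-Reject of length 20. The following is an added example, not code from the original post, from Cisco IOS or from NPS: it rebuilds that exchange from RFC 2865, encoding a PAP Access-Request with the same seven attributes in the same order (so the length comes out at 78 for the user name shown), computing a server response the way the Response Authenticator is defined, and verifying a response the way a client must. A 20-byte reply is a bare header, so it carries no Reply-Message and no hint about why the server rejected; that reason only exists in the server's own log. The shared secret, password and Request Authenticator are constructed sample values, not values from the page.

```python
"""RFC 2865 RADIUS PAP exchange: build the Access-Request seen in the switch
debug, then build and verify server responses the way an RFC 2865 client must.

Added example, not code from the original post, from Cisco IOS or from NPS.
The shared secret, password and Request Authenticator used here are
constructed sample values (assumptions), not values from the page.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Attribute type numbers (RFC 2865 / RFC 2869), matching the [n] in the debug
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, NAS_PORT_TYPE, NAS_PORT_ID, REPLY_MESSAGE = 6, 61, 87, 18
SERVICE_TYPE_LOGIN, NAS_PORT_TYPE_VIRTUAL = 1, 5


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: NUL-pad to a multiple of 16 (at
    least 16 bytes), then XOR each 16-byte chunk with MD5(secret + previous
    chunk), the first chunk using the Request Authenticator. The shared
    secret is the only thing protecting a PAP password on the wire."""
    target = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(target, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip,
                         request_auth=None):
    """Encode the same seven attributes, in the same order, as the debug shows."""
    request_auth = request_auth or os.urandom(16)
    attrs = (
        avp(USER_NAME, username.encode())
        + avp(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
        + avp(NAS_PORT, struct.pack("!I", 1))
        + avp(NAS_PORT_ID, b"tty1")
        + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
        + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
        + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return head + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attributes(packet):
    """Return [(type, value)] from a packet; a 20-byte packet yields []."""
    length = struct.unpack("!H", packet[2:4])[0]
    out, pos = [], HEADER_LEN
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out


def check_response(request, response, secret):
    """Client side (RFC 2865 s3): a reply whose Response Authenticator does not
    verify under the shared secret must be silently discarded, so a secret
    mismatch surfaces as retransmits and timeouts rather than as a reject."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return "discard: truncated or identifier mismatch"
    code, _, length = struct.unpack("!BBH", response[:4])
    attrs = response[HEADER_LEN:length]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    if expected != response[4:20]:
        return "discard: bad Response Authenticator (shared secret mismatch?)"
    name = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, str(code))
    return f"{name} len {length}, {len(parse_attributes(response))} attributes"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumption, not the real key
    req = build_access_request(21, secret, "a-murcod", "constructed-pw", "172.18.0.11")
    print("Access-Request len", len(req))
    reject = build_response(ACCESS_REJECT, req, secret)
    print(check_response(req, reject, secret))
    print(check_response(req, reject, b"some-other-secret"))
```

Running it prints the 78-byte request length from the debug and "Access-Reject len 20, 0 attributes" for a bare reject; the last line shows what the client does with a reply computed under a different secret. The point for troubleshooting is that a clean, verifiable reject means the transport and shared secret are working and the decision was made by policy on the server, which is why the server-side event log, not further switch-side attribute changes, is where the reason is recorded.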
Dirk Kotte

Please post the "access denied" details from the NPS event log.
Possibly you have to enable NPS logging first.
Dusan M (asker)

Thank you,

I will check the event log once it is enabled.
ASKER CERTIFIED SOLUTION
Dirk Kotte
Dusan M (asker)

No, thank you.

There is some infrastructure problem in the network now, so we are still not able to check the event log.
I don't know when it will be possible.

Thank you anyway.
Hints should help to solve the problem.