
Unable to perform AAA Radius authentication between Microsoft NPS and Cisco switch

Dusan M asked
Last Modified: 2018-04-13
Hello all,

I have a problem with my Radius authentication setup.
My client is a Cisco Catalyst 2960-24TT-L switch; the server is Microsoft NPS.

I configured the switch as per below:

!
aaa new-model
!
aaa group server radius Q8ADS1
 server 172.18.0.120 auth-port 1812 acct-port 1813
!
aaa authentication fail-message ^C
*** Authentication failed ***
^C
!
aaa authentication login default group Q8ADS1 local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
radius-server dead-criteria time 10 tries 3
radius-server host 172.18.0.120 auth-port 1812 acct-port 1813 key xxxxx
!
end



The RADIUS NPS server is configured with the switch as a RADIUS client and a Network Policy:

Grant Access, Condition: NAS IPv4 Address of the switch, Authentication: Unencrypted (PAP, SPAP) and
RADIUS attributes: Standard: Service-type - Administrative
                   Vendor Specific: shell:privl-lvl=15

The thing is that when I try to log in and authenticate to the switch, I still get the output below:


*Mar  1 01:15:43.873: AAA/BIND(00000018): Bind i/f
*Mar  1 01:15:46.491: AAA/AUTHEN/LOGIN (00000018): Pick method list 'default'
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): ask "Password: "
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): send packet; GET_PASSWORD
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018):Orig. component type = Exec
*Mar  1 01:15:59.132: RADIUS:  AAA Unsupported Attr: interface         [210] 4
*Mar  1 01:15:59.132: RADIUS:   74 74                [ tt]
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IPv6: ::
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018): acct_session_id: 14
*Mar  1 01:15:59.132: RADIUS(00000018): sending
*Mar  1 01:15:59.132: RADIUS/ENCODE: Best Local IP-Address 172.18.0.11 for Radius-Server 172.18.0.120
*Mar  1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar  1 01:15:59.132: RADIUS:  authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66
*Mar  1 01:15:59.132: RADIUS:  User-Name           [1]   10  "a-murcod"
*Mar  1 01:15:59.132: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:15:59.132: RADIUS:  NAS-Port            [5]   6   1
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Mar  1 01:15:59.132: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 01:15:59.132: RADIUS:  NAS-IP-Address      [4]   6   172.18.0.11
*Mar  1 01:15:59.132: RADIUS(00000018): Sending a IPv4 Radius Packet
*Mar  1 01:15:59.132: RADIUS(00000018): Started 5 sec timeout
*Mar  1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20   <<<<<<<<
*Mar  1 01:15:59.141: RADIUS:  authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71
*Mar  1 01:15:59.141: RADIUS(00000018): Received from id 1645/21


And then I fail to authenticate.

The Radius is pingable from the switch, but when I try to log on, I am still receiving the "Access-Reject, len 20" message.

I think this should be fixed by setting the correct attributes on the RADIUS server and the client switch, but which should I choose?


Please help.
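
The debug output in the question, summarized as an added example (not part of the original post, and not Cisco or Microsoft code): the parser below extracts what the switch sent and what came back, which are the values to compare against the NPS policy conditions and the server-side log. The function names are hypothetical; the sample lines are excerpted from the post.

```python
import re

# Lines excerpted from the debug output in the question above.
SAMPLE = """\
*Mar  1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar  1 01:15:59.132: RADIUS:  User-Name           [1]   10  "a-murcod"
*Mar  1 01:15:59.132: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Mar  1 01:15:59.132: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 01:15:59.132: RADIUS:  NAS-IP-Address      [4]   6   172.18.0.11
*Mar  1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20   <<<<<<<<
"""

HEADER_LEN = 20  # RFC 2865 header: code 1 + identifier 1 + length 2 + authenticator 16

SEND = re.compile(r"Send (\S+) to (\S+):(\d+) id (\S+), len (\d+)")
RECV = re.compile(r"Received from id (\S+) (\S+):(\d+), (\S+), len (\d+)")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*)\s+\[(\d+)\]\s+(\d+)\s+(.*\S)")

def parse_exchange(text):
    """Split IOS 'debug radius' lines into a request dict and a reply dict."""
    request = reply = current = None
    for line in text.splitlines():
        if m := SEND.search(line):
            current = request = {"code": m[1], "id": m[4], "len": int(m[5]), "attrs": {}}
        elif m := RECV.search(line):
            current = reply = {"code": m[4], "id": m[1], "len": int(m[5]), "attrs": {}}
        elif current is not None and (m := ATTR.search(line)):
            # Drop the trailing numeric enum IOS prints, e.g. "Login   [1]".
            current["attrs"][m[1]] = re.sub(r"\s+\[\d+\]$", "", m[4]).strip('"')
    return request, reply

def summarize(request, reply):
    """Facts to compare against the server-side policy and its log."""
    attrs = request["attrs"]
    return {
        "reply": reply["code"],
        "ids_match": request["id"] == reply["id"],
        # A 20-byte reply is header only: no Reply-Message or other attribute.
        "reply_has_attributes": reply["len"] > HEADER_LEN,
        "method": "PAP" if "User-Password" in attrs else
                  "CHAP" if "CHAP-Password" in attrs else "other",
        "nas_ip": attrs.get("NAS-IP-Address"),
        "service_type": attrs.get("Service-Type"),
        "user": attrs.get("User-Name"),
    }

if __name__ == "__main__":
    for key, value in summarize(*parse_exchange(SAMPLE)).items():
        print(f"{key}: {value}")
```

Because the 20-byte Access-Reject is a bare header, the switch-side debug cannot show why the server refused the request; that reason has to be read from the server's own logging.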