Dusan M
asked on
Unable to perform AAA Radius authentication between Microsoft NPS and Cisco switch
Hello all,
I have a problem with my Radius authentication setup.
My client is cisco switch Catalyst 2960-24TT-L, server is Microsoft NPS.
I configured the switch as per below:
!
aaa new-model
!
aaa group server radius Q8ADS1
server 172.18.0.120 auth-port 1812 acct-port 1813
!
aaa authentication fail-message ^C
*** Authentication failed ***
^C
!
aaa authentication login default group Q8ADS1 local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
radius-server dead-criteria time 10 tries 3
radius-server host 172.18.0.120 auth-port 1812 acct-port 1813 key xxxxx
!
end
The RADIUS NPS server is configured with the switch as a RADIUS client and a Network Policy:
Grant Access, Condition: NAS IPv4 Address of the switch, Authentication: Unencrypted (PAP, SPAP) and
RADIUS attributes: Standard: Service-type - Administrative
Vendor Specific: shell:privl-lvl=15
The thing is that when I'm trying to log in and authenticate to the switch, I still get the output below:
*Mar 1 01:15:43.873: AAA/BIND(00000018): Bind i/f
*Mar 1 01:15:46.491: AAA/AUTHEN/LOGIN (00000018): Pick method list 'default'
*Mar 1 01:15:46.491: RADIUS/ENCODE(00000018): ask "Password: "
*Mar 1 01:15:46.491: RADIUS/ENCODE(00000018): send packet; GET_PASSWORD
*Mar 1 01:15:59.132: RADIUS/ENCODE(00000018):Orig. component type = Exec
*Mar 1 01:15:59.132: RADIUS: AAA Unsupported Attr: interface [210] 4
*Mar 1 01:15:59.132: RADIUS: 74 74 [ tt]
*Mar 1 01:15:59.132: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Mar 1 01:15:59.132: RADIUS(00000018): Config NAS IPv6: ::
*Mar 1 01:15:59.132: RADIUS/ENCODE(00000018): acct_session_id: 14
*Mar 1 01:15:59.132: RADIUS(00000018): sending
*Mar 1 01:15:59.132: RADIUS/ENCODE: Best Local IP-Address 172.18.0.11 for Radius-Server 172.18.0.120
*Mar 1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar 1 01:15:59.132: RADIUS: authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66
*Mar 1 01:15:59.132: RADIUS: User-Name [1] 10 "a-murcod"
*Mar 1 01:15:59.132: RADIUS: User-Password [2] 18 *
*Mar 1 01:15:59.132: RADIUS: NAS-Port [5] 6 1
*Mar 1 01:15:59.132: RADIUS: NAS-Port-Id [87] 6 "tty1"
*Mar 1 01:15:59.132: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 01:15:59.132: RADIUS: Service-Type [6] 6 Login [1]
*Mar 1 01:15:59.132: RADIUS: NAS-IP-Address [4] 6 172.18.0.11
*Mar 1 01:15:59.132: RADIUS(00000018): Sending a IPv4 Radius Packet
*Mar 1 01:15:59.132: RADIUS(00000018): Started 5 sec timeout
*Mar 1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20 <<<<<<<<
*Mar 1 01:15:59.141: RADIUS: authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71
*Mar 1 01:15:59.141: RADIUS(00000018): Received from id 1645/21
And then I fail to authenticate.
The RADIUS server is pingable from the switch, but when I try to log on, I still receive the "Access-Reject, len 20" message.
I think this should be fixed by setting the correct attributes on the RADIUS server and the client switch, but which should I choose?
Please help.
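The 20-byte Access-Reject in the debug is a bare RADIUS header with no attributes, so the switch learns nothing about the reason; what can still be checked from a capture is whether the reply's authenticator verifies under the configured shared secret. The example below is added here and is not the asker's, Cisco's or Microsoft's code: it decodes such a reply per RFC 2865 and verifies the Response Authenticator. The Request Authenticator is taken from the debug above; the shared secret and the Reply-Message text are constructed stand-ins.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE = 18  # attribute type a server MAY add to a reject; a 20-byte reject has none

# Request Authenticator copied from the debug above; the shared secret is a constructed
# stand-in for the "xxxxx" in the switch config (hypothetical value).
REQ_AUTH = bytes.fromhex("38CF2357F1F58AE88A93CBCE4A3B8966")
SECRET = b"constructed-shared-secret"

def parse_radius(packet):
    """Return (code, id, authenticator, [(type, value), ...]) for one RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:  # a 20-byte packet never enters this loop: header only, no attributes
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def response_authenticator(header, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_reject(ident, request_authenticator, secret, attrs=b""):
    """Build an Access-Reject the way a server does; attrs=b'' yields the bare 20-byte reject."""
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_authenticator, attrs, secret) + attrs

def check_response(packet, request_authenticator, secret):
    """Decode a server reply and verify its authenticator against the request it answers."""
    code, ident, auth, attrs = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = response_authenticator(packet[:4], request_authenticator, packet[20:length], secret)
    return {"code": CODE_NAMES.get(code, code), "id": ident, "attributes": len(attrs),
            "reply_message": next((v.decode("utf-8", "replace") for t, v in attrs
                                   if t == REPLY_MESSAGE), None),
            "authenticator_ok": hmac.compare_digest(expected, auth)}
```

A failed authenticator check on a real capture means the switch and the NPS RADIUS-client entry disagree on the shared secret; a passing check with zero attributes means the server rejected deliberately and the reason is recorded only on the server side.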
ASKER
Thank you,
I will check the event log once it is enabled.
ASKER
No, thank you.
There is some infrastructure problem in the network now, so we are still not able to check the event log.
I don't know when it will be possible.
Thank you anyway.
The hints should help to solve the problem.
Possibly you have to enable NPS logging first.