Unable to perform AAA Radius authentication between Microsoft NPS and Cisco switch

Hello all,

I have a problem with my RADIUS authentication setup.
My client is a Cisco Catalyst 2960-24TT-L switch; the server is Microsoft NPS.

I configured the switch as per below:

!
aaa new-model
!
! RADIUS server group used by the login method list below
aaa group server radius Q8ADS1
 server 172.18.0.120 auth-port 1812 acct-port 1813
!
! Banner printed on a failed login (delimited by ^C)
aaa authentication fail-message ^C
*** Authentication failed ***
^C
!
! Login: ask the RADIUS group first; "local" is only consulted if the group
! returns an error (server unreachable), not when the server sends Access-Reject
aaa authentication login default group Q8ADS1 local
aaa authorization exec default group radius local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
! Declare the server dead after 10 s without a response and 3 unanswered tries
radius-server dead-criteria time 10 tries 3
! Shared secret (redacted here) must match the secret on the NPS RADIUS client entry
radius-server host 172.18.0.120 auth-port 1812 acct-port 1813 key xxxxx
!
end



The NPS RADIUS server is configured with the switch as a RADIUS client and a Network Policy:

Grant Access; Condition: NAS IPv4 Address of the switch; Authentication: Unencrypted (PAP, SPAP); and
RADIUS attributes: Standard: Service-Type = Administrative
                   Vendor Specific: shell:privl-lvl=15

The thing is that when I'm trying to log in and authenticate to the switch, I still get the output below:


*Mar  1 01:15:43.873: AAA/BIND(00000018): Bind i/f
*Mar  1 01:15:46.491: AAA/AUTHEN/LOGIN (00000018): Pick method list 'default'
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): ask "Password: "
*Mar  1 01:15:46.491: RADIUS/ENCODE(00000018): send packet; GET_PASSWORD
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018):Orig. component type = Exec
*Mar  1 01:15:59.132: RADIUS:  AAA Unsupported Attr: interface         [210] 4
*Mar  1 01:15:59.132: RADIUS:   74 74                [ tt]
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Mar  1 01:15:59.132: RADIUS(00000018): Config NAS IPv6: ::
*Mar  1 01:15:59.132: RADIUS/ENCODE(00000018): acct_session_id: 14
*Mar  1 01:15:59.132: RADIUS(00000018): sending
*Mar  1 01:15:59.132: RADIUS/ENCODE: Best Local IP-Address 172.18.0.11 for Radius-Server 172.18.0.120
*Mar  1 01:15:59.132: RADIUS(00000018): Send Access-Request to 172.18.0.120:1812 id 1645/21, len 78
*Mar  1 01:15:59.132: RADIUS:  authenticator 38 CF 23 57 F1 F5 8A E8 - 8A 93 CB CE 4A 3B 89 66
*Mar  1 01:15:59.132: RADIUS:  User-Name           [1]   10  "a-murcod"
*Mar  1 01:15:59.132: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:15:59.132: RADIUS:  NAS-Port            [5]   6   1
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Id         [87]  6   "tty1"
*Mar  1 01:15:59.132: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Mar  1 01:15:59.132: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  1 01:15:59.132: RADIUS:  NAS-IP-Address      [4]   6   172.18.0.11
*Mar  1 01:15:59.132: RADIUS(00000018): Sending a IPv4 Radius Packet
*Mar  1 01:15:59.132: RADIUS(00000018): Started 5 sec timeout
*Mar  1 01:15:59.141: RADIUS: Received from id 1645/21 172.18.0.120:1812, Access-Reject, len 20   <<<<<<<<
*Mar  1 01:15:59.141: RADIUS:  authenticator CD 2F 6A E9 25 0C 37 75 - 22 29 64 F9 23 10 E7 71
*Mar  1 01:15:59.141: RADIUS(00000018): Received from id 1645/21


And then I fail to authenticate.

The RADIUS server is pingable from the switch, but when I try to log on, I still receive the "Access-Reject, len 20" message.

I think this should be fixed by setting the correct attributes on the RADIUS server and the client switch, but which should I choose?


Please help.
Dusan M, Network Engineer, asked:
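To see what the debug above actually puts on the wire, here is an added example (not code from the original post or from Cisco/Microsoft) in Python that builds the same PAP Access-Request the switch sends (same attributes in the same order, 78 bytes for this user name), runs it through a small stand-in for NPS, and decodes the reply the way a NAS does (RFC 2865). The stand-in server, the account a-murcod / Passw0rd and the secret xxxxx are constructed for the demo. Two things it makes concrete: a RADIUS header is 20 bytes, so "Access-Reject, len 20" is a reject with no attributes at all, i.e. no Reply-Message and no reason from the server; and with PAP a wrong shared secret does not make the server error out, it just decrypts the password to garbage and rejects it, after which the reply's Response Authenticator fails to verify on the NAS. The accept path returns Service-Type Administrative plus the Cisco AV pair shell:priv-lvl=15, which is the attribute name IOS expects for the privilege level.

```python
"""Reconstruct the PAP RADIUS exchange from the debug above and decode the reply (RFC 2865)."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
VENDOR_SPECIFIC, NAS_PORT_TYPE, NAS_PORT_ID = 26, 61, 87
SERVICE_LOGIN, SERVICE_ADMINISTRATIVE, NAS_PORT_VIRTUAL = 1, 6, 5
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16): "len 20" = no attributes at all


def _pap_stream(data, secret, authenticator, encrypt):
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous ciphertext chunk)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if encrypt else chunk
    return out


def pap_encrypt(password, secret, authenticator):
    return _pap_stream(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def pap_decrypt(hidden, secret, authenticator):
    return _pap_stream(hidden, secret, authenticator, False).rstrip(b"\x00")


def attr(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying Cisco (vendor 9) cisco-avpair(1), e.g. shell:priv-lvl=15."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_access_request(user, password, secret, nas_ip, ident, request_auth=None):
    """Same attributes, same order, as the switch's Access-Request in the debug output."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, ra))
             + attr(NAS_PORT, struct.pack("!I", 1))
             + attr(NAS_PORT_ID, b"tty1")
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_VIRTUAL))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_LOGIN))
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def mock_server(request, secret, users):
    """Constructed stand-in for NPS (not NPS code): PAP check, then reply like the page's policy."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, a = request[4:HEADER_LEN], dict(parse_attrs(request[HEADER_LEN:length]))
    user = a[USER_NAME].decode()
    # A wrong shared secret does not fail here: it just decrypts to garbage, i.e. a bad password.
    if user in users and users[user] == pap_decrypt(a[USER_PASSWORD], secret, ra):
        code = ACCESS_ACCEPT
        reply_attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE))
                       + cisco_avpair("shell:priv-lvl=15"))
    else:
        code, reply_attrs = ACCESS_REJECT, b""  # header only: the "Access-Reject, len 20" of the debug
    return packet(code, ident, response_authenticator(code, ident, reply_attrs, ra, secret), reply_attrs)


def decode_reply(reply, request_auth, secret):
    """What the NAS does: verify the Response Authenticator with *its* secret, then read attributes."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[HEADER_LEN:length]
    if reply[4:HEADER_LEN] != response_authenticator(code, ident, attrs, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: shared secrets differ (or reply is forged)")
    return {"code": code, "len": length, "attrs": parse_attrs(attrs)}


def run_exchange(user, password, nas_secret, server_secret, users, ident=21):
    """Client side uses nas_secret, server side server_secret, so a mismatch can be demonstrated."""
    req, ra = build_access_request(user, password, nas_secret, "172.18.0.11", ident)
    return decode_reply(mock_server(req, server_secret, users), ra, nas_secret)


if __name__ == "__main__":
    users = {"a-murcod": b"Passw0rd"}  # constructed test account, not a real credential
    print(run_exchange("a-murcod", "Passw0rd", b"xxxxx", b"xxxxx", users))  # Access-Accept, priv-lvl 15
    print(run_exchange("a-murcod", "wrong", b"xxxxx", b"xxxxx", users))     # code 3, len 20, no attributes
```

Run it as-is to see an accept and a header-only reject; a third call with different secrets on the two sides raises on the Response Authenticator check, which is what the NAS does before it would ever log a clean "Access-Reject". Against a real NPS you would send the bytes from build_access_request over UDP/1812 from an address configured as a RADIUS client; the reason for a reject is not in the packet, only in the NPS event log.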
Dirk Kotte, SE, commented:
Please post the "access denied" details from the NPS event log.
You may have to enable NPS logging first.
Dusan M, Network Engineer (author), commented:
Thank you,

I will check the event log once it is enabled.
Dirk Kotte, SE, commented:
Do you need additional help?
Mostly the NPS event log contains enough details to find the problem.
Dusan M, Network Engineer (author), commented:
No, thank you.

There is some infrastructure problem in the network now, so we are still not able to check the event log.
I don't know when it will be possible.

Thank you anyway.
Dirk Kotte, SE, commented:
The hints should help to solve the problem.