- Bronze, 100 points or more
I have set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA "Agent Hosts" with identical setups. Router (2621XM/EntServ Version 12.4(18)) and switch (3560-24PS/IPBase-12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA is fine as far as the PASSCODE being accepted. But the switch doesn't let me in:
% Authorization failed.
When I do "deb radius authentication" on each, the outputs are the same up to the last 2 lines. The router that works says:
000055: .Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
000056: .Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes
But the switch says:
000284: Jan 16 12:20:47 EST: RADIUS: saved authorization data for user 3030220 at 3034440
000285: Jan 16 12:20:47 EST: RADIUS: no appropriate authorization type for user.
The only other difference I can think of is that I use ssh to the router and telent for the switch (IPBase apparently no habla "crypto", I could use a different IOS I think.
Any clue? TIA
If I were you, I would "disable" authorization
on the catalyst 3560. I haven an identical
setup like yours on mine Catalyst 2960 and it
works just fine. See below:
[[email protected] root]# telnet 192.168.0.5
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
User Access Verification
Enter your new PIN, containing 4 to 8 digits,
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the code on your card to change, then log in with the new PIN
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 16-Jul-07 02:53 by myl
Image text-base: 0x00003000, data-base: 0x00CC0000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)
C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System returned to ROM by power-on
System restarted at 23:20:30 GMT Wed Dec 26 2007
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID FOC1036X0F1
Last reset from power-on
2 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:19:55:1B:D6:00
Motherboard assembly number : 73-10015-05
Power supply part number : 341-0098-02
Motherboard serial number : FOC10352NF2
Power supply serial number : AZS103402ZF
Model revision number : B0
Motherboard revision number : B0
Model number : WS-C2960G-24TC-L
System serial number : FOC1036X0F1
Top Assembly Part Number : 800-26673-02
Top Assembly Revision Number : C0
Version ID : V02
CLEI Code Number : COM3G00BRA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 24 WS-C2960G-24TC-L 12.2(25)SEE4 C2960-LANBASEK9-M
Configuration register is 0xF
C2960#sh run | inc aaa
aaa authentication login test group radius local
aaa authentication login test1 group tacacs+ local
aaa authentication login notac local
aaa authentication dot1x default group radius
aaa session-id common