No Remote Access After Enabling AAA Radius

tbrooks25
Level 1

Hello,

I can't seem to access our Catalyst 4006 after enabling AAA for RADIUS. I have set up IAS on our domain controller, set up the Catalyst as a RADIUS client, and configured a remote access policy that points to an AD group to allow switch access. When I try to log in to the Catalyst with my AD user information, it seems to hang after I type in my password, asks for the password again, then says access denied. This happens both on the console and via a telnet session. I have included my AAA configuration below.

What am I missing?

Tim

(Cisco IOS Software, v 12.2(25)EWA14)

aaa new-model
!
radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx
radius-server source-ports 1645-1646
!
aaa group server radius Radius-Servers
 server 10.100.x.x auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
!
line vty 0 4
 login authentication default

6 Replies

Jagdeep Gambhir
Level 10

Do you see any hits on IAS (event logs)? Make sure that the secret key is correct. Ensure that the switch can reach IAS (rule out any communication issue).

If this is happening with console then it seems all we can do is check IAS event logs. Problem here would be how to change aaa config on switch. If it is locked out then we need to do password recovery.

Regards,

~JG

I do not see any hits at all in the IAS logs. It's as if the switch will not communicate with IAS. I've tried a different key as well, something simple so I know I wasn't typing it in wrong. Do I need to specify a different address on the IAS server? I have multiple VLANs and currently have the RADIUS client set on the Catalyst for VLAN 10 (10.100.49.1), which is our network VLAN for all switches. Or maybe set vlan10 as a native VLAN? The other Dell switches at this location seem to work just fine.

If the config locks me out I do have access through Cisco View and have copied the config before I made the changes so I just restore that config to the running config and I have access again.

Tim

tbrooks25
Level 1

Here is a full config file minus the list of Ethernet ports. As I said in my last message, I have the IAS server settings for this Catalyst pointed to vlan 10 (10.100.49.1).

Tim

Tim

I believe that the immediate problem is that the source address used by your switch is not the address that RADIUS is expecting. The RADIUS server is at 10.100.182.250 and that is in the subnet of interface vlan 182. So the address of interface vlan 182 will be the source address of the RADIUS request. One way to fix that is to use the ip radius source-address command and specify the address that you want the switch to use. Of course in the short term it may be easier to change the RADIUS server to expect 10.100.182.2 as the client address.

HTH

Rick
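
As an added illustration (not code from the thread or from Rick), here is a small Python model of the source-address selection Rick describes: a RADIUS request to a server on a directly connected subnet leaves with that SVI's address, and a server whose client list holds only the management-VLAN address silently discards it, which is why IAS logs nothing. The /24 masks, the Vlan names and the IAS client list are assumptions; the fix modelled is the IOS `ip radius source-interface` command.

```python
import ipaddress

# Constructed from the thread: the Catalyst's SVI addresses (10.100.182.2 is the
# vlan 182 address Rick mentions; the /24 masks are an assumption).
SWITCH_INTERFACES = {
    "Vlan10": ipaddress.ip_interface("10.100.49.1/24"),    # management VLAN
    "Vlan182": ipaddress.ip_interface("10.100.182.2/24"),  # same subnet as IAS
}
RADIUS_SERVER = ipaddress.ip_address("10.100.182.250")
# RADIUS client entries registered on IAS: only the Vlan10 address (constructed).
IAS_CLIENTS = {ipaddress.ip_address("10.100.49.1")}


def egress_interface(interfaces, dst, default_interface=None):
    """Longest-prefix match of dst against the connected subnets; fall back to the
    interface carrying the default route, if one is given."""
    best = None
    for name, iface in interfaces.items():
        if dst in iface.network:
            if best is None or iface.network.prefixlen > interfaces[best].network.prefixlen:
                best = name
    return best if best is not None else default_interface


def radius_source(interfaces, server, source_interface=None, default_interface=None):
    """Source IP IOS places on the request: the 'ip radius source-interface' address
    when configured, otherwise the address of the interface the packet leaves on."""
    if source_interface is None:
        source_interface = egress_interface(interfaces, server, default_interface)
        if source_interface is None:
            raise ValueError("no route to RADIUS server")
    return interfaces[source_interface].ip


def check_radius_client(interfaces, server, clients, source_interface=None):
    """Return (accepted, source_ip_as_str). RADIUS servers discard requests from
    addresses that are not registered clients without replying, so a mismatch
    shows up as 'no hits at all' in the IAS log rather than as an Access-Reject."""
    src = radius_source(interfaces, server, source_interface)
    return src in clients, str(src)


if __name__ == "__main__":
    for src_if in (None, "Vlan10"):
        ok, src = check_radius_client(SWITCH_INTERFACES, RADIUS_SERVER, IAS_CLIENTS, src_if)
        label = f"ip radius source-interface {src_if}" if src_if else "no source-interface"
        print(f"{label}: request from {src} -> {'accepted' if ok else 'dropped by IAS'}")
```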

Great! That did the trick. I knew it had to be something within my VLAN config. Thanks for the help!

Tim

Tim

I am glad that my response helped you to solve your problem. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that they will read a response which did resolve the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick