08-13-2008 10:31 AM - edited 03-10-2019 04:01 PM
Greetings,
We have been using our ACS appliance to authenticate logins to our Cisco gear. We have been using tacacs+ and it has worked fine, but I am trying to set it up using radius. I basically changed the configs on my test switch to radius wherever it read tacacs+ and changed our ACS to use the radius protocol. Now I am unable to log into the test switch I set up, when I was able to before using tacacs+.
aaa authentication dot1x default group radius
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
aaa accounting commands 15 default start-stop group radius
radius-server directed-request
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key xxxxxx
When I check the logs on the ACS, it reads "ACS user known"
Let me know if you need anything else.
Thanks
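For anyone reading this later who wants to see what the switch and ACS are actually exchanging once `radius-server host ... key` is configured: below is an added example (my own code, not from the original poster or from Cisco) that builds an RFC 2865 Access-Request the way a NAS does, hides the User-Password with the shared key, and verifies the Response Authenticator on the Access-Reject the poster saw ("user rejected"). The username, password, shared key and NAS address are constructed sample values; the key `xxxxxx` is just the placeholder from the post, not a real secret.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)          # zero-pad to a 16-byte multiple
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += block
        prev = block                                 # chaining uses the ciphertext block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server-side reversal of hide_password (what ACS does before checking the user)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Build the Access-Request a switch sends for a login attempt."""
    request_auth = request_auth or os.urandom(16)    # 16 random bytes per RFC 2865
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Build an Access-Accept/Reject with the Response Authenticator (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret):
    """NAS-side check: recompute the Response Authenticator with our copy of the key.

    Returns (code, ok). A wrong shared key on either side makes ok False and the
    switch silently drops the reply, which looks like a timeout rather than a reject.
    """
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return code, False
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return code, hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"xxxxxx"                               # placeholder key from the post, not a real secret
    req_auth = os.urandom(16)
    req = build_access_request(7, "testuser", "s3cret", secret, "172.16.21.1", req_auth)
    print("Access-Request bytes:", req.hex())
    # Simulate ACS rejecting the user (e.g. a NAP policy with no database selected).
    rej = build_response(ACCESS_REJECT, 7, req_auth, secret)
    print("Reply code / authenticator valid:", verify_response(rej, req_auth, secret))
```

The point to take from it: the shared key never crosses the wire, but every packet in both directions depends on it, so a key mismatch shows up as the switch ignoring replies (timeouts, fallback to `local`), whereas a policy denial like the one in this thread produces a properly authenticated Access-Reject, which is why the ACS log shows the user as known yet the switch reports "user rejected".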
08-13-2008 10:48 AM
When you use the 'test aaa ...' command on the switch, what do you get?
From which SVI are you sourcing your connection? Perhaps it would be better to put ip radius source-interface vlan x
Regards
Farrukh
08-13-2008 11:16 AM
Well, I wasn't aware of a "test aaa" command, but I will try it and see what it says. Int Vlan 21 is the SVI with the IP address assigned to it. I did attempt the "ip radius..." command but still no luck.
08-13-2008 11:23 AM
Ok, please run the test command and then give the exact output you see in the ACS 'Failed' (or even 'Passed') attempts log.
You changed the device from Tacacs to Radius in the 'Network Setup' in ACS?
Regards
Farrukh
08-13-2008 11:59 AM
I ran the test command and it just came back "user rejected"
I did change the device from tacacs+ to radius (cisco ios/pix 6.0) on our ACS.
08-13-2008 12:08 PM
So are you sure you are entering the correct username/password? Are you using some other advanced features like NAR/NAP etc.?
The following debug output would also help:
debug radius
debug aaa authen
debug aaa author
Regards
Farrukh
08-13-2008 12:24 PM
I am sure I am using the correct username/password.
Yes, we are using NAP. That could be causing an issue as well. I know it is set to "Allow any Protocol type."
08-13-2008 12:25 PM
Yes it has to be something fancy for sure. Please look at the failed attempt log in ACS. It will show you which NAP/NAR policy denied it.
To test you can create new group/user without any NAP/NAR and check your radius. Then 'build' from there step-by-step.
Regards
Farrukh
08-13-2008 12:41 PM
Thank you so much Farrukh, it was something not configured correctly with the NAP. Under authentication, I had to move the Windows Database from Available Database to Selected Database. After that I was able to log in. Thanks again for your assistance.
08-13-2008 06:40 PM
No problems at all. Glad it's working now :)
Please rate if helpful.
Regards
Farrukh