
Radius and Windows Server/2008

battanc
Level 1

I am trying to use Radius for Port-Security on a Catalyst 3560; the Radius-Server is a Windows Server/2008.

I am not able to authenticate.

This is the Configuration of the Switch:

```
SW-SEDE#sh run
Building configuration...

Current configuration : 2845 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW-SEDE
!
enable password cisco
!
username cisco privilege 15 password 0 cisco
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
ip subnet-zero
ip routing
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport mode access
!
(omissis)
!
interface GigabitEthernet0/12
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
(omissis)
!
interface Vlan1
 description VLAN-DEFAULT
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 description VLAN-2
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan3
 description RESTRICTED
 ip address 192.168.3.254 255.255.255.0
!
interface Vlan99
 description VLAN-Router
 ip address 192.168.99.1 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
ip http server
!
radius-server cache expiry 1
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813
radius-server key tantovalagattaallardoche
!
control-plane
!
```

And this is the DEBUG output:

```
16:31:52: AAA/BIND(00000018): Bind i/f
16:31:52: AAA/AUTHEN/19 (00000018): Pick method list 'default'
16:31:52: RADIUS: AAA Unsupported [161] 19
16:31:52: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 30 [GigabitEthernet0]
16:31:52: RADIUS: 2F [/]
16:31:52: RADIUS(00000018): Storing nasport 50012 in rad_db
16:31:52: RADIUS(00000018): Config NAS IP: 0.0.0.0
16:31:52: RADIUS/ENCODE(00000018): acct_session_id: 22872064
16:31:52: RADIUS(00000018): sending
16:31:52: RADIUS/ENCODE: Best Local IP-Address 192.168.1.254 for Radius-Server 192.168.1.11
16:31:52: RADIUS(00000018): Send Access-Request to 192.168.1.11:1812 id 21645/28, len 127
16:31:52: RADIUS: authenticator 7D 49 7D A6 E3 2F AD 22 - 8E E2 8F A8 55 95 6E AA
16:31:52: RADIUS: User-Name [1] 8 "user01"
16:31:52: RADIUS: Service-Type [6] 6 Framed [2]
16:31:52: RADIUS: Framed-MTU [12] 6 1500
16:31:52: RADIUS: Called-Station-Id [30] 19 "00-1B-0C-8F-93-0C"
16:31:52: RADIUS: Calling-Station-Id [31] 19 "00-09-6B-0C-86-9F"
16:31:52: RADIUS: EAP-Message [79] 13
16:31:52: RADIUS: 02 02 00 0B 01 75 73 65 72 30 31 [?????user01]
16:31:52: RADIUS: Message-Authenticato[80] 18
16:31:52: RADIUS: E8 D5 38 63 79 AF 23 B6 9E 75 9D 6E 2E 18 DE EB [??8cy?#??u?n.???]
16:31:52: RADIUS: NAS-Port [5] 6 50012
16:31:52: RADIUS: NAS-Port-Type [61] 6 Eth [15]
16:31:52: RADIUS: NAS-IP-Address [4] 6 192.168.1.254
16:31:58: RADIUS: Retransmit to (192.168.1.11:1812,1813) for id 21645/28
16:32:04: RADIUS: Retransmit to (192.168.1.11:1812,1813) for id 21645/28
16:32:09: RADIUS: Retransmit to (192.168.1.11:1812,1813) for id 21645/28
16:32:15: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.11:1812,1813 is not responding.
16:32:15: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.11:1812,1813 has returned.
16:32:15: RADIUS: No response from (192.168.1.11:1812,1813) for id 21645/28
16:32:15: RADIUS/DECODE: parse response no app start; FAIL
16:32:15: RADIUS/DECODE: parse response; FAIL
```

Some HELP?

2 Replies

Jagdeep Gambhir
Level 10

It seems that Radius is not responding to the request. Make sure the secret key is the same and there is no firewall in between blocking Radius traffic.

Regards,

~JG

Also check the listening ports of your server.
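
The shared-secret check from the first reply, as an added example that is not part of the original thread: RFC 3579 has a RADIUS server silently discard an EAP Access-Request whose Message-Authenticator does not verify, so a key mismatch produces the retransmit-and-timeout pattern seen in the debug output instead of an Access-Reject. The identifier, authenticator and EAP bytes are taken from the debug output; both secrets are constructed, and the packet carries only a subset of the attributes the switch sent.

```python
import hashlib
import hmac
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
# Taken from the debug output in the question.
AUTHENTICATOR = bytes.fromhex("7D497DA6E32FAD228EE28FA855956EAA")
EAP_IDENTITY = bytes.fromhex("0202000B01757365723031")
# Constructed secrets, standing in for the switch key and a mistyped server key.
SWITCH_SECRET, SERVER_SECRET = b"example-secret", b"example-secert"

def attr(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, user, eap):
    """Build an Access-Request (code 1) signed with Message-Authenticator."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the attribute is last, so its value is the tail

def decode_eap(eap):
    """Return (code, id, length, type, type-data) of an EAP packet."""
    code, ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    return code, ident, length, eap_type, eap[5:length]

def server_accepts(packet, secret):
    """True if Message-Authenticator verifies; False means silent discard."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += a_len
    return False  # an EAP request without the attribute is dropped as well

if __name__ == "__main__":
    pkt = build_access_request(SWITCH_SECRET, 28, AUTHENTICATOR, b"user01", EAP_IDENTITY)
    print("EAP fields:", decode_eap(EAP_IDENTITY))  # EAP Response / Identity
    print("matching secret   ->", server_accepts(pkt, SWITCH_SECRET))
    print("mismatched secret ->", server_accepts(pkt, SERVER_SECRET))
```

On the server side, a dropped request of this kind shows up in the RADIUS server's own event log, not on the switch.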