Please Help: 3550 lab switch locked by radius server

Unanswered Question
Oct 5th, 2009

Hi All,

Any idea? After cleaning up all the router and switch config files, sw3 still asks for a radius username and password.

When logging in on the console and using the 3550 password recovery procedure, it still asks for a username and password.

When aaa new-model is configured, no username is asked for; only the password cisco is typed in. (Please see the detailed config file in the following.)

Note: This is for CCIE R&S home lab rack.

==========

// radius server locks sw3

Access-Server#9
[Resuming connection 9 to sw3 ... ]

User Access Verification

Username:
Username: cisco
Password:
% Backup authentication
00:27:36: %RADIUS-4-RADIUS_DEAD: RADIUS server 150.100.1.254:1645,1646 is not responding.
00:27:36: %RADIUS-4-RADIUS_ALIVE: RADIUS server 150.100.1.254:1645,1646 has returned.
Username:

===========

sw3#sh run
Building configuration...

Current configuration : 4655 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw3
!
!
aaa new-model
aaa authentication dot1x default group radius
!
aaa session-id common
mls qos
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
no file verify auto
!
!
interface FastEthernet0/11
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/12
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/13
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/14
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/15
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/16
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/17
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/18
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
!
interface FastEthernet0/19
 switchport mode dynamic desirable
 channel-group 1 mode desirable
!
interface FastEthernet0/20
 switchport mode dynamic desirable
 channel-group 1 mode desirable
!
interface FastEthernet0/21
 switchport mode dynamic desirable
!
interface FastEthernet0/22
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
 channel-group 2 mode desirable
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 channel-group 2 mode desirable
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip http server
ip http secure-server
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco

xcz504d1114 Mon, 10/05/2009 - 12:38

I'm not quite sure what your end result is. Are you trying to use Radius or not?

Once you enable aaa new-model, you have to specify the login method. If you are only using the radius for dot1x and not console access, then you would want:

make sure you have a user/pass set

aaa authentication login default local

If you WANT to use the radius to authenticate:

aaa authentication login default local group radius

That will let you have a "backup", so if your radius fails, you can get in using the local group.

It's typical for people to lock themselves out when doing their dot1x labs for their CCIE's :) Don't sweat it.

HTH,

Craig
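Added example, not Craig's or the original poster's configuration: the sw3 config from the thread with the login method list Craig describes added on top of it. The RADIUS host and key are the ones in the posted config; the account name admin and the secret are placeholder values you would replace with your own. Because aaa new-model switches console and VTY logins to a Username: prompt, the username line belongs in the config before the method list is enabled, and the existing session should stay open until a second login has been tested.

```cisco
! Added example (not from the thread): AAA login fallback for the 3550.
! "admin" and the secret are placeholders, not values from the thread.
username admin privilege 15 secret LAB-PLACEHOLDER-SECRET
!
aaa new-model
! Console and VTY logins consult the local user database first and the
! RADIUS group second, so a dead 150.100.1.254 cannot lock you out.
! Reversing the two keywords ("group radius local") queries RADIUS first
! and falls back to the local database only when RADIUS does not answer.
aaa authentication login default local group radius
! 802.1X authentication stays RADIUS-only, exactly as in the posted config.
aaa authentication dot1x default group radius
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
```

Before closing the console session, open a second session (telnet or the console server's other line) and log in with the local account; the first session is the recovery path if the new method list rejects you. On the 12.2 image in the thread, "show running-config | include aaa|username" confirms that both the method list and the username survived the write.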

dchen0999 Mon, 10/05/2009 - 14:12

Thanks Craig for the help.

What is local group? How to get back in the switch? I don't know the username except I know I type in password: cisco.

Please kindly show me how to log back in the switch.

dchen0999 Mon, 10/05/2009 - 14:14

Tried to do password recovery per the Cisco doc, but the config.text file is missing from the flash dir:

switch: dir flash:
Directory of flash:/
2 -rwx 5276 syslog
3 -rwx 0 env_vars
4 -rwx 7131928 c3550-ipservicesk9-mz.122-25.SEE.bin
5 drwx 64 crashinfo
24 -rwx 326 system_env_vars
7 drwx 192 c3550-i9q3l2-mz.121-13.EA1a
26 -rwx 24 private-config.text

xcz504d1114 Mon, 10/05/2009 - 15:12

Glad you got it worked out!

The "local group" is actually 2 separate pieces of the aaa syntax:

aaa authentication
default
local
group radius

those are how they are actually grouped, the "group radius" portion just specifies to use all of the radius servers in the group, the group is defined when you put the radius host ip information in.

The "local" just specifies to look at the local user / password, if you changed the order and put local after the radius, then it would look at the radius first, then the local if the radius failed.

HTH,

Craig

dchen0999 Mon, 10/05/2009 - 15:44

// Thanks Craig. I have done the lab many times without being locked out of the switch. Not sure why it is locked out by the radius server this time.

Is there any way we can specify a username for aaa new-model to prevent being locked out of the switch again?

Also, this would be a good point for the CCIE lab troubleshooting section after the 10/18/09 lab change: 3550/60 password recovery.

aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco

dchen0999 Mon, 10/05/2009 - 19:20

Replied by: jeye - Network Consulting Engineer, Cisco Systems, Inc., CCIE - Oct 5, 2009, 1:23pm PST

Have you used no aaa new-model

or

del flash:/config.text?

no aaa new-model should remove the authentication, and del flash:/config.text should wipe the switch clean except for the VLAN database.

Regards,

jerry

dchen0999 Mon, 10/05/2009 - 19:22

1. no aaa new-model // I can't log in sw

2. del flash:/config.text // this should work.

dchen0999 Mon, 10/05/2009 - 19:23

Replied by: jeye - Network Consulting Engineer, Cisco Systems, Inc., CCIE - Oct 5, 2009, 3:52pm PST

If you reboot at this point, the switch should come up clean. Do you need to keep your config? Also, I see your cross post to the other forum. I will jump on the other one and consolidate the answer at one place.

Regards,

jerry

xcz504d1114 Tue, 10/06/2009 - 05:27

I was really confused for a minute there. Is there more than one person using that account?

If you remove the aaa authentication, you need to specify "login" under your con 0 or vty 0 15; this will prompt you for a password. If you want to use a username and password, use "login local" under your vty / con 0.

HTH,

Craig
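Added example, not Craig's or the original poster's configuration, showing the two line-level options Craig describes for a switch that has had aaa new-model removed: "login" with a line password on the console, and "login local" on the VTY lines. All secrets and the account name are placeholders. One caveat for this lab: dot1x system-auth-control needs aaa new-model, so this is the state for a recovered switch before the 802.1X part of the lab is rebuilt.

```cisco
! Added example (not from the thread): line logins without AAA.
! The account name and every secret below are placeholders.
no aaa new-model
enable secret LAB-ENABLE-PLACEHOLDER
username admin privilege 15 secret LAB-PLACEHOLDER-SECRET
!
! Console: "login" alone prompts only for this line's password.
line con 0
 password LAB-CONSOLE-PLACEHOLDER
 login
!
! VTY: "login local" prompts for a username and password and checks them
! against the "username" entries above; no line password is needed.
line vty 0 15
 login local
```

Without aaa new-model, the RADIUS server is never consulted for logins, so the RADIUS_DEAD messages from the first post cannot affect console or VTY access; they only matter again once aaa new-model and the dot1x method list are re-added.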

dchen0999 Tue, 10/06/2009 - 08:41

Thanks Craig. Will check it out when I run across this lab next time.

Thanks everyone for the help and have a nice day.

dchen0999 Tue, 10/06/2009 - 09:06

Per the Cisco doc,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html#wpxref10658

Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60

// will it be this line that specifies the username/password?

Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
Switch(config)# dot1x critical eapol
Switch(config)# dot1x critical recovery delay 2000
Switch(config)# interface gigabitethernet 0/1
Switch(config)# radius-server deadtime 60
Switch(config-if)# dot1x critical
Switch(config-if)# dot1x critical recovery action reinitialize
Switch(config-if)# dot1x critical vlan 20
Switch(config-if)# end

Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# radius-server host 1.1.1.2 key key1
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Switch(config)# end
