Radius configuration

Unanswered Question
Nov 13th, 2009

I am looking for the basic bare-bones RADIUS configuration for a 3750. The RADIUS server is listening on ports 1812-1813. Just enough to have a client authenticate. I also need the vty line config. I am sure the problem is on the RADIUS server end, but I just want to confirm. Also, is there any way to test the config?

adamclarkuk_2 Fri, 11/13/2009 - 06:45

This should do it

aaa new-model
! login method list: try the local user database first, then the RADIUS server group
aaa authentication login default local group radius
! RADIUS server and the UDP ports it listens on (1812 authentication, 1813 accounting)
radius-server host x.x.x.x auth-port 1812 acct-port 1813

You can also try running debug radius authentication to help identify any issues.

adamclarkuk_2 Fri, 11/13/2009 - 06:57

No, you should not need to, but you can set

login authentication

under your line config; it is not always needed.

newbie Fri, 11/13/2009 - 07:00

Just one more question. So, do I need to set a key?

adamclarkuk_2 Fri, 11/13/2009 - 07:04

You don't need a key; that depends on your RADIUS server software, but I would recommend you use one. The command is:

radius-server key 0 thisismykey

Other useful commands are below:

! source all RADIUS traffic from one interface, so the server sees a stable client address
ip radius source-interface
! seconds to wait for a reply before retransmitting
radius-server timeout 10

newbie Fri, 11/13/2009 - 07:20

Here is the bare-bones config I am running. I included the lines that I thought were pertinent to RADIUS. Do you think I am missing anything?

service password-encryption
enable password
username letmein password 7
aaa new-model
! local user database first, RADIUS second
aaa authentication login default local group radius
radius-server host x.x.x.x auth-port 1812 acct-port 1813
! UDP source ports the switch sends RADIUS requests from
radius-server source-ports 1645-1646
! number of retransmissions before the server is marked as not responding
radius-server retransmit 10
line con 0
line vty 5 15

adamclarkuk_2 Fri, 11/13/2009 - 07:25

Looks good to me. What do you get in the output of debug radius authentication?

Also, no disrespect intended, but can you ping the RADIUS server, and is the software running and listening on the right ports?

newbie Fri, 11/13/2009 - 07:39

I can ping the RADIUS host from the switch, and I have tried to ping the port using ping x.x.x.x 1812 and ping x.x.x.x 1813 from the switch and other locations in the same network, but I do not get an answer. In the debug output I get:

radius protocol debugging is on

radius protocol brief debugging is off

radius protocol verbose debugging is on

radius packet hex dump debugging is off

radius packet protocol authentication debugging is on

radius packet protocol accounting debugging is off

radius elog debugging is off

radius server fail-over debugging is off

adamclarkuk_2 Fri, 11/13/2009 - 07:48

If you are connected to your device via telnet and you have turned on RADIUS authentication debugging, type terminal monitor in privileged exec mode:

hostname#terminal monitor

This will redirect the debug (log) messages to your vty session. Once you have done this, start another session and try to authenticate, but do not use the username letmein: you have chosen to do local auth first and RADIUS second, and letmein is defined in the local database. Try a username that is not defined locally but is instead configured on your RADIUS server, then watch for the output on the screen to get a clue as to why it is failing.

newbie Fri, 11/13/2009 - 09:01

That helped a lot. I believe things on my end are set up correctly. I am setting up the switch part; someone else is doing the RADIUS server end. I am trying to help them out if I can. Debugging shows me that there is no response from the server; it tried all servers. The switch is trying to go out and query the IP of the RADIUS server, but it is not getting a response.
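The original question asked whether there is any way to test the config, and the thread ends with the switch getting no response from the server. Pinging a UDP port does not tell you anything, but sending a real RFC 2865 Access-Request from another host does. The script below is an added example written for this page, not code from the thread or from Cisco: it builds an Access-Request with the User-Password hidden under the shared secret, sends it over UDP/1812, and verifies the Response Authenticator of whatever comes back. The server address, secret, username, password and NAS IP in the main block are hypothetical placeholders; the test vectors used offline are constructed here.

```python
"""Minimal RADIUS (RFC 2865) Access-Request probe. Added example for this thread,
not code from the original posts. Sends one request and reports the outcome."""
import hashlib
import hmac
import os
import socket
import struct
import sys

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), the first 'previous block' being the Request
    Authenticator. This is obfuscation keyed by the shared secret, not real
    encryption, which is one reason RADIUS belongs on a trusted management network."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Return (packet, request_authenticator). The authenticator must be random
    in real use; it is injectable here only so the example can be tested offline."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator: fails when the secret differs or the packet
    was forged or corrupted. Octets beyond the Length field are ignored per the RFC."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def classify_response(data: bytes, identifier: int, request_auth: bytes, secret: bytes) -> str:
    """Map a reply to accept / reject / other / bad-authenticator."""
    if len(data) < 20 or data[1] != identifier or not verify_response(data, request_auth, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], "other")


def probe_radius(server, secret, username, password, nas_ip, port=1812, timeout=5.0) -> str:
    """Send one Access-Request over UDP and classify the outcome. 'no-response' is the
    symptom in the thread: nothing listening, a firewall dropping UDP/1812, or the
    server silently discarding requests from a client IP it does not know."""
    identifier = os.urandom(1)[0]
    request, request_auth = build_access_request(identifier, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data, identifier, request_auth, secret)


if __name__ == "__main__":
    # usage: radius_probe.py <server> <secret> <user> <password> <nas-ip>
    # defaults are hypothetical placeholders, not values from the thread
    args = sys.argv[1:] or ["192.0.2.10", "thisismykey", "radiususer", "radiuspass", "192.0.2.1"]
    server, secret, user, password, nas_ip = args
    print(probe_radius(server, secret.encode(), user, password, nas_ip))
```

Run it from a host on the same network as the switch and read the result like this: "no-response" means the request never reached a listening server or the server discarded it silently, which RADIUS servers do for client IPs they have no entry for, so the switch's source address must be registered on the server; "bad-authenticator" means a server answered but the shared secret on the two ends differs; "reject" means the secret matches and the credentials were refused. That last case is the one worth reaching before touching the switch config again, because it proves the path and the key are fine.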
