AAA - RADIUS Authentication for HTTPS Connections

KSI-ITNet
Level 1

Hello All,

I am currently trying to set up a RADIUS server using the Network Policy Service role in Windows Server 2012R2.

I've got everything working on 2 switches. One is an HP Pro Curve 2610-24 and the other is a Cisco Catalyst 3650.

According to the 'show version' command, the 3650 is running:

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)


The value in this is we can switch MSPs (like we just did) and not have to login to each switch and delete their credentials. Additionally, it makes it quicker/easier to add accounts for new staff and we can better document changes when everyone has their own individualized login.


My issue is that on a switch at another facility, I am unable to get to the web interface using the RADIUS server, but I can SSH to it. I have added the 'ip http authentication aaa' command which was successful on the first Catalyst 3650 and the HP switches I tested on.


We have a lot of switches across a few sites, so I want to troubleshoot this issue before moving onto the rest of the devices. The switch is a Catalyst 3650 and has the following IOS:

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)


Here is the debug I received while trying to authenticate:


38w1d: HTTP AAA picking up console Login-Authentication List name: default
38w1d: HTTP AAA picking up console Exec-Authorization List name: default
38w1d: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
38w1d: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
38w1d: RADIUS(00000000): Config NAS IP: 0.0.0.0
38w1d: RADIUS(00000000): sending
38w1d: RADIUS/ENCODE: Best Local IP-Address 192.168.30.79 for Radius-Server 10.1.7.117
38w1d: RADIUS(00000000): Send Access-Request to 10.1.7.117:1645 id 1645/29, len 57
38w1d: RADIUS:  authenticator 57 7E 42 44 20 20 3E ED - A4 5C 3D 2A 25 67 3B 99
38w1d: RADIUS:  User-Name           [1]   13  "MyUserName"
38w1d: RADIUS:  User-Password       [2]   18  *
38w1d: RADIUS:  NAS-IP-Address      [4]   6   192.168.30.79
38w1d: RADIUS: Received from id 1645/29 10.1.7.117:1645, Access-Reject, len 20
38w1d: RADIUS:  authenticator B3 94 EB 03 CB 93 22 64 - 52 5D BA 10 F9 C9 45 BC
38w1d: RADIUS(00000000): Received from id 1645/29
38w1d: HTTP: Authentication failed for level 15


I am definitely putting the right credentials in - like I said, this does work for SSH.

Here is the running config for aaa:

aaa new-model
aaa authentication login default group radius local enable
aaa authorization exec default group radius local
aaa session-id common
ip http authentication aaa


I am fairly new to this sort of thing. I have a home lab and am studying for the CCNA: R&S, but have only recently begun to make some controlled changes in a production environment. I have done some research and have come across some information suggesting a bug in IOS, but the versions didn't seem to match up with my situation.

Any help is greatly appreciated.


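As an added example (not from the original post or from Cisco), a small Python parser for the "debug radius" output quoted above: it reconstructs the Access-Request, lists the attributes the switch actually sent, and flags the points a defender would compare against the NPS side, such as the Service-Type (attribute 6) that the log says was dropped. The embedded sample is the post's own excerpt, constructed as inline input; the finding texts are my own wording, not anything the page states as the cause.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the debug excerpt from the post above, trimmed.
DEBUG_LOG = """\
38w1d: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
38w1d: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
38w1d: RADIUS(00000000): Send Access-Request to 10.1.7.117:1645 id 1645/29, len 57
38w1d: RADIUS:  User-Name           [1]   13  "MyUserName"
38w1d: RADIUS:  User-Password       [2]   18  *
38w1d: RADIUS:  NAS-IP-Address      [4]   6   192.168.30.79
38w1d: RADIUS: Received from id 1645/29 10.1.7.117:1645, Access-Reject, len 20
38w1d: HTTP: Authentication failed for level 15
"""

SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+), len (\d+)")
ATTR_RE = re.compile(r"RADIUS:\s+(\S+)\s+\[(\d+)\]\s+(\d+)\s+(.*)$")
RECV_RE = re.compile(r"Received from id (\S+) (\S+), (Access-\w+), len (\d+)")
DROP_RE = re.compile(r"dropping service type")

@dataclass
class Exchange:
    request_id: str = ""
    server: str = ""
    attributes: dict = field(default_factory=dict)  # attr number -> (name, value)
    reply: str = ""
    service_type_dropped: bool = False

def parse_exchange(log: str) -> Exchange:
    """Walk the debug lines and rebuild one request/reply pair."""
    ex = Exchange()
    for line in log.splitlines():
        if DROP_RE.search(line):
            ex.service_type_dropped = True
        elif (m := SEND_RE.search(line)):
            ex.server, ex.request_id = m.group(1), m.group(2)
        elif (m := ATTR_RE.search(line)):
            name, num, _length, value = m.groups()
            ex.attributes[int(num)] = (name, value.strip().strip('"'))
        elif (m := RECV_RE.search(line)) and m.group(1) == ex.request_id:
            ex.reply = m.group(3)
    return ex

def findings(ex: Exchange) -> list:
    """Human-readable checks for the NPS administrator; wording is mine."""
    out = []
    if ex.reply == "Access-Reject":
        out.append(f"server {ex.server} rejected request id {ex.request_id}")
    if ex.service_type_dropped or 6 not in ex.attributes:
        out.append("Service-Type (attribute 6) absent from the Access-Request; "
                   "compare with the conditions of the matching NPS network policy")
    if 4 in ex.attributes:
        out.append(f"NAS-IP-Address {ex.attributes[4][1]}: confirm it matches the "
                   "RADIUS client entry and shared secret on the server")
    return out
```

Run it on a fuller capture that includes the working switch's debug and diff the two attribute lists; the NPS event log (event 6273, reason code) on the server side gives the other half of the picture.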