AAA and the using the command "ip routing" on a 3850 switch

Upshot001
Level 1

Hello,

I am converting all of the switches here, about 150, from TACACS to RADIUS. The reason is that we are going to ISE, which is not compatible with TACACS.

The problem I ran into was that when I applied the RADIUS config to some of the 3850 switches (we have about 30 of these) it did not work. I could not authenticate because it stated that it could not find a server to authenticate to. As I compared the configs I found one major difference... the ones that did not work had the command "ip routing" in the config and the others did. When I removed it the AAA authentication would then work. I also applied this statement to other 3850 switches and got the same results until I removed it.

I have been reading documentation on RADIUS config and the 3850 but have found no clear answer as to why, what for, how come, and all the other things a person could ask. Not even a good explanation of this command (although I think I may have it figured out).

Any help in resolving this issue would be appreciated.

Have a great day!

David

4 Replies

jj27
Spotlight

Is your RADIUS server on the same VLAN as the switch RADIUS source VLAN?  If not, with IP routing turned on you would need an IP route in the table to reach the RADIUS server.

Do check the reachability to the RADIUS server, as ip routing and VLANs can be a cause, but if you can share the config and the logs it would help to better answer.

As mentioned before, it sounds like a connectivity issue to the RADIUS server.

Is the RADIUS server in the same network segment as the one that provides the TACACS service?

If you enable "ip routing" again, are you able to ping the RADIUS server?

What do the RADIUS debugs reveal? "RADIUS/DECODE: No response from radius-server; parse response; FAIL"?

Some general background about "ip routing":

"In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, network devices in different VLANs cannot communicate with one another without a Layer 3 device (router) to route traffic between the VLAN, referred to as inter-VLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN." Information About IP Routing

HTH.
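To make the point in the two replies above concrete (the route requirement jj27 raises, and the reachability checks Javier suggests), here is an added IOS configuration example. It is not from the thread or from Cisco documentation; every address, VLAN number, server name, group name and key is a placeholder chosen for illustration. The behaviour it relies on is that a Catalyst switch uses "ip default-gateway" only while "ip routing" is disabled; once routing is enabled the switch consults its own routing table, so a RADIUS server on another subnet becomes unreachable unless a route covers it.

```cisco
! Added example, not the thread's own config. All values are placeholders.
!
! --- Case 1: Layer 2 switch (ip routing disabled) ---
! Off-subnet hosts, including the RADIUS server, are reached through ip default-gateway.
no ip routing
interface Vlan10
 ip address 10.10.10.5 255.255.255.0        ! management SVI (placeholder)
ip default-gateway 10.10.10.1               ! honoured only while ip routing is disabled
!
! --- Case 2: the same switch after "ip routing" is enabled ---
! ip default-gateway is now ignored; without a route to the RADIUS server's subnet,
! AAA reports that no server can be reached, which matches the symptom in the question.
ip routing
interface Vlan10
 ip address 10.10.10.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.1         ! default route replaces ip default-gateway (placeholder next hop)
!
! --- RADIUS server in the newer syntax the question mentions (placeholder name and address) ---
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
ip radius source-interface Vlan10           ! consistent NAS source address for the RADIUS server
!
aaa new-model
aaa authentication login default group ISE-GROUP local   ! local fallback retained while the migration is tested
!
! --- Verification, in the order a practitioner would run it ---
! show ip route 192.0.2.10                      ! with ip routing on, a matching route must exist
! ping 192.0.2.10 source Vlan10                 ! Layer 3 reachability from the RADIUS source interface
! test aaa group ISE-GROUP <user> <password> legacy   ! end-to-end check, same form as the question uses
```

The check order matters for diagnosis: if "show ip route" returns no matching route, the AAA failure is a routing artefact of enabling "ip routing" rather than a RADIUS or ISE problem, and adding the route (or keeping the switch at Layer 2) resolves it without touching the AAA configuration.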

Javier,

The RADIUS server and TACACS are the same unit. We use Cisco appliances, and to change from TACACS to RADIUS is done with a config change there using ACS and also on the device that will authenticate to it. Every switch and router we have authenticates this way. So they are within our Enterprise network but may be on different segments.


The config change in the device is...

#radius-server host auth-port acct-port key

on all older IOS's . Since this is being deprecated on the 3850's I used...

#radius server

   address ipv4 auth-port acct-port

   key

Then the AAA is changed to use RADIUS and then tested with...

#test aaa group radius legacy

I then get a response if it does or does not connect or authenticate. I can also check the logs and see what they say.

It works fine on all of our other devices. The only issue I have is on the 3850's and this ip routing command and the effects this will have later as we finish the configs and try to bring them online to replace the 6513's. I am trying to get ahead on this and not wait to see what happens later.

I have read the Cisco papers you have referenced already and they have not cleared the air for me. What does this command enable on these and how is it affected by the AAA authentication? Do I need to make other config changes to make ip routing work with AAA or vice versa? I have used all the Cisco best practices to make this work, including reading the manuals on RADIUS config and RADIUS config on the 3850.

Sorry if I sound empty headed but for some reason it is not clicking.

Thank you,

David