We have been using our ACS appliance to authenticate logins to our Cisco gear. We have been using TACACS+ and it has worked fine, but I am trying to set it up using RADIUS. I basically changed the configs on my test switch to radius wherever they read tacacs+ and changed the device in ACS to use the RADIUS protocol. Now I am unable to log into the test switch I set up, whereas I was able to before using TACACS+.
aaa authentication dot1x default group radius
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
aaa accounting commands 15 default start-stop group radius
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key xxxxxx
When I check the logs on the ACS, it reads "ACS user known"
Let me know if you need anything else.
When you use the 'test aaa ...' command on the switch, what do you get?
From which SVI are you sourcing your connection? Perhaps it would be better to put 'ip radius source-interface vlan x'.
Well I wasn't aware of a "test aaa" command but I will try it and see what it says. Int Vlan 21 is the SVI with the IP address assigned to it. I did attempt the "ip radius..." command but still no luck.
Ok please run the test command and then give the exact output you see in the ACS 'Failed' (or even Passed) attempts log.
You changed the device from Tacacs to Radius in the 'Network Setup' in ACS?
I ran the test command and it just came back "user rejected"
I did change the device from tacacs+ to radius (cisco ios/pix 6.0) on our ACS.
So are you sure you are entering the correct username/password? Are you using some other advanced features like NAR/NAP etc.?
The following debug output would also help:
debug aaa authen
debug aaa author
I am sure I am using the correct username/password.
Yes, we are using NAP. That could be causing an issue as well. I know it is set to "Allow any Protocol type."
Yes it has to be something fancy for sure. Please look at the failed attempt log in ACS. It will show you which NAP/NAR policy denied it.
To test you can create new group/user without any NAP/NAR and check your radius. Then 'build' from there step-by-step.
Thank you so much Farrukh, it was something not configured correctly with the NAP. Under authentication, I had to move the Windows Database from Available Database to Selected Database. After that I was able to log in. Thanks again for your assistance.