cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
753
Views
0
Helpful
6
Replies

IAS + VTY access

simon.bijman
Level 1
Level 1

Hi there,

I am trying to test 802.1x to work for my network using a Catalyst 3550 and Microsoft IAS on a Windows 2000 server. Computers authenticating on the network work just fine. However, I am unable to get RADIUS authentication to work when accessing the VTY. Here's the AAA and RADIUS configuration of my switch:

aaa new-model

aaa authentication login default group radius local-case

aaa authentication login if_needed local-case

aaa authentication dot1x default group radius

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius

radius-server host 10.17.224.1 auth-port 1812 acct-port 1813 key obviously_not_this_key

radius-server retransmit 3

!

line con 0

login authentication if_needed

line vty 0 4

exec-timeout 0 0

I also can't find any failed authentication requests in the log files of the IAS server. I have verified the switch is sending out requests, so that's not the problem. The problem is the IAS server not being bothered to do anything with those requests and I don't know why.

I would be very grateful if anyone can help me with this.

6 Replies 6

will.shaw
Level 1
Level 1

You need to use TACACS+ to access the switch via VTY, otherwise use a local username and password.

Is there some reason that you think that Radius would not work to authenticate access to the VTY of the switch? I believe that either Radius or TACACS is able to do this.

I wonder if the issue is communication between the switch and the Radius server or is something in the setup of the Radius server. I assume from the original post that Simon is testing with telnet to the VTY (not via console), that he has verified that the switch is actually sending the Radius authentication request. But the request is not being processed by the server. If that is not true then please clarify.

I would suggest that the first step is to verify that the address configured on the switch is the correct address for the Radius server. Assuming that it is, then I suggest demonstrating IP connectivity (probably ping is the easy way to demonstrate this). Assuming that IP connectivity is not the issue then I suggest that the next thing is to check some things on the server. Can you verify that the server is running the Radius daemon and that it is lintening for Radius requests on port 1812? (When I set up IOS devices to authenticate with Radius they are using port 1645.)

If the Radius daemon is running and is listening for port 1812 then perhaps the other possibility to check for is the possibility that there is a filter or access list somewhere that is not permitting either the request or the response to go through.

HTH

Rick

HTH

Rick

mhoda
Level 5
Level 5

Hello Simon,

Based on what you are saying that 802.1x is working fine, but not the login, and also switch is forrwarding the request, but no response from the IAS server. If thats the right assumption, then I think the problem is with the IAS. If you can share the following debug output we can comment on this:

debug radius

debug aaa authen

As the radius takes care of authen/author in the same packet, my suggestion would be to remove the following line from the config:

aaa authorization exec default group radius if-authenticated

Also please check to see what dictionary did you use for the 802.1x for the switch as AAA client.

Thanks,

Mynul Hoda

CISSP, CCIE # 9159

Author: Cisco Network Security Troubleshooting -http://www.ciscopress.com/title/1587051893

Hello all,

Thank you for your reactions. Mynul is correct, 802.1x for authenticating computers works, but using it for authenticating login access fails. I have checked the switch is forwarding the RADIUS requests, so that's not the problem. Here's the output from the debug commands

*Mar 6 23:12:50: AAA: parse name=tty3 idb type=-1 tty=-1

*Mar 6 23:12:50: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0

*Mar 6 23:12:50: AAA/MEMORY: create_user (0x15929B8) user='NULL' ruser='NULL' ds0=0 port='tty3' rem_addr='10.16.222.13' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): port='tty3' list='' action=LOGIN service=LOGIN

*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): using "default" list

*Mar 6 23:12:50: AAA/AUTHEN/START (1954730523): Method=radius (radius)

*Mar 6 23:12:50: AAA/AUTHEN (1954730523): status = GETUSER

*Mar 6 23:12:53: AAA/AUTHEN/CONT (1954730523): continue_login (user='(undef)')

*Mar 6 23:12:53: AAA/AUTHEN (1954730523): status = GETUSER

*Mar 6 23:12:53: AAA/AUTHEN (1954730523): Method=radius (radius)

*Mar 6 23:12:53: AAA/AUTHEN (1954730523): status = GETPASS

*Mar 6 23:12:55: AAA/AUTHEN/CONT (1954730523): continue_login (user='xxxxxx')

*Mar 6 23:12:55: AAA/AUTHEN (1954730523): status = GETPASS

*Mar 6 23:12:55: AAA/AUTHEN (1954730523): Method=radius (radius)

*Mar 6 23:12:55: RADIUS: Pick NAS IP for u=0x15929B8 tableid=0 cfg_addr=0.0.0.0

*Mar 6 23:12:55: RADIUS: ustruct sharecount=1

*Mar 6 23:12:55: Radius: radius_port_info() success=1 radius_nas_port=1

*Mar 6 23:12:55: RADIUS(00000000): Send Access-Request to 10.17.224.1:1812 id 1645/220, len 75

*Mar 6 23:12:55: RADIUS: authenticator 42 B6 BB 25 2E 45 38 56 - FB D5 3E B4 D7 AA 6F B0

*Mar 6 23:12:55: RADIUS: NAS-IP-Address [4] 6 10.16.240.203

*Mar 6 23:12:55: RADIUS: NAS-Port [5] 6 3

*Mar 6 23:12:55: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

*Mar 6 23:12:55: RADIUS: User-Name [1] 5 "xxxxx"

*Mar 6 23:12:55: RADIUS: Calling-Station-Id [31] 14 "10.16.222.13"

*Mar 6 23:12:55: RADIUS: User-Password [2] 18 *

*Mar 6 23:13:01: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220

*Mar 6 23:13:07: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220

*Mar 6 23:13:12: RADIUS: Retransmit to (10.17.224.1:1812,1813) for id 1645/220

*Mar 6 23:13:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.17.224.1:1812,1813 is not responding.

*Mar 6 23:13:18: RADIUS: Tried all servers.

*Mar 6 23:13:18: RADIUS: No valid server found. Trying any viable server

*Mar 6 23:13:18: RADIUS: Tried all servers.

*Mar 6 23:13:18: RADIUS: No response from (10.17.224.1:1812,1813) for id 1645/220

*Mar 6 23:13:18: RADIUS: No response from server

*Mar 6 23:13:18: AAA/AUTHEN (1954730523): status = ERROR

*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): port='tty3' list='' action=LOGIN service=LOGIN

*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): Restart

*Mar 6 23:13:18: AAA/AUTHEN/START (3454497188): Method=LOCALCASE

*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = GETPASS

*Mar 6 23:13:18: AAA/AUTHEN/CONT (3454497188): continue_login (user='xxxxx')

*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = GETPASS

*Mar 6 23:13:18: AAA/AUTHEN/CONT (3454497188): Method=LOCALCASE

*Mar 6 23:13:18: AAA/AUTHEN (3454497188): status = PASS

You can see the request just times out, then switches to local-case method (the back-up method).

If you mean what EAP type by 802.1x dictionary, I used the default. I assumed this is EAP-MD5 or PAP or something like that, but I couldn't verify this. It might be the problem, do you know witch EAP type switches use for this kind of thing?

Lots of thanks,

Simon Bijman

Hi

please I need the router must be configured to use TACACS+ for all users authentications,

Do you know how implementation ??

I define a new user on the server AAA Cisco Secure ACS ver 3.3

I define this command in the router but

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authorization exec default group tacacs+ none

tacacs-server host xxx.xxx.xxx.xxx key xxx

but when telnet the router I put the username and password and send me the error

access denied.

Why ?

I would suggest at least one change in the config that you posted instead of this line:

aaa authorization exec default group tacacs+ none

I would suggest that you configure this:

aaa authorization exec default group tacacs+ enable

but that change would not explain the problem that you are describing.

There are a few questions which will help find what the problem is. 1) are you sure that the tacacs-server host that is configured is correct? 2) are you sure that the key configured for the tacacs host is correct (in my experience this is frequently the problem)? 3) are you sure that the tacacs server is configured to process for this router (and is configured for the correct address that this router will be using)? 4) are you sure that the tacacs server has configured the user ID and password that you are using to attempt to login to the router? 5) are there entries in the tacacs server failed attempts report that show the attempts to login from this router? (if there are entries in the failed attempts report, they should indicate what the problem is)

If answering these questions does not solve the problem then I would suggest that you run debug tacacs authentication on the router, attempt to login again, and post the debug output.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: