07-11-2008 07:28 AM - edited 03-10-2019 03:58 PM
Hello,
I can't seem to access our Catalyst 4006 after enabling AAA for RADIUS. I have set up IAS on our domain controller, set up the Catalyst as a RADIUS client, and configured a remote access policy that points to an AD group to allow switch access. When I try to log in to the Catalyst with my AD user information, it seems to hang after I type in my password, asks for the password again, then says access denied. This happens both on the console and via a telnet session. I have included my AAA configuration below.
What am I missing?
Tim
(Cisco IOS Software, v 12.2(25)EWA14)
aaa new-model
!
radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx
radius-server source-ports 1645-1646
!
aaa group server radius Radius-Servers
server 10.100.x.x auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
!
line vty 0 4
login authentication default
07-11-2008 12:14 PM
Tim
I believe that the immediate problem is that the source address used by your switch is not the address that RADIUS is expecting. The RADIUS server is at 10.100.182.250 and that is in the subnet of interface vlan 182. So the address of interface vlan 182 will be the source address of the RADIUS request. One way to fix that is to use the ip radius source-address command and specify the address that you want the switch to use. Of course in the short term it may be easier to change the RADIUS server to expect 10.100.182.2 as the client address.
HTH
Rick
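The fix Rick describes, written out as an added IOS configuration example (not from the original thread): pin the RADIUS source to the VLAN 10 SVI that Tim registered as the client in IAS, and keep the console on local authentication so a RADIUS problem cannot lock you out while testing. The interface name Vlan10 and the 10.100.49.1 address are assumed from Tim's post; the CONSOLE method-list name is an assumption.

```ios
! Source all RADIUS requests from the SVI whose address IAS knows as the
! client. Assumes VLAN 10 carries 10.100.49.1 (from Tim's post); without
! this line the switch sources from the interface facing the server (vlan 182)
! and IAS silently discards the request as coming from an unknown client.
ip radius source-interface Vlan10
!
! Keep the console on local authentication (assumed list name CONSOLE) so a
! RADIUS or IAS failure still leaves a way in without password recovery.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Verify with `show ip route 10.100.182.250` (which interface the request leaves from) and `test aaa group Radius-Servers <username> <password> new-code`; with `debug radius authentication` on, the request should now leave with the 10.100.49.1 source and IAS should log the attempt instead of dropping it.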
07-11-2008 08:09 AM
Do you see any hits on IAS (event logs)? Make sure that the secret key is correct. Ensure that the switch can reach IAS (rule out any communication issue).
If this is happening with the console then it seems all we can do is check the IAS event logs. The problem here would be how to change the aaa config on the switch. If it is locked out then we need to do password recovery.
Regards,
~JG
07-11-2008 10:04 AM
I do not see any hits at all in the IAS logs. It's as if the switch will not communicate with IAS. I've tried a different key as well, something simple so I know I wasn't typing it in wrong. Do I need to specify a different address on the IAS server? I have multiple VLANs and currently have the RADIUS client set on the Catalyst for VLAN 10 (10.100.49.1), which is our network VLAN for all switches. Or maybe set VLAN 10 as a native VLAN? The other Dell switches at this location seem to work just fine.
If the config locks me out I do have access through CiscoView and have copied the config before I made the changes, so I just restore that config to the running config and I have access again.
Tim
07-11-2008 12:28 PM
Great! That did the trick. I knew it had to be something within my VLAN config. Thanks for the help!
Tim
07-11-2008 01:02 PM
Tim
I am glad that my response helped you to solve your problem. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that they will read a response which did resolve the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick