Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

No Remote Access After Enabling AAA Radius

Hello,

I can't seem to access our catalyst 4006 after enabling AAA for radius. I have setup IAS on our domain controller and setup a the catalyst as a Radius client as well as configured a remote access policy that points to an AD group to allow switch access. When I try to login to the catalyst with my user information in AD, it seems to hang after I type in my password, asks for the password again then says access denied. This happens both on the console and via a telnet session. I have included my AAA configuration below.

What am I missing?

Tim

(Cisco IOS Software, v 12.2(25)EWA14)

aaa new-model

!

radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx

radius-server source-ports 1645-1646

!

aaa group server radius Radius-Servers

server 10.100.x.x auth-port 1812 acct-port 1813

!

aaa authentication login default group Radius-Servers local line

aaa authentication enable default group Radius-Servers enable

aaa authentication dot1x default group Radius-Servers

aaa authorization exec default group Radius-Servers if-authenticated

aaa authorization network default group Radius-Servers

aaa accounting dot1x default start-stop group Radius-Servers

aaa accounting exec default start-stop group Radius-Servers

!

line vty 0 4

login authentication default

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: No Remote Access After Enabling AAA Radius

Tim

I believe that the immediate problem is that the source address ussed by your switch is not the address that Radius is expecting. The Radius server is at 10.100.182.250 and that is in the subnet of interface vlan 182. So the address of interface vlan 182 will be the source address of the Radius request. One way to fix that is to use the ip radius source-address command and specify the address that you want the switch to use. Of course in the short term it may be easier to change the Radius server to expect 10.100.182.2 as the client address.

HTH

Rick

6 REPLIES

Re: No Remote Access After Enabling AAA Radius

Do you see any hits on IAS (even logs) ? Make sure that secret key is correct. Ensure that Switch can reach IAS (rule out any communication issue.)

If this is happening with console then it seems all we can do is check IAS event logs. Problem here would be how to change aaa config on switch. If it is locked out then we need to do password recovery.

Regards,

~JG

New Member

Re: No Remote Access After Enabling AAA Radius

I do not see any hits at all on the IAS logs. It's as if the switch will not communicate with IAS. I've tried a different key as well, something simple so I know I wasn't typing it in wrong. Do I need to specify a different address on the IAS server? I have multiple VLANS and currently have the Radius Client set on the catalyst for VLAN 10 (10.100.49.1) which is our network vlan for all switches. Or maybe set vlan10 as a native vlan? The other Dell switches at this location seem to work just fine.

If the config locks me out I do have access through Cisco View and have copied the config before I made the changes so I just restore that config to the running config and I have access again.

Tim

New Member

Re: No Remote Access After Enabling AAA Radius

Here is a full config file minus the list of Ethernet ports. As I said in my last message I have the settings IAS server for this catalyst pointed to vlan 10. (10.100.49.1)

Tim

Hall of Fame Super Silver

Re: No Remote Access After Enabling AAA Radius

Tim

I believe that the immediate problem is that the source address ussed by your switch is not the address that Radius is expecting. The Radius server is at 10.100.182.250 and that is in the subnet of interface vlan 182. So the address of interface vlan 182 will be the source address of the Radius request. One way to fix that is to use the ip radius source-address command and specify the address that you want the switch to use. Of course in the short term it may be easier to change the Radius server to expect 10.100.182.2 as the client address.

HTH

Rick

New Member

Re: No Remote Access After Enabling AAA Radius

Great! That did the trick. I knew it had to be something within my VLAN config. Thanks for the help!

Tim

Hall of Fame Super Silver

Re: No Remote Access After Enabling AAA Radius

Tim

I am glad that my response helped you to solve your problem. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that they will read a response which did resolve the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

165
Views
10
Helpful
6
Replies
CreatePlease to create content