RADIUS authentication not working from 3560

mahesh18
Level 6

Hi everyone.

The switch is configured for RADIUS authentication.

When I try, here is the log:

%SSH-5-SSH2_USERAUTH: User 'xy' authentication for SSH2 Session from 192.168.x.x (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed

What should I check now?

Regards

Mahesh

3 Accepted Solutions

15 Replies

Jatin Katyal
Cisco Employee

Mahesh,

Can you attach show run from the IOS device?

Also, have you tried telnet? Is that working fine?

What radius server are you using?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

SSH works fine when I use the local username and password configured on the switch.

The issue is that under line vty 0 4, when I change the authentication to RADIUS, I cannot SSH.

I need to know whether the issue is with the config on the switch or on the RADIUS server.

Regards

mahesh

You need to post a few outputs before I suggest something. If SSH is working fine with the local database, that means the RSA keys are fine.

If you cannot attach the complete show run, please attach the below listed outputs in your next reply.

show run | in aaa

show run | beg line vty 0 4

debug radius

debug aaa authen

debug aaa authorization

Any error from the RADIUS server, if there is one.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Here is the info:

aaa new-model

aaa group server radius XY

aaa authentication login RSA group XY

aaa authentication login LOCAL local

aaa authentication enable default enable

aaa session-id common

line vty 0 4

access-class 11 in

exec-timeout 5 0

login authentication RSA

transport input ssh

debug radius

Radius protocol debugging is on

Radius protocol brief debugging is off

Radius protocol verbose debugging is off

Radius packet hex dump debugging is off

Radius packet protocol debugging is on

Radius packet retransmission debugging is off

Radius server fail-over debugging is off

Radius elog debugging is off

debug aaa authentication

AAA Authentication debugging is on

debug aaa authentication

AAA Authentication debugging is on

debug aaa authorization

AAA Authorization debugging is on

So what do these lines tell you?

Mahesh

The config is fine.

Where is the debug output? After running the debugs, did you try to connect again?

If you don't see any debugs, use term mon.

Could you please attach all the info in one go?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Here is the debug:

001164: Jul 17 20:50:15 UTC: AAA/BIND(00000010): Bind i/f 

001165: Jul 17 20:50:15 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'

001166: Jul 17 20:50:15 UTC: RADIUS/ENCODE(00000010): ask "Password: "

001167: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC

001168: Jul 17 20:50:21 UTC: RADIUS:  AAA Unsupported Attr: interface         [171] 4  

001169: Jul 17 20:50:21 UTC: RADIUS:   74 74                [ tt]

001170: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

001171: Jul 17 20:50:21 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0

001172: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16

001173: Jul 17 20:50:21 UTC: RADIUS(00000010): sending

001174: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response no app start; FAIL

001175: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response; FAIL

001176: Jul 17 20:50:23 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'

001177: Jul 17 20:50:23 UTC: RADIUS/ENCODE(00000010): ask "Password: "

001178: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC

001179: Jul 17 20:50:35 UTC: RADIUS:  AAA Unsupported Attr: interface         [171] 4  

001180: Jul 17 20:50:35 UTC: RADIUS:   74 74                [ tt]

001181: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

001182: Jul 17 20:50:35 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0

001183: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16

001184: Jul 17 20:50:35 UTC: RADIUS(00000010): sending

001185: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response no app start; FAIL

001186: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response; FAIL

001187: Jul 17 20:50:37 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'

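The debug output above follows a fixed pattern per login attempt: the method list is picked, the password is prompted for, an Access-Request is sent, and then the two RADIUS/DECODE "FAIL" lines appear with no "Received from id ... Access-Accept/Access-Reject" line in between. The triage script below is an added example, not code from the thread or from Cisco: it parses IOS "debug radius" / "debug aaa authentication" lines of this shape, counts attempts, sends and parse failures, and classifies the outcome. The first sample is a copy of the lines Mahesh posted; the second "healthy" sample, the 192.0.2.10 server address and the id 1645/17 are constructed for illustration.

```python
import re

# Sample 1: the first login attempt from the thread, copied from Mahesh's debug paste.
THREAD_DEBUG = """\
001164: Jul 17 20:50:15 UTC: AAA/BIND(00000010): Bind i/f
001165: Jul 17 20:50:15 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001166: Jul 17 20:50:15 UTC: RADIUS/ENCODE(00000010): ask "Password: "
001167: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC
001168: Jul 17 20:50:21 UTC: RADIUS:  AAA Unsupported Attr: interface         [171] 4
001169: Jul 17 20:50:21 UTC: RADIUS:   74 74                [ tt]
001170: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001171: Jul 17 20:50:21 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0
001172: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16
001173: Jul 17 20:50:21 UTC: RADIUS(00000010): sending
001174: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response no app start; FAIL
001175: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response; FAIL
001176: Jul 17 20:50:23 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
"""

# Sample 2: a constructed healthy exchange (server address and id are made up).
HEALTHY_DEBUG = """\
000010: Jul 17 21:00:00 UTC: AAA/AUTHEN/LOGIN (00000011): Pick method list 'RSA'
000011: Jul 17 21:00:00 UTC: RADIUS(00000011): Config NAS IP: 0.0.0.0
000012: Jul 17 21:00:00 UTC: RADIUS(00000011): sending
000013: Jul 17 21:00:00 UTC: RADIUS: Received from id 1645/17 192.0.2.10:1812, Access-Accept, len 20
"""

METHOD_RE = re.compile(r"Pick method list '(?P<method>[^']+)'")
NAS_IP_RE = re.compile(r"Config NAS IP: (?P<ip>\S+)")
REPLY_RE = re.compile(r"Received from id \S+ (?P<server>\S+), (?P<code>Access-\w+)")


def triage_radius_debug(text: str) -> dict:
    """Summarise one debug capture and classify what happened to the RADIUS reply."""
    f = {"method_lists": set(), "nas_ip": None, "attempts": 0, "sent": 0,
         "parse_failures": 0, "replies": []}
    for line in text.splitlines():
        m = METHOD_RE.search(line)
        if m:                                   # each 'Pick method list' is a new login attempt
            f["method_lists"].add(m.group("method"))
            f["attempts"] += 1
        m = NAS_IP_RE.search(line)
        if m:                                   # 0.0.0.0 = no fixed NAS-IP configured, not a fault by itself
            f["nas_ip"] = m.group("ip")
        if "RADIUS(" in line and line.rstrip().endswith(": sending"):
            f["sent"] += 1                      # an Access-Request left the switch
        if "RADIUS/DECODE" in line and "FAIL" in line:
            f["parse_failures"] += 1            # a reply arrived but could not be validated/parsed
        m = REPLY_RE.search(line)
        if m:                                   # a reply was accepted by the switch's decoder
            f["replies"].append((m.group("server"), m.group("code")))

    codes = {code for _, code in f["replies"]}
    if "Access-Accept" in codes:
        f["verdict"] = "accepted"
    elif "Access-Reject" in codes:
        f["verdict"] = "rejected"               # server answered and said no: check credentials/policy
    elif f["sent"] and f["parse_failures"]:
        f["verdict"] = "reply_not_parsed"       # reply discarded by the NAS: check shared secret first
    elif f["sent"]:
        f["verdict"] = "no_reply"               # nothing came back: reachability / server not listening
    else:
        f["verdict"] = "no_attempt"
    return f


if __name__ == "__main__":
    for name, sample in (("thread", THREAD_DEBUG), ("healthy", HEALTHY_DEBUG)):
        r = triage_radius_debug(sample)
        print(f"{name}: verdict={r['verdict']} attempts={r['attempts']} "
              f"sent={r['sent']} parse_failures={r['parse_failures']} replies={r['replies']}")
```

On the thread's capture the verdict is "reply_not_parsed": the switch sent the request and something came back, but the decoder rejected it before any Access-Accept or Access-Reject was logged. That is the pattern the next reply in the thread addresses with the shared-secret and PAP checks.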

You need to check 2 things:

- Make sure we have the same shared secret key on the RADIUS server and IOS.

- On the RADIUS server, the authentication type should be set as PAP.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
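Both checks above come from how RFC 2865 uses the shared secret. The switch sends the login password as a User-Password attribute (PAP), hidden by XORing it with MD5(secret + Request Authenticator); the server's reply carries a Response Authenticator, MD5 over the reply plus the same secret, which the switch verifies before it trusts the packet. With mismatched secrets the server recovers garbage instead of the password, and the switch cannot validate whatever reply comes back. The simulation below is an added example, not code from the thread or from Cisco or any RADIUS product; the secrets, the username "xy", the password and the identifier 16 are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    the first block using the Request Authenticator as 'previous block'."""
    padded, hidden, prev = _pad16(password), b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def unhide_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; with the wrong secret the result is noise."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    request_auth = os.urandom(16)                         # RFC 2865 3: random per request
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_pap_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before accepting a reply; failure means the reply is dropped."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_login(username: bytes, password: bytes, nas_secret: bytes,
                   server_secret: bytes, server_db: dict) -> dict:
    """One PAP login round trip with possibly different secrets on the two sides."""
    req = build_access_request(16, username, password, nas_secret)
    identifier, request_auth = req[1], req[4:20]
    # --- server side: recover the password with *its* secret and decide ---
    attrs = _parse_attrs(req[20:])
    seen = unhide_pap_password(attrs[USER_PASSWORD], server_secret, request_auth)
    code = ACCESS_ACCEPT if server_db.get(attrs[USER_NAME]) == seen else ACCESS_REJECT
    resp = build_response(code, identifier, request_auth, server_secret)
    # --- NAS side: validate the reply with *its* secret ---
    return {"server_decoded": seen, "code": code,
            "response_valid": verify_response(resp, request_auth, nas_secret)}


if __name__ == "__main__":
    db = {b"xy": b"s3cret"}                               # constructed user database
    print("same secret :", simulate_login(b"xy", b"s3cret", b"switch-secret", b"switch-secret", db))
    print("typo secret :", simulate_login(b"xy", b"s3cret", b"switch-secret", b"swtich-secret", db))
```

With matching secrets the server decodes "s3cret", returns Access-Accept and the switch validates it; with a one-character typo the server sees noise, returns Access-Reject, and the switch cannot validate even that reply, so it never logs an accept or reject. The PAP point follows from the same packet: the switch puts the password in a User-Password attribute, so a server policy that only permits CHAP or MS-CHAPv2 has nothing it can verify. The MD5-based hiding is the only protection the password gets on the wire, which is why RADIUS traffic to the server belongs on a management network or inside IPsec/TLS.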

Hi Jatin,

Asked the server team to check the server.

Thanks

Mahesh

Alright. Do ask which RADIUS server they are using. In case it is Cisco, what is the code version?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

The RADIUS server is not Cisco, but I checked that the secret keys are the same on the switch and the RADIUS server.

Now I will confirm whether the RADIUS server auth is PAP.

Can you please tell me how you figured out that the RADIUS server auth should be PAP?

Regards

Mahesh

If it's a Microsoft RADIUS server, then you need to go to the remote access policy, right click, Properties, Authentication tab, and look for PAP authentication. Also, check what error you see in the Event Viewer logs.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Server team will check tomorrow.

I will keep you posted on this.

Regards

Mahesh

Do ask for the corresponding error message they are getting on the RADIUS server when you attempt to log in.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

The issue is fixed now.

It was with the RADIUS server. They are working to find the root cause.

Thanks for the help.

Regards

Mahesh