07-17-2013 01:14 PM - edited 03-10-2019 08:39 PM
Hi everyone.
Switch is config for radius authen.
when i try here is the log
%SSH-5-SSH2_USERAUTH: User 'xy' authentication for SSH2 Session from 192.168.x.x (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
What should i check now
Regards
Mahesh
Solved! Go to Solution.
07-17-2013 01:38 PM
you need to post few outputs before I suggest you something. If SSH is working fine with local database that means RSA keys are fine.
If you cannot attach the complete show run. Please attach the below listed outputs in your next reply.
show run | in aaa
show run | beg line vty 0 4
debug radius
debug aaa authen
debug aaa authorization
Error from the radius server, if any.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 02:00 PM
The config is fine.
Where are the debugs output? after running the debugs, did you try to connect again?
If you don't see any debugs, use term mon.
Could you please attach all the info in one go.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 02:11 PM
You need to check 2 things:
- Make sure we have same shared secret key on radius server and IOS
- On radius server, the authentication type should be set as PAP.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 01:17 PM
Mahesh,
Can you attach show run from the IOS device?
Also, have you tried telnet, is that working fine?
What radius server are you using?
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 01:32 PM
Hi Jatin,
SSH works fine when i use local username and pw config on switch.
issue is when under line vty 0 4 when i change auth to radius then i can not ssh.
need to know if issue is with config on switch ot radius server?
Regards
mahesh
07-17-2013 01:38 PM
you need to post few outputs before I suggest you something. If SSH is working fine with local database that means RSA keys are fine.
If you cannot attach the complete show run. Please attach the below listed outputs in your next reply.
show run | in aaa
show run | beg line vty 0 4
debug radius
debug aaa authen
debug aaa authorization
Error from the radius server, if any.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 01:55 PM
Hi Jatin,
Here is info
aaa new-model
aaa group server radius XY
aaa authentication login RSA group XY
aaa authentication login LOCAL local
aaa authentication enable default enable
aaa session-id common
line vty 0 4
access-class 11 in
exec-timeout 5 0
login authentication RSA
transport input ssh
debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging is off
debug aaa authentication
AAA Authentication debugging is on
debug aaa authentication
AAA Authentication debugging is on
debug aaa authorization
AAA Authorization debugging is on
So what does these line tell you?
Mahesh
07-17-2013 02:00 PM
The config is fine.
Where are the debugs output? after running the debugs, did you try to connect again?
If you don't see any debugs, use term mon.
Could you please attach all the info in one go.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 02:01 PM
Hi Jatin,
Here is debug
001164: Jul 17 20:50:15 UTC: AAA/BIND(00000010): Bind i/f
001165: Jul 17 20:50:15 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001166: Jul 17 20:50:15 UTC: RADIUS/ENCODE(00000010): ask "Password: "
001167: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC
001168: Jul 17 20:50:21 UTC: RADIUS: AAA Unsupported Attr: interface [171] 4
001169: Jul 17 20:50:21 UTC: RADIUS: 74 74 [ tt]
001170: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001171: Jul 17 20:50:21 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0
001172: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16
001173: Jul 17 20:50:21 UTC: RADIUS(00000010): sending
001174: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response no app start; FAIL
001175: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response; FAIL
001176: Jul 17 20:50:23 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001177: Jul 17 20:50:23 UTC: RADIUS/ENCODE(00000010): ask "Password: "
001178: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC
001179: Jul 17 20:50:35 UTC: RADIUS: AAA Unsupported Attr: interface [171] 4
001180: Jul 17 20:50:35 UTC: RADIUS: 74 74 [ tt]
001181: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001182: Jul 17 20:50:35 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0
001183: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16
001184: Jul 17 20:50:35 UTC: RADIUS(00000010): sending
001185: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response no app start; FAIL
001186: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response; FAIL
001187: Jul 17 20:50:37 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001164: Jul 17 20:50:15 UTC: AAA/BIND(00000010): Bind i/f
001165: Jul 17 20:50:15 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001166: Jul 17 20:50:15 UTC: RADIUS/ENCODE(00000010): ask "Password: "
001167: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC
001168: Jul 17 20:50:21 UTC: RADIUS: AAA Unsupported Attr: interface [171] 4
001169: Jul 17 20:50:21 UTC: RADIUS: 74 74 [ tt]
001170: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001171: Jul 17 20:50:21 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0
001172: Jul 17 20:50:21 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16
001173: Jul 17 20:50:21 UTC: RADIUS(00000010): sending
001174: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response no app start; FAIL
001175: Jul 17 20:50:21 UTC: RADIUS/DECODE: parse response; FAIL
001176: Jul 17 20:50:23 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
001177: Jul 17 20:50:23 UTC: RADIUS/ENCODE(00000010): ask "Password: "
001178: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010):Orig. component type = EXEC
001179: Jul 17 20:50:35 UTC: RADIUS: AAA Unsupported Attr: interface [171] 4
001180: Jul 17 20:50:35 UTC: RADIUS: 74 74 [ tt]
001181: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
001182: Jul 17 20:50:35 UTC: RADIUS(00000010): Config NAS IP: 0.0.0.0
001183: Jul 17 20:50:35 UTC: RADIUS/ENCODE(00000010): acct_session_id: 16
001184: Jul 17 20:50:35 UTC: RADIUS(00000010): sending
001185: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response no app start; FAIL
001186: Jul 17 20:50:35 UTC: RADIUS/DECODE: parse response; FAIL
001187: Jul 17 20:50:37 UTC: AAA/AUTHEN/LOGIN (00000010): Pick method list 'RSA'
07-17-2013 02:11 PM
You need to check 2 things:
- Make sure we have same shared secret key on radius server and IOS
- On radius server, the authentication type should be set as PAP.
~BR
Jatin Katyal
**Do rate helpful posts**
07-17-2013 02:20 PM
Hi Jatin,
Asked the server team to check the server.
Thanks
MAhesh
07-17-2013 04:23 PM
Alright. Do ask what radius server are they using? In case Cisco, what is the code?
~BR
Jatin Katyal
**Do rate helpful posts**
07-18-2013 06:58 AM
Hi JAtin,
Radius server is not cisco but i checked secrey keys are same on switch and radius server.
Now i will confirm if the Radius server auth is PAP?
Can you please tell me how you figure out that radius server auth should be PAP?
Regards
Mahesh
07-18-2013 01:55 PM
If it's Microsoft Radius server than you need to go to remote access policy, right click, properties, authentication tab, look for PAP authentication. Also, check what error do you see in event viewer logs?
~BR
Jatin Katyal
**Do rate helpful posts**
07-18-2013 02:01 PM
Hi JAtin,
Server team will check tomorrow.
I will keep you posted on this.
Regards
MAhesh
07-18-2013 02:13 PM
Do ask for correspending error message they are getting on the radius server when you try to attempt.
~BR
Jatin Katyal
**Do rate helpful posts**
07-29-2013 09:30 AM
Hi JAtin,
Issue is fixed now.
IT was with radius server.Thet are working to find root cause.
Thanks for help.
Regards
Mahesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide