Radius Authentication Cisco Switch

James Hoggard
Level 1

Hi,

I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy does the server side; we have matching keys and he says there is no problem on his side, but we still cannot get it to work.

Config on switch:

aaa new-model
aaa authentication login default group radius local

radius-server host 10.0.0.13 auth-port 1812
radius-server key 0 test

line vty 0 4
 login authentication default

The switch and the RADIUS server are on the same network. I have done a debug and am confused by the output. Can anyone point me in the right direction?

I have run debug aaa authentication and debug radius:

AccessSwitch#
RADIUS/ENCODE(00001586):Orig. component type = Exec
RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00001586): Config NAS IP: 0.0.0.0
RADIUS(00001586): Config NAS IPv6: ::
RADIUS/ENCODE(00001586): acct_session_id: 20
RADIUS(00001586): sending
RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
RADIUS(00001586): Sending a IPv4 Radius Packet
RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
RADIUS:  User-Name           [1]   15  "james.hoggard"
RADIUS:  User-Password       [2]   18  *
RADIUS:  NAS-Port            [5]   6   2
RADIUS:  NAS-Port-Id         [87]  6   "tty2"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
RADIUS(00001586): Started 5 sec timeout
RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
RADIUS(00001586): Received from id 1645/18
AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
RADIUS/ENCODE(00001586): ask "Password: "
RADIUS/ENCODE(00001586): send packet; GET_PASSWORD

Thanks

James.


3 Replies

Jatin Katyal
Cisco Employee

Since the RADIUS server is sending an Access-Reject, you need to check the NPS/IAS Event Viewer logs to find the reason for the failure. My guess: PAP as an authentication method is not enabled under Remote Access Policy > Properties > Authentication. But you still need to check the Event Viewer logs to determine the exact reason.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks.

PAP is unencrypted, isn't it? Is there a way I can get the Cisco device to use an encrypted method?

James

Yes, PAP always uses plain text, and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP. We can't configure firewall/IOS devices to authenticate users for administration sessions like telnet/SSH with the MSCHAPv2 authentication method.

If you need secure communication, then you may implement TACACS.

TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ encrypts not only the entire payload when communicating, but also the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
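To make the two points in this thread concrete (the Access-Request/Access-Reject exchange in the debug output, and the reply above about RADIUS hiding only the User-Password with the shared secret), here is an added example; it is not code from the thread, from Cisco or from Microsoft. It rebuilds the switch's Access-Request from the attributes the debug lists, implements the RFC 2865 User-Password hiding and the Response Authenticator, and rechecks the captured Access-Reject against a candidate shared secret. Assumptions: the shared secret is "test" as in `radius-server key 0 test`, the password is a constructed placeholder (the debug masks the real one), the two authenticator values are copied from the debug lines, and the 18 in "id 1645/18" is taken to be the RADIUS Identifier byte.

```python
"""RFC 2865 PAP Access-Request / Access-Reject helpers built around the
debug output in the thread above. Added example, not Cisco/Microsoft code.
Assumed: secret "test" (radius-server key 0 test), a constructed placeholder
password, and authenticator bytes copied from the debug."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
HEADER_LEN = 20
SHARED_SECRET = b"test"   # `radius-server key 0 test`; the 0 means a plaintext key
REQUEST_ID = 18           # "id 1645/18": 18 taken as the Identifier byte (assumption)
# Request Authenticator and the reply's Response Authenticator, from the debug.
REQUEST_AUTH = bytes.fromhex("7CB1A05562457BAFF2E2484CC3F07298")
REPLY_AUTH = bytes.fromhex("80CEC9C2D63065A907D8124C9E80A93C")

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); block 1 is keyed with the
    Request Authenticator. This is obfuscation tied to the shared secret,
    not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server, or a sniffer holding the
    secret, recovers. A wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(username: str, password: bytes, secret: bytes,
                         req_auth: bytes, ident: int) -> bytes:
    """Exactly the attributes the debug lists; no Service-Type, because
    'radius-server attribute 6 on-for-login-auth' was off on the switch."""
    attrs = (
        attr(1, username.encode())                            # User-Name
        + attr(2, hide_password(password, secret, req_auth))  # User-Password
        + attr(5, struct.pack("!I", 2))                       # NAS-Port 2
        + attr(87, b"tty2")                                   # NAS-Port-Id
        + attr(61, struct.pack("!I", 5))                      # NAS-Port-Type Virtual
        + attr(4, bytes([10, 0, 0, 56]))                      # NAS-IP-Address
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The only thing that ties a reply to the server's copy of the secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, attrs: bytes, req_auth: bytes,
                secret: bytes) -> bytes:
    """What a server holding `secret` sends for the request carrying req_auth."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, ident, attrs, req_auth, secret) + attrs

def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True iff the reply's Response Authenticator was computed with `secret`."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[HEADER_LEN:], req_auth, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])

def reject_from_debug_matches_secret(secret: bytes = SHARED_SECRET) -> bool:
    """Recheck the captured Access-Reject (len 20, so no attributes) against a
    candidate secret. True means the server built this reply with that secret."""
    reply = struct.pack("!BBH", ACCESS_REJECT, REQUEST_ID, HEADER_LEN) + REPLY_AUTH
    return verify_reply(reply, REQUEST_AUTH, secret)

if __name__ == "__main__":
    pkt = build_access_request("james.hoggard", b"placeholder-pw", SHARED_SECRET,
                               REQUEST_AUTH, REQUEST_ID)
    print("Access-Request length:", len(pkt))   # 77, as in the debug line
    print("Reject authenticator matches 'test':", reject_from_debug_matches_secret())
```

The rebuilt request comes out at 77 bytes, the same length the debug reports, which confirms the attribute list above is complete. Two things follow for troubleshooting a case like this one. First, `reject_from_debug_matches_secret()` is a check you can run on any `debug radius` capture: if the switch's secret was really "test" and the function returns False, the server computed its reply with a different secret, whatever the server admin says. Second, RADIUS has no integrity check on a PAP Access-Request unless a Message-Authenticator attribute is present, so a server with a mismatched secret simply decodes the User-Password to garbage and rejects it as a wrong password. An Access-Reject alone therefore cannot tell you whether the keys match or whether PAP is disallowed by the policy, which is why the NPS Event Viewer log, as suggested in the first reply, is the right place to look. The same code also shows why the reply above calls RADIUS password protection limited: everything except the User-Password, including the User-Name, goes across in the clear.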