New Member

Radius Authentication Cisco Switch

Hi,

I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy does the server side, we have matching keys and he says there is no problem on his side, but we still cannot get it to work.

Config on the switch:

aaa new-model
aaa authentication login default group radius local

radius-server host 10.0.0.13 auth-port 1812
radius-server key 0 test

line vty 0 4
login authentication default

The switch and the RADIUS server are on the same network. I have done a debug and am confused by the output. Can anyone point me in the right direction?

I have run debug aaa authentication and debug radius:

AccessSwitch#
RADIUS/ENCODE(00001586):Orig. component type = Exec
RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00001586): Config NAS IP: 0.0.0.0
RADIUS(00001586): Config NAS IPv6: ::
RADIUS/ENCODE(00001586): acct_session_id: 20
RADIUS(00001586): sending
RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
RADIUS(00001586): Sending a IPv4 Radius Packet
RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
RADIUS:  User-Name           [1]   15  "james.hoggard"
RADIUS:  User-Password       [2]   18  *
RADIUS:  NAS-Port            [5]   6   2
RADIUS:  NAS-Port-Id         [87]  6   "tty2"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
RADIUS(00001586): Started 5 sec timeout
RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
RADIUS(00001586): Received from id 1645/18
AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
RADIUS/ENCODE(00001586): ask "Password: "
RADIUS/ENCODE(00001586): send packet; GET_PASSWORD

Thanks

James.

3 REPLIES
Cisco Employee

Radius Authentication Cisco Switch

Since the RADIUS server is sending an Access-Reject, you need to check the NPS/IAS Event Viewer logs to find the reason for the failure. My guess is that PAP as an authentication method is not enabled under Remote access policy > properties > authentication. But you still need to check the Event Viewer logs to determine the exact reason.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Radius Authentication Cisco Switch

Thanks.

PAP is unencrypted, isn't it? Is there a way I can get the Cisco device to use an encrypted method?

James

Cisco Employee

Re: Radius Authentication Cisco Switch

Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP. We can't configure firewall/IOS devices for administration sessions like telnet/SSH to authenticate users with the MSCHAPv2 authentication method.

If you need secure communication then you may implement TACACS.

TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ encrypts not only the entire payload when communicating, but also the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.

~BR
Jatin Katyal

**Do rate helpful posts**
