New Member

Radius authentication failed on Cisco 6509

Hi All,

I have configured Radius authentication on a Windows 2008 server (NPS).

The following configuration is working perfectly on Cisco Switch 3560.

    aaa new-model
    aaa session-id common
    aaa authentication login default group radius local
    radius-server host 10.40.34.8 auth-port 1645 acct-port 1646 key XXX

But the same configuration is not working on the Cisco Catalyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).

Your help would be very much appreciated.

Regards,

Yoosaf Lulu

  • AAA Identity and NAC
2 REPLIES
Silver

Re: Radius authentication failed on Cisco 6509

Hello,

Which specific event is the NPS generating for the 6509 authentication attempt?

Also, if you enable "debug aaa authentication" and "debug radius", would you be able to share the outputs after recreating the authentication failure?

Regards.

New Member

Radius authentication failed on Cisco 6509

Dear Carlos,

I have rectified the issue.

Please find the bug details associated with the existing running image in the Cisco 6509.

1.  Bug id: CSCsv14886

    Cause: Failure to send RADIUS state attribute

    Symptom: Switch using RADIUS for dot1x authentication is not sending RADIUS state attribute to ACS server. The ACS server discards these packets and the switch marks the server as down.

    Conditions: Cat6500 running 12.2(33)SXH2a using RADIUS for dot1x authentication

    Workaround: None

    1st Fixed in Version: 12.2(33)SXH5

2.  Bug id: CSCir00551

    Cause: Misleading radius debug message

    Symptom: The "%RADIUS-4-RADIUS_ALIVE: RADIUS server 172.27.66.89:2295,2296 has returned." message is a little misleading. It is not saying that the server has returned, in the sense of being heard from. It is only saying that RADIUS has marked the server as being alive because the deadtime timer has expired, and RADIUS is willing to re-send messages to this server again.

    Conditions: None

    Workaround: None

    12.2(33)SXH4 is included in the affected versions

The above 2 bugs associated with the Radius issue in the existing image may be the cause of Radius not working with the core switch. As we tested, TACACS+ works correctly without any issues, so I would recommend you configure TACACS+ for both the core switches and also for other devices, as TACACS+ is more secure than Radius. You can use TACACS+ with Cisco ACS.

2173 Views, 0 Helpful, 2 Replies
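The first bug in the reply above (CSCsv14886) describes an Access-Request that omits the State attribute the server sent in its Access-Challenge, which the server then discards. As an added example, not code from this thread or from Cisco, the Python below parses RADIUS packets and checks that the State value (attribute type 24, RFC 2865) is echoed unchanged; the packets and the all-zero authenticator are constructed samples, not real captures.

```python
import struct

# RFC 2865 codes and the State attribute type the bug report refers to
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24


def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs: dict = {}
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def build_radius(code: int, ident: int, authenticator: bytes, avps) -> bytes:
    """Encode a RADIUS packet from (type, value) pairs; used here only to construct samples."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def state_echoed(challenge: bytes, followup: bytes) -> bool:
    """True when the Access-Request that follows an Access-Challenge carries the
    server's State value unchanged (RFC 2865 s5.24); False is the CSCsv14886 symptom."""
    ccode, _, cattrs = parse_radius(challenge)
    fcode, _, fattrs = parse_radius(followup)
    if ccode != ACCESS_CHALLENGE or fcode != ACCESS_REQUEST:
        return False
    return cattrs.get(STATE) == fattrs.get(STATE)


# Constructed samples (not real captures); the authenticator is all zeros for illustration.
AUTH = bytes(16)
CHALLENGE = build_radius(ACCESS_CHALLENGE, 7, AUTH,
                         [(STATE, b"sess-01"), (REPLY_MESSAGE, b"Enter PIN")])
GOOD_REQUEST = build_radius(ACCESS_REQUEST, 8, AUTH, [(USER_NAME, b"alice"), (STATE, b"sess-01")])
BAD_REQUEST = build_radius(ACCESS_REQUEST, 8, AUTH, [(USER_NAME, b"alice")])

if __name__ == "__main__":
    print("good follow-up echoes State:", state_echoed(CHALLENGE, GOOD_REQUEST))  # True
    print("bad follow-up echoes State: ", state_echoed(CHALLENGE, BAD_REQUEST))   # False
```

Run against packets captured on the server side (UDP 1645/1812 or the ports in your radius-server line) to tell a client that drops State from a server that is simply unreachable.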