
Radius authentication issue: Switch is not even communicating with radius server

vincehgov
Level 1

I'm having a strange issue.  I'm running a 3560 8 port switch with c3560-ipbasek9-mz.122-58.SE2.bin.

Here is the relevant config:

interface Vlan140
 ip address 172.20.40.18 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.20.40.1

aaa new-model
aaa group server radius RADIUSGROUP
 server name RADIUS-SERVER1
aaa authentication login default group RADIUSGROUP local

radius server RADIUS-SERVER1
 address ipv4 172.20.1.2 auth-port 1812 acct-port 1813
 key 7 xxx

-----------------------

I am able to ping the radius server from the switch so there is L3 connectivity.  However, when I try to login using my radius credentials, I get:

Request timed out.

00:58:35: RADIUS(00000014): Request timed out
00:58:35: RADIUS: No response from (172.20.1.2:1812,1813) for id 1645/14
00:58:35: RADIUS/DECODE: No response from radius-server; parse response; FAIL
00:58:35: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

A packet capture shows that pings go across, but I don't see any packets being sent at all for the radius authentication attempt.

I am not running any VRFs or packet filter ACLs.

Does anyone have any ideas?

Thank you in advance.


vincehgov
Level 1

By the way, I forgot to mention that I've tried it with the "ip radius source-interface" of the vlan interface but still no game.

Jatin Katyal
Cisco Employee

What radius server are you running? Could you please verify the shared-secret key on the server and switch side?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hey Jatin,

I wish it was as simple as a mismatched shared-secret.  The problem is that the switch isn't even sending any packets out to the radius server AT ALL.

Vince

Hi.

What radius server are you using? Some radius servers (Windows for example) do not use port 1812 and 1813 for communication, but 1645 and 1646 instead.

Could be worth checking out.

- Dal

I'm sorry guys, I forgot the name of the radius server.  However, I want to focus on why there is no traffic coming out of the switch when it is attempting to communicate with the radius server.  I don't see any packets coming out of the switch destined for the radius server in the first place.  The radius server works when I configure it on other switches.  I used the exact same configuration on all the switches.  They are the same model with the same firmware.  I checksummed the firmware and it is good.

What are you trying to achieve? Do you want to use radius for management login into the switch?

If so, I think you must add this line:

aaa authorization exec default group RADIUSGROUP local

Hi, yes, I have that line in there as well.  I'm trying to ssh into the switch and authenticate using radius.  I am able to SSH in, but when I attempt to authenticate, it doesn't look like the switch is communicating with the radius server at all.  A packet capture shows that there is no radius traffic.  It is really strange and probably one of those rare issues.  I've set up dozens of switches like this and never had any problems before.
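
The capture check this thread relies on (pings from the switch are visible, RADIUS packets are not), as an added example that is not part of any post above: it counts ICMP and RADIUS-port UDP packets sent from the switch to the server in a classic pcap file. The function names and both sample captures are constructed for illustration; only Ethernet captures in classic pcap format are handled.

```python
import socket
import struct

RADIUS_PORTS = {1812, 1813, 1645, 1646}  # both port pairs mentioned in the thread

def count_flows(pcap, switch_ip, server_ip):
    """Count ICMP and RADIUS-port UDP packets sent switch -> server in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, off = {"icmp": 0, "radius": 0}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag if present
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue  # not IPv4, or truncated
        ip = frame[l3:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])) != (switch_ip, server_ip):
            continue  # only traffic originated by the switch towards the server
        if proto == 1:
            counts["icmp"] += 1
        elif proto == 17 and len(ip) >= ihl + 4:
            if struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] in RADIUS_PORTS:
                counts["radius"] += 1
    return counts

def make_frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame for the sample captures (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def make_pcap(frames):
    """Constructed little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SWITCH, SERVER = "172.20.40.18", "172.20.1.2"  # addresses from the posted config
PING = make_frame(SWITCH, SERVER, 1, b"\x08\x00" + b"\x00" * 6)  # constructed echo request
ACCESS_REQ = make_frame(SWITCH, SERVER, 17, struct.pack("!HHHH", 1645, 1812, 8, 0))  # constructed UDP header only
SYMPTOM = make_pcap([PING, PING])        # constructed: pings only, as described in the thread
HEALTHY = make_pcap([PING, ACCESS_REQ])  # constructed: a request to auth-port 1812 is present

if __name__ == "__main__":
    print(count_flows(SYMPTOM, SWITCH, SERVER), count_flows(HEALTHY, SWITCH, SERVER))
```

A result with a non-zero ICMP count and a zero RADIUS count, taken on the switch's uplink, matches the symptom reported here: the request never leaves the switch on either port pair.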
