Cisco Support Community
New Member

Catalyst 3560 can't access radius-server in vrf

Dear all:

My configuration:

radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
!
aaa new-model
!
aaa authentication dot1x default group radius local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
 ip add 10.1.1.1 255.255.255.255
 ip vrf forwarding CC
!

I CAN ping IP 10.138.44.57 (radius-server) in vrf CC, but the switch can't access the radius-server.

This is the debug logging:

aug 24  %RADIUS-4-RADIUS_DEAD: RADIUS server 10.138.44.57:1645,1646 is not responding.
aug 24 %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.138.44.57:1645,1646 is being marked alive.

1 ACCEPTED SOLUTION

Silver

Catalyst 3560 can't access radius-server in vrf

Hello Chen,

The vrf keyword does not seem to be available at the "radius-server host" command.

In order for the dot1x authentication to work in the CC vrf, I think you need to associate the VRF under a newly created radius server group.

I have similar configurations on some 6500s and have seen the availability of the command on my lab 3560-X.

The configuration would be of this type =>

===========================================
aaa new-model
!
aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
!
aaa authentication dot1x default group TEST-VRF-RADIUS local
!
ip radius source-interface loopback1 vrf CC
!
interface loopback1
 ! assign the VRF first: "ip vrf forwarding" removes an address already on the interface
 ip vrf forwarding CC
 ip add 10.1.1.1 255.255.255.255
!
radius-server [host 10.138.44.57] key  ******
===========================================

If it is still not working, feel free to post the associated radius/aaa debugs from the 3560, and also check whether authentication packets are arriving on the radius server.

Best regards.

Karim

3 REPLIES
New Member

Catalyst 3560 can't access radius-server in vrf

Dear krahmani323

Thank you

It's OK

New Member

Catalyst 3560 can't access radius-server in vrf

Just wanted to help future people, as some of the answers I found here were confusing.

This is all you need from the AAA perspective:

aaa new-model
!
!
aaa group server radius RADIUS-VRF-X
 server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
 ip vrf forwarding X
!
! the group named in each method list must match the server group defined above
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated

Per VRF AAA reference:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168
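
An added example, not part of any post in this thread and not Cisco code: a Python check over IOS configuration text that reports AAA method lists which name an undefined server group, or whose group is not in the VRF given to `ip radius source-interface`, the two mistakes this thread turns on. The function name, finding labels and condensed sample configs are constructed for illustration; it assumes the built-in `radius` group carries no VRF, as the accepted answer describes.

```python
import re

BUILTIN = {"radius", "tacacs+"}  # built-in groups: all globally defined servers, no VRF

def audit_vrf_aaa(config):
    """Return findings for AAA method lists that cannot reach a RADIUS server in a VRF."""
    groups, methods, src_vrf, current = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = None              # no VRF seen for this group yet
        elif current and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            groups[current] = m.group(1)        # VRF bound to the server group
        elif current and line.startswith(("server ", "server-private ")):
            pass                                # still inside the server group
        else:
            current = None                      # "!" or any other command ends the group
            if m := re.match(r"ip radius source-interface \S+ vrf (\S+)", line):
                src_vrf = m.group(1)
            elif re.match(r"aaa (authentication|authorization|accounting) ", line):
                methods.append((line, re.findall(r"\bgroup (\S+)", line)))
    findings = []
    for line, names in methods:
        for name in names:
            vrf = groups.get(name)              # None for built-in or VRF-less groups
            if name not in groups and name not in BUILTIN:
                findings.append(f"undefined-group: '{line}' references '{name}'")
            elif src_vrf and vrf != src_vrf:
                findings.append(f"vrf-mismatch: '{line}': group '{name}' has VRF {vrf}, "
                                f"source interface is in VRF {src_vrf}")
    return findings

# Constructed sample inputs, condensed from the configurations posted in this thread.
ORIGINAL = """aaa authentication dot1x default group radius local
ip radius source-interface loopback1 vrf CC"""
FIXED = """aaa group server radius TEST-VRF-RADIUS
 server 10.138.44.57 auth-port 1645 acct-port 1646
 ip vrf forwarding CC
!
aaa authentication dot1x default group TEST-VRF-RADIUS local
ip radius source-interface loopback1 vrf CC"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit_vrf_aaa(cfg) or "ok")
```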
