New Member

SG200-08 and Radius using IAS

I have set up the IAS following many topics, some vary slightly but most are the same.  The issue I have is my SG200-08 will not allow me access using radius.  Within the Windows Event Viewer I can see the following.

User deano was granted access.

Fully-Qualified-User-Name = HPMEDIASERVER\deano

NAS-IP-Address = <not present>

NAS-Identifier = A0-CF-5B-E4-72-5F

Client-Friendly-Name = Switch 1

Client-IP-Address = 192.168.0.36

Calling-Station-Identifier = <not present>

NAS-Port-Type = <not present>

NAS-Port = <not present>

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = ciscoauth

Authentication-Type = PAP

EAP-Type = <undetermined>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The above tells me that I have been authorized and I see no failure or issue.  Now on the logon page for the switch it tells me:

Invalid Username or Password.

Please try again.

I unplug my network to it and access the security screen as I have it set to allow radius/local.  Everything is set up, I can't figure out what is going on with this!  Does anyone have anything they can share as to why this is happening?

On a footnote, I also use Radius for my wireless devices, which works fine... well, until I removed everything in the remote access policy.

please help, this is driving me nuts... lol

19 REPLIES
New Member

SG200-08 and Radius using IAS

Can no one help me?  I have a 24 port Cisco switch that is behaving the same!  I really do not want to do a reset on these, but it looks like I will have no option.

Bronze

SG200-08 and Radius using IAS

Hello Dean,

Can you setup a port mirror on the port going towards your Radius? Have a computer connected with Wireshark when you try to log into your switch from a second computer? This should show you the packet exchange between the switch and the Radius server. Do you see the return packet come back from the Radius server?

If you continue to have problems and are in your support window please call in and have a technician assist you further. 1866-606-1866.

Thanks

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

New Member

SG200-08 and Radius using IAS

Thank you for your help. Yes, I see the packet sent from the switch to the Radius server and the Radius server's reply.  I will paste the info below for you.

431    188.088930    192.168.0.36    192.168.0.2    RADIUS    124    Access-Request(1) (id=131, l=82)

432    188.091966    192.168.0.2    192.168.0.36    RADIUS    106    Access-Accept(2) (id=131, l=64)

Radius server being 192.168.0.2

I am going to do the same from the 24 port switch.

It has returned the following.

2    1.154249    192.168.0.37    192.168.0.2    RADIUS    118    Access-Request(1) (id=0, l=76)

3    1.155518    192.168.0.2    192.168.0.37    RADIUS    125    Access-Accept(2) (id=0, l=83)

The local one I have next to me for testing, the 0.36 unit, I can unplug and get access to.  I will work with that and leave the 0.37 as it is in a working environment right now.

I appreciate you trying to help me with this...

Just to be clear, I can see in the Logs that everything is authenticated on the Radius server.  On the webpage for the router it shows

here is the wireshark grab of the data.

Take note of the arrows, I presume that is the correct data for the Vendor Specific under Remote Access Policy?

New Member

SG200-08 and Radius using IAS

Other information that may be valid.  I brought my firewall down to make sure it was not the issue with the same results.  I also have seen this in the log files of the switch.

Now when you say "Support window," I have only had this unit about 4 weeks now.  The other is way outside unless I buy a support package for them.

New Member

SG200-08 and Radius using IAS

Does anyone know of the valid settings in the IAS Profile?  Cisco don't seem to want to help too much seeing as it is a Microsoft IAS.  I can't get any answers from Cisco relating to any settings the Cisco switches and routers use.  Right now I can't use the Radius server to authenticate the switches and routers.

Documentation on this equipment explains nothing either, not a good start for someone getting into Cisco branded equipment, huh? lol

New Member

SG200-08 and Radius using IAS

This is what I love, people say Cisco has one of the best support systems in the world.  Yet they do not want to help a small business.

All I got from them is "we do not support Microsoft products."  No explanation on what settings I should even attempt to set up in my policies.  No details on protocols or anything related to setup.

I guess this topic is closed, but thank you to whoever has helped me, you were more help than the OFFSHORE support Cisco offers.

New Member

SG200-08 and Radius using IAS

I am experiencing EXACTLY the same thing.  I even updated to 1.0.2.0 from 1.0.0.16 today with no luck. Also, the default time of 1970 after a restart is annoying.  The device shouldn't be this buggy and slow for $180.

If you have found anything out, please post.  I'm thinking of going with the FreeRad product or similar, what a waste of a Saturday.......

Also, you cannot telnet or SSH into these POs's.  I should have found that out earlier....

New Member

SG200-08 and Radius using IAS

Yeah, no telnet as these units are Smart (HAHA), Managed switches allow telnet and so forth.  I have found no help, unable to figure out the correct settings or anything.

It is not really the software, but Cisco told me it could be the policy that has the issue. Again no help on the policy as I was not using their software.

I am so annoyed with this I have given up, I will just have to set my switches and routers manually.  I was intending on having all my equipment which is all now Cisco..... use Radius for authentication.

As I said, I have given up.  If by accident I find something, then I will mention it here.  Funny thing is I wanted to buy a couple of 50 port switches, but right now I am looking at another vendor.

New Member

Re: SG200-08 and Radius using IAS

I have found some interesting things about this unit.  It does not send out its NAS-IP-Address even when configured to do so.  It never sends out its type of NAS-Port, which is a problem when my Policy is looking for the NAS-Port to determine if this is a Wireless connection or Ethernet.

Authentication-Type = PAP, I can't get the unit to change to anything else, it always uses PAP even if the policy is not allowing this type.

I did have a Cisco Level 2 operator e-mail me with some pictures on a LAB setup they did using the same device, I am unable to make it work and he said he would do a Webex with me.  Not heard from him in 2 days now.

Another interesting thing, I am running the 1.0.2.0 Firmware. Well not interesting, but the latest version is now 1.0.0.16? Now what is up with that?

So I am still stuck, not knowing what is going on.. Oh and my Trouble ticket has been closed for me while I was out of town..


New Member

SG200-08 and Radius using IAS

I have finally got one of my other switch types working.  SLM224G is now working via IAS Radius, yet still the SG200-08 will not authenticate.  Cisco gave me settings for the SG200-08, but when I use their settings IAS will deny with the following..

User admin was denied access.

Fully-Qualified-User-Name = NEPTUNE\admin

NAS-IP-Address =

NAS-Identifier = A0-CF-5B-E4-72-5F

Called-Station-Identifier =

Calling-Station-Identifier =

Client-Friendly-Name = SG200-08

Client-IP-Address = 192.168.0.36

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Switch_Policy

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = SG200-08

Authentication-Type = PAP

EAP-Type =

Reason-Code = 66

Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

The reason for this is, I am told to uncheck everything, go into EAP and select MD5-Challenge! Well, apparently the switch does not like this.

So I set it to PAP, SPAP and I get the following.

User admin was granted access.

Fully-Qualified-User-Name = NEPTUNE\admin

NAS-IP-Address =

NAS-Identifier = A0-CF-5B-E4-72-5F

Client-Friendly-Name = SG200-08

Client-IP-Address = 192.168.0.36

Calling-Station-Identifier =

NAS-Port-Type =

NAS-Port =

Proxy-Policy-Name = Switch_Policy

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = SG200-08

Authentication-Type = PAP

EAP-Type =

Yet still, I can't log into the switch.  Cisco are telling me the switch is fine, YET I am also told by Level 2 that HE could not get the switch to work on their test server, so he tried it on another and it worked.

So what is this difference? Why is this doing this?

I know I said I gave up on this, but I don't like to be defeated by some electronic device! lol

New Member

Re: SG200-08 and Radius using IAS

OK, It is working, with a little bit of help from the Technet community we figured it out.

Settings are as follows for the SG200-08

Your Remote Access Policy should be set up like the following.

Create a Remote Access policy for the switch, I called mine SG200-08, just so I know which I am dealing with.

If you are using a wireless policy, make sure it is at the top! (Important).

Remove anything under policy conditions and click add,  The first thing you will need is Windows-Groups.  Then add your Windows Group of users you want to allow access to your switches, if you have not done this yet, close this and do it now!

Next you will want to add Client-IP-Address. You can do this a few ways; for instance I added 192.168.0.36 as this is a specific policy for the SG200-08.  The only reason I do this is because different switches may use different settings.  You could use 192.168.0.* or 192.168.0.0/24 or 192.168.0.0/16 and so on.  Depending on your server version you may not be allowed to use /24.

Next you need "Grant Remote Access Permission".  When done click edit profile.

Your Dial-in constraints should all be blank. Click the Authentication tab; the only thing checked here should be "Unencrypted Authentication (PAP, SPAP)".

Click the Advanced tab and remove anything listed.  Click "Add", scroll down to Service-Type and double click it, change the Attribute value to "Administrative" and click OK.  Scroll down to Vendor-Specific and double click it.  Click "Add", change the Vendor to "Cisco", click "Yes, it conforms", then click "Configure Attribute".

In the "Configure Attribute" section, "Vendor-assigned attribute number" should be 1, Attribute Format is "String" and the "Attribute value" should be shell:priv-lvl:15

Click OK, OK again, OK again, Close, Apply and OK.  Go test it, it should work.

I hope this fixes the issue for anyone that is using an SG200-08 on Windows Radius IAS.
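To make the exchange behind that profile concrete, here is an added example (not code from the thread or from Cisco or Microsoft) that builds the RADIUS Access-Request the switch sends with a PAP-hidden password (RFC 2865 section 5.2), builds the Access-Accept the way a server would with Service-Type=Administrative-User (RFC 2865 value 6, which is what IAS labels "Administrative") plus the Cisco Vendor-Specific attribute (IANA enterprise 9, vendor-assigned attribute 1), then validates that Accept the way a NAS does: checks the Response Authenticator against the shared secret and reports which of those two attributes are present. The shared secret, username, password and the fixed request authenticator are constructed values; the AV-pair string is `shell:priv-lvl=15`, the form Cisco documents for Cisco-AVPair, whereas the post above writes it with a colon, so compare what your server actually sends. The attribute check mirrors the attribute set the working profile in this thread sends, and is not a documented SG200-08 requirement.

```python
"""RADIUS PAP exchange as the SG200-08 and IAS perform it, as an added
illustration.  Values marked 'constructed' are not from the thread."""
import hashlib
import struct

SHARED_SECRET = b"example-secret"      # constructed; the same string goes on the switch and the IAS client entry
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # RFC 2865 value behind IAS's "Administrative"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9; vendor-assigned attribute 1
PRIV15 = b"shell:priv-lvl=15"          # Cisco-AVPair as Cisco documents it


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def service_type(value: int) -> bytes:
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte Vendor-Id, then vendor type, vendor length, value."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide; this is what the server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, pap_hide(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse_attrs(attrs: bytes):
    """Return [(type, value)]; a VSA's value is the tuple (vendor_id, vendor_type, vendor_value)."""
    out, pos = [], 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VSA:
            vendor = struct.unpack("!I", value[:4])[0]
            value = (vendor, value[4], value[6:4 + value[5]])
        out.append((atype, value))
        pos += alen
    return out


def check_accept(packet, request_auth, secret):
    """Validate an Access-Accept as a NAS does, then report which of the
    attributes from the thread's working IAS profile it carries."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return {"ok": False, "reason": "not a well-formed Access-Accept"}
    attrs = packet[20:]
    if packet[4:20] != hashlib.md5(packet[:4] + request_auth + attrs + secret).digest():
        return {"ok": False, "reason": "Response Authenticator mismatch (shared secret differs?)"}
    parsed = parse_attrs(attrs)
    admin = any(t == ATTR_SERVICE_TYPE and struct.unpack("!I", v)[0] == SERVICE_TYPE_ADMINISTRATIVE_USER
                for t, v in parsed)
    priv15 = any(t == ATTR_VSA and v[:2] == (CISCO_VENDOR_ID, CISCO_AVPAIR) and v[2] == PRIV15
                 for t, v in parsed)
    missing = [name for name, present in (("Service-Type=Administrative", admin),
                                          ("Cisco-AVPair " + PRIV15.decode(), priv15)) if not present]
    return {"ok": not missing,
            "reason": "missing: " + ", ".join(missing) if missing else "Accept carries the admin attributes"}


def demo():
    """Constructed exchange with id 131 as in the thread's capture and a fixed authenticator."""
    request_auth = bytes(range(16))    # constructed; a real NAS uses 16 random bytes per request
    req = build_access_request(131, b"deano", b"example-pw", SHARED_SECRET, request_auth)
    full = build_access_accept(131, request_auth, SHARED_SECRET,
                               service_type(SERVICE_TYPE_ADMINISTRATIVE_USER) + cisco_avpair(PRIV15))
    bare = build_access_accept(131, request_auth, SHARED_SECRET, b"")   # Accept with no authorization attributes
    return req, check_accept(full, request_auth, SHARED_SECRET), check_accept(bare, request_auth, SHARED_SECRET)


if __name__ == "__main__":
    request, with_attrs, without_attrs = demo()
    print(len(request), with_attrs, without_attrs)
```

A quick sanity check against a mirror-port capture like the ones earlier in the thread: the RADIUS header is 20 bytes, so the `l=` value Wireshark prints for an Access-Accept tells you how many bytes of attributes the server returned (l=64 means 44 bytes of attributes, l=83 means 63), and an Accept that is close to 20 bytes is carrying no authorization at all. A Response Authenticator mismatch in `check_accept` is what a NAS sees when the shared secrets differ, which produces a failed login on the switch while the server log still says the user was granted access.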

Bronze

Re: SG200-08 and Radius using IAS

Dean,

Great post,

I did some testing as well and found that at least on Server 2008 you can use both Cisco or Radius Standard for the client type.

I also am able to use the Default MS-CHAP settings as long as I also choose the PAP, SPAP.

Thanks,

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

New Member

Re: SG200-08 and Radius using IAS

Yeah, I forgot to mention either will work..  I did this set up based on 2003 server and should be doing the complete setup on 2008 shortly.

Just happy I got it figured out

New Member

Re: SG200-08 and Radius using IAS

I was hoping to get EAP support for the login, have not found a way of doing that as of yet.  I am not 100% sure you can use EAP unless it is over a wireless network.

Bronze

Re: SG200-08 and Radius using IAS

Hello Dean,

EAP is for client access, are you trying to setup 802.1x for restricting clients from accessing the switch?

The switch can be an EAP authenticator, but not an EAP peer.

Please look over the following document.

http://www.google.com/imgres?imgurl=http://i.technet.microsoft.com/dynimg/IC157983.gif&imgrefurl=http://technet.microsoft.com/en-us/library/bb457039.aspx&usg=__UyZL1QAaRF0fbVtL38cPf5nlngQ=&h=375&w=600&sz=17&hl=en&start=10&zoom=1&tbnid=rOVFu0F5GqCzhM:...

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

New Member

Re: SG200-08 and Radius using IAS

I kinda figured it would be that way, was just looking into it to be sure.  Thank you for your help..

New Member


Great post. This got my SG200-08 authenticating from my RADIUS server in a matter of minutes - after hours of frustration.


New Member


Thank you, it took me a long time with the help from others to get this right.  I am happy it got you going within a short time.


Dean

New Member


One thing to remember, MS-CHAP is not a very good security system to employ, I have not played with others as of yet, but it works.
