SG300 not sending any traffic to windows 2012 NPS for Radius

itmanager
Level 1

Hi,

I've spent about 8 hours trying to figure out why my SG300 is not communicating with the NPS server for Radius 802.1x wired authentication.

The SG300 is brand new. I factory reset it and configured a static IP. After that I configured Radius as per the manual. I see no communication taking place between the Windows 2012 server and the switch. The server firewall is off and the server directly connects to the SG300 switch.

I'm only testing with one port (port 1) set to Auto.

This is the log when I connect the laptop that is supposed to authenticate with Windows Server 2012 NPS via Radius:

2147483642  2014-Jan-12 19:14:29  Warning        %STP-W-PORTSTATUS: gi1: STP status Forwarding
2147483643  2014-Jan-12 19:14:25  Informational  %LINK-I-Up: Vlan 10
2147483644  2014-Jan-12 19:14:25  Informational  %LINK-I-Up: gi1


Radius Server ports match the server entry on Cisco. I've tried 1812/1813 and 1645/1646.

I've checked for RADIUS traffic using Wireshark and I see none. :(

Here is the config for the switch:

config-file-header
switch192437
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
vlan database
vlan 10 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
dot1x traps authentication failure 802.1x 
dot1x traps authentication success 802.1x 
hostname switch192437
encrypted radius-server key I2M2eJH2YYXToxz5eMNjsSNVazNUQjFgCJ/g1RbIB+x1FIBscccijeyuu99Flu9CT5Syy01GBcH1SP0ebXn/AfZcrMTJy/B2JXJTghWTf6iKkZSt5gAXaOuKZ8u6t2sK 
radius-server host 192.168.50.14 auth-port 1645 acct-port 1646 priority 1 usage dot1.x 
radius-server timeout 5
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
username cisco password encrypted 2dfcb56b6e9a11f11eea5681bca745234ed13f41 privilege 15 
ip ssh server
ip ssh password-auth 
snmp-server server
ip name-server  192.168.50.205
!
interface vlan 1
 ip address 192.168.50.246 255.255.255.0 
 no ip address dhcp 
!
interface vlan 10
 name "VLAN10" 
 dot1x guest-vlan 
!
interface gigabitethernet1
 dot1x guest-vlan enable 
 dot1x port-control auto 
!
exit
ip default-gateway 192.168.50.1 
encrypted ip ssh-client key rsa key-pair
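A capture that shows no RADIUS does not say which half of the exchange is missing: the switch only builds an Access-Request for 192.168.50.14 after the laptop's supplicant has answered with EAPOL on gi1. This added Python script (not from the thread or from Cisco) separates the two cases by sorting raw Ethernet frames, taken from a mirror of the access port and the server port, into EAPOL and RADIUS on the UDP ports tried above; the MAC addresses, IPs and sample frames are constructed for the example.

```python
import socket
import struct
# Ethertypes and the RADIUS UDP ports mentioned in the thread (1812/1813 and 1645/1646).
ETH_P_EAPOL = 0x888E
ETH_P_IP = 0x0800
RADIUS_PORTS = {1812, 1813, 1645, 1646}
VERDICTS = {
    "no-eapol": "no EAPOL on the access port: the supplicant never started 802.1X, so the switch had nothing to send",
    "no-radius": "EAPOL seen but no RADIUS: the switch is not reaching the server",
    "ok": "EAPOL and RADIUS both seen: check the NPS event log for the reject reason",
}

def classify(frame: bytes) -> str:
    """Sort one raw Ethernet II frame into 'eapol', 'radius' or 'other'."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_EAPOL:
        return "eapol"
    if ethertype == ETH_P_IP and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] == 17 and len(frame) >= 14 + ihl + 8:  # protocol 17 = UDP
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
            if sport in RADIUS_PORTS or dport in RADIUS_PORTS:
                return "radius"
    return "other"

def diagnose(frames) -> str:
    """Verdict key for a capture that mirrors both the access port and the server port."""
    seen = {classify(f) for f in frames}
    if "eapol" not in seen:
        return "no-eapol"
    return "ok" if "radius" in seen else "no-radius"

# Constructed sample frames (not from the thread's capture) so this runs offline.
LAPTOP_MAC, SWITCH_MAC, NPS_MAC = (bytes.fromhex(m) for m in ("001122334455", "66778899aabb", "ccddeeff0011"))

def eapol_start(src_mac: bytes) -> bytes:
    """EAPOL-Start (version 1, packet type 1, no body) to the 802.1X PAE group address."""
    return bytes.fromhex("0180c2000003") + src_mac + struct.pack("!HBBH", ETH_P_EAPOL, 1, 1, 0)

def radius_access_request(src_ip: str, dst_ip: str, dport: int = 1645) -> bytes:
    """Minimal RADIUS Access-Request (code 1, no attributes) in UDP/IPv4/Ethernet."""
    radius = struct.pack("!BBH", 1, 0, 20) + bytes(16)  # code, identifier, length, authenticator
    udp = struct.pack("!HHHH", 49152, dport, 8 + len(radius), 0) + radius  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return NPS_MAC + SWITCH_MAC + struct.pack("!H", ETH_P_IP) + ip + udp
```

`VERDICTS[diagnose([eapol_start(LAPTOP_MAC)])]` reproduces the thread's symptom (EAPOL but no RADIUS); feeding it a real capture means reading frames from a pcap and passing them to `diagnose`.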

3 Replies

Tom Watts
VIP Alumni

Hi, it may be possible you do not have the RADIUS priority configured correctly. I think your local login is taking precedence. You may want to check the login order to ensure local is second to RADIUS.

-Tom
Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

No change. I made RADIUS the first type for HTTPS management and now I can't log in via HTTPS. No events on the server showing authentication attempts.

Did you find a solution?