Let me start by putting my issue into one sentence:
I have a Catalyst 4507 and I can't log onto it using RADIUS even though the configuration is the same as a Catalyst 3850 which is working and testing RADIUS using the IOS-XE tests in the 4507 is successful. What could be the problem?
I successfully configured a Catalyst 3850 to use a Windows Server 2008 R2 NPS server for RADIUS. I mostly replicated that configuration on a Catalyst 4507 (adjusted for platform differences) and when I run "test aaa group" on the 4507, the test succeeds. When I try to actually log on to the 4507 with an account that needs RADIUS to authenticate, it fails. It looks like the failure on logon is a timeout contacting the RADIUS server, but I can't figure out why the authentication request would work differently between the test and the actual logon.
Here's some config, test, and output:
Config
Version:
#show ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
(cat4500es8-UNIVERSALK9-M), Version 03.08.02.E RELEASE SOFTWARE (fc2)
Management Interface (from which RADIUS requests must be sent):
!
interface FastEthernet1
vrf forwarding mgmtVrf
ip address yy.yy.yy.yy 255.255.255.0
speed auto
duplex auto
!
AAA Config:
#show run aaa
!
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa accounting exec default start-stop group radius
aaa accounting delay-start
username XXXX privilege 15 secret 5 XXXX
!
!
radius server NPSSERVER
address ipv4 xx.xx.xx.xx auth-port 1645 acct-port 1646
key 7 XXXX
!
!
aaa group server radius RADIUSGROUP
server name NPSSERVER
ip vrf forwarding mgmtVrf
ip radius source-interface FastEthernet1
!
!
aaa new-model
aaa session-id common
!
Tests
Cleared counters:
#show aaa servers
RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
State: current UP, duration 2157s, previous duration 0s
Dead: total time 0s, count 13
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
RADIUS Test and Counters:
#test aaa group RADIUSGROUP username@domain.com XXXXXX new-code
User successfully authenticated
USER ATTRIBUTES
service-type 0 7 [NAS Prompt]
priv-lvl 0 15 (0xF)
#show aaa servers
RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
State: current UP, duration 2278s, previous duration 0s
Dead: total time 0s, count 13
Quarantined: No
Authen: request 1, timeouts 0, failover 0, retransmission 0
Response: accept 1, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 4ms
Transaction: success 1, failure 0
Throttled: transaction 0, timeout 0, failure 0
Login Attempt and Counters:
login as: username@domain.com
Using keyboard-interactive authentication.
Password:
Access denied
#show aaa servers
RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
State: current UP, duration 2436s, previous duration 0s
Dead: total time 0s, count 13
Quarantined: No
Authen: request 5, timeouts 4, failover 0, retransmission 3
Response: accept 1, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 4ms
Transaction: success 1, failure 1
Throttled: transaction 0, timeout 0, failure 0
Here's the output from "debug aaa authentication" during a failed logon attempt:
*Dec 2 19:35:48.817: AAA/BIND(00000041): Bind i/f
*Dec 2 19:35:48.817: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'
*Dec 2 19:36:02.322: %RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
*Dec 2 19:36:02.322: %RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.
*Dec 2 19:36:14.379: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'
The logs on the NPS servers are pretty difficult to read, but I'm pretty sure they show success when I log on from the working switch, success when I test from the 4507, and no connection at all when I attempt to log on to the 4507.
(Mostly) Complete config:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname REDACTED
!
boot-start-marker
boot system flash bootflash:cat4500es8-universalk9.SPA.03.08.02.E.152-4.E2.bin
boot-end-marker
!
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 REDACTED
!
username REDACTED privilege 15 secret 5 REDACTED
aaa new-model
!
!
aaa group server radius RADIUSGROUP
server name RADIUSSERVER
ip vrf forwarding mgmtVrf
ip radius source-interface FastEthernet1
!
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time EDT recurring
!
!
udld enable
!
!
ip domain-name domain.com
ip name-server REDACTED
ip name-server REDACTED
!
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
redundancy
mode sso
!
vlan internal allocation policy ascending
!
! ******* Port-channel interfaces redacted
!
interface FastEthernet1
vrf forwarding mgmtVrf
ip address x.x.x.x 255.255.255.0
speed auto
duplex auto
!
! ******** Line card interfaces redacted
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan11
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan20
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan23
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan24
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan28
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan29
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan30
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan40
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan60
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
interface Vlan100
description REDACTED
ip address REDACTED
ip helper-address REDACTED
no ip redirects
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 REDACTED
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 REDACTED
ip ssh version 2
!
ip access-list extended snmp-access
permit ip host REDACTED any
!
ip radius source-interface FastEthernet1
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
!
!
radius server RADIUSSERVER
address ipv4 REDACTED auth-port 1645 acct-port 1646
key 7 REDACTED
!
!
!
!
line con 0
logging synchronous
stopbits 1
line vty 0 4
exec-timeout 15 0
line vty 5 15
!
ntp server REDACTED
ntp server REDACTED
!
end
Best Answer
The mistake/oversight in my config is here:
Using the "radius" keyword at the end instead of the explicit name of the RADIUS group defined elsewhere means the AAA system does not correctly use that RADIUS group. The correct AAA configuration command is this:
Where RADIUSGROUPNAME matches the keyword chosen in the first line of the following configuration commands:
The reason why the test was successful is because I was specifying the RADIUS group name in the test, like so:
Running the test as follows would fail:
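As an added check that is not part of the question or the answer: a small Python lint that parses the IOS AAA configuration and flags method lists that reference the generic "group radius" keyword while a named server group carries the VRF or source-interface settings the generic group does not pick up, which is exactly the mismatch the answer describes. The sample config is constructed from the question (server name and redacted values kept), and the function names are mine.

```python
import re

# Constructed sample modelled on the 4507 AAA config in the question
# (server address and key redacted, sub-commands indented as IOS shows them).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RADIUSGROUP
 server name NPSSERVER
 ip vrf forwarding mgmtVrf
 ip radius source-interface FastEthernet1
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa accounting exec default start-stop group radius
"""

# A method list that points at the implicit 'radius' group (all global servers).
GENERIC_REF = re.compile(r"^aaa (authentication|authorization|accounting) .*\bgroup radius\b")


def parse_named_groups(config):
    """Map each 'aaa group server radius NAME' block to its vrf and source interface."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"vrf": None, "source": None}
        elif current and line.startswith(" "):
            words = line.split()
            if words[:3] == ["ip", "vrf", "forwarding"]:
                groups[current]["vrf"] = words[3]
            elif words[:3] == ["ip", "radius", "source-interface"]:
                groups[current]["source"] = words[3]
        else:
            current = None  # left the group block

    return groups


def lint(config):
    """Flag 'group radius' method lists when a named group carries VRF/source settings."""
    scoped = {n: a for n, a in parse_named_groups(config).items() if a["vrf"] or a["source"]}
    return [f"{line}: ignores vrf={a['vrf']} source={a['source']} of {n}; use 'group {n}'"
            for line in config.splitlines() if GENERIC_REF.match(line)
            for n, a in scoped.items()]


def rewrite(config, group_name):
    """Return the config with every generic method-list reference pointed at group_name."""
    return "\n".join(re.sub(r"\bgroup radius\b", f"group {group_name}", line)
                     if GENERIC_REF.match(line) else line
                     for line in config.splitlines()) + "\n"
```

Run lint() over "show run aaa" output; an empty list means every method list already names a group that carries its VRF and source interface.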