I've got a Cisco Catalyst 3550 SMI in my network environment. I set it to use RADIUS authorization on IAS on Windows 2003. This Cisco device and the IAS server are in different VLANs (different subnets), but they can ping each other (routing between the VLANs works). IAS is configured properly, but sometimes (not always) I cannot log in to this switch (the log from IAS is OK: the user I use was accepted by the rules configured on IAS), and after entering the password, after a while I get the message: % Backup authentication, and login is not possible (I try to log in from a host which is in the same VLAN as this switch). At the same time, when I try to log in from a host which is in the same VLAN as the IAS server, everything goes OK. Does anybody know what can be wrong?
Post the IOS version in use and a sanitized switch config.
Capture the AAA debugging output for a successful authentication from the problem VLAN:
debug radius
debug aaa authentication
When the problem occurs, capture again using the same commands and compare to see whether the auth packets are being sent to the IAS server and whether the switch receives a response.
OK. Here is the log from a successful login:
.Mar 31 14:42:01: AAA/AUTHEN/CONT (2107571542): continue_login (user='(undef)')
.Mar 31 14:42:01: AAA/AUTHEN (2107571542): status = GETUSER
.Mar 31 14:42:01: AAA/AUTHEN (2107571542): Method=radius (radius)
.Mar 31 14:42:01: AAA/AUTHEN (2107571542): status = GETPASS
.Mar 31 14:42:04: AAA/AUTHEN/CONT (2107571542): continue_login (user='slabr')
.Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = GETPASS
.Mar 31 14:42:04: AAA/AUTHEN (2107571542): Method=radius (radius)
.Mar 31 14:42:04: RADIUS: ustruct sharecount=1
.Mar 31 14:42:04: RADIUS: Initial Transmit tty1 id 35 10.10.10.189:1812, Access-Request, len 74
.Mar 31 14:42:04: Attribute 4 6 0A0A06FA
.Mar 31 14:42:04: Attribute 5 6 00000001
.Mar 31 14:42:04: Attribute 61 6 00000005
.Mar 31 14:42:04: Attribute 1 7 736C6162
.Mar 31 14:42:04: Attribute 31 11 31302E31
.Mar 31 14:42:04: Attribute 2 18 A2FE0EB9
.Mar 31 14:42:04: RADIUS: Received from id 35 10.10.10.189:1812, Access-Accept, len 64
.Mar 31 14:42:04: Attribute 7 6 00000001
.Mar 31 14:42:04: Attribute 6 6 00000002
.Mar 31 14:42:04: Attribute 25 32 3BB004C5
.Mar 31 14:42:04: RADIUS: saved authorization data for user E1980C at 861D48
.Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = PASS
And here is when the login fails:
.Mar 31 14:41:11: RADIUS: Tried all servers.
.Mar 31 14:41:11: RADIUS: No response for id 33
.Mar 31 14:41:11: RADIUS: No response from server
.Mar 31 14:41:11: AAA/AUTHEN (3799657483): status = ERROR
.Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): port='tty1' list='' action=LOGIN service=LOGIN
.Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): Restart
.Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): no methods left to try
.Mar 31 14:41:11: AAA/AUTHEN (3707451166): status = ERROR
.Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): failed to authenticate
.Mar 31 14:41:13: AAA/MEMORY: free_user (0x861D48) user='slabr' ruser='' port='tty1' rem_addr='10.10.6.1' authen_type=ASCII service=LOGIN priv=1
.Mar 31 14:41:13: AAA: parse name=tty1 idb type=-1 tty=-1
.Mar 31 14:41:13: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
.Mar 31 14:41:13: AAA/MEMORY: create_user (0xE1980C) user='' ruser='' port='tty1' rem_addr='10.10.6.1' authen_type=ASCII service=LOGIN priv=1
.Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): port='tty1' list='efls' action=LOGIN service=LOGIN
.Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): found list efls
.Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): Method=radius (radius)
.Mar 31 14:41:13: AAA/AUTHEN (1941398153): status = GETUSER
.Mar 31 14:41:16: AAA: parse name=tty2 idb type=-1 tty=-1
.Mar 31 14:41:16: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
.Mar 31 14:41:16: AAA/MEMORY: create_user (0xE1A220) user='' ruser='' port='tty2' rem_addr='10.10.10.186' authen_type=ASCII service=LOGIN priv=1
.Mar 31 14:41:16: AAA/AUTHEN/START (47063112): port='tty2' list='efls' action=LOGIN service=LOGIN
.Mar 31 14:41:16: AAA/AUTHEN/START (47063112): found list efls
.Mar 31 14:41:16: AAA/AUTHEN/START (47063112): Method=radius (radius)
.Mar 31 14:41:16: AAA/AUTHEN (47063112): status = GETUSER
.Mar 31 14:41:17: AAA/AUTHEN/CONT (47063112): continue_login (user='(undef)')
.Mar 31 14:41:17: AAA/AUTHEN (47063112): status = GETUSER
.Mar 31 14:41:17: AAA/AUTHEN (47063112): Method=radius (radius)
.Mar 31 14:41:17: AAA/AUTHEN (47063112): status = GETPASS
.Mar 31 14:41:20: AAA/AUTHEN/CONT (47063112): continue_login (user='slabr')
.Mar 31 14:41:20: AAA/AUTHEN (47063112): status = GETPASS
.Mar 31 14:41:20: AAA/AUTHEN (47063112): Method=radius (radius)
I don't know if that is all of it, because I increased the logging buffer after the successful login. But one more thing: I've noticed that when I first try to log in from my host (the same VLAN as the switch), the login fails; then a login from a host in the same VLAN as the IAS server succeeds, and after that I can log in from my host.
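As an added example (not code from the thread), a small Python script that does the comparison suggested above over a whole logging buffer: it pairs each "Initial Transmit" line from debug radius with its "Received from" or "No response for id" line by RADIUS packet id, so a timed-out Access-Request stands out without reading the buffer by hand. It assumes the IOS debug line formats exactly as posted; the sample log is constructed from the lines above.

```python
import re

# Constructed sample built from the thread's own debug lines: one exchange that
# timed out (id 33) and one that got an Access-Accept (id 35).
SAMPLE_LOG = """\
.Mar 31 14:41:11: RADIUS: Tried all servers.
.Mar 31 14:41:11: RADIUS: No response for id 33
.Mar 31 14:41:11: RADIUS: No response from server
.Mar 31 14:41:11: AAA/AUTHEN (3799657483): status = ERROR
.Mar 31 14:42:04: RADIUS: Initial Transmit tty1 id 35 10.10.10.189:1812, Access-Request, len 74
.Mar 31 14:42:04: RADIUS: Received from id 35 10.10.10.189:1812, Access-Accept, len 64
.Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = PASS
"""

# Line shapes assumed from the "debug radius" output posted in the thread.
TRANSMIT = re.compile(r"RADIUS: Initial Transmit \S+ id (\d+) ([^,\s]+), (Access-\w+)")
RECEIVED = re.compile(r"RADIUS: Received from id (\d+) ([^,\s]+), (Access-\w+)")
NO_RESPONSE = re.compile(r"RADIUS: No response for id (\d+)")


def audit_radius(log_text):
    """Return {packet_id: outcome} for every RADIUS id seen in the debug log.

    outcome is the reply code ('Access-Accept', 'Access-Reject', ...) when the
    switch logged a reply, 'no response' when it logged a timeout, and
    'unanswered' when a transmit has no matching reply or timeout line yet.
    """
    outcome = {}
    for line in log_text.splitlines():
        m = TRANSMIT.search(line)
        if m:
            outcome.setdefault(int(m.group(1)), "unanswered")
            continue
        m = RECEIVED.search(line)
        if m:
            outcome[int(m.group(1))] = m.group(3)
            continue
        m = NO_RESPONSE.search(line)
        if m:
            outcome[int(m.group(1))] = "no response"
    return outcome


def unanswered_ids(log_text):
    """Ids whose Access-Request never got a reply from the IAS server."""
    return sorted(i for i, o in audit_radius(log_text).items()
                  if o in ("no response", "unanswered"))


if __name__ == "__main__":
    for pid, result in sorted(audit_radius(SAMPLE_LOG).items()):
        print(f"id {pid}: {result}")
```

Run it against the output of "show logging" after both a failed and a successful attempt; any id reported as "no response" is a request that left the switch and was never answered, which is exactly the case a sniffer on the IAS side should then confirm or rule out.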
The authentication failed because the switch did not get a response.
Put a sniffer (Ethereal) between the switch and the IAS server to confirm that this is the case. You should see a packet go out to the IAS server and then see no reply packet. If that is the case, then the problem is on the IAS server.
RADIUS uses UDP port 1812 by default (or the port configured in the IOS config).
Does the IAS server have a default gateway configured?
User "Merv" wrote in message news: snipped-for-privacy@u72g2000cwu.googlegroups.com...
The IAS server has a default gateway, and if I try to log in just from the IAS server it always succeeds. And I was wondering why I can log in from my host after I log in from a host which is in the same VLAN as the IAS server? Maybe the ip radius source-interface command would help... I have now set this command and will see if it helps. But to check it out, I need some time.
Here is an example of using extended ping, which allows you to select the source interface or source IP address instead of the router selecting it.
#ping
Protocol [ipv4]:
Target IP address: 3.3.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: yes
Source address or interface: 12.15.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Well, on this switch I have only one interface (inter-VLAN routing is done on another L3 device) and only one IP address. My host is in VLAN 6 (just like this switch) and the IAS server is in VLAN 7. Now I have noticed that a host in VLAN 5 has no problem telnetting to this switch, just like the IAS server. It seems that only hosts in VLAN 6 have problems telnetting to this switch (I tried to log in from another host which is in VLAN 6 too, and telnet was not possible). Any other suggestions?
OK. Here you are:
switch#ping
Protocol [ip]:
Target IP address: 10.10.10.189
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.6.250
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.189, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
switch#