AAA + RADIUS on Catalyst switches

The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120.5.WC5

How do I set the IP address and port of the RADIUS server?

Regards

I think I have the same version. As you can see below, the command is there.

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-May-02 11:41 by devgoyal
Image text-base: 0x00003000, data-base: 0x0034A3C8

ROM: Bootstrap program is C3500XL boot loader

uptime is 40 weeks, 15 hours, 35 minutes
System returned to ROM by reload
System restarted at 23:17:01 PUTS DST Monday, August 19, 2002
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"

cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0513V068, with hardware revision 0x00
Last reset from warm-reset

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:05:9B:93:13:80
Motherboard assembly number: 73-3904-11
Power supply part number: 0851-34-02
Motherboard serial number: FAB051240RK
Power supply serial number: PHI050204Z8
Model revision number: A0
Model number: WS-C3524-XL-EN
System serial number: FAB0513V068
Configuration register is 0xF

#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#rad
(config)#radius-server ?
  attribute           Customize selected radius attributes
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  vsa                 Vendor specific attribute configuration

Hope this helps you

Leo

Tags: Cisco Security

Similar Questions

  • AAA/RADIUS debugging for one specific MAC address only

    I have a question - is there a way I can debug AAA, RADIUS and EAP communication on a switch for one particular MAC (endpoint) address only?

    Thank you.

    EAP authentication

    In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or internal EAP server), use the command debug aaa all enable, which shows the required details. This command must be used after the debug client command and can be combined with other debug commands as needed (for example, transfer).

    (Cisco Controller) >debug client 00:00:00:00:00:00
    (Cisco Controller) >debug aaa all enable
    (Cisco Controller) >show debug
    MAC address ................................ 00:00:00:00:00:00
    Debug Flags Enabled:
      aaa detail enabled.
      aaa events enabled.
      aaa packet enabled.
      aaa packet enabled.
      aaa ldap enabled.
      aaa local-auth db enabled.
      aaa local-auth eap framework errors enabled.
      aaa local-auth eap framework events enabled.
      aaa local-auth eap framework packets enabled.
      aaa local-auth eap framework state machine enabled.
      aaa local-auth eap method errors enabled.
      aaa local-auth eap method events enabled.
      aaa local-auth eap method packets enabled.
      aaa local-auth eap method state machine enabled.
      aaa local-auth shim enabled.
      aaa tacacs enabled.
      dhcp packet enabled.
      dot11 mobile enabled.
      dot11 state enabled
      dot1x events enabled
      dot1x states enabled.
      mobility handoff enabled.
      pem events enabled.
      pem state enabled.

  • Cisco ACS 4.2 + RADIUS + HP ProCurve switches

    Hello!

    We have a mixed network environment with Cisco / HP hardware.

    We are currently evaluating Cisco ACS 4.2 to manage access to network equipment.

    Cisco equipment works very well, but we have problems with RADIUS and the ProCurve switches (TACACS works very well).

    I googled around and it seems that you need to create new vendor-specific attributes (VSA) for the ProCurve switches and set the IETF RADIUS settings to the right values, which must match the HP equipment.

    Problem is that I can't find this information online.

    Has anyone managed to solve this problem?

    Would really appreciate help!

    Thank you

    BR

    Generally, you should download the VSA for ACS. You must get the HP ini file. Once you have it, you need to create a VSA and transfer it to ACS.

    Because we need to add a vendor-specific attribute in ACS, we must first create a file 'accountActions.csv' using the format specified in "RDBMS Synchronization Import Definitions". Once we are ready with the file, we must do an RDBMS synchronization on the ACS (SE) and then go to Reports and Activity > RDBMS Synchronization and make sure that the synchronization completed without error. Once this is done, you must restart the ACS SE. Then we can create a new AAA client and use the new RADIUS (xxxx), and the attributes that we added can be made visible under Interface Configuration, by selecting the newly added RADIUS VSA attribute.

    RDBMS Synchronization:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/sad.htm#wp756877

    RDBMS Synchronization Import Definitions:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/AG.htm

    Kind regards

    ~ JG

  • How to restrict Internet access by using a RADIUS server via a Catalyst 3560 switch

    Dear all,

    I need some help with a configuration. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. I intend to connect interface FastEthernet 0/24 of the 3560 switch to a Unix-based RADIUS server. The ISP is connected on the other side of the 2811, on the fa0/0 interface.

    What I want is that if one of the 15 users tries to access the internet, they must be validated by the RADIUS server against their pre-configured user credentials. (I'm going to store 15 user credentials there.) If someone else (other than those 15) tries to connect, he or she should be denied internet access.

    The RADIUS server will have a login page for typing the user name and password.

    Please advise what commands I should enter on the 3560, or what specifically I need to have to accomplish this task.

    Thanks in advance!

    Samrat.

    I only did this a very long time ago, but what you probably want to do is enable web authentication.

    http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swwebauth.html

  • AAA & RADIUS

    In a lab, when I configure the following there is no problem logging in to the switch using telnet/ssh:

    aaa new-model
    aaa authentication login default group radius
    aaa authorization exec default group radius if-authenticated
    aaa accounting exec default start-stop group radius

    I have configured the following Cisco AV-pair on the AAA server:

    shell:priv-lvl=15

    When I log in via telnet/ssh, there is no problem at all. However, when I connect via the console, I get no priv level. It authenticates me to user exec but nothing more.

    If anyone has seen this, I would appreciate greatly any help.

    Thank you

    Hi christ

    Try the command aaa authorization console

    where u set the value of shell or RADIUS ietf att av pair.

    Try a brand something the exec button and then set in previll level 15

    Regards

    Manish

  • AAA RADIUS server privilege level control

    I have RADIUS authentication set up on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers, who can view the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins to go directly to privilege level 15 when they log on, but I could not get that part to work. Here is my configuration:

    Windows 2008 R2 domain controller with NPS installed.

    RADIUS client: I have the IP address of the switch as well as the key. On the Advanced tab I selected Cisco as the vendor name.

    Network policies:

    NetworkAdmins, which has the networkadmin group under Conditions; under Settings I have nothing under Standard, and under Vendor Specific I have:

    Cisco Cisco-AV-Pair shell:priv-lvl=15

    My switch config:

    aaa new-model
    !
    !
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    !
    aaa authentication login NetworkAdmins local group MTFAAA
    aaa authorization exec NetworkAdmins local group MTFAAA

    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 *
    !
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 *
    !

    No matter what I do, it does not default to privilege level 15 when I log in. Any thoughts?

    Have you specified the authorization group under line vty? I think it is the authorization exec command. Something like that.

  • AAA RADIUS authentication for only one user group

    Hello

    I use ACS 3.1 and am trying to use RADIUS authentication for all network switches in my company.

    The problem I'm facing now is how to restrict login/exec access to the switches to only one user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switch (using their login credentials).

    I would like to prevent everyone except the administrator group from telnetting in with their ID.

    Please advise on how this is possible.

    TKS!

    In ACS, you need the admin users in their own separate ACS group, leaving the other users in their own group also.

    Edit the group that contains the users you don't want to give access to, and under the Network Access Restrictions (NAR) heading, in "Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the port and address).

    This prevents standard users from authenticating to the switches. You can put all your switches in a network device group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.

  • Multiple SSH listening ports on Catalyst switches

    Hello community,

    On Cisco routers, you can set up multiple SSH ports (instead of the default tcp 22) in combination with rotary groups. Then attach these rotary groups to specific VTY lines. It works very well.

    But it seems that on Cisco switches you cannot set different SSH ports. The command Router(config)# ip ssh port portnum rotary group is not available. You can use rotary on the VTY lines, but it only applies to Telnet connections.

    Does anyone know if it is possible to use rotary groups on switches with SSH? What I'm trying to achieve is this: I want to use multiple AAA method lists and assign them to specific VTY lines. That way I can direct specific users, connecting from specific IP addresses, to a dedicated VTY line with a customized AAA method list.

    Any help is much appreciated!

    Kind regards

    Dion Dohmen

    Hello

    I am currently using 12.2(58)SE2 on the 3560.

    Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)

    I downgraded my IOS to check whether it is supported on the 3560 on 12.2(55)SE1, and it is not.

    XXX uptime is 1 minute
    System returned to ROM by power-on
    System restarted at 14:38:50 GMT Tuesday, July 29, 2014
    System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE1.bin"

    XXX(config)#ip ssh ?
      authentication-retries  Specify number of authentication retries
      dscp                    IP DSCP value for SSH traffic
      logging                 Configure logging for SSH
      precedence              IP Precedence value for SSH traffic
      source-interface        Specify interface for source address in SSH connections
      time-out                Specify SSH time-out interval
      version                 Specify protocol version supported

    XXX(config)#ip ssh

    I then upgraded to 12.2(55)SE9 and it is still not supported.

    XXX uptime is 1 minute
    System returned to ROM by power-on
    System restarted at 14:47:49 GMT Tuesday, July 29, 2014
    System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"

    XXX(config)#ip ssh ?
      authentication-retries  Specify number of authentication retries
      dscp                    IP DSCP value for SSH traffic
      logging                 Configure logging for SSH
      precedence              IP Precedence value for SSH traffic
      source-interface        Specify interface for source address in SSH connections
      time-out                Specify SSH time-out interval
      version                 Specify protocol version supported

    XXX(config)#ip ssh

    I would recommend that you upgrade, but I unfortunately don't see any point.

    Thank you

    Nehmaan

  • AAA RADIUS 3750-X

    Hello!

    I'm troubleshooting an installation of a new 3750-X stack - everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another identical working stack but I am having no love with my RADIUS. Debug RADIUS auth showed this - any ideas?

    I tried a few things including specifying my management interface VLAN as source for RADIUS, but it had no effect.

    I am running 15.0(2)SE-IPBASEK9-M

    10:22:43: RADIUS: AAA Attr not supported: interface [221] 4

    10:22:43: RADIUS: 74 74 [tt]

    Thanks for your help

    Hi John,

    Take a look at this.

    aaa group server radius Group1
     server 10.10.220.130 auth-port 182 acct-port 1813

    RADIUS authentication listens on port 1812. Try reconfiguring as below.

    aaa group server radius Group1
     server 10.10.220.130 auth-port 1812 acct-port 1813

    Regards

    Najaf

    Please rate if applicable or helpful!

  • Lifecycle for Catalyst switches

    Hello

    I have a client who wants to know the life expectancy of the following switch product series:

    • C3750
    • C3750-E
    • C4500-E
    • C6500-E

    Specifically, they want to know if there are plans for the above to be phased out in the near future. If yes - what is the time frame for each? If no - how many more years can they expect the product to be viable? Similarly, are there plans to expand the product range for the C3750 and C3750-E series, given the 'limited' models available today?

    I couldn't find another forum / community to post this question. I hope that you can forward this to the appropriate BU to address the inquiry.

    Thanks in advance for your help.

    Keith

    Keith,

    Thank you for your question.  This community is for Cisco Small Business products, and your question is referring to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main That forum is monitored by subject matter experts on Cisco Elite/Classic products who may be able to answer your question.

    SB Support Community space ---> NetPro Forum

    -Voice and conferencing ---> UC and Video Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Unified_Communications_and_Video_discussion

    -Security and monitoring ---> Security Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Security_discussion

    -Wireless ---> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion

    -Storage ---> Data Center Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Data_Center_discussion

    -Routers ---> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion

    -Switches ---> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion

  • Cisco Catalyst 2960-S switch configured for 802.1x sends a query to access the Radius Server

    Setup

    Cisco Catalyst 2960-S running 15.0.2-SE8

    RADIUS server: FreeRADIUS under CentOS 6.4

    Client (supplicant) running Windows 7

    When the Windows client is connected to the switch port (port 12 in my setup) with 802.1x authentication enabled, Wireshark shows that the Catalyst sends an EAP request and the client responds with an EAP response. But the switch does not send the request to the RADIUS server. The RADIUS test utility 'test aaa group radius testuser password new-code' works.
    Here is my running config. Any advice would be greatly appreciated.
    mySwitch#show running-config
    Building configuration...

    Current configuration : 2094 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname myswitch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
    enable password password
    !
    !
    !
    aaa new-model
    !
    !
    aaa authentication dot1x group group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    !
    !
    !
    !
    !
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
    !
    interface Vlan1
     ip address 10.1.2.12 255.255.255.0
    !
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging host 10.1.2.1 transport tcp port 514
    radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
    !
    line con 0
    line vty 0 4
     password password
    line vty 5 15
     password password
    !
    end

    Have you run Wireshark on the server to look for the request from the switch? If so, did you make sure that there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually, it is a matter of things such as attributes and the vendor.

    Regarding the configuration, the AAA part seems a bit off. Try removing the line

    "aaa authentication dot1x group service radius" and using this instead:

    "aaa authentication dot1x default group radius". After the word dot1x you are supposed to provide the name of an authentication list, or the word default if you do not want to use a list.

  • No remote access after enabling RADIUS AAA

    Hello

    I can't access our Catalyst 4006 after enabling AAA for RADIUS. I have installed IAS on our domain controller, configured the Catalyst as a RADIUS client, and configured a remote access policy that points to an AD group to allow access to the switch. When I try to connect to the Catalyst with my AD user credentials, it seems to hang after I type my password, asks for the password again, then says access denied. This happens both on the console and through a telnet session. I have included my AAA configuration below.

    What am I missing?

    Tim

    (Cisco IOS software v12.2(25)EWA14)

    AAA new-model

    !

    RADIUS-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx

    radius-server source-ports 1645-1646

    !

    AAA Radius Server Group server RADIUS

    Server 10.100.x.x auth-port 1812 acct-port 1813

    !

    AAA authentication login default group local line Radius servers

    the AAA authentication enable default group, select Radius servers

    Authentication servers-Radius AAA dot1x default group

    Group AAA authorization exec default for authenticated if Radius servers

    Group AAA authorization network default Radius servers

    AAA dot1x default arrhythmic accounting Radius Servers group

    AAA accounting by default start-stop group Radius servers directly

    !

    line vty 0 4

    login authentication default

    Tim

    I think that the immediate problem is that the source address your switch uses is not the address that the RADIUS server is expecting. The RADIUS server is 10.100.182.250 and it is in the subnet of interface vlan 182, so the address of interface vlan 182 will be the source address of the RADIUS request. One fix is to use the ip radius source-interface command and specify the address that you want the switch to use. Of course, in the short term, it would be easier to change the RADIUS server to expect 10.100.182.2 as the client address.

    HTH

    Rick

  • No AAA authentication for switch

    I'm puzzled by my problem. I have one switch out of 9 that cannot authenticate with our TACACS server. The configurations are the same as on every other switch, but when I try to log in using the TACACS+ account, access is denied. This is the AAA/TACACS configuration on the switch.

    aaa new-model

    aaa authentication login default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ local

    radius-server host X.X.33.XX
    radius-server key 7 ?

    I deleted the AAA configuration and then reconfigured it, as well as the RADIUS server information, and still no TACACS authentication. I specified the interface TACACS should use, but same result. Any ideas?

    Thank you

    Robert

    Robert,

    Please make sure of the following:

    -The RADIUS server is reachable from the switch and port 49 is not blocked.

    -If it is a layer 3 switch, then make sure to configure ip tacacs source-interface XXXX (the interface IP set in the RADIUS server)

    -Check the secret key

    If the problem is still there then please get

    debug aaa authentication

    debug tacacs

    Kind regards

    ~ JG

  • RADIUS authorization does not work for Nortel switches with ACS 5.3

    Hello

    RADIUS authorization does not work on the Nortel switches. I configured the relevant access policies for the RADIUS attributes (screenshot attached).

    The command does not get executed due to the authorization failure:

    config cli password rwa

    I do not see a RADIUS authorization reports option; has anyone figured out how to set up these reports?

    I made a packet capture of the AAA packets from the Nortel switch and found that the accounting request contains the CLI command sent for authorization (pcap file attached).

    Kind regards

    Akhtar

    Akhtar,

    This isn't how RADIUS authorization works. The Access-Accept and the AV pairs that are sent in the response are the authorization for the user's session. This isn't like TACACS, where each command is permitted with a separate authentication request carrying the command that the client is running.

    When it comes to radius account management isn't too late in the process.

    Thank you

    Tarik admani

  • RADIUS authentication for the switch using ISE

    Hi guys,.

    Has anyone done RADIUS authentication for switch CLI login using ISE?

    We did it in our environment with ISE, but it is a challenge to give read-only / priv-1 access.

    If some users know the enable password, they can use it and gain full privilege.

    Any way to get around this other than to change the enable password?

    We have thousands of switches and don't want to change it on each of them.

    If you have another method please advise.

    Thank you in advance.

    Well, you can set the "enable" function to also be controlled via the AAA server with the following command:

    aaa authentication enable ... This way the AAA server will be checked for enable authentication, and the local database is used as a last resort.

    I hope this helps!

    Thank you for rating useful posts!
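
An added example, not part of any post above: a short Python check for the RADIUS port mistakes that come up in these threads (auth-port 182 instead of 1812 in the 3750-X thread, and the mixed auth-port 1812 / acct-port 1646 pair in the 2960-S config). The sample config is constructed from lines quoted in the threads, the function names and finding codes are hypothetical, and the check assumes the config keeps IOS indentation for sub-commands.

```python
import re
from collections import defaultdict

IANA = (1812, 1813)    # (auth, acct) ports assigned by IANA
LEGACY = (1645, 1646)  # (auth, acct) older pair, the IOS default when ports are omitted

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b(?P<rest>.*)$"
# Which command carries the server address depends on the enclosing block.
PATTERNS = {
    None: re.compile(r"radius-server host\s+" + IP, re.IGNORECASE),  # global form
    "group": re.compile(r"server\s+" + IP, re.IGNORECASE),    # aaa group server radius X
    "named": re.compile(r"address ipv4\s+" + IP, re.IGNORECASE),  # radius server NAME
}
PORT_RE = re.compile(r"\b(auth|acct)-port\s+(\d+)", re.IGNORECASE)


def parse_servers(config):
    """Return one dict per RADIUS server line: line number, ip, auth and acct port."""
    servers, block = [], None
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not raw.startswith((" ", "\t")):  # a top-level command opens or closes a block
            low = line.lower()
            if low.startswith("aaa group server radius "):
                block = "group"
            elif low.startswith("radius server "):
                block = "named"
            else:
                block = None  # includes "aaa group server tacacs+", whose servers are skipped
        m = PATTERNS[block].match(line)
        if not m:
            continue
        ports = {kind.lower(): int(num) for kind, num in PORT_RE.findall(m["rest"])}
        servers.append({
            "line": line_no,
            "ip": m["ip"],
            "auth": ports.get("auth", LEGACY[0]),
            "acct": ports.get("acct", LEGACY[1]),
        })
    return servers


def audit(config):
    """Return (line, ip, code) findings for suspicious RADIUS port settings."""
    findings, seen = [], defaultdict(set)
    for s in parse_servers(config):
        pair = (s["auth"], s["acct"])
        if s["auth"] not in (IANA[0], LEGACY[0]):
            findings.append((s["line"], s["ip"], "nonstandard-auth-port"))
        if s["acct"] not in (IANA[1], LEGACY[1]):
            findings.append((s["line"], s["ip"], "nonstandard-acct-port"))
        if pair in ((IANA[0], LEGACY[1]), (LEGACY[0], IANA[1])):
            # Valid only if the server really listens on one port from each pair.
            findings.append((s["line"], s["ip"], "mixed-port-pair"))
        if seen[s["ip"]] and pair not in seen[s["ip"]]:
            findings.append((s["line"], s["ip"], "conflicting-definition"))
        seen[s["ip"]].add(pair)
    return findings


# Constructed sample: lines adapted from the threads, plus a TACACS+ group and a
# conflicting second definition of 10.0.1.10 added for illustration.
SAMPLE = """\
aaa group server radius Group1
 server 10.10.220.130 auth-port 182 acct-port 1813
aaa group server tacacs+ T1
 server 10.10.220.131
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
radius server dc-01
 address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
radius-server host 10.0.1.10 auth-port 1812 acct-port 1813
"""

if __name__ == "__main__":
    for line_no, ip, code in audit(SAMPLE):
        print(f"line {line_no}: {ip}: {code}")
```

A mixed-port-pair finding is a prompt to compare against the ports the RADIUS server actually listens on, not proof of a fault.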
