This Question is Answered 1 Correct Answer available (4 pts) 1 Helpful Answer available (2 pts)
7564 Views 10 Replies Latest reply: Jul 13, 2009 9:32 AM by Kenny Taylor

RADIUS login authentication on Catalyst 4500

Jul 10, 2009 1:44 PM

Kenny Taylor 126 posts since
Mar 19, 2009

I am trying to set up login authentication using RADIUS on a Catalyst 4500 SUP V-10GE.  The RADIUS server is on a Windows 2008 box and works great with my spare 1841 router.  The switch is having issues, though, and I'm not entirely sure how to troubleshoot it.  When I do a logon attempt, the output of the "debug radius authentication" command shows the following:

 

14w6d: RADIUS:  Vendor, Cisco       [26]  25
14w6d: RADIUS:   Cisco AVpair       [1]   19  "Shell:priv-lvl=15"
14w6d: RADIUS: saved authorization data for user 1963D448 at 1964A340
14w6d: RADIUS: cisco AVPair "Shell:priv-lvl=15" not applied for shell
14w6d: RADIUS: no appropriate authorization type for user.

Communication from the RADIUS server to the switch seems ok, because it received my AV pair:  "Shell:priv-lvl=15".  But it appears that the switch is rejecting that AV pair.  My config contains:

aaa authentication login default group radius local
aaa authentication enable default group radius local
aaa authorization exec default group radius local
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key supersecretbatmancode

 

Any suggestions on how I can troubleshoot that further?  Thanks!
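An added example, not part of the original thread: the debug lines in the question show a Vendor-Specific attribute (`[26]`, length 25) wrapping a Cisco AVpair sub-attribute (`[1]`, length 19), and this sketch encodes and decodes that layout per RFC 2865 so the two lengths can be checked against the string the server sent. It assumes one sub-attribute per attribute, as in the debug output; the function names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor sub-type "cisco-avpair"

def encode_cisco_avpair(avpair):
    """Build one Vendor-Specific attribute carrying a single cisco-avpair."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    total = 6 + len(sub)              # type + length + 4-byte vendor id
    if total > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID) + sub

def decode_cisco_avpair(attr):
    """Decode the attribute, rejecting truncated or inconsistent lengths."""
    if len(attr) < 8:
        raise ValueError("too short for a vendor-specific attribute")
    atype, alen, vendor = struct.unpack("!BBI", attr[:6])
    sub_type, sub_len = attr[6], attr[7]
    if atype != VENDOR_SPECIFIC or vendor != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco vendor-specific attribute")
    if alen != len(attr) or sub_len != alen - 6:
        raise ValueError("length fields do not match the bytes received")
    if sub_type != CISCO_AVPAIR:
        raise ValueError("not a cisco-avpair sub-attribute")
    text = attr[8:].decode("ascii")
    # cisco-avpair strings have the form protocol:attribute=value
    protocol, _, rest = text.partition(":")
    name, _, value = rest.partition("=")
    return {"length": alen, "sub_length": sub_len, "avpair": text,
            "protocol": protocol, "attribute": name, "value": value}

# Constructed sample: the string is the one shown in the debug output above.
SAMPLE = encode_cisco_avpair("Shell:priv-lvl=15")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(decode_cisco_avpair(SAMPLE))
```

The decoded lengths (25 and 19) match the values printed in the debug lines, which confirms the attribute arrived intact and that the rejection happens when the switch interprets the string, not in transport.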

  • Rickey 1,062 posts since
    Jul 3, 2008
    1. Jul 10, 2009 1:48 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    I could be wrong but I don't think you need the second authentication statement.  I have a radius configured on my network and I don't use that second authentication statement.  To me it would confuse the radius system.  I would think you could have one or the other.

  • Rickey 1,062 posts since
    Jul 3, 2008
    2. Jul 10, 2009 1:51 PM (in response to Rickey)
    Re: RADIUS login authentication on Catalyst 4500

    aaa authorization exec default group radius if-authenticated

    Might be a command you could run as well.  A little modification you could do.

  • Conwyn 7,914 posts since
    Sep 10, 2008
    4. Jul 10, 2009 1:58 PM (in response to Rickey)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

    This is off my router; try something similar for RADIUS.

    I am assuming you have new-model.

    aaa new-model

    aaa authentication login default group tacacs+ local
    aaa authorization exec default none
    aaa authorization commands 15 default group tacacs+ if-authenticated

    Also run debug on the router and see if there are any differences.

    Regards Conwyn

  • Rickey 1,062 posts since
    Jul 3, 2008
    5. Jul 10, 2009 1:58 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    If you have another switch where it is working fine you could look at the config of that one.  You might have the wrong port or something like that if that authorization command I posted didn't help.

  • Conwyn 7,914 posts since
    Sep 10, 2008
    7. Jul 10, 2009 2:06 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

    Can you run debug on the 1841 to check the same RADIUS pairs are being used?

    Regards Conwyn

  • Conwyn 7,914 posts since
    Sep 10, 2008
    9. Jul 10, 2009 3:03 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

    Have a look at the bottom of

    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

    Regards Conwyn
