
RADIUS login authentication on Catalyst 4500

Jul 10, 2009 1:44 PM

Kenny Taylor 126 posts since
Mar 19, 2009

I am trying to set up login authentication using RADIUS on a Catalyst 4500 SUP V-10GE.  The RADIUS server is on a Windows 2008 box and works great with my spare 1841 router.  The switch is having issues, though, and I'm not entirely sure how to troubleshoot it.  When I do a logon attempt, the output of the "debug radius authentication" command shows the following:

 

14w6d: RADIUS:  Vendor, Cisco       [26]  25
14w6d: RADIUS:   Cisco AVpair       [1]   19  "Shell:priv-lvl=15"
14w6d: RADIUS: saved authorization data for user 1963D448 at 1964A340
14w6d: RADIUS: cisco AVPair "Shell:priv-lvl=15" not applied for shell
14w6d: RADIUS: no appropriate authorization type for user.

Communication from the RADIUS server to the switch seems ok, because it received my AV pair:  "Shell:priv-lvl=15".  But it appears that the switch is rejecting that AV pair.  My config contains:

 

aaa authentication login default group radius local

aaa authentication enable default group radius local

aaa authorization exec default group radius local

radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key supersecretbatmancode

 

Any suggestions on how I can troubleshoot that further?  Thanks!

  • Rickey 1,026 posts since
    Jul 3, 2008
    1. Jul 10, 2009 1:48 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    I could be wrong but I don't think you need the second authentication statement.  I have a radius configured on my network and I don't use that second authentication statement.  To me it would confuse the radius system.  I would think you could have one or the other.

  • Rickey 1,026 posts since
    Jul 3, 2008
    2. Jul 10, 2009 1:51 PM (in response to Rickey)
    Re: RADIUS login authentication on Catalyst 4500

    aaa authorization exec default group radius if-authenticated

     

    Might could be a command you could run as well.  A little modification you could do.

  • Conwyn 9,677 posts since
    Sep 10, 2008
    4. Jul 10, 2009 1:58 PM (in response to Rickey)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

     

    This is off my router. Try something similar for radius.

    I am assuming you have new-model.

     

    aaa new-model

    aaa authentication login default group tacacs+ local
    aaa authorization exec default none
    aaa authorization commands 15 default group tacacs+ if-authenticated

     

    Also run debug on the router and see if there are any differences.

     

    Regards Conwyn

  • Rickey 1,026 posts since
    Jul 3, 2008
    5. Jul 10, 2009 1:58 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    If you have another switch where it is working fine you could look at the config of that one.  You might have the wrong port or something like that if that authorization command I posted didn't help.

  • Conwyn 9,677 posts since
    Sep 10, 2008
    7. Jul 10, 2009 2:06 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

     

    Can you run debug on the 1841 to check the same radius pairs are being used?

     

    Regards Conwyn

  • Conwyn 9,677 posts since
    Sep 10, 2008
    9. Jul 10, 2009 3:03 PM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    Hi Kenny

     

    Have a look at the bottom of

     

    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

     

    Regards Conwyn

  • virendra 1 posts since
    Sep 20, 2014
    11. Sep 20, 2014 3:27 AM (in response to Kenny Taylor)
    Re: RADIUS login authentication on Catalyst 4500

    I also have a Cisco Switch 4500 in my environment ... facing the same issue.

    Not able to log in through radius.

    Kenny, can you please explain "Service-Type=Login"?

  • Artem 1 posts since
    Oct 4, 2011
    12. Jan 26, 2015 6:49 AM (in response to virendra)
    Re: RADIUS login authentication on Catalyst 4500

    Search in your RADIUS server for attribute number 6 and set it to the required value (1 - login, 6 - administrative). You may also need the "shell:priv-lvl=15" Cisco AV-Pair (depends on system).

     

    RADIUS exec authorization for old switches (works also with cisco 2611):

    http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13847-72.html#f

     

    Microsoft WS 2008 R2 standard attributes and their numbers:

    https://technet.microsoft.com/ru-ru/library/dd197472(v=ws.10).aspx

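Added example, not part of any post in this thread: a small Python parser for the attribute section of a RADIUS Access-Accept that reports whether the reply carries Service-Type (attribute 6, value 1 or 6) and a shell:priv-lvl Cisco AV-pair, the two items the last answer names. The function names are hypothetical, the packets are constructed (authenticator zeroed, no real capture), and the first one mirrors the debug output in the question: Vendor-Specific length 25, AV-pair length 19, no Service-Type.

```python
import struct

CISCO = 9                                   # IANA enterprise number for Cisco
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26       # RFC 2865 attribute types
WANTED = {1: "Login", 6: "Administrative"}  # values named in the thread

def attr(atype, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap text as a Cisco AV-pair (vendor sub-type 1) in Vendor-Specific."""
    sub = bytes([1, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + sub)

def build_accept(attrs):
    """Constructed Access-Accept (code 2, id 1); authenticator zeroed."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", 2, 1, 20 + len(body), b"\0" * 16) + body

def parse_reply(packet):
    """Return (service_type or None, list of Cisco AV-pair strings)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header length")
    service_type, avpairs, pos = None, [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == CISCO and value[4] == 1:
                avpairs.append(value[6:4 + value[5]].decode("ascii", "replace"))
        pos += packet[pos + 1]
    return service_type, avpairs

def review(packet):
    """List what the reply lacks for the exec login discussed in the thread."""
    service_type, avpairs = parse_reply(packet)
    findings = []
    if service_type not in WANTED:
        findings.append("Service-Type (attribute 6) is %r, expected 1 or 6" % service_type)
    if not any(p.lower().startswith("shell:priv-lvl=") for p in avpairs):
        findings.append("no shell:priv-lvl Cisco AV-pair")
    return findings

# Constructed replies: the first mirrors the debug output (AV-pair only).
AVPAIR_ONLY = build_accept([cisco_avpair("Shell:priv-lvl=15")])
WITH_LOGIN = build_accept([attr(SERVICE_TYPE, struct.pack("!I", 1)),
                           cisco_avpair("Shell:priv-lvl=15")])
```

Calling review(AVPAIR_ONLY) returns one finding about the missing Service-Type, while review(WITH_LOGIN) returns an empty list.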
