From: Sławek on 31 Mar 2006 04:26
Hi. I've got a Cisco Catalyst 3550 SMI in my network environment. I set it to use RADIUS authorization in IAS on Windows 2003. This Cisco device and the IAS Server are in different VLANs (different subnets) but they can ping each other (routing between VLANs is working). IAS is configured properly but sometimes (not always) I cannot log in to this switch (the log from IAS is OK: the user I use was accepted by the rules configured on IAS) and after entering the password, after a while, I get the message: % Backup authentication and login is not possible (I try to log in from a host which is in the same VLAN as this switch). At the same time, when I try to log in from a host which is in the same VLAN as the IAS Server, everything goes OK. Does anybody know what can be wrong?? Regards Slawek
From: Merv on 31 Mar 2006 06:42
1. Post the IOS version in use and a sanitized switch config.
2. Capture the AAA debugging output for a successful authentication from the problem VLAN:
   debug radius
   debug aaa authentication
3. When the problem occurs, again capture using the same commands and compare to see if the auth packets are being sent to the IAS server and if the switch receives a response.
From: Merv on 31 Mar 2006 07:15
The idea is to capture the debug of the command now that it is working. So turn on the debugs, log in, turn off the debugs and post the debug output here. Also configure "logging buffer 10000 debug".
From: Sławek on 31 Mar 2006 07:50
> The idea is to capture the debug of the command now that it is working.
>
> So turn on the debugs, log in, turn off the debugs and post the
> debug output here

OK. Here is the log from a successful login:

..Mar 31 14:42:01: AAA/AUTHEN/CONT (2107571542): continue_login (user='(undef)')
..Mar 31 14:42:01: AAA/AUTHEN (2107571542): status = GETUSER
..Mar 31 14:42:01: AAA/AUTHEN (2107571542): Method=radius (radius)
..Mar 31 14:42:01: AAA/AUTHEN (2107571542): status = GETPASS
..Mar 31 14:42:04: AAA/AUTHEN/CONT (2107571542): continue_login (user='slabr')
..Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = GETPASS
..Mar 31 14:42:04: AAA/AUTHEN (2107571542): Method=radius (radius)
..Mar 31 14:42:04: RADIUS: ustruct sharecount=1
..Mar 31 14:42:04: RADIUS: Initial Transmit tty1 id 35 10.10.10.189:1812, Access-Request, len 74
..Mar 31 14:42:04: Attribute 4 6 0A0A06FA
..Mar 31 14:42:04: Attribute 5 6 00000001
..Mar 31 14:42:04: Attribute 61 6 00000005
..Mar 31 14:42:04: Attribute 1 7 736C6162
..Mar 31 14:42:04: Attribute 31 11 31302E31
..Mar 31 14:42:04: Attribute 2 18 A2FE0EB9
..Mar 31 14:42:04: RADIUS: Received from id 35 10.10.10.189:1812, Access-Accept, len 64
..Mar 31 14:42:04: Attribute 7 6 00000001
..Mar 31 14:42:04: Attribute 6 6 00000002
..Mar 31 14:42:04: Attribute 25 32 3BB004C5
..Mar 31 14:42:04: RADIUS: saved authorization data for user E1980C at 861D48
..Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = PASS

and here is when the login fails:

..Mar 31 14:41:11: RADIUS: Tried all servers.
..Mar 31 14:41:11: RADIUS: No response for id 33
..Mar 31 14:41:11: RADIUS: No response from server
..Mar 31 14:41:11: AAA/AUTHEN (3799657483): status = ERROR
..Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): port='tty1' list='' action=LOGIN service=LOGIN
..Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): Restart
..Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): no methods left to try
..Mar 31 14:41:11: AAA/AUTHEN (3707451166): status = ERROR
..Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): failed to authenticate
..Mar 31 14:41:13: AAA/MEMORY: free_user (0x861D48) user='slabr' ruser='' port='tty1' rem_addr='10.10.6.1' authen_type=ASCII service=LOGIN priv=1
..Mar 31 14:41:13: AAA: parse name=tty1 idb type=-1 tty=-1
..Mar 31 14:41:13: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
..Mar 31 14:41:13: AAA/MEMORY: create_user (0xE1980C) user='' ruser='' port='tty1' rem_addr='10.10.6.1' authen_type=ASCII service=LOGIN priv=1
..Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): port='tty1' list='efls' action=LOGIN service=LOGIN
..Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): found list efls
..Mar 31 14:41:13: AAA/AUTHEN/START (1941398153): Method=radius (radius)
..Mar 31 14:41:13: AAA/AUTHEN (1941398153): status = GETUSER
..Mar 31 14:41:16: AAA: parse name=tty2 idb type=-1 tty=-1
..Mar 31 14:41:16: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
..Mar 31 14:41:16: AAA/MEMORY: create_user (0xE1A220) user='' ruser='' port='tty2' rem_addr='10.10.10.186' authen_type=ASCII service=LOGIN priv=1
..Mar 31 14:41:16: AAA/AUTHEN/START (47063112): port='tty2' list='efls' action=LOGIN service=LOGIN
..Mar 31 14:41:16: AAA/AUTHEN/START (47063112): found list efls
..Mar 31 14:41:16: AAA/AUTHEN/START (47063112): Method=radius (radius)
..Mar 31 14:41:16: AAA/AUTHEN (47063112): status = GETUSER
..Mar 31 14:41:17: AAA/AUTHEN/CONT (47063112): continue_login (user='(undef)')
..Mar 31 14:41:17: AAA/AUTHEN (47063112): status = GETUSER
..Mar 31 14:41:17: AAA/AUTHEN (47063112): Method=radius (radius)
..Mar 31 14:41:17: AAA/AUTHEN (47063112): status = GETPASS
..Mar 31 14:41:20: AAA/AUTHEN/CONT (47063112): continue_login (user='slabr')
..Mar 31 14:41:20: AAA/AUTHEN (47063112): status = GETPASS
..Mar 31 14:41:20: AAA/AUTHEN (47063112): Method=radius (radius)

I don't know if that is all of it, because I increased the logging buffer after the successful login. But one more thing. I've noticed that when I first tried to log in from my host (the same VLAN as the switch) the login failed, then a login from a host in the same VLAN as the IAS Server succeeded, and after that I can log in from my host.
From: Merv on 31 Mar 2006 09:37
The authentication failed because the switch did not get a response. Put a sniffer (Ethereal) between the switch and the IAS server to confirm that this is the case. You should see a packet go out to the IAS server and then see no reply packet. If that is the case then the problem is on the IAS server. RADIUS uses UDP port 1812 by default (or the port configured in the IOS config). Does the IAS server have a default gateway configured?
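An added example, not part of the thread: a small Python script that does the comparison Merv asks for in his first and last replies, pairing each RADIUS request id in `debug radius` output with its reply so that requests the switch never got an answer to, and AAA sessions that ran out of methods, stand out. The sample log lines are constructed to resemble the output posted above, not copied from it.

```python
import re

# Constructed sample modelled on the 'debug radius' / 'debug aaa authentication'
# output posted in the thread (not a verbatim copy). Request id 33 gets no reply,
# request id 35 is accepted.
SAMPLE_LOG = """\
Mar 31 14:41:05: RADIUS: Initial Transmit tty1 id 33 10.10.10.189:1812, Access-Request, len 74
Mar 31 14:41:11: RADIUS: Tried all servers.
Mar 31 14:41:11: RADIUS: No response for id 33
Mar 31 14:41:11: RADIUS: No response from server
Mar 31 14:41:11: AAA/AUTHEN (3799657483): status = ERROR
Mar 31 14:41:11: AAA/AUTHEN/START (3707451166): no methods left to try
Mar 31 14:41:11: AAA/AUTHEN (3707451166): status = ERROR
Mar 31 14:42:04: RADIUS: Initial Transmit tty1 id 35 10.10.10.189:1812, Access-Request, len 74
Mar 31 14:42:04: RADIUS: Received from id 35 10.10.10.189:1812, Access-Accept, len 64
Mar 31 14:42:04: AAA/AUTHEN (2107571542): status = PASS
"""

TRANSMIT = re.compile(r"RADIUS: Initial Transmit \S+ id (\d+) (\S+), Access-Request")
RECEIVED = re.compile(r"RADIUS: Received from id (\d+) \S+, (Access-\w+)")
NO_RESPONSE = re.compile(r"RADIUS: No response for id (\d+)")
NO_METHODS = re.compile(r"AAA/AUTHEN/START \((\d+)\): no methods left to try")

def analyse(log: str) -> dict:
    """Pair every RADIUS request id with its reply (or the lack of one).
    Also collects AAA session ids that ran out of methods, i.e. sessions where
    the method list had no fallback (such as 'local') after RADIUS timed out."""
    outcomes, servers, dead_ends = {}, {}, []
    for line in log.splitlines():
        if m := TRANSMIT.search(line):
            rid = int(m.group(1))
            outcomes[rid] = "pending"
            servers[rid] = m.group(2)                  # server:port the request went to
        elif m := RECEIVED.search(line):
            outcomes[int(m.group(1))] = m.group(2)     # Access-Accept / Access-Reject
        elif m := NO_RESPONSE.search(line):
            outcomes[int(m.group(1))] = "no response"
        elif m := NO_METHODS.search(line):
            dead_ends.append(int(m.group(1)))
    unanswered = sorted(rid for rid, o in outcomes.items() if o == "no response")
    return {"outcomes": outcomes, "servers": servers,
            "unanswered": unanswered, "dead_ends": dead_ends}

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for rid in sorted(result["outcomes"]):
        print(f"id {rid} -> {result['servers'].get(rid, '?')}: {result['outcomes'][rid]}")
    print("AAA sessions with no fallback method:", result["dead_ends"])
```

Run it over a real `show logging` capture instead of SAMPLE_LOG; an id that stays "no response" while the sniffer shows the Access-Request leaving the switch points at the path back from the IAS server, which is exactly the default-gateway question above.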