Need Help Cisco AAA to any RADIUS Software

DigiByte34

Programmer
Nov 18, 2019
7
US
Hello friends, I definitely hope my title doesn't sound 'lazy', but I've tried a lot of what I could to set up my Cisco RADIUS client to a RADIUS server and still no luck.

Here is a snapshot of my system. (This is a home lab for studying purposes and testing/setup)
-3 Cisco 3750 Catalyst PoE L3 Switches
-3 Cisco 2811 ISR Routers
-One laptop (Windows 8.1) with many VMs in VirtualBox that I am trying to use as the servers. This laptop has Windows 2012 R2 in VirtualBox set up with the network adapter as NAT. Host IP address 192.168.10.10, Guest IP Address 10.0.2.15. I have ensured that NAT port forwarding is set up in VirtualBox (port 1812 open on UDP and port 1813 open on UDP, as well as the legacy RADIUS ports 1645 and 1646 on UDP)
-Inside of the Windows Server 2012 R2 VM, I set up NPS per many tutorials and set up the Active Directory user groups for Cisco-Admins and Cisco-Users. Created 2 users: User1 as the Cisco Admin (shell:priv-lvl=15) and User2 as the Cisco User.

I am not sure if this won't work through the VM or if I am doing something else wrong? I installed Wireshark into WS2012 R2 and I do see the RADIUS request packets coming into the server from the SW1 switch when I try to SSH into it from PuTTY. The problem is the server in WS2012 R2 doesn't give any response or do anything. I would also like to try to set up FreeRADIUS but it is saying that I need to register the product and I cannot find any documentation anywhere on the internet on how to do that. Maybe if I try and test with another RADIUS server it may be successful and prove the WS2012 RADIUS config is incorrect?

I've tried the NTRadPING test utility in both the host and guest VM to see if I get any RADIUS server response and no luck. I uploaded some images below to show the configs.

Picture 1: How to register freeradius?
Picture 2: NTRadPING test
Picture 3: Wireshark packet capture
Wireshark Packet Capture attached (from inside the WS2012 VM)

Thank you for reviewing my post.

How_to_Register_oyp2eu.png

NTRadPing_jyep1x.png

RADIUS_Packet_Capture_m6gdxq.png
 
 https://files.engineering.com/getfile.aspx?folder=6a382e71-3e8a-47d1-a940-9b11e9899fe0&file=RADIUS_Troubleshoot.pcapng
Also, I have attached the debug output from the CISCO switch I am trying to use AAA on, as well as the running configuration from the SW1 that I am trying to use AAA with.

Cisco_Debug_Output_l2ctk4.png


SW1(config)#do show run
Building configuration...

Current configuration : 6048 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z4tC$UgVpp8eddA.a.VKeyZnzP1
!
username backup privilege 15 secret 5 $1$sRs7$X26w.YCo79pRJlDzW.bk60
username Admin privilege 15 secret 5 $1$zwez$lKrcKKpb.7FHvbn0K8dIT.
!
!
aaa new-model
!
!
aaa group server radius RAD_SERVERS
server-private 192.168.10.10 auth-port 1812 acct-port 1813 key 1234
!
aaa authentication login default group RAD_SERVERS local
aaa authorization console
aaa authorization exec default group RAD_SERVERS local if-authenticated
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip domain-name Engineering.com
ip host R3 1.1.7.1
ip host R2 1.1.6.1
ip host R1 1.1.5.1
ip host SW2 1.1.1.1
ip host SW3 1.1.3.1
!
!
!
!
crypto pki trustpoint TP-self-signed-3489245184
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3489245184
revocation-check none
rsakeypair TP-self-signed-3489245184
!
!
crypto pki certificate chain TP-self-signed-3489245184
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343839 32343531 3834301E 170D3933 30333031 30303031
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34383932
34353138 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CDF2 D32A0E49 24D04B2F 84BB5C0B 2C354688 3EBE551B 100C18A9 EA5F127F
01476630 56B519FA 41316704 025C8AD5 D1FF02A5 F5C1A543 DA7278DA 32769DC4
9CBE952E B983B7DF 01A68E9E 3D82F4E2 AABA1907 7C0A7E35 5DF5D6A3 E29924B2
DCB3217F AFF7D16A CA4BF093 B4187E36 28AA3403 6B80CBBB D964C50A 8F5A79B5
1E770203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13535731 2E456E67 696E6565 72696E67 2E636F6D 301F0603
551D2304 18301680 14F842C7 B0CEF5C3 0D666CB0 2DC56BCA 231A953C EF301D06
03551D0E 04160414 F842C7B0 CEF5C30D 666CB02D C56BCA23 1A953CEF 300D0609
2A864886 F70D0101 04050003 818100A5 F182A61D 3E91A0EF 994D4BEE C9C99393
C9CE5F9C 80E82960 D5B426B3 65640951 F8D91227 6683C9D3 178A2327 1058A64F
534DACD0 2DA060FB 95DCBA59 25A2990B 4DC1BDD6 9964A45B 1EE18337 F33527A9
07A83D5F 972BDA66 429211EF 0A638E11 DBA12DBB 814AC058 5F9812A5 FB933A24
58245D5B 033F3209 42C3138C C1E508
quit
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ftp username John
ip ftp password abcd
ip ssh version 2
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode dynamic desirable
!
interface FastEthernet1/0/14
switchport mode access
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 2 mode desirable
!
interface FastEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 2 mode desirable
!
interface FastEthernet1/0/47
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
!
router rip
version 2
network 0.0.0.0
no auto-summary
!
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging trap debugging
logging host 192.168.10.10 session-id hostname
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
exec-timeout 0 0
password 1234
logging synchronous
transport input ssh
line vty 5 15
transport input ssh
!
end

SW1(config)#
 
 https://files.engineering.com/getfile.aspx?folder=bca0e5ef-f012-4784-b68f-1d9f314120b8&file=Cisco_Debug_Output.PNG
Have you defined the Radius clients on the NPS server? You should also set the source interface on the switch to the loopback (ip radius source-interface loopback0).
 
Yes. On Windows Server. I added the Cisco switch as the client that I am trying to use to authenticate to the AAA server.

Cisco SW1 1.1.1.1

See the picture below.

RADIUS_Client_zausgr.png
 
Change this bit
Code:
aaa group server radius RAD_SERVERS
 server-private 192.168.10.10 auth-port 1812 acct-port 1813 key 1234
 ip radius source-interface Loopback0

Your wireshark capture shows the source IPv4 address as 10.0.2.2 which is obviously the closest interface to the server. Without forcing a source interface the IOS device will just use routing and then pick the closest interface.
 
I tried this too. I removed the bit of ip radius source-interface loopback1 under global config and moved it under the configuration mode of the RAD_SERVERS group. (Like how you've shown). Now I am not even showing any packets from RADIUS anymore in the VM guest.

Maybe I can try another FreeRADIUS software altogether and get the Microsoft NPS/NAS out of the equation since I am doing this for study purposes. Any recommendations for software that I can set up on a virtual server to practice with?
 
So wireshark on the Windows VM with the NPS service doesn't now show packets arriving? That's not right. I have a couple of ESXi 6.5 servers in my lab and a couple of Windows server VMs with the NPS role and it works perfectly for me. I don't know much about virtual-box but that might be where the issue is? This bit worries me
This laptop has Windows 2012 R2 in Virtualbox setup with the network adapter as NAT. Host IP address 192.168.10.10, Guest IP Address 10.0.2.15. I have ensured that NAT port forwarding is setup in Virtualbox (port 1812 open on UDP and port 1813 open on UDP, as well as the legacy RADIUS port 1645 and 1646 on UDP)
 
The packets were showing before in the vm with wireshark. The fact that this works for you is comforting to hear. I think shortly later tonight I will wipe the server back to a snapshot before and try to reconfigure again. (I will reinstall ADDS, NPS, and setup NAT).

I may also move the VM into VMWare Workstation that I have and try that. Although I think the problem is probably wrong somewhere in the server NPS config.

Will write back.
 
So I was able to get quite a few things figured out here.

A.) I changed the virtual NIC to bridged mode, and configured an IP address on the same subnet as the host - 192.168.10.0 /24 VLAN 10
B.) I set up a SNMP server in the virtual machine to test that. After opening up the ports on the firewall in the virtual server, I was able to log traps from SW1, such as creating a VLAN or shutting down an interface.
C.) I set up the DNS server on my virtual machine as well, and programmed all of my Cisco devices (3 switches and 3 routers) on the DNS server. I can ping them all by hostname, in my domain.
D.) Wireshark DOES work, simultaneously, in both machines (host and guest). The problem with not showing packets was due to me not hitting enter after clearing the protocol I was sniffing in the filter field.
E.) With that all said, I am moving on to continue setting up and testing the RADIUS config. Will get back on that one as I have proved that my bridged mode networking is properly working with both SNMP and DNS. I believe on the Windows Server side I need to carefully review the configuration work done.
 
Okay, I finally figured it out...

The RADIUS client somehow was not configured properly in the Network Policy Server. The IP address was set to the SW1 switch IP address for VLAN 10 (192.168.10.1/24) and not the loopback address of 1.1.1.1 (although somehow I think this happened after, because I remember setting this to 1.1.1.1) I am guessing the combination of

a.) the firewall ports needing to be open
b.) the NPS configuration with the proper client IP
c.) the VM adapter being set to bridged mode

..were the three changes necessary to get this up and going.
 