topic Re: Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login in ICX Switches

Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

james_schena — Wed, 24 Jul 2019 19:07:31 GMT

Looking for the SME out there that has the information regarding implementing Windows NPS as a small to medium scale version of RADIUS authentication. I have found snips here and there of pieces of the puzzle but they don't seem to be coming together correctly to properly authenticate. This is what I have so far:

-NPS Service is started and registered with AD

-RADIUS client is added with "friendly Name" and IP

-Switch has the following aaa commands:

aaa authentication enable default radius enable
aaa authentication login default radius local
aaa authentication login privilege-mode
aaa authorization exec default radius
aaa accounting commands 0 default start-stop radius

radius-server x.x.x.x

radius-server key test

I have tried several Network policies and configurations that I found online, but nothing seems to be the key to the castle.

I am currently getting access denied statements from the switch and NPS logs are saying an unauthorized IP is attempting to access the NPS with code 13 listed.

Any assistance is appreciated.

Re: Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

netwizz — Wed, 24 Jul 2019 19:27:19 GMT

Mine looks something like this:

aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode

radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $TF53PjpTMzl0XnwxIUtQMGldd3d3azB0dK3aWjlPMl1LfGd1a1M+IzosNlZoeCFZY0NMaDpVcSxMKG4/clBLXg==

It is working.

Have you authorized the IP in NPS? Have you debugged Radius? Are you certain which IP the switch is using to communicate to NPS as its source?

Re: Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

james_schena — Wed, 24 Jul 2019 20:08:30 GMT

I built the switch as a RADIUS client in NPS, so when you say authorized the IP in NPS I'm not 100% certain what else there is to do in that aspect??

When I check to logs it says the ssh is rejected when I try RADIUS, but it will still fail over to local credentials. I can reach the switch via ssh on the same IP.

Did you need to build any NPS policies of any kind?

Re: Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

andr_boucher_5j — Thu, 25 Jul 2019 12:26:10 GMT

Like Netwizz said, Are you certain which IP the switch is using to communicate to NPS as its source?

you should see the same client ip in the event log of nps and in the client you defined...

you could force it with "ip radius source-interface" if its not the ip you expected.

Re: Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

james_schena — Thu, 25 Jul 2019 12:32:48 GMT

I have verified the IP's on both ends and the logs in NPS confirmed the IP of the client is correct, but it says it is invalid IP.