AAA authentication

whisler_soineus
New Contributor III
Can't login using AAA radius to a ICX 7450-24. It displays the error when enter credentials and press return/enter : access denied by radius server. What should I set on radius server to get the AAA authentication working please

whisler_soineus
New Contributor III
My radius server is windows 2019

netwizz
Contributor III
Yes, but mine is on an older server version... I looked at some screenshots, and they look the same, so I suspect this may work.  Your Mileage May Vary.

Also, if you use this for other stuff, no promises the Network Policies won't potentially break other connection requests depending upon the processing order, etc.

I am looking at an old 2012 r2 box that was decommissioned that I had this working on...

Under NPS > Policies > Connection Request Profiles

I created a Policy called ICX Request
Policy State -> Policy Enabled CHECKED
Type of network access server -> Unspecified

Conditions TAB:  Client Vendor -> RADIUS Standard

Settings Tab:  Authentication Methods ->ALL unchecked
Authentication -> Authenticate requests on this server

Everything else is blank

***

Under NPS > Policies > Network Policies
I created one named "ICX Admin Level"

Policy State -> Policy Enabled CHECKED
Overview Tab:
Access Permission -> Grant access SELECTED
Type of network access server -> Unspecified
Conditions Tab:
Conditions: Windows Groups  Value: YOURDOMAIN\Network Admins (or whatever group you want)

Constraints Tab:
Authentication Methods:
EAP Types -> [Blank]
Less secure authentication methods:
Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2) CHECKED
Microsoft Encrypted Authentication (MS-CHAP) CHECKED
Unencrypted authentication (PAP,SPAP) CHECKED

Settings Tab:
Standard-> Framed-Protocol PPP  (The attribute number is 7, and it is listed under commonly used for Dial-Up or VPN)
Standard->Framed (attribute is 6, and it is listed under commonly used for dial-up VPN)

Vendor Specific -> Vendor: Vendor Code 1991 Value: 0
On the Add/Edit button 
Enter Vendor Code SELECTED  1991
Yes, It conforms SELECTED then click Change Attribute button

This opens Configure VSA (RFC Compliant)
Vendor-assigned attribute number: 1
Attribute format: Decimal
Attribute value: 0

NPS Enforcement:
Allow full network access

Encryption:  ALL are checked

***

Create a NEW RADIUS client for your switches.  Technically you can even use a subnet if you wish, but for now just use an IP (or DNS)

I like to generate a key because they are nice and complex like Wtws5JjQMsf8tnd^fO6oR82zEVl#4MCJYB&kQsuKS2FFg!IO@OWu7CyevweUVvQe

At any rate, make sure the client is enabled and that it is set to RADIUS Standard on the other tab.

****

On the switch:

hostname yourhostname
username backup password yourpassword_if_RADIUS_Breaks

crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


crypto-ssl certificate generate

radius-server host 10.1.2.3
radius-server key Wtws5JjQMsf8tnd^fO6oR82zEVl#4MCJYB&kQsuKS2FFg!IO@OWu7CyevweUVvQe


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode


enable aaa console

console timeout 30
ip dns domain-list yourdomain.tld
ip dns server-address 10.4.5.6 10.7.8.9
no telnet server

clock summer-time
clock timezone us Eastern
!
!
ntp
 server 10.1.2.3
!
!
exit
no web-management http
web-management https

ip access-list standard 99
permit host 10.10.11.12
!
ssh access-group 99
web access-group 99
!
!

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
!
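The NPS policy above ends up as three attributes in the Access-Accept that NPS returns to the switch: Service-Type (6) = Framed (2), Framed-Protocol (7) = PPP (1), and a Vendor-Specific attribute (26) carrying enterprise number 1991 (the Foundry/Brocade number ICX switches use) with vendor attribute 1 set to 0, which is the ICX privilege-level attribute (0 = super-user). The script below is an added example, not code from the thread, from Ruckus or from Microsoft: it builds the PAP Access-Request the switch sends, builds the matching Access-Accept, and then does the switch-side check that the reply's identifier and Response Authenticator (RFC 2865 section 3) are valid before reading the privilege level out of the VSA. The shared secret, user name and NAS address (192.0.2.10) are constructed for the example; a reply built with a different secret fails the authenticator check, which is how a mismatch between `radius-server key` and the NPS RADIUS-client key shows up on the switch.

```python
import hashlib
import hmac
import os
import struct

# All values below are constructed for this example; none come from the thread.
SHARED_SECRET = b"example-nps-client-key"  # key on the NPS RADIUS client and in `radius-server key`
FOUNDRY_VENDOR_ID = 1991         # enterprise number in the Vendor Specific attribute of the policy
FOUNDRY_PRIVILEGE_LEVEL = 1      # vendor-assigned attribute number 1; value 0 = super-user on ICX

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 1, 2, 4, 6, 7, 26
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1   # the two "Standard" attributes in the network policy


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Encode an RFC-compliant Vendor-Specific attribute (RFC 2865 section 5.26) with one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _pap_xor(data, secret, authenticator, chain_on_output):
    """User-Password hiding (RFC 2865 section 5.2): 16-byte blocks XORed with MD5(secret + previous block).
    Hiding chains on the ciphertext it produced; revealing chains on the ciphertext it was given."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if chain_on_output else block
    return out


def pap_hide(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, chain_on_output=True)


def pap_reveal(hidden, secret, authenticator):
    return _pap_xor(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username, password, nas_ip, secret, ident=1, authenticator=None):
    """What the switch sends to NPS for a PAP ("Unencrypted authentication") login."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(request, secret, privilege_level=0):
    """What NPS returns when the 'ICX Admin Level' network policy matches."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    attrs = (avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + avp(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
             + vsa(FOUNDRY_VENDOR_ID, FOUNDRY_PRIVILEGE_LEVEL, struct.pack("!I", privilege_level)))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request[4:20], secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def parse_attributes(packet):
    """Return (type, value) pairs, rejecting bad lengths instead of reading past the packet."""
    pos, attrs = 20, []
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def check_response(response, request, secret):
    """Switch-side validation: identifier and Response Authenticator must check out before any
    attribute is trusted. Returns (accepted, privilege_level); level is None if the VSA is absent."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("response does not match request")
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    level = None
    for t, v in parse_attributes(response):
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == FOUNDRY_VENDOR_ID:
            sub_type, sub_len = v[4], v[5]
            if sub_type == FOUNDRY_PRIVILEGE_LEVEL:
                level = int.from_bytes(v[6:4 + sub_len], "big")
    return code == ACCESS_ACCEPT, level


if __name__ == "__main__":
    req = build_access_request("alice", "Secret#1", "192.0.2.10", SHARED_SECRET)
    acc = build_access_accept(req, SHARED_SECRET, privilege_level=0)
    print(check_response(acc, req, SHARED_SECRET))  # (True, 0)
```

Running it with the same constructed secret on both sides prints `(True, 0)`; swapping in a different secret for the Access-Accept raises the authenticator error. Real NPS also attaches other attributes to the reply, so a parser that only looks for the 1991/1 VSA and ignores the rest, as this one does, is the right shape for reading the privilege level.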

whisler_soineus
New Contributor III
Ok, I'm going to try this, I will let you know. Thank you

whisler_soineus
New Contributor III
Hi, I have my Windows server configured exactly as it is shown in your post. If before I could not get any error message from the server, now I have one: 'The connection request did not match any configured network policy.
reason code 49.'
I've already reviewed the network policy in many ways, but the same error message appears.

whisler_soineus
New Contributor III
Hi guys, it's working now.
Thank you.