RE: Authenticating users on cisco 3750 switch



The radius server only has one interface and we do see the reply being
sent by the server to the switch.  An ip has been set to VLAN 1 and the
radius server is part of that vlan.  Switch ip is 10.9.19.5 and server
ip is 10.9.19.16, netmask is /24.

JF

-----Original Message-----
From: freeradius-users-bounces+jean-francois.fortin=oz.com@lists.freeradius.org
[mailto:freeradius-users-bounces+jean-francois.fortin=oz.com@lists.freeradius.org]
On Behalf Of Peter Nixon
Sent: Tuesday, September 19, 2006 2:17 PM
To: FreeRadius users mailing list
Subject: Re: Authenticating users on cisco 3750 switch

Do you have multiple interfaces in your radius server? Maybe you are
replying from a different IP..

-Peter

On Tue 19 Sep 2006 16:22, Jean-Francois Fortin wrote:
> We did what is mentioned in the doc but still doesn't work.  It is like
> if the answer from the radius doesn't reach back the switch.  But the
> switch and the Radius server are on the same network.
>
> From radius server:
>
> ...
> modcall: group authorize returns ok for request 3
> auth: type Local
> auth: user supplied User-Password matches local User-Password
> Sending Access-Accept of id 148 to 10.9.19.5:21645
>         Service-Type = NAS-Prompt-User
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.9.19.5:21645, id=148, length=62
> Sending duplicate reply to client tmiciscosw.tmi-ppe.oz.com:21645 - ID: 148
> Re-sending Access-Accept of id 148 to 10.9.19.5:21645
>
> On the Switch:
>
> 013717: Sep 19 13:19:24: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.9.19.16:1812,1.
> 013718: Sep 19 13:19:24: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.9.19.16:1812,.
> % Username:  timeout expired!
> % Authentication failed.
>
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+jean-francois.fortin=oz.com@lists.freeradius.org
> [mailto:freeradius-users-bounces+jean-francois.fortin=oz.com@lists.freeradius.org]
> On Behalf Of Peter Nixon
> Sent: Tuesday, September 19, 2006 4:29 AM
> To: FreeRadius users mailing list
> Subject: Re: Authenticating users on cisco 3750 switch
>
> On Mon 18 Sep 2006 23:38, Jean-Francois Fortin wrote:
> > Hi,
> >
> > We are trying to use freeradius as authentication system to
> > allow users to connect to our cisco switch (3750) for management.  The
> > radius server is running ok, we can authenticate Cisco ASA, BigIP LB
> > against it.  But when trying with the 3750, we see that the radius
> > server accepts the user and returns an answer to the switch, but it
> > doesn't work.  Does anyone have a sample config using freeradius with
> > cisco switch?
>
> http://wiki.freeradius.org/index.php/Cisco

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
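
Added example (not part of the original thread and not FreeRADIUS code): a Python script that reads debug output in the format quoted above and lists replies that the NAS asked for again after the server had already answered, which is the pattern shown for id 148. The function name and the second client 10.9.19.7 in the sample are constructed for illustration.

```python
import re

SENT = re.compile(r"^Sending (Access-\w+) of id (\d+) to ([\d.]+):(\d+)")
RECV = re.compile(r"^rad_recv: Access-Request packet from host ([\d.]+):(\d+), id=(\d+)")
RESENT = re.compile(r"^Re-sending (Access-\w+) of id (\d+) to ([\d.]+):(\d+)")


def unacknowledged_replies(lines):
    """Map (nas_ip, nas_port, radius_id) to counts for replies the NAS
    requested again after the server had already sent an answer."""
    answered = {}  # key -> reply code already sent for that request
    report = {}
    for raw in lines:
        line = raw.lstrip("> ").strip()  # tolerate e-mail quote prefixes
        if m := SENT.match(line):
            code, rid, ip, port = m.groups()
            answered[(ip, int(port), int(rid))] = code
        elif m := RECV.match(line):
            ip, port, rid = m.groups()
            key = (ip, int(port), int(rid))
            if key in answered:  # same source and id seen after a reply
                entry = report.setdefault(
                    key, {"reply": answered[key], "retransmits": 0, "resent": 0})
                entry["retransmits"] += 1
        elif m := RESENT.match(line):
            _, rid, ip, port = m.groups()
            key = (ip, int(port), int(rid))
            if key in report:  # server confirms it treated it as a duplicate
                report[key]["resent"] += 1
    return report


# First six lines are from the thread; the 10.9.19.7 exchange is constructed
# to show a request that is answered once and never retransmitted.
SAMPLE = """\
Sending Access-Accept of id 148 to 10.9.19.5:21645
        Service-Type = NAS-Prompt-User
Finished request 3
rad_recv: Access-Request packet from host 10.9.19.5:21645, id=148, length=62
Sending duplicate reply to client tmiciscosw.tmi-ppe.oz.com:21645 - ID: 148
Re-sending Access-Accept of id 148 to 10.9.19.5:21645
rad_recv: Access-Request packet from host 10.9.19.7:1645, id=12, length=62
Sending Access-Accept of id 12 to 10.9.19.7:1645
""".splitlines()

if __name__ == "__main__":
    for (ip, port, rid), info in unacknowledged_replies(SAMPLE).items():
        print(f"{ip}:{port} id={rid} {info['reply']}: "
              f"{info['retransmits']} retransmit(s), {info['resent']} re-send(s)")
```

A non-empty result means the server answered but the NAS sent the same request again, so the reply was lost on the way back or not accepted by the NAS.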




