Looking for some help with configuring RADIUS login capability. I'm pretty new to these switches and still new to the CLI. I already have an NPS created and set up with a Connection Request Policy, Network Policy, and the switch as a RADIUS client. I also have the Cisco-AV-Pair shell:priv-lvl=15 attribute configured. All help is greatly appreciated.
Apologies for taking so long to reply, I finally had the time to give this a shot. I did exactly as @UBNT-benpin pointed with no luck. Here are the exact commands I used:
login via ssh
enable then password
radius server host auth 192.168.24.28 name nps port 1812
radius server key auth 192.168.24.28
(enter PSK twice)
radius server primary 192.168.24.28
ip http authentication local radius
ip https authentication local radius
copy system:running-config nvram:startup-config
After that I checked the legacy GUI and under System > AAA > Authentication List it shows httplist and httpslist as local,radius under method options. Under list type it shows default. I have checked the NPS server event logs and they show no events coming from the switch. I have my router pointed to the same NPS and can see logs for that. I'm sure that the switch is added as a RADIUS client in the NPS, and the appropriate Connection Request and Network Policies are correct. I would be more than happy to post pics of the policy configs if anyone wants. Also I would like to be able to ENABLE and SSH into the switch with the same process if possible. I have also made sure that the port and protocol are open on the NPS server firewall. Any help is greatly appreciated.
@UBNT-benpin thanks for the reply and the help. Attached is the sanitized config. It appears to me going through it that the commands took. Before deleting I verified that the PSK in the config was the same as on the NPS. Maybe it could be something on the NPS side. Do you know of any post or articles that could possibly help me find the misconfiguration if not in the switch? Also what configuration needs to happen to make the user account have enable rights?
Thanks again for all the help.
Thanks again for the configuration file.
You don't seem to have added AAA authentication and authorization to the device. This is necessary to specify the login method that will be used by default (local login is set by default on all lines). There are some example configs in the thread I linked earlier.
You can either use the default list name (which applies AAA login to all lines) or use your own custom list name and then decide where it needs to be applied. An example of a custom list name (aaa-list) is:
aaa authentication login aaa-list local radius
aaa authorization exec aaa-list local radius
aaa accounting exec aaa-list start-stop radius
line ssh
  accounting exec aaa-list
  login authentication aaa-list
  authorization exec aaa-list
  exit
line telnet
  accounting exec aaa-list
  login authentication aaa-list
  authorization exec aaa-list
  exit
ip http accounting exec aaa-list
ip http authentication local radius
ip https accounting exec aaa-list
ip https authentication local radius
If you also want to use RADIUS accounting, you will need to add:
radius accounting mode
radius server host acct 192.168.24.28 name nps port 1813
radius server key acct 192.168.24.28
If you want authenticated users to end up in privileged (#) mode instead of user (>) mode, also add the Cisco-AV-Pair attribute.
There is an example image in the post here.
Note that RADIUS and TACACS+ authentication currently only work with the lines (Telnet / SSH / Console) and the legacy Web UI.
Ben Pin - EdgeMAX Support
Thank you so much @UBNT-benpin for all the help. I was able to get it working. I can log into the GUI with RADIUS and SSH with RADIUS right to enable mode. However if I exit to user mode I'm not able to enable again. This is not a huge deal though. Added another backup just in case there is something that I'm missing.
Glad that you were able to get it working!
The enable password is a separate authentication method. Looking at the NPS server, you will see a similar log message:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
  Security ID: NULL SID
  Account Name: $enab15$
  Account Domain: WIN2016
  Fully Qualified Account Name: WIN2016\$enab15$
This means that you will need to create a separate user account named $enab15$ and associate it with a password. Another option is to set a local enable password on the switch itself:
(EdgeSwitch) #enable password ?
<cr>         Press enter to execute the command.
<password>   Specify the password.
In your config, the enable password is checked first. If it does not exist, the request will be forwarded to the RADIUS server.
Ben Pin - EdgeMAX Support
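Worked example added by the editor, not from this thread, the switch firmware or NPS: a small RFC 2865 RADIUS model in Python (standard library only) that shows what the switch-to-NPS exchange above actually carries on the wire. It covers the two points the replies make: the Cisco-AV-Pair shell:priv-lvl=15 is returned inside a Vendor-Specific attribute (vendor 9, vendor type 1) on the Access-Accept, and an enable prompt is just another Access-Request whose User-Name is $enab15$. The NPS side (simulate_nps), the account table and the shared secrets are constructed stand-ins; the packet encoding, the User-Password hiding and the Response Authenticator check follow the RFC. It also shows why a mismatched PSK looks like silence: the switch discards a reply whose Response Authenticator does not verify.

```python
"""RFC 2865 RADIUS model: switch <-> NPS exchange with Cisco-AV-Pair priv-lvl (editor's example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA = 1, 2, 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1     # vendor type of Cisco-AV-Pair inside the VSA


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret the client used."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AV-Pair string."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(text)) + text
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(username: str, password: str, secret: bytes, ident: int) -> bytes:
    req_auth = os.urandom(16)  # Request Authenticator: fresh random per request
    body = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet: bytes) -> list:
    pos, attrs = 20, []
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def priv_level(packet: bytes):
    """Return the shell:priv-lvl value from a Cisco-AV-Pair VSA, or None if absent."""
    for atype, value in parse_attrs(packet):
        if atype != ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2:
                break
            text = value[pos + 2:pos + vlen].decode(errors="replace")
            if vtype == CISCO_AV_PAIR and text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
            pos += vlen
    return None


def simulate_nps(request: bytes, nps_secret: bytes, accounts: dict) -> bytes:
    """Constructed stand-in for NPS: check the password, grant priv 15 or reject."""
    attrs = dict(parse_attrs(request))
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], nps_secret, request[4:20])
    if accounts.get(user) == password:
        return build_response(ACCESS_ACCEPT, request, nps_secret, [cisco_avpair(b"shell:priv-lvl=15")])
    return build_response(ACCESS_REJECT, request, nps_secret, [])


def switch_login(username: str, password: str, switch_secret: bytes,
                 nps_secret: bytes, accounts: dict) -> str:
    """One switch-side authentication attempt; 'enable' uses the user name $enab15$."""
    request = build_access_request(username, password, switch_secret, ident=7)
    response = simulate_nps(request, nps_secret, accounts)
    if not verify_response(response, request, switch_secret):
        return "ignored: Response Authenticator mismatch (shared secret differs)"
    if response[0] == ACCESS_ACCEPT:
        return f"accept priv-lvl={priv_level(response)}"
    return "reject"


if __name__ == "__main__":
    db = {"alice": b"s3cret", "$enab15$": b"enable-pw"}  # constructed accounts
    print(switch_login("alice", "s3cret", b"psk", b"psk", db))
    print(switch_login("$enab15$", "enable-pw", b"psk", b"psk", db))
    print(switch_login("alice", "s3cret", b"psk", b"other", db))
```

The third call models the PSK mismatch case: the stand-in NPS decodes an unusable password, answers Access-Reject signed with its own secret, and the switch discards that reply because the Response Authenticator does not verify with the switch's secret. On a real switch that surfaces as a timeout and fallback to the next method in the list, which is why checking the shared secret on both ends is the first thing to do when the server logs stay empty.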