AAA authentication

  • Updated 4 days ago
Can't log in using AAA RADIUS to an ICX 7450-24. It displays the error when I enter credentials and press return/enter: access denied by radius server. What should I set on the RADIUS server to get the AAA authentication working, please?
WS


Posted 5 days ago

James S.

Do you have the vendor-specific information entered on the RADIUS server?

Check this out: http://docs.ruckuswireless.com/fastiron/08.0.80/fastiron-08080-securityguide/GUID-945A5436-ED61-497F...
WS

Yes, I've followed that topic to enter the vendor-specific attributes on the RADIUS server. But I don't know why it rejects the access request.

Do you have information about how to configure the NPS server (connection request access policy and network policy) on Windows 2019? Thanks
James S.

The NPS server should be as follows:
Create a policy for the IPv4 address pool (I have found that it works best to create 1 policy per subnet).
Create a policy for Windows accounts to have access (we create a network admin group and give vendor-specific attributes as follows):
Vendor code 1991, yes to permit attribute 1, decimal, 0.
Next vendor code 1991, yes, 2, whois* 1.
Next vendor code 1991, yes, 3, decimal, 0

check all encryption types.

Harder to explain, much easier to show....
try this video: https://www.youtube.com/watch?v=KAGEA7OnPvY
NETWizz

What RADIUS server do you have?  I only ask because the instructions to configure it are different.
WS

My RADIUS server is Windows 2019.
NETWizz

Yes, but mine is on an older server version... I looked at some screenshots, and they look the same, so I suspect this may work. Your Mileage May Vary.

Also, if you use this for other stuff, no promises the Network Policies won't potentially break other connection requests depending upon the processing order, etc.

I am looking at an old 2012 r2 box that was decommissioned that I had this working on...

Under NPS > Policies > Connection Request Profiles

I created a Policy called ICX Request
Policy State -> Policy Enabled CHECKED
Type of network access server -> Unspecified

Conditions TAB:  Client Vendor -> RADIUS Standard

Settings Tab:  Authentication Methods ->ALL unchecked
Authentication -> Authenticate requests on this server

Everything else is blank

***

Under NPS > Policies > Network Policies
I created one named "ICX Admin Level"

Policy State -> Policy Enabled CHECKED
Overview Tab:
Access Permission -> Grant access SELECTED
Type of network access server -> Unspecified
Conditions Tab:
Conditions: Windows Groups  Value: YOURDOMAIN\Network Admins (or whatever group you want)

Constraints Tab:
Authentication Methods:
EAP Types -> [Blank]
Less secure authentication methods:
Microsoft Encrypted Authentication Version 2 (MS-CHAP-v2) CHECKED
Microsoft Encrypted Authentication (MS-CHAP) CHECKED
Unencrypted authentication (PAP,SPAP) CHECKED

Settings Tab:
Standard-> Framed-Protocol PPP  (The attribute number is 7, and it is listed under commonly used for Dial-Up or VPN)
Standard->Framed (attribute is 6, and it is listed under commonly used for dial-up VPN)

Vendor Specific -> Vendor: Vendor Code 1991 Value: 0
On the Add/Edit button 
Enter Vendor Code SELECTED  1991
Yes, It conforms SELECTED then click Change Attribute button

This opens Configure VSA (RFC Compliant)
Vendor-assigned attribute number: 1
Attribute format: Decimal
Attribute value: 0

NPS Enforcement:
Allow full network access

Encryption:  ALL are checked

***

Create a NEW RADIUS client for your switches.  Technically you can even use a subnet if you wish, but for now just use an IP (or DNS)

I like to generate a key because they are nice and complex like Wtws5JjQMsf8tnd^fO6oR82zEVl#4MCJYB&[email protected]

At any rate, make sure the client is enabled and that it is set to RADIUS Standard on the other tab.

****

On the switch:

hostname yourhostname
username backup password yourpassword_if_RADIUS_Breaks

crypto key zeroize rsa
crypto key zeroize dsa
crypto key generate rsa mod 2048


crypto-ssl certificate generate

radius-server host 10.1.2.3
radius-server key Wtws5JjQMsf8tnd^fO6oR82zEVl#4MCJYB&[email protected]


aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode


enable aaa console

console timeout 30
ip dns domain-list yourdomain.tld
ip dns server-address 10.4.5.6 10.7.8.9
no telnet server

clock summer-time
clock timezone us Eastern
!
!
ntp
 server 10.1.2.3
!
!
exit
no web-management http
web-management https

ip access-list standard 99
permit host 10.10.11.12
!
ssh access-group 99
web access-group 99
!
!

ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc
!

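Added example, not code from this thread or from Ruckus: a small Python encoder/decoder for the RADIUS Access-Accept attributes that the NPS policies above (James S.'s VSA list and NETWizz's Settings tab) hand to the switch, i.e. Service-Type (6) = Framed, Framed-Protocol (7) = PPP and the RFC 2865 vendor-specific attribute with vendor code 1991, attribute 1, decimal 0. The shared secret, Request Authenticator, packet ID and all function names are constructed for the example; a reply that parses cleanly but lacks the vendor-1991 attribute is the case worth checking when the switch still denies access.

```python
import hashlib
import struct

SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26   # attribute numbers named in the thread
FOUNDRY_VENDOR_ID = 1991                                   # vendor code from the NPS policy above
SECRET = b"constructed-shared-secret"                      # constructed for the example, not a real key
REQUEST_AUTH = bytes(range(16))                            # constructed Request Authenticator

def attr(atype, value):  # standard attribute: Type(1) Length(1) Value, Length counts the header
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor, vtype, value):
    """RFC 2865 s.5.26: attribute 26 wrapping Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value)

def build_access_accept(ident, request_auth, secret, attrs):
    """Code 2 header; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attrs(packet):
    """Yield ('std', type, value) or ('vsa', vendor, vendor_type, value) for each attribute."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            yield ("std", atype, value)
            continue
        vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while len(sub) >= 2:                      # one VSA may carry several sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed VSA")
            yield ("vsa", vendor, vtype, sub[2:vlen])
            sub = sub[vlen:]

def foundry_privilege_level(packet):
    """Value of vendor-1991 attribute 1 (decimal 0 in the thread), or None when the Accept lacks it."""
    for a in parse_attrs(packet):
        if a[0] == "vsa" and a[1:3] == (FOUNDRY_VENDOR_ID, 1) and len(a[3]) == 4:
            return struct.unpack("!I", a[3])[0]
    return None

def policy_accept(ident=7):
    """Accept carrying what the NPS policy sends: Service-Type=Framed(2), Framed-Protocol=PPP(1), VSA 1991/1/0."""
    attrs = (attr(SERVICE_TYPE, struct.pack("!I", 2)) + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))
             + vsa(FOUNDRY_VENDOR_ID, 1, struct.pack("!I", 0)))
    return build_access_accept(ident, REQUEST_AUTH, SECRET, attrs)
```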
WS

Ok, I'm gonna try this, I will let you know. Thank you
WS

Hi, I have my Windows server configured exactly as it is shown in your post. Before, I could not get any error message from the server; now I have one: 'The connection request did not match any configured network policy.
Reason code 49.'
I've already reviewed the network policy in many ways, but the same error message appears.

WS

Hi guys, it's working now.
Thank you.