Layer 2/3 switching: Trouble Implementing RADIUS via Windows NPS to authenticate login

  • 1
  • Question
  • Updated 11 months ago
  • (Edited)

Looking for the SME out there that has the information regarding implementing Windows NPS as a small to medium scale version of RADIUS authentication. I have found snips here and there of pieces of the puzzle but they don't seem to be coming together correctly to properly authenticate. This is what I have so far:


-NPS Service is started and registered with AD

-RADIUS client is added with "friendly Name" and IP

-Switch has the following aaa commands:

aaa authentication enable default radius enable
aaa authentication login default radius local
aaa authentication login privilege-mode
aaa authorization exec default radius
aaa accounting commands 0 default start-stop radius

radius-server x.x.x.x

radius-server key test


I have tried several Network policies and configurations that I found online, but nothing seems to be the key to the castle.


I am currently getting access denied statements from the switch and NPS logs are saying an unauthorized IP  is attempting to access the NPS with code 13 listed.


Any assistance is appreciated.

Photo of James S.

James S.

  • 6 Posts
  • 0 Reply Likes

Posted 12 months ago

  • 1
Photo of NETWizz

NETWizz

  • 213 Posts
  • 66 Reply Likes
Mine looks something like this:

aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode


radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $TF53PjpTMzl0XnwxIUtQMGldd3d3azB0dK3aWjlPMl1LfGd1a1M+IzosNlZoeCFZY0NMaDpVcSxMKG4/clBLXg==


It is working.

Have you authorized the IP in NPS?  Have you debugged Radius?  Are you certain which IP the switch is using to communicate to NPS as its source?

Photo of James S.

James S.

  • 6 Posts
  • 0 Reply Likes
I built the switch as a RADIUS client in NPS, so when you say authorized the IP in NPS I'm not 100% certain what else there is to do in that aspect??

When I check to logs it says the ssh is rejected when I try RADIUS, but it will still fail over to local credentials. I can reach the switch via ssh on the same IP. 

Did you need to build any NPS policies of any kind?
Photo of André Boucher

André Boucher

  • 4 Posts
  • 0 Reply Likes
Like Netwizz said, Are you certain which IP the switch is using to communicate to NPS as its source?

you should see the same client ip in the event log of nps and in the client you defined...

you could force it with "ip radius source-interface" if its not the ip you expected.
Photo of James S.

James S.

  • 6 Posts
  • 0 Reply Likes
I have verified the IP's on both ends and the logs in NPS confirmed the IP of the client is correct, but it says it is invalid IP.