Networking Forum powered by InfoSec Insitute

Folks-

I have a requirement to have Cisco logins authenticate against a RADIUS server, as per this site:
http://aaronwalrath.wordpress.com/2010/ ... r2-nps-for
-radius-authentication-for-cisco-router-logins/


My server lady did that side of the house, and then I carried on with the Cisco side, as per directions from a friend:

<necessarily anonymized for security>
ip radius source-interface <an IP interface name here>
aaa new-model
aaa group server radius <name of the group the server lady made>
server <IP of the RADIUS server> auth-port <port #> acct-port <port #>
radius-server key <PSK the server lady made during server build>
aaa authentication login default group <same name as in line 3, above> local

I do a "test aaa group <groupname> <username> <password> new-code" from the switch and it returns "rejected username". The account I am using is precisely the one that was configured on the RADIUS server.

Ideas?

look at the NPS logs, they are actually pretty good.

Wow. Funny your doing this because I actually just did this over the weekend. NPS logs are defiantly helpful for this.

Thanks Texan, I may have to pick your brain on this. Don't suppose you work in Beaumont, do you? It would be ironic to see one of our teams here.

EDIT: nope, that's 5.5 hours down the road.. don't imagine you'd commute that far

If this is server 2008 you can find the logs very easy by going to "Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services" and it will filter all of the NPS logs which makes it easy to find authentication attempts. Post the sanitized results.

We just cleared our DIACAP, so this is MUCH less pressing- but I will be getting back on it shortly.

I must say that is way better than the old IAS method in server 2003.