I was troubleshooting AAA authentication using RADIUS going to a Windows NPS server. We kept seeing the session authenticate properly but get kicked out just seconds after a successful authentication. I searched all over the internet looking for any ideas as to what was happening, but I did not find any solutions. Since I found the problem, I am writing this blog in hopes of helping someone else out with the same mistake.
It is key to note that I had another network engineer troubleshooting with me, and we both had two sessions open to the core switch we were troubleshooting. We used one SSH session to run debug on and watch the logs (terminal monitor) and the other to make configuration changes on. Then, on a third PuTTY session, we would try to authenticate into the switch.
Here is a copy of our Cisco switch RADIUS configuration:
radius server NPS_RADIUS
 address ipv4 192.168.4.8 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 2
 key 0 NotTheRealKey
!
aaa new-model
aaa group server radius NPS_RADIUS
aaa authentication login default group NPS_RADIUS local
aaa authorization exec default group NPS_RADIUS local if-authenticated
What was confusing was that in the debug I would see proper authentication (accept-allow), but the session would still drop immediately. After we had given up and restored the configuration to what it was before, we still had the exact same issue.
That told me the actual problem was not in the AAA configuration at all, but in the line vty portion of the configuration:
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 no exec
 transport input ssh
The line vty 5 15 block had a “no exec,” which logged us off as soon as we logged in, without putting anything in the logs or debug. Since vty 0 through 4 is only five lines, any session beyond those landed on vty 5 through 15, where the switch authenticated the user against RADIUS and then, having no EXEC process to hand the session to, simply disconnected it. Once we removed the “no exec” from the vty, we were able to SSH with more than 4 sessions. I hope this helps others find similar issues a little quicker.
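As an added check that is not part of the original post, the following Python script parses the line vty section of a running-config and flags any vty range that carries "no exec" while still accepting inbound connections, which is exactly the combination that produces an authenticate-then-drop session. The sample config is constructed from the vty block above, with the "no exec" still in place.

```python
import re

# Constructed sample: the vty section from the post, before "no exec" was removed.
SAMPLE_CONFIG = """\
line vty 0 4
 exec-timeout 120 0
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 no exec
 transport input ssh
"""

def parse_vty_blocks(config):
    """Return a list of (first, last, [sub-commands]) for every 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last, [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[2].append(raw.strip())   # indented line belongs to the open block
        else:
            current = None                   # any non-indented line ends the block
    return blocks

def find_dead_vty_ranges(config):
    """Return (first, last) ranges where an inbound session would log in and be dropped:
    the block has 'no exec' but 'transport input' still allows inbound connections."""
    dead = []
    for first, last, cmds in parse_vty_blocks(config):
        has_no_exec = "no exec" in cmds
        transports = [c for c in cmds if c.startswith("transport input")]
        # 'transport input none' means nothing can connect, so 'no exec' there is harmless.
        # With no transport line at all the platform default applies, so we err toward flagging.
        accepts_inbound = not transports or not any(t.endswith(" none") for t in transports)
        if has_no_exec and accepts_inbound:
            dead.append((first, last))
    return dead

if __name__ == "__main__":
    for first, last in find_dead_vty_ranges(SAMPLE_CONFIG):
        print(f"line vty {first} {last}: 'no exec' with inbound transport allowed; "
              f"sessions landing on these lines are dropped right after login")
```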
Jason Howe, PEI