Radius Authentication Cisco Switch

Similar Messages

• Radius-Authentication / Cisco 2600 fails MiscError -1642

  Hi,
  Im trying to configure BM 3.8 SP3ir3, Radius (NMAS 2.3) to
  authenticate a Cisco 2600 against my BM. Under BM 3.7 this
  setup is working fine, but now with 3.8 I get the following
  error:
  Access rejected, Miscellaneous error (-1642)
  Ive configured the LPO with the following sequences:
  NDS acceptable, simple acceptable
  A test with NTRADPING:
  with CHAP disabled, it works fine (LPO sequence is NDS)
  with CHAP enabled, Ive got the error above
  I tried the simple login sequence also (like a posting
  in this newsgroup), but no change.
  Hope you can help me, I need chap-authentication...
  From Radius-Debug:
  This one works (without CHAP):
  [2005-07-28 05:52:43 PM] (->)Cacher:
  NWDSReadObjectInfo(das01.radius.bmanager.informati k.kli_pa),
  succeeded, time:7
  [2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
  (Access-Request (1))
  [2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
  (rej=0)]
  [2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
  172.24.4.2:2642]: time:2611012
  [2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
  172.24.4.2:2642]: time:640356694---
  [2005-07-28 05:52:43 PM] CACHE:
  CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
  [2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
  NewRequestHandler.
  [2005-07-28 05:52:43 PM] CACHE:
  CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
  cache
  [2005-07-28 05:52:43 PM]
  (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
  [2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
  (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
  [2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
  (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
  contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
  [2005-07-28 05:52:43 PM] Handling local authentication request.
  [2005-07-28 05:52:43 PM] CACHE:
  CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
  using cache
  [2005-07-28 05:52:43 PM]
  (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
  Access Group) succeeded, time:47
  [2005-07-28 05:52:43 PM]
  (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
  time:42
  [2005-07-28 05:52:43 PM]
  (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
  Attr) succeeded, time:45
  [2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
  NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
  [2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
  [2005-07-28 05:52:43 PM]
  (->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
  succeeded, time:961
  [2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
  NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
  [2005-07-28 05:52:43 PM]
  (->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurr ent
  Limit) failed, no such attribute (-603), time:50
  [2005-07-28 05:52:43 PM] CACHE:
  CacheGetConcurrentLimit(das01.radius.bmanager.info rmatik.kli_pa),
  using cache
  [2005-07-28 05:52:43 PM]
  User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
  Limit:-1, succeeded
  [2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
  [2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
  "DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
  [2005-07-28 05:52:43 PM] FDN:
  CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
  [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
  [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
  [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
  [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
  [2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
  172.24.4.2(2642)] count=32
  [2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
  [2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
  172.24.4.2:2642]: time:640358122---
  This one dont work (chap enabled):
  [2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
  (Access-Request (1))
  [2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
  (rej=0)]
  [2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
  172.24.4.2:2647]: time:2426593
  [2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
  172.24.4.2:2647]: time:640481075---
  [2005-07-28 05:52:55 PM] CACHE:
  CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
  [2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
  NewRequestHandler.
  [2005-07-28 05:52:55 PM] CACHE:
  CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
  cache
  [2005-07-28 05:52:55 PM]
  (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
  [2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
  (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
  [2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
  (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
  contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
  [2005-07-28 05:52:55 PM] Handling local authentication request.
  [2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
  [2005-07-28 05:52:55 PM] CACHE:
  CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
  using cache
  [2005-07-28 05:52:55 PM] CHAP chapCSize: 16
  [2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
  NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
  [2005-07-28 05:52:55 PM]
  (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
  Access Group) succeeded, time:53
  [2005-07-28 05:52:55 PM]
  (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
  time:42
  [2005-07-28 05:52:55 PM]
  (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
  Attr) succeeded, time:44
  [2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
  [2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
  172.24.4.2(2647)] count=20
  [2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
  [2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
  172.24.4.2:2647]: time:640512029---
  I cannt see an error with chap enabled..
  Regards
  Guenther

  I'm having the same problem. radping works with chap and simple passwords
  but gives the -1642 error when I'm authenticating from my cisco vpn router.
  BTW, I had everything working for YEARS with nds passwords and earlier
  versions of bordermanager. BM 3.8 broke it.
  Thanks
  David
  > Hi Jake,
  >
  > yes, its a cisco-issue. For downloading dynamic routes with
  > radius you need the cisco-default-pw called "cisco". Strange
  > and a big security leak....
  >
  > The authentication with ppp-user and chap / simple password
  > works fine now.
  >
  > Regards
  > Guenther
  >
  > Jake Speed schrieb:
  > > Hi,
  > > yes it's woking fine !
  > > Working with a 3640, and 8 Bri/40 Async Interaces. With Chap enabeld,
  > > and simple password used.
  > > Seems to be a problem on the cisco site, so if radping works NW Radius
  > > and the objects are ok.
  > >
  > > by
  > > Jake
  > >
  > > Guenther Rasch wrote:
  > >
  > >> Hi Craig,
  > >>
  > >> I dont know why, but now CHAP works with ntradping.exe
  > >> - Cisco router still doesnt work. Ive configured
  > >> "simple password" in the lp-object...
  > >>
  > >> Does anyone have a working configuration nmas radius /
  > >> cisco nas-router?
  > >>
  > >> Regards
  > >> Guenther
  > >>
  > >> Craig Johnson schrieb:
  > >>
  > >>> In article <Yg0He.13962$[email protected]>,
  > >>> Guenther Rasch wrote:
  > >>>
  > >>>> is it possible in BM 3.8? Which password / login sequence do I need
  to
  > >>>> get CHAP working?
  > >>>>
  > >>>
  > >>> As far as I know, you cannot make CHAP work against an NDS password,
  > >>> in any version of Novell RADIUS.
  > >>> I don't really know about getting the dial access system password
  > >>> working 3.8 (NMAS) RADIUS. I would assume there would be a login
  > >>> policy object rule for it.
  > >>>
  > >>> Craig Johnson
  > >>> Novell Support Connection SysOp
  > >>> *** For a current patch list, tips, handy files and books on
  > >>> BorderManager, go to http://www.craigjconsulting.com ***
  > >>>
  > >>>

• NPS Discarding RADIUS request from Cisco switch (802.1x)

  Last few weeks I've been busy to get the following to work:
  - Cisco 2960 switch as the suppliant
  - Another Cisco 2960 as the authenticator switch
  - The supplicant is only able to send MS-EAP MS-ChapV2 requests
  - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
  This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
  but I'd like to get it to work with Windows NPS.
  Within NPS I've setup the following Connection Request policy:
  - NAS Port Type: Ethernet
  I'm using the following Network Policy:
  - User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
  - NAS Port Type: Ethernet
  - Autehntcation Type: EAP
  Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
  User:
  Account Name: Rotterdam-Switch-8-1
  Account Domain: DOMAIN
  Authentication Details:
  Connection Request Policy Name: Secure Wired Connections
  Network Policy Name: Switches Allowed
  Authentication Provider: Windows
  Authentication Server: SERVER.DOMAIN.local
  Authentication Type: EAP
  EAP Type: -
  Account Session Identifier: -
  Reason Code: 1
  Reason: An internal error occurred. Check the system event log for additional information.
  Wireshark on the NPS server shows:
  1. The RADIUS Access-Request (1) being received by the NPS Server
  2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
  3. Another RADIUS Access-Request (1) is beging received by the NPS Server
  Packet 2 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challange)
  Packet 3 has an t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
  I've also tried the following:
  - I've also tested with an invalid username/password. The request is correctly denied
  - I've also tested by added ALL EAP Types as condition to the Network Policy. The request isn't pickup by this policy anymore.
  Any help would be greatly appriciated ofcourse.
  Kind regards,
  Peter

  It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
  Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN Connections and not for Wired/Wirelss authentication. Something to do with inner and outer methods and NPS requireing PEAP as an outer method for Wired/Wirelss
  authentication.
  End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitly not as secure (at all), it's definitly a step in the right direction and it's something that we'll be implementing.
  Now it seems that NPS doesn't support EAP-MD5 (which is supposidly depricated), it's possible to re-enable it. Using the following articles.
  http://support.microsoft.com/kb/922574/en-us
  Microsft mentioned me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
  http://support.microsoft.com/kb/981190"
  Please note that you'll have to enable 'Store password using reversible encryption’  on the accounts that will be used for NEAT authentication.
  All though I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, espcially for EAP-MD5 which
  could be sniffer using a hub/repeater/etc.
  Kind regards,
  Peter

• RADIUS authentication for SGE2010 switch

  I am trying to configure a SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008r2 RADIUS) server is receiving the access request and is returning an access accept.
  The switch does not let us log in.
  Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
  user P@ssw0rd, source 192.168.10.213 destination   REJECTED
  Note: It is printing the user's password instead of the username.
  I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
  Shell:priv-lvl=15
  Shell = 15
  Level = 15
  Relevant lines from switch configuration:
  radius-server host 192.168.1.23 key P@llssw0rd88
  aaa authentication enable default none
  aaa authentication login default radius
  Any help would be more than greatly appreciated.

  The problem isn't that it is rejecting me. Using network monitor I can see it is accepting the request but for some reason just won't log me in.
  A link was sent to me to another website where it show that you have to go into the settings tab of the policy and change the radius attribute
  to Service-Type Administrative.
  After doing that, I was able to log into the switch with any of the windows domain users I had specified.
  This is the link that gave me the answer
  http://wiki.freeradius.org/Linksys

• Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed

  Hello Cisco-Experts,
  one of our customers would like to deploy Cisco3650-switches with integrated WLC-functionality.
  The platform is new to me and I have started to configure some basic settings.
  Unfortunately I cannot find information on how to implement 802.1x Radius authentication.
  Do You know, where I can find detail information or an example how to implement this ?
  Thank You
  Wini

  Hello Rasika,
  thank You very much for link to Your 802.1x authentication configuration
  on similar 3850 platform.
  Very useful stuff.
  Is it possible to setup the Radius -Server function on the switch itself ?
  I'm asking because I would like to test the setup in our office before rollout to customer.
  Kind regards
  Wini

• Cisco switch/router authentication

  hi! is there anyway that i can authenticate user login thru Microsoft AD/IAS to the cisco switch/router without using Cisco ACS or any paid solution? Thx

  Hello,
  IOS configuration:
  Switch(config)#radius-server host 192.168.250.20 key cisco123
  Switch(config)#aaa authentication login default group radius local
  Switch(config)#aaa authorization exec default group radius local
  IAS configuration:
  1) Define the RADIUS client entry:
  2) Define the IAS Policies:

• Cisco ACS 4.2 and Radius authentication?

  Hi,
  I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

  To access network devices for administrative purpose, we have only three methods available :
  [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
  [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
  and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
  [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
  Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
  And the most secure way to administer a  device is to use SSH.
  Rgds, Jatin
  Do rate helpful post~

• ASA , Cisco VPN client with RADIUS authentication

  Hi,
  I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
  All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
  Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
  Thank you.
  Kind regards,
  Alex

  Hi Alex,
  It is working as it should.
  You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
  thanks
  John

• Cisco ISE IPEP and Non Radius Authenticator

  Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
  Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
  I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
  Anyone have any exmaples or traffic flows if this is possible?
  Thanks,
  Michael Wynston

  Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
  Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
  Guess not
  Sent from Cisco Technical Support iPhone App

• SMB 300 switch - RADIUS authentication

  Did anybody have any luck configuring radius authentication with SMB 300 managed switches? I just deployed one and struggling with radius authentication with AD. Radius server works because there are 10 other Catalyst switches and routers working fine.
  Any pointers on how to setup radius authentication for administrative connection? I need it for http, telnet and ssh management session to the switch.
  Thanks in advance,
  Sam

  yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
  If you need secure communication then you may implement TACACS.
  TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• CSS - Radius authentication problem

  Hi,
  for a customer we need to configure Radius authentication working like this:
  - CSS administrator login to device at user level
  - then switch to "enable" mode using a superuser level account.
  First login to CSS with a Radius account at user level works fine, but (after enable command) the login at superuser level doesn't work neighter with Radius account nor with local superuser account.
  Ver.: 08.10.4.01
  This is the configuration:
  radius-server primary 10.113.212.17 secret XXX auth-port 1645
  radius-server source-interface 10.113.212.32
  sntp primary-server 10.113.205.1 version 3
  date european-date
  radius-server secondary 10.113.197.24 secret XXX auth-port 1645
  radius-server dead-time 15
  radius-server retransmit 15
  radius-server timeout 15
  virtual authentication primary radius
  virtual authentication secondary local
  username ZZZ des-password ZZZ superuser
  Any idea?
  Thanks in advance.

  is your server correctly configured as described at :
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Radius.html#wp1108380
  "From the Group Settings section of the Cisco Secure ACS HTML interface, click the IETF RADIUS Attributes, [006] Service-Type checkbox. Then select Administrative. Administrative is required to enable RADIUS authentication for privileged user (SuperUser) connection with the CSS. "
  Gilles.

• RADIUS authentication SF300-24P

  RADIUS authentication SF300-24P
  We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s¸ 3560s, 3750s, AP1231Gs,etc) and these work fine so we know the RADIUS server is working.
  We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply although we can see that the RADIUS server is accepting the username and password being sent, however the switch says “authentication failed” when to receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
  We have upgrade the switches to the latest firmware 1.1.2.0, via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switch on there is no indication to say that any of the settings have been misconfigured.
  Any advice you could offer would be gratefully received.
  Mike Lewis

  Here is the documentation excerpt-
  For the RADIUS server to grant access to the web-based switch configuration
  utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.
  User authentication occurs in the order that the authentication methods are
  selected. If the first authentication method is not available, the next selected
  method is used. For example, if the selected authentication methods are RADIUS
  and Local, and all configured RADIUS servers are queried in priority order and do
  not reply, the user is authenticated locally.
  If an authentication method fails or the user has insufficient privilege level, the user
  is denied access to the switch. In other words, if authentication fails at an
  authentication method, the switch stops the authentication attempt; it does not
  continue and does not attempt to use the next authentication method.
  Of course the point of interest here is the second paragraph. The initial wording is the behavior you want. The second portion is very open for interpretation (I do agree it is somewhat ambiguous but consistent with the switch behavior). When I read the example and it says the Radius is busy or not responding then you will authenticate locally. Which seems fair enough. But what it doesn't say, is if you can use one or the other, but instead it seems based on preference failure.
  -Tom
  Please rate helpful posts

• DACL does not get downloaded to Cisco Switch from ISE

  Hello,
  I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
  I am trying to push dACL fro my ISE device into the switch, but it is not getting applied to switch.   dynamic vlan assignment workds fine, but dACL doesnot apply
  Any instruction plz?

  Hi Jatin,
  ISE is properly configured for dACL,   i think there is some compatibility issue on cisco switch ios.
  following is the debug output>>
  06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
  06:36:43: EAPOL pak dump rx
  06:36:43: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
  06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
  06:36:43:     dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
  06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
  06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
  06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
  06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
  06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
  06:36:43: RADIUS(00000049): sending
  06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
  06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
  06:36:43: RADIUS:  User-Name           [1]   6   "test"
  06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  06:36:43: RADIUS:  Framed-MTU          [12]  6   1500
  06:36:43: RADIUS:  Called-Station-Id   [30]  19  "00-11-5C-6E-5E-0B"
  06:36:43: RADIUS:  Calling-Station-Id  [31]  19  "00-19-B9-81-E8-12"
  06:36:43: RADIUS:  EAP-Message         [79]  8
  06:36:43: RADIUS:   02 7A 00 06 0D 00                 [ z]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0                [ Z6]
  06:36:43: RADIUS:  Vendor, Cisco       [26]  49
  06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:43: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:43: RADIUS:  NAS-Port            [5]   6   50011
  06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.250
  06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
  06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
  06:36:43: RADIUS:  authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  EAP-Message         [79]  255
  06:36:43: RADIUS:   4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34  [M]GFbv@wH1k^R3V4]
  06:36:43: RADIUS:   02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30  [29MyJBN\)=Z>u:}0]
  06:36:43: RADIUS:   81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70  [0U0U00UVPp0yUr0p]
  06:36:43: RADIUS:   30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C  [0nlj2http://sysl]
  06:36:43: RADIUS:   6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E  [og-server/CertEn]
  06:36:43: RADIUS:   72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65  [roll/FMFB_Truste]
  06:36:43: RADIUS:   64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C  [dCA.crl4file://\]
  06:36:43: RADIUS:   5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43  [\syslog-server\C]
  06:36:43: RADIUS:   65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54  [ertEnroll\FMFB_T]
  06:36:43: RADIUS:   72 75 73 74 65 64 43 41 2E         [ rustedCA.]
  06:36:43: RADIUS:  EAP-Message         [79]  251
  06:36:43: RADIUS:   63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A  [crl0+70*Hcwl7/6J]
  06:36:43: RADIUS:   74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A  [t3W9Vp"]&m`b$Aqj]
  06:36:43: RADIUS:   EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B  [\-@xTUYx]MDESFL;]
  06:36:43: RADIUS:   D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36  [f~[yS^I}uN2^(SS6]
  06:36:43: RADIUS:   82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4     [ 8>$HDhDo|l{V2]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33            [ ?b*$Y3]
  06:36:44: RADIUS(00000049): Received from id 1645/99
  06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
  06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
  06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
  06:36:44:     dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
  06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
  06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x7B length: 0x03F0 type: 0xD  data: @Cfui[ab2,Jt1){                                                                                                                              2]g&GZ1pIbu;+Ga;iF"jy#
  oohuV.aFZ4_|
  P0`At   )B
  06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:44: RADIUS:  Message-Authenticato[80]  18
  06:36:44: RADIUS:   F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5           [ VnJr[\`]
  06:36:44: RADIUS:  Vendor, Cisco       [26]  49
  06:36:44: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:44: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:44: RADIUS:  NAS-Port            [5]   6   50011
  06:36:44: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:44: RADIUS:  State               [24]  80
  06:36:44: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:44: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
  06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
  06:36:45: EAPOL pak dump Tx
  06:36:45: EAPOL Version: 0x2  type: 0x0  length: 0x0039
  06:36:45: EAP code: 0x1  id: 0x7E length: 0x0039 type: 0xD
  06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
  06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
  06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
  06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  06:36:46: EAPOL pak dump rx
  06:36:46: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:46: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
  06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
  06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.0006
  06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa0/11 is TRUE

• SG 300-10 802.1x radius authentication slowness

  We have 802.1x authentication via radius and vlan-id tagging with guest vlan fallback working successfully, but we've noticed that no matter what settings we try for the port, it seems that the switch takes about 20 seconds after the port comes up before it sends the authentication request to the radius server.
  We tried enabling portfast under stp and when the port is connected, it does immediately come up, and the user is pushed to the guest vlan, and then after about 20 seconds the prompt comes up and credentials can be entered and then it will send the request to the radius server. If the credentials are saved, it still takes the same amount of time before it sends those saved credentials. 
  I'm curious if this intended behavior, a limitation of hardware, or a setting on the port I'm missing. We tried lowering the various quiet-period, silence-period, etc timeouts, and are still seeing the same results. All tested os's (OSX, Windows 7+8, Ubuntu + Arch nix) experienced the same results.
  Any advice would be appreciated, thank you!
  See below for our conf:
  net055#show running-config 
  config-file-header
  net055
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch 
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  dot1x guest-vlan timeout 30
  vlan database
  default-vlan vlan 3333
  exit
  vlan database
  vlan 1,100,102,104,111
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  hostname net055
  line console
  exec-timeout 30
  exit
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 172.16.200.57 key REMOVED= usage dot1.x
  radius-server host source-interface vlan 100
  management access-list mlist2
  permit ip-source 172.16.202.0 mask 255.255.255.0
  permit ip-source 172.16.200.0 mask 255.255.255.0
  exit
  management access-class mlist2
  aaa authentication enable default enable none         
  aaa accounting dot1x start-stop group radius
  enable password level 15 encrypted REMOVED
  no service password-recovery
  no passwords complexity enable
  passwords aging 0
  username REMOVED privilege 15
  username REMOVED privilege 15
  ip ssh server
  ip ssh password-auth
  ip http timeout-policy 1800 https-only
  no ip http server
  tacacs-server timeout 10
  clock timezone EST -5
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.100.95
  ip name-server  8.8.4.4
  interface vlan 100
   ip address 172.16.200.21 255.255.255.0
   no ip address dhcp
  interface vlan 102
   name dev-0-Gnv-202.0
  interface vlan 104
   name gen-0-Gnv-204.0
  interface vlan 111
   name guest-0-Gnv-10-66-61.0
   dot1x guest-vlan
  interface gigabitethernet1
   switchport trunk allowed vlan add 100,102,104,111
  interface gigabitethernet2
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x timeout supp-timeout 5
   dot1x radius-attributes vlan static
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet3                            
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet4
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet5
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet6
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static                  
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet7
   dot1x guest-vlan enable
   dot1x max-req 10
   dot1x reauthentication
   dot1x timeout quiet-period 5
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet8
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet9
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto                              
   spanning-tree portfast
  interface gigabitethernet10
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  exit
  ip default-gateway 172.16.200.1

  Forgot to follow up here. 
  This is a known deficiency of how the SG300 line implements 802.1x vs how all other cisco switches implement it (and how other vendors implement it). The support tech said Cisco was unwilling to fix this deficiency (he would never provide a reason why). 
  If you have OSX and 802.1x and dont want it to take >30 seconds for users to get auth'd I would suggest going to another vendor since Cisco has said they will not fix this issue.