04-11-2017 05:54 AM
You are still getting access reject from the RADIUS server so whatever username / password combination you are using on the switch is being rejected by RADIUS.
As I mentioned before I would suggest you try as simplified a configuration as possible, keep PAP rather than CHAP, at least this allows you to see the contents of the RADIUS requests when capturing.
I am sure that for some reason your RADIUS server is not matching user correctly
Everything on the switch looks OK
Can you set up test user perhaps rather than domain user?
04-13-2017 05:20 AM
I have set up Win2k8 to test with icx6450, the only difference is that I have used local configured account on Win2k8 server rather than AD user as I do not have AD configured.
The only steps I have not seen from your configuration are registration of NPS server in AD, not sure if this has been done to allow domain users
I also have not seen exactly how your users / groups and group memberships have been configured for NPS
Also can you confirm that switch is correctly specified as RADIUS client
I see no reason why Win2k8 should not work for you as RADIUS server.
I am still sure that your problem relates to username / password combination
Can you set up a non domain user local to NPS server to test to see if this works?
04-17-2017 07:01 AM
MIck, Thanks for you help!!
I find the error and I see that it was another network policy that I was canceling the authentication and now is working!
I bother you with another question. What happens if the radius server stops working? No way to authenticate? Just for console?
04-17-2017 07:38 AM
04-18-2017 12:26 AM
To answer your two questions
First with regards to failure of RADIUS server, you should configure a secondary authentication method in the event that RADIUS is unavailable
aaa authentication enable default radius local
aaa authentication login default radius local
This would configure local as the secondary authentication method for login and enable, it would require you to configure a local user account to authenticate with in the event that RADIUS was unavailable. e.g.
icx6450(config)#username fallback privilege 0 password password
To get AAA to work on console connections you need to add the following configuration
icx6450(config)#enable aaa console
05-15-2017 06:05 AM
You need to configure the vendor specific attribute for foundry-privilege-level
Hope this is what you are looking for