
RADIUS Server Not Responding — Authentication Failing

Presenting Symptom

Users are unable to authenticate to the network via 802.1X, and RADIUS authentication requests are timing out.

Network Context

The network consists of a Cisco Catalyst 2960 switch (IOS 15.2) acting as the authenticator for 802.1X, connected to a Cisco ISE (RADIUS server) at 192.168.1.100. The switch is configured with aaa new-model and dot1x system-auth-control. This is a small branch office with about 50 users.

Diagnostic Steps

1. Check RADIUS server reachability

ping 192.168.1.100
!!!!! or ..... (success or failure)

If ping fails, there is a Layer 3 connectivity issue. If ping succeeds, the problem is likely at the application layer (RADIUS configuration or server).

2. Verify RADIUS server configuration on the switch

show running-config | section radius
radius server ISE
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key mysecret

Ensure the RADIUS server is defined with the correct IP address, ports, and shared secret. A missing or incorrect key is a common issue.

3. Check AAA authentication method list

show running-config | section aaa
aaa new-model
aaa authentication dot1x default group radius

Verify that dot1x authentication is using the RADIUS group. If missing or misconfigured, authentication will fail.

4. Enable debug for RADIUS authentication

debug radius authentication
RADIUS: sending to IPv4:192.168.1.100:1812 (timeout)
RADIUS: No response from server

If you see 'No response from server' despite ping success, the RADIUS server may not be processing requests (e.g., wrong shared secret, server overload, or ACL blocking).

Root Cause

The shared secret configured on the switch for the RADIUS server does not match the key configured on the RADIUS server itself (Cisco ISE). This causes the RADIUS server to silently drop authentication requests.
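
Why the mismatch appears as a timeout rather than a reject, as an added example (not from the original page): RFC 3579 requires an Access-Request carrying EAP, which 802.1X uses, to include a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret), and the server silently discards the packet if it does not verify. The user name alice and the assumption that ISE holds mycorrectsecret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute type numbers (RFC 2865, RFC 3579).
ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, identifier: int = 1) -> bytes:
    """Build and sign an Access-Request as an 802.1X authenticator would."""
    request_auth = os.urandom(16)
    # Constructed sample: EAP-Response/Identity (code 2, id 1, type 1) for "alice".
    eap = struct.pack("!BBHB", 2, 1, 5 + len(b"alice"), 1) + b"alice"
    attrs = attr(USER_NAME, b"alice") + attr(EAP_MESSAGE, eap)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero octets.
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator was appended last

def server_accepts(packet: bytes, secret: bytes) -> bool:
    """True if Message-Authenticator verifies; False means silent discard."""
    pos, zeroed, received = 20, bytearray(packet), None
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if received is None:
        return False  # EAP-carrying requests must include Message-Authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def demo() -> dict:
    """Requests signed with each switch key from the page, checked by the server."""
    server_key = b"mycorrectsecret"  # assumed to be the key configured in ISE
    return {key: server_accepts(build_access_request(key), server_key)
            for key in (b"mysecret", b"mycorrectsecret")}

if __name__ == "__main__":
    print(demo())
```

A discarded request produces no reply at all, which is why the switch logs only a timeout in step 4 even though the server answers ping.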

Resolution

1. On the switch, configure the correct shared secret:
radius server ISE
 key mycorrectsecret
2. Ensure the same key is configured on the RADIUS server (e.g., under Network Access Devices in ISE).

Verification

1. Clear existing authentication sessions: clear aaa sessions
2. Test authentication: test aaa group radius user password
   Expected output: 'User authenticated successfully'
3. Check RADIUS statistics: show radius statistics
   Expected: 'Auth. Requests: 1, Auth. Responses: 1, Auth. Timeouts: 0'

Prevention

1. Use a centralized management tool to deploy RADIUS keys consistently across all network devices.
2. Implement a key rotation policy and document shared secrets securely.
3. Regularly test RADIUS authentication using the test aaa command after any configuration change.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where RADIUS authentication fails. The exam tests the ability to verify RADIUS configuration, interpret debug output, and identify mismatched shared secrets as a common root cause. Candidates must know the show and debug commands for RADIUS.

Exam Tips

1. Remember that a successful ping to the RADIUS server does not guarantee authentication success; always check the shared secret.

2. The debug radius authentication command is powerful but can be CPU-intensive; use it carefully in production.

3. Know that the default RADIUS ports are UDP 1812 for authentication and 1813 for accounting.
