Re: Aruba 2930F RADIUS authentication

Hello @lee2021 ,

It seems an issue with the policy.

Please share switch radius config and below commands output:

show authentication
show radius
show version
show log -r

Also  check the server end policy settings?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

Hi akg7

Yes I think its something on ther server as well, but I can't figure out why. I tried every which way as advised on several different guides, but I still get the same error on the event viewer. Can't find any standard guides just for aruba however, so maybe there is something I'm missing. Is there something I can follow to try again?

Below are the results from the commands. (replaced the ips and user names)

----------------------------------

Status and Counters - Authentication Information

 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 3

  Lockout Delay : 0

  Respect Privilege : Enabled

  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login

  Access Task    | Primary     Server Group Secondary

  -------------- + ----------- ------------ ----------

  Console        | Local                    None

  Telnet         | Local                    None

  Port-Access    | EapRadius   radius       None

  Webui          | Local                    None

  SSH            | Radius      radius       Local

  Web-Auth       | ChapRadius  radius       None

  MAC-Auth       | ChapRadius  radius       None

  SNMP           | Local                    None

  Local-MAC-Auth | Local       radius       None

  REST           | Radius                   Local

                 | Enable      Enable       Enable

  Access Task    | Primary     Server Group Secondary

  -------------- + ----------- ------------ ----------

  Console        | Local                    None

  Telnet         | Local                    None

  Webui          | Local                    None

  SSH            | Radius      radius       Local

  REST           | Radius                   None

----------------

Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0

  Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30

  Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30

  Global Encryption Key          :

  Dynamic Authorization UDP Port : 3799

  Source IP Selection            : Outgoing Interface

  Source IPv6 Selection          : Outgoing Interface

  Tracking                       : Disabled

  Request Packet Count           : 3

  Track Dead Servers Only        : Disabled

  Tracking Period (seconds)      : 300

  ClearPass Identity             :

                  Auth  Acct  DM/ Time   |

  Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM

  --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----

  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No

  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                         No

  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No

  1.1.1.1    1812  1813  No  300    | xxxxxxx                                                                           No

-----------

Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)

                Jun  7 2021 21:35:47

                WC.16.10.0015

                516

Boot Image:     Primary

Boot ROM Version:    WC.16.01.0008

Active Boot ROM:     Primary

------------

W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User

            'luser' is trying to login from 1.1.1.1

I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured

            with the same method.Command authorization will be performed for all

            SSH users.

W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured

            with different methods. Command authorization may be skipped for

            some SSH users.

W 08/24/21 13:07:11 04693 auth: Authentication and authorization are configured

            with different methods. Command authorization may be skipped for

            some SSH users.

W 08/24/21 13:07:04 04693 auth: Authentication and authorization are configured

            with different methods. Command authorization may be skipped for

            some SSH users.

W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from1.1.1.1

W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from 11.1.1.1

I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH  session from

           1.1.1.1

W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted

W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from 1.1.1.1

W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from 1.1.1.1

W 08/24/21 10:45:05 00419 auth: Invalid user name/password on SSH session User

            'user is trying to login from 1.1.1.1

Hi akg7 (already posted this but the site didn't post it it seems).. so here goes again  

I think it's a server side issue as well more than switch side. I followed this guide and similar others, but no luck
https://fixitdave.wordpress.com/2015/02/14/hp-procurve-with-radius-authentication-using-nps/
and
https://www.frenchnetworkengineer.fr/forum/aruba/aruba-switch-2930-2530-radius-authentication

If there's any better guides to follow about this that would help, I'd be grateful as couldn't really find anything specific

Switch Results:
------------------------------
Status and Counters - Authentication Information

 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 3

  Lockout Delay : 0

  Respect Privilege : Enabled

  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login

  Access Task    | Primary     Server Group Secondary

  -------------- + ----------- ------------ ----------

  Console        | Local                    None

  Telnet         | Local                    None

  Port-Access    | EapRadius   radius       None

  Webui          | Local                    None

  SSH            | Radius      radius       Local

  Web-Auth       | ChapRadius  radius       None

  MAC-Auth       | ChapRadius  radius       None

  SNMP           | Local                    None

  Local-MAC-Auth | Local       radius       None

  REST           | Radius                   Local

                 | Enable      Enable       Enable

  Access Task    | Primary     Server Group Secondary

  -------------- + ----------- ------------ ----------

  Console        | Local                    None

  Telnet         | Local                    None

  Webui          | Local                    None

  SSH            | Radius      radius       Local

  REST           | Radius                   None      

-----------------------

show radius

 Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0

  Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30

  Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30

  Global Encryption Key          :

  Dynamic Authorization UDP Port : 3799

  Source IP Selection            : Outgoing Interface

  Source IPv6 Selection          : Outgoing Interface

  Tracking                       : Disabled

  Request Packet Count           : 3

  Track Dead Servers Only        : Disabled

  Tracking Period (seconds)      : 300

  ClearPass Identity             :

                  Auth  Acct  DM/ Time   |

  Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM

  --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----

 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                              No

 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                        No

 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                            No

 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                       No  

---------------------------------------

show version

Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)

                Jun  7 2021 21:35:47

                WC.16.10.0015

                516

Boot Image:     Primary

Boot ROM Version:    WC.16.01.0008

Active Boot ROM:     Primary

----------------------------------------

W 08/25/21 12:10:28 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from 1.1.1.1

W 08/25/21 12:03:37 00419 auth: Invalid user name/password on SSH session User

            'user' is trying to login from 1.1.1.1

Hello @lee2021 ,

Here switch is acting as Radius server or client?

From switch logs, it seems using different methods of authenticationa nd authorization.

W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured with different  methods. Command authorization may be skipped for some SSH users.

Can you check this and also config if Windows server and switch able to ping each other?

I am sharing link for switch for Radius configuration.

You can verify from switch if it is configured correctly in switch:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us

For server, let me search if find something.

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

Hi, thanks for your reply

Switch would be the client. I can ping the radius server, and we also have 802.1x set up for wifi and switch ports which works fine with the radius.

I set it up as just radius to connect:
aaa authentication ssh login radius 

And set the server to accept PAP. but no luck.

I will go through the link you sent as well to make sure all is setup correct, but everything should be ok switch wise  

Thanks

So far no luck still. Is there any vendor specific information to add on the nps side?

Guides we found for other types of switches have vendo specific information added on the network policy