Re: Aruba 2930F RADIUS authentication
08-24-2021 06:40 AM - last edited on 09-08-2021 10:53 AM by support_s
I'm trying to get my switches to do RADIUS authentication, but whatever I try on the NPS (win server 2019) doesn't work. I keep getting the following on the event viewer:
Reason code 66
The User attempts to use an authentication method that is not enabled on the matching network policy.
I have tried multiple guides that I found but nothing seems to work.
I have unencrypted authentication [PAP, SPAP] ticked in the constraints authentication methods section.
Anyone has any guides that definitely work or any idea of why else I might be getting the above error?
On the switch, the radius servers are configured/added and enable/login are set to radius
Thanks
08-24-2021 08:49 AM - edited 08-24-2021 09:07 AM
Re: Aruba 2930F RADIUS authentication
Hello @lee2021 ,
It seems an issue with the policy.
Please share switch radius config and below commands output:
show authentication
show radius
show version
show log -r
Also check the server end policy settings?
Thanks!
08-25-2021 03:50 AM
Re: Aruba 2930F RADIUS authentication
Hi akg7
Yes I think it's something on the server as well, but I can't figure out why. I tried every which way as advised on several different guides, but I still get the same error on the event viewer. Can't find any standard guides just for aruba however, so maybe there is something I'm missing. Is there something I can follow to try again?
Below are the results from the commands. (replaced the ips and user names)
----------------------------------
Status and Counters - Authentication Information
Authorized enabled as backup for secondary login are preceded by *
Login Attempts : 3
Lockout Delay : 0
Respect Privilege : Enabled
Bypass Username For Operator and Manager Access : Disabled
               | Login       Login        Login
Access Task    | Primary     Server Group Secondary
-------------- + ----------- ------------ ----------
Console        | Local                    None
Telnet         | Local                    None
Port-Access    | EapRadius   radius       None
Webui          | Local                    None
SSH            | Radius      radius       Local
Web-Auth       | ChapRadius  radius       None
MAC-Auth       | ChapRadius  radius       None
SNMP           | Local                    None
Local-MAC-Auth | Local       radius       None
REST           | Radius                   Local

               | Enable      Enable       Enable
Access Task    | Primary     Server Group Secondary
-------------- + ----------- ------------ ----------
Console        | Local                    None
Telnet         | Local                    None
Webui          | Local                    None
SSH            | Radius      radius       Local
REST           | Radius                   None
----------------
Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes) : 0 TLS Dead Time (minutes) : 0
Timeout (seconds) : 5 TLS Timeout (seconds) : 30
Retransmit Attempts : 3 TLS Connection Timeout (seconds) : 30
Global Encryption Key :
Dynamic Authorization UDP Port : 3799
Source IP Selection : Outgoing Interface
Source IPv6 Selection : Outgoing Interface
Tracking : Disabled
Request Packet Count : 3
Track Dead Servers Only : Disabled
Tracking Period (seconds) : 300
ClearPass Identity :
Auth Acct DM/ Time |
Server IP Addr Port Port CoA Window | Encryption Key OOBM
--------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
1.1.1.1 1812 1813 No 300 | xxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxx No
-----------
Image stamp: /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
Jun 7 2021 21:35:47
WC.16.10.0015
516
Boot Image: Primary
Boot ROM Version: WC.16.01.0008
Active Boot ROM: Primary
------------
W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User
'luser' is trying to login from 1.1.1.1
I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured
with the same method.Command authorization will be performed for all
SSH users.
W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured
with different methods. Command authorization may be skipped for
some SSH users.
W 08/24/21 13:07:11 04693 auth: Authentication and authorization are configured
with different methods. Command authorization may be skipped for
some SSH users.
W 08/24/21 13:07:04 04693 auth: Authentication and authorization are configured
with different methods. Command authorization may be skipped for
some SSH users.
W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from1.1.1.1
W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 11.1.1.1
I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH session from
1.1.1.1
W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted
W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
W 08/24/21 10:45:05 00419 auth: Invalid user name/password on SSH session User
'user is trying to login from 1.1.1.1
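An added example, not part of the original posts: a small parser that reassembles the wrapped `show log -r` entries quoted above, counts rejected logins (event 00419) per session type, user and source, and lists the 04693 warnings about mismatched authentication and authorization methods. The sample log is constructed from the format shown in the post, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the wrapped layout shown in the post (addresses redacted as there).
SAMPLE_LOG = """\
W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User
'luser' is trying to login from 1.1.1.1
W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured
with different methods. Command authorization may be skipped for
some SSH users.
W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
"""

# A new entry starts with severity, date, time, 5-digit event ID and subsystem.
ENTRY_START = re.compile(r"^([A-Z]) (\d\d/\d\d/\d\d) (\d\d:\d\d:\d\d) (\d{5}) (\w+): (.*)$")
FAILED_LOGIN = re.compile(r"on (\w+) session User\s+'([^']*)' is trying to login from\s*(\S+)")

def parse_entries(text):
    """Join continuation lines onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append(dict(zip(("sev", "date", "time", "id", "subsystem", "msg"), m.groups())))
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return entries

def failed_logins(entries):
    """Count event 00419 rejections per (session type, user, source)."""
    counts = Counter()
    for e in entries:
        m = FAILED_LOGIN.search(e["msg"]) if e["id"] == "00419" else None
        if m:
            counts[m.groups()] += 1
    return counts

def authz_mismatch(entries):
    """Timestamps of event 04693 (authentication and authorization methods differ)."""
    return [f'{e["date"]} {e["time"]}' for e in entries if e["id"] == "04693"]

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(failed_logins(parsed).most_common())
    print("authorization mismatch warnings:", authz_mismatch(parsed))
```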
08-25-2021 04:27 AM
Re: Aruba 2930F RADIUS authentication
Hi akg7 (already posted this but the site didn't post it it seems).. so here goes again
I think it's a server side issue as well more than switch side. I followed this guide and similar others, but no luck
https://fixitdave.wordpress.com/2015/02/14/hp-procurve-with-radius-authentication-using-nps/
and
https://www.frenchnetworkengineer.fr/forum/aruba/aruba-switch-2930-2530-radius-authentication
If there's any better guides to follow about this that would help, I'd be grateful as couldn't really find anything specific
Switch Results:
------------------------------
Status and Counters - Authentication Information
Authorized enabled as backup for secondary login are preceded by *
Login Attempts : 3
Lockout Delay : 0
Respect Privilege : Enabled
Bypass Username For Operator and Manager Access : Disabled
               | Login       Login        Login
Access Task    | Primary     Server Group Secondary
-------------- + ----------- ------------ ----------
Console        | Local                    None
Telnet         | Local                    None
Port-Access    | EapRadius   radius       None
Webui          | Local                    None
SSH            | Radius      radius       Local
Web-Auth       | ChapRadius  radius       None
MAC-Auth       | ChapRadius  radius       None
SNMP           | Local                    None
Local-MAC-Auth | Local       radius       None
REST           | Radius                   Local

               | Enable      Enable       Enable
Access Task    | Primary     Server Group Secondary
-------------- + ----------- ------------ ----------
Console        | Local                    None
Telnet         | Local                    None
Webui          | Local                    None
SSH            | Radius      radius       Local
REST           | Radius                   None
-----------------------
show radius
Status and Counters - General RADIUS Information
Dead RADIUS server are preceded by *
Deadtime (minutes) : 0 TLS Dead Time (minutes) : 0
Timeout (seconds) : 5 TLS Timeout (seconds) : 30
Retransmit Attempts : 3 TLS Connection Timeout (seconds) : 30
Global Encryption Key :
Dynamic Authorization UDP Port : 3799
Source IP Selection : Outgoing Interface
Source IPv6 Selection : Outgoing Interface
Tracking : Disabled
Request Packet Count : 3
Track Dead Servers Only : Disabled
Tracking Period (seconds) : 300
ClearPass Identity :
Auth Acct DM/ Time |
Server IP Addr Port Port CoA Window | Encryption Key OOBM
--------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
1.1.1.1 1812 1813 No 300 | xxxxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxxxx No
1.1.1.1 1812 1813 No 300 | xxxxxxxxx No
---------------------------------------
show version
Image stamp: /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
Jun 7 2021 21:35:47
WC.16.10.0015
516
Boot Image: Primary
Boot ROM Version: WC.16.01.0008
Active Boot ROM: Primary
----------------------------------------
W 08/25/21 12:10:28 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
W 08/25/21 12:03:37 00419 auth: Invalid user name/password on SSH session User
'user' is trying to login from 1.1.1.1
08-26-2021 12:02 AM - edited 08-26-2021 12:32 AM
Re: Aruba 2930F RADIUS authentication
Hello @lee2021 ,
Here switch is acting as Radius server or client?
From switch logs, it seems using different methods of authentication and authorization.
W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured with different methods. Command authorization may be skipped for some SSH users.
Can you check this and also config if Windows server and switch able to ping each other?
I am sharing link for switch for Radius configuration.
You can verify from switch if it is configured correctly in switch:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us
For server, let me search if find something.
Thanks!
08-26-2021 07:27 AM
Re: Aruba 2930F RADIUS authentication
Hi, thanks for your reply
Switch would be the client. I can ping the radius server, and we also have 802.1x set up for wifi and switch ports which works fine with the radius.
I set it up as just radius to connect:
aaa authentication ssh login radius
And set the server to accept PAP. but no luck.
I will go through the link you sent as well to make sure all is setup correct, but everything should be ok switch wise
Thanks
09-06-2021 02:21 AM
Re: Aruba 2930F RADIUS authentication
So far no luck still. Is there any vendor specific information to add on the nps side?
Guides we found for other types of switches have vendor-specific information added on the network policy
09-08-2021 12:47 AM
Solution
Just to advise that I managed to resolve it.
I think I was missing the following:
And had to set NAS Prompt instead of Administrative for the Operator role. Didn't need to use any vendor code it seems.
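An added example, not from the thread's participants: the Service-Type setting mentioned in the solution travels in the RADIUS Access-Accept as attribute 6, and this sketch parses a constructed Access-Accept to show which CLI privilege each value would select. The attribute numbers are from RFC 2865; the mapping of Administrative to manager is an assumption about the switch, since the thread only confirms NAS Prompt for the Operator role, and the function names are illustrative.

```python
import struct

# RFC 2865: packet code 2 is Access-Accept; attribute type 6 is Service-Type.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPES = {6: "Administrative", 7: "NAS-Prompt"}
# Assumed switch mapping; the thread only confirms NAS Prompt for the Operator role.
PRIVILEGE = {"Administrative": "manager", "NAS-Prompt": "operator"}

def build_accept(identifier, service_type):
    """Build a constructed Access-Accept carrying one Service-Type attribute.
    The 16-byte authenticator is zeroed because this sketch does not verify it."""
    attr = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    length = 20 + len(attr)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, length, bytes(16)) + attr

def parse_attributes(packet):
    """Walk the type-length-value attributes, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def granted_privilege(packet):
    """Return the CLI privilege an Access-Accept would select, or None."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        if a_type == ATTR_SERVICE_TYPE and len(value) == 4:
            name = SERVICE_TYPES.get(struct.unpack("!I", value)[0])
            return PRIVILEGE.get(name)
    return None

if __name__ == "__main__":
    for st in (6, 7, 2):
        print(st, granted_privilege(build_accept(1, st)))
```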