Aruba 2930F RADIUS authentication

 
lee2021
Occasional Advisor

I'm trying to get my switches to do RADIUS authentication, but whatever I try on the NPS (Windows Server 2019) doesn't work. I keep getting the following in the event viewer:

Reason code 66

The User attempts to use an authentication method that is not enabled on the matching network policy. 

I have tried multiple guides that I found but nothing seems to work. 
I have unencrypted authentication [PAP, SPAP] ticked in the constraints authentication methods section. 

Does anyone have any guides that definitely work, or any idea why else I might be getting the above error?

On the switch, the radius servers are configured/added and enable/login are set to radius

Thanks

akg7
HPE Pro

Re: Aruba 2930F RADIUS authentication

Hello @lee2021 ,

It seems to be an issue with the policy.

Please share the switch RADIUS config and the output of the commands below:

show authentication
show radius
show version
show log -r

Also check the server-end policy settings?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company
lee2021
Occasional Advisor

Re: Aruba 2930F RADIUS authentication

Hi akg7

Yes, I think it's something on the server as well, but I can't figure out why. I tried every which way as advised in several different guides, but I still get the same error in the event viewer. I can't find any standard guides just for Aruba, however, so maybe there is something I'm missing. Is there something I can follow to try again?

Below are the results from the commands. (replaced the ips and user names)

----------------------------------
Status and Counters - Authentication Information

 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 3
  Lockout Delay : 0
  Respect Privilege : Enabled
  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Port-Access    | EapRadius   radius       None
  Webui          | Local                    None
  SSH            | Radius      radius       Local
  Web-Auth       | ChapRadius  radius       None
  MAC-Auth       | ChapRadius  radius       None
  SNMP           | Local                    None
  Local-MAC-Auth | Local       radius       None
  REST           | Radius                   Local

                 | Enable      Enable       Enable
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Webui          | Local                    None
  SSH            | Radius      radius       Local
  REST           | Radius                   None
----------------
Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0
  Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30
  Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30
  Global Encryption Key          :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Source IPv6 Selection          : Outgoing Interface
  Tracking                       : Disabled
  Request Packet Count           : 3
  Track Dead Servers Only        : Disabled
  Tracking Period (seconds)      : 300
  ClearPass Identity             :

                  Auth  Acct  DM/ Time   |
  Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM
  --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No
  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                         No
  1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No
  1.1.1.1    1812  1813  No  300    | xxxxxxx                                                                           No
-----------
Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
                Jun  7 2021 21:35:47
                WC.16.10.0015
                516
Boot Image:     Primary

Boot ROM Version:    WC.16.01.0008
Active Boot ROM:     Primary
------------
W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User
            'luser' is trying to login from 1.1.1.1
I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured
            with the same method.Command authorization will be performed for all
            SSH users.
W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured
            with different methods. Command authorization may be skipped for
            some SSH users.
W 08/24/21 13:07:11 04693 auth: Authentication and authorization are configured
            with different methods. Command authorization may be skipped for
            some SSH users.
W 08/24/21 13:07:04 04693 auth: Authentication and authorization are configured
            with different methods. Command authorization may be skipped for
            some SSH users.
W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from1.1.1.1
W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 11.1.1.1
I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH  session from
           1.1.1.1
W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted

W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 1.1.1.1
W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 1.1.1.1
W 08/24/21 10:45:05 00419 auth: Invalid user name/password on SSH session User
            'user is trying to login from 1.1.1.1

lee2021
Occasional Advisor

Re: Aruba 2930F RADIUS authentication

Hi akg7 (already posted this, but it seems the site didn't post it), so here goes again.

I think it's a server-side issue as well, more than switch-side. I followed this guide and similar others, but no luck:
https://fixitdave.wordpress.com/2015/02/14/hp-procurve-with-radius-authentication-using-nps/
and
https://www.frenchnetworkengineer.fr/forum/aruba/aruba-switch-2930-2530-radius-authentication

If there are any better guides to follow on this, I'd be grateful, as I couldn't really find anything specific.

Switch Results:
------------------------------
Status and Counters - Authentication Information

 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 3
  Lockout Delay : 0
  Respect Privilege : Enabled
  Bypass Username For Operator and Manager Access : Disabled

                 | Login       Login        Login
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Port-Access    | EapRadius   radius       None
  Webui          | Local                    None
  SSH            | Radius      radius       Local
  Web-Auth       | ChapRadius  radius       None
  MAC-Auth       | ChapRadius  radius       None
  SNMP           | Local                    None
  Local-MAC-Auth | Local       radius       None
  REST           | Radius                   Local

                 | Enable      Enable       Enable
  Access Task    | Primary     Server Group Secondary
  -------------- + ----------- ------------ ----------
  Console        | Local                    None
  Telnet         | Local                    None
  Webui          | Local                    None
  SSH            | Radius      radius       Local
  REST           | Radius                   None

-----------------------
show radius

 Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0
  Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30
  Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30
  Global Encryption Key          :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Source IPv6 Selection          : Outgoing Interface
  Tracking                       : Disabled
  Request Packet Count           : 3
  Track Dead Servers Only        : Disabled
  Tracking Period (seconds)      : 300
  ClearPass Identity             :

                  Auth  Acct  DM/ Time   |
  Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM
  --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                              No
 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                        No
 1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                            No
 1.1.1.1      1812  1813  No  300    xxxxxxxxx                                                                       No
---------------------------------------
show version

Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
                Jun  7 2021 21:35:47
                WC.16.10.0015
                516
Boot Image:     Primary

Boot ROM Version:    WC.16.01.0008
Active Boot ROM:     Primary
----------------------------------------

W 08/25/21 12:10:28 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 1.1.1.1
W 08/25/21 12:03:37 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 1.1.1.1

akg7
HPE Pro

Re: Aruba 2930F RADIUS authentication

Hello @lee2021 ,

Here, is the switch acting as RADIUS server or client?

From the switch logs, it seems to be using different methods for authentication and authorization.

W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured with different  methods. Command authorization may be skipped for some SSH users.

Can you check this, and also confirm whether the Windows server and the switch are able to ping each other?

I am sharing a link for the switch RADIUS configuration.

You can verify from the switch whether it is configured correctly:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us

For the server, let me search and see if I find something.

Thanks!

lee2021
Occasional Advisor

Re: Aruba 2930F RADIUS authentication

Hi, thanks for your reply

The switch would be the client. I can ping the RADIUS server, and we also have 802.1X set up for Wi-Fi and switch ports, which works fine with RADIUS.

I set it up as just RADIUS to connect:
aaa authentication ssh login radius

and set the server to accept PAP, but no luck.

I will go through the link you sent as well to make sure everything is set up correctly, but everything should be OK switch-wise.

Thanks

lee2021
Occasional Advisor

Re: Aruba 2930F RADIUS authentication

So far no luck still. Is there any vendor specific information to add on the nps side?

Guides we found for other types of switches have vendor-specific information added on the network policy.

lee2021
Occasional Advisor
Solution

Re: Aruba 2930F RADIUS authentication

Just to advise that I managed to resolve it.

I think I was missing the following:

aaa authentication login privilege-mode
aaa authorization commands none

And I had to set NAS Prompt instead of Administrative for the Operator role. Didn't need to use any vendor code, it seems.
Thanks again
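An added example (Python, written for this thread; it is not the poster's, HPE's or Microsoft's code): it encodes the PAP Access-Request a switch sends for an SSH login per RFC 2865, verifies the Response Authenticator before trusting the reply (so a shared-secret mismatch between switch and NPS shows up as a dropped reply rather than a silent failure), and maps the Service-Type returned by the NPS policy to a switch role. The NAS-Prompt-User (7) to operator mapping is what the solution above found; Administrative-User (6) to manager, the shared secret, the user name and the addresses are constructed assumptions for this example.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6  # RFC 2865 attribute types
# Service-Type values: 6 = Administrative-User, 7 = NAS-Prompt-User. NAS-Prompt -> operator is the
# thread's finding; Administrative-User -> manager is an assumption made for this example.
SERVICE_TYPE_ROLE = {6: "manager", 7: "operator"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 PAP hiding: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    """The PAP Access-Request a switch sends for an SSH login (the 16-byte authenticator is random in practice)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request: bytes, secret: bytes, service_type: int) -> bytes:
    """Reply for a matching policy; Response Authenticator = MD5(header + request authenticator + attrs + secret)."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", service_type))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def role_from_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Check the reply really came from a server holding the shared secret, then map Service-Type to a role."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or reply[4:20] != expected:
        return "dropped: bad authenticator"  # forged reply, or secret mismatch between switch and NPS
    if code != ACCESS_ACCEPT:
        return "rejected"
    attrs, i = {}, 20
    while i < length:  # walk the TLV attribute list
        attrs[reply[i]] = reply[i + 2:i + reply[i + 1]]
        i += reply[i + 1]
    service_type = struct.unpack("!I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
    return SERVICE_TYPE_ROLE.get(service_type, "accepted: no role mapping")
```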