
Radius configuration - E3800-48G-​PoE+ J9574A

 
DavidSawyer
Occasional Contributor


I've set up a radius server and all works fine...except one part.

 

Here is the config...

 

*************************************************************

radius-server host 192.168.x.x
radius-server key "xxxxxxxxxxxxxxxxxxxxx"

 

aaa accounting exec start-stop radius
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

*************************************************************

 

The radius works fine, but it doesn't use local authentication as secondary, is there something else I need to configure?

JWag44
Occasional Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

What version software are you using?

I am using K.15.04.0003 and here is my config:

radius-server host 10.100.100.230 key "$XXXXXXXX"

radius-server host 10.100.100.1 key "$XXXXXXXX"

 

aaa authentication console login radius local
aaa authentication telnet login radius local
aaa authentication ssh login radius local

 

though it doesn't show in the config, did you use

password operator user-name XXXXXXX plaintext XXXXXXXX

to create a local user?

 

DavidSawyer
Occasional Contributor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

Yes, there is a local user account, I've removed the radius configuration and the local account works fine.
JWag44
Occasional Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

How are you testing the local account?  I have noticed that if I try to use local credentials while the radius server is still accessible via the network, it will not work.  Is it possible to test with the switch off the network?  Or disable the radius server temporarily?

JWag44
Occasional Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

Also, what are you using for the radius server?  I use Microsoft IAS, and I can use the server's System Event Log to find Event ID 13 messages like this:

 

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 13
Date:  6/12/2012
Time:  11:10:31 AM
User:  N/A
Computer: LPS-MONITOR2
Description:
A RADIUS message was received from the invalid RADIUS client IP address 10.100.5.10.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

James_Levit
Occasional Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

Did you ever get this figured out?  I still think that if you try to login with the local account, it is not going to work while the radius server is accessible.

Pete W
Valued Contributor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

The secondary authentication method only comes into play if the primary method is unavailable/fails to respond/etc. For testing purposes, you could simulate this scenario with an ACL, or temporarily remove/modify the RADIUS client details in IAS.
boziah
Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

Below is the error I get from my RADIUS server, the IP for my router is 1076.0.1 and not 10.76.12.1 as displayed by the router. I have vlan 12 setup on my switch and scope for vlan 12 on my server. Any help will be greatly appreciated.

Thanks

Log Name:      System
Source:        NPS
Date:          11/21/2012 2:40:29 AM
Event ID:      13
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      moraa.rasugu.com
Description:
A RADIUS message was received from the invalid RADIUS client IP address 10.76.12.1.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NPS" />
    <EventID Qualifiers="49152">13</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-21T08:40:29.000000000Z" />
    <EventRecordID>4149</EventRecordID>
    <Channel>System</Channel>
    <Computer>moraa.rasugu.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>10.76.12.1</Data>
  </EventData>
</Event>

Jeff Carrell
Honored Contributor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

"Below is the error I get from my RADIUS server, the IP for my router is 1076.0.1 and not 10.76.12.1 as displayed by the router."   and   "A RADIUS message was received from the invalid RADIUS client IP address 10.76.12.1."

 

I expect you have the "radius client" defined as 10.76.0.1....but the RADIUS request is "sourced" from the 10.76.12.1 interface, hence the error message.

 

If you add the following statement, the RADIUS request will source from the 10.76.0.1 address, regardless of the connected interface:

 

    'ip sourceinterface radius 10.76.0.1'

 

----

 

A good source of info, the HP Networking and Cisco CLI Reference Guide. A free CLI ref of ProVision, Comware5, and Cisco in side-by-side comparison. Not all inclusive, but a lot of the "daily" config needs.  ....and it's free!

Also good if you have a single platform :-)

https://h30590.www3.hp.com/product/HP+Networking+and+Cisco+CLI+Reference+Guide-PDF-6997

-----

 

hth...Jeff
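
Added example, not part of any post in this thread: a short Python check that reads exported IAS/NPS Event XML records, pulls the source address out of each Event ID 13 ("invalid RADIUS client IP address"), and counts the addresses that match no entry in the list of RADIUS clients you believe is configured. The event records and the client list are constructed sample input; the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(provider, event_id, data):
    # Constructed record, reduced to the fields of the Event XML quoted above.
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f'<EventID Qualifiers="49152">{event_id}</EventID></System>'
            f'<EventData><Data>{data}</Data></EventData></Event>')

# Constructed sample input: two rejects for one switch, one for another,
# one unrelated event ID, and one Event ID 13 whose data is not an address.
SAMPLE_EVENTS = [
    _event("NPS", 13, "10.76.12.1"),
    _event("NPS", 13, "10.76.12.1"),
    _event("IAS", 13, "10.100.5.10"),
    _event("NPS", 4400, "10.76.12.1"),
    _event("NPS", 13, "not-an-address"),
]

def rejected_client_ip(event_xml):
    """Return the source IP of an IAS/NPS Event ID 13 record, else None."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    if provider is None or provider.get("Name") not in ("NPS", "IAS"):
        return None
    if root.findtext("e:System/e:EventID", namespaces=NS) != "13":
        return None
    data = root.findtext("e:EventData/e:Data", namespaces=NS)
    try:
        return ipaddress.ip_address(data.strip())
    except (AttributeError, ValueError):
        return None  # missing or malformed data field

def unknown_sources(events, configured_clients):
    """Count Event ID 13 source IPs that match no expected client entry."""
    nets = [ipaddress.ip_network(c, strict=False) for c in configured_clients]
    hits = Counter()
    for xml_text in events:
        ip = rejected_client_ip(xml_text)
        if ip is not None and not any(ip in n for n in nets):
            hits[str(ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    # The client is defined as 10.76.0.1, but requests arrive from 10.76.12.1.
    print(unknown_sources(SAMPLE_EVENTS, ["10.76.0.1"]))
```

An address that shows up here is one the switch is sourcing RADIUS requests from but that the server does not know as a client, which is the mismatch described in the post above.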

boziah
Advisor

Re: Radius configuration - E3800-48G-​PoE+ J9574A

Thanks for the response Jeff,
 but  ip sourceinterface radius 10.76.0.1 returns Invalid input: sourceinterface