3Com 4500 fails Radius logins

Jose Raposo

Hi

 

I'm testing the Radius authentication on a 4500G switch and I need a little help here.

The Radius server is a Microsoft NPS, which already authenticates wifi access with wx1200 clients.
After enabling dot1x on the switch, the management login is authenticated on the Radius, so I created a user on AD.
When I log in on the switch with that user, I have (on the Radius side) Connect Request:IAS_SUCCESS - the user is validated on AD.
However, on the switch side I have this:
2000 4500G %%10SHELL/4/LOGOUT(t): Trap 1.3.6.1.4.1.43.45.1.10.2.2.1.1.3.0.2<h3cLogOut>:netadmin logout from VTY
2000 4500G %%10SHELL/4/LOGINAUTHFAIL(t): Trap 1.3.6.1.4.1.43.45.1.10.2.2.1.1.3.0.3<h3cLogInAuthenFailure>:netadmin failed to login from VTY, reason is 2
2000 4500G %%10SHELL/4/LOGINFAIL(l): TELNET user netadmin failed to login from X.X.X.X on VTY1.

 

(part of) current config of the switch:
----------------
version 3Com OS V5.02.00s168p20,
dot1x authentication-method eap
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
radius scheme my_domain
 server-type extended
 primary authentication A.B.C.D
 primary accounting A.B.C.D
 secondary authentication 127.0.0.1 1645
 secondary accounting 127.0.0.1 1646
 key authentication secret
 key accounting secret
domain my_domain
 authentication default radius-scheme my_domain
 authorization default radius-scheme my_domain
 accounting default radius-scheme my_domain
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
local-user admin
 password simple XXX
 authorization-attribute level 3
 service-type telnet terminal
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
----------------

On the Radius side I have a network policy to grant access on the conditions:
Windows Group -> Group with the user
NAS Port Type -> Virtual(VPN)
Authentication Type -> EAP or PAP (actually...other than PAP gives an IAS_INVALID_AUTH_TYPE)
Conditions:
Authentication Methods->PEAP and PAP,SPAP
Settings:
Radius Attributes-Standard-> Service Type=Administrative
Other settings are default.

 

What is missing for the 4500G to accept the Radius IAS_SUCCESS and the user just validated?

 

Thanks