Comware Based
Showing results for 
Search instead for 
Did you mean: 

3Com 4500 fails Radius logins

Jose Raposo
Occasional Contributor

3Com 4500 fails Radius logins



I'm testing the Radius authentication on a 4500G switch and I need a little help here.

The Radius server is a Microsoft NPS, who already authenticates wifi access with wx1200 clients.
After enabled dot1x on the switch, the management login is authenticated on the Radius, so I created a user on AD.
When I login on the switch with that user, I have (on the Radius side) Connect Request:IAS_SUCCESS - the user is validated on AD.
However, on the switch side I have this:
2000 4500G %%10SHELL/4/LOGOUT(t): Trap<h3cLogOut>:netadmin logout from VTY
2000 4500G %%10SHELL/4/LOGINAUTHFAIL(t): Trap<h3cLogInAuthenFailure>:netadmin failed to login from VTY, reason is 2
2000 4500G %%10SHELL/4/LOGINFAIL(l): TELNET user netadmin failed to login from X.X.X.X on VTY1.


(part of) current config of the switch:
version 3Com OS V5.02.00s168p20,
dot1x authentication-method eap
radius scheme system
server-type extended
primary authentication 1645
primary accounting 1646
user-name-format without-domain
radius scheme my_domain
server-type extended
primary authentication A.B.C.D
primary accounting A.B.C.D
secondary authentication 1645
secondary accounting 1646
key authentication secret
key accounting secret
domain my_domain
authentication default radius-scheme my_domain
authorization default radius-scheme my_domain
accounting default radius-scheme my_domain
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
local-user admin
password simple XXX
authorization-attribute level 3
service-type telnet terminal
user-interface aux 0
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme

On the Radius side I have a network policy to grant access on the conditions:
Windows Group -> Group with the user
NAS Port Type -> Virtual(VPN)
Authentication Type -> EAP or PAP (actually...other than PAP gives a IAS_INVALID_AUTH_TYPE)
Authentication Methods->PEAP and PAP,SPAP
Radius Attributes-Standard-> Service Type=Administrative
Other settings are default.


What is missing to 4500G to accept the Radius IAS_SUCCESS and the user just validated ?