HPE Community
Switches, Hubs, and Modems
1753378 Members
4938 Online
108792 Solutions
New Discussion

Odd RADIUS behavior

 
type-r180
Occasional Contributor

‎06-29-2012 06:54 AM - edited ‎06-29-2012 07:11 AM

‎06-29-2012 06:54 AM - edited ‎06-29-2012 07:11 AM

Odd RADIUS behavior

Hi all

 

I've configured a couple of switches for RADIUS use, and set up NPS on Windows Server 2008 R2. 

 

The first switch, a 3500-24, works flawlessly. The second one (5412zl) is slightly different.

 

If I enable local authentication as the secondary authentication method, via:

 

aaa authentication ssh login peap-mschapv2 local

 

Then I don't appear to be being authenticated properly via RADIUS. Here's what happens:

 

1) Switch prompts for username, I enter my domain username, which works for the other switch

2) I am then taken straight to operator mode ( > at each prompt) without being prompted for a password

3) I'll type enable, and the local password is required

 

If I then alter the config to this

 

aaa authentication ssh login peap-mschapv2 none

 

Then I am able to log into the switch with my AD credentials, just as it should do. However, I now no longer have a secondary means of authentication if the RADIUS server breaks.

 

Has anyone heard of this before? I am trying to avoid a firmware upgrade as this is a production switch. I just wonder if anyone can think of a reason for this happening, if I'm doing something wrong.

 

Cheers

0 Kudos
3 REPLIES 3
Pourl
Frequent Advisor

‎07-02-2012 01:57 AM

‎07-02-2012 01:57 AM

Re: Odd RADIUS behavior

Moin,

 

You should set the command:

 

aaa authentication ssh enable peap-mschapv2 local

 

the default enable ssh authentification is the local account...

 

btw u should inform yourself about this command:

 

aaa authentication login privilege-mode

 

if u send the right radius attributes, your user will automaticly login to ena-level.

0 Kudos
type-r180
Occasional Contributor

‎07-04-2012 01:00 AM

‎07-04-2012 01:00 AM

Re: Odd RADIUS behavior

Hi Pourl,

 

Thanks for your reply

 

I'm sorry I didn't show the rest of my config, I already have these set. My RADIUS related config is

 

radius-server host <ip> key <key>
radius-server timeout 1
radius-server retransmit 1

aaa authentication login privilege-mode
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local

 

I have this identical config on another switch that works perfectly as intended, and both switches are being authenticated against the same policy. 


I had to add radius-server timeout 1 and radius-server retransmit 1 as I was getting delays of between 8-12 seconds between the username and password prompt. I removed this config on the troublesome switch but it did not resolve the problem.


I'm stuck!

0 Kudos
Pourl
Frequent Advisor

‎07-04-2012 02:47 AM

‎07-04-2012 02:47 AM

Re: Odd RADIUS behavior

I haven't worked with the MS NPS, we use cisco ACS as AAA-Server.

There I would look for the log of auth, if there was a auth request. Perhaps the is a connection probleme.

Sometimes new devices (switches) I added to the aaa-client base, couldn't auth to acs. Then I had to restart the server/service and everything worked.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.