06-29-2012 06:54 AM - edited 06-29-2012 07:11 AM
Odd RADIUS behavior
Hi all
I've configured a couple of switches for RADIUS use, and set up NPS on Windows Server 2008 R2.
The first switch, a 3500-24, works flawlessly. The second one (5412zl) is slightly different.
If I enable local authentication as the secondary authentication method, via:
aaa authentication ssh login peap-mschapv2 local
Then I don't appear to be being authenticated properly via RADIUS. Here's what happens:
1) Switch prompts for username, I enter my domain username, which works for the other switch
2) I am then taken straight to operator mode ( > at each prompt) without being prompted for a password
3) I'll type enable, and the local password is required
If I then alter the config to this
aaa authentication ssh login peap-mschapv2 none
Then I am able to log into the switch with my AD credentials, just as it should do. However, I now no longer have a secondary means of authentication if the RADIUS server breaks.
Has anyone heard of this before? I am trying to avoid a firmware upgrade as this is a production switch. I just wonder if anyone can think of a reason for this happening, if I'm doing something wrong.
Cheers
07-02-2012 01:57 AM
Re: Odd RADIUS behavior
Hello,
You should set the command:
aaa authentication ssh enable peap-mschapv2 local
The default enable ssh authentication is the local account...
By the way, you should inform yourself about this command:
aaa authentication login privilege-mode
If you send the right RADIUS attributes, your user will automatically log in to ena-level.
07-04-2012 01:00 AM
Re: Odd RADIUS behavior
Hi Pourl,
Thanks for your reply
I'm sorry I didn't show the rest of my config, I already have these set. My RADIUS related config is
radius-server host <ip> key <key>
radius-server timeout 1
radius-server retransmit 1
aaa authentication login privilege-mode
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
I have this identical config on another switch that works perfectly as intended, and both switches are being authenticated against the same policy.
I had to add radius-server timeout 1 and radius-server retransmit 1 as I was getting delays of between 8-12 seconds between the username and password prompt. I removed this config on the troublesome switch but it did not resolve the problem.
I'm stuck!
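Added example, not part of the thread and not HP's code: a small Python check that parses the `aaa authentication` lines quoted above and reports, per access method and level, whether a `local` secondary method is present, which is the fallback the original poster wants to keep. The function names and the `WORKAROUND` sample are hypothetical; the `<ip>` and `<key>` placeholders are the poster's own.

```python
import re

# Constructed sample: the RADIUS-related lines quoted in the post above,
# keeping the poster's <ip> and <key> placeholders.
WORKING = """\
radius-server host <ip> key <key>
aaa authentication login privilege-mode
aaa authentication ssh login peap-mschapv2 local
aaa authentication ssh enable peap-mschapv2 local
"""
# Constructed variant: the poster's workaround, with no ssh enable line.
WORKAROUND = """\
radius-server host <ip> key <key>
aaa authentication ssh login peap-mschapv2 none
"""

AAA_LINE = re.compile(
    r"^aaa authentication (\S+) (login|enable) (\S+)(?:\s+(\S+))?\s*$")

def parse_aaa(config):
    """Map (access, level) -> (primary, secondary); secondary is None if omitted."""
    methods = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            access, level, primary, secondary = m.groups()
            methods[(access, level)] = (primary, secondary)
    return methods

def audit_fallback(config, access="ssh"):
    """Return findings about missing local fallback (hypothetical helper)."""
    methods = parse_aaa(config)
    findings = []
    for level in ("login", "enable"):
        if (access, level) not in methods:
            findings.append(f"{access} {level}: no explicit line, default applies")
            continue
        primary, secondary = methods[(access, level)]
        if primary != "local" and secondary != "local":
            findings.append(
                f"{access} {level}: {primary} then {secondary or 'nothing listed'},"
                " no local fallback")
    return findings

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("workaround", WORKAROUND)):
        print(name, audit_fallback(cfg) or "local fallback on login and enable")
```

Running the same check against the saved configs of both switches is a quick way to confirm they really carry the same AAA lines before looking at firmware or the RADIUS server.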
07-04-2012 02:47 AM
Re: Odd RADIUS behavior
I haven't worked with the MS NPS; we use Cisco ACS as AAA server.
There I would look in the auth log to see if there was an auth request. Perhaps there is a connection problem.
Sometimes new devices (switches) I added to the AAA client base couldn't auth to ACS. Then I had to restart the server/service and everything worked.