Problem logging into switch using RADIUS authentication
11-27-2007 08:20 AM
I manage the network for a school district with a number of sites. All the ProCurve switches are configured for RADIUS authentication, so when I SSH to a device it authenticates me with my network account. The RADIUS server is located at our central office, and most of the sites are on the other side of T1's routing through Cisco routers.
I have one small school that shares the same physical network as the central office. The school's core switch - a 5300 - is connected to our core via 1000Gbps fiber. For security reasons, I subnetted them off using a VLAN, so now that fiber link has effectively become a WAN link. Since I did that the RADIUS auth will not work on the school's core switch (but it works on all the edge switches beyond that switch).
When I watch the RADIUS log during an auth request from that switch, the request is recognized as coming from the IP address assigned to the WAN VLAN, not the LAN IP. So the auth is successful, but the info from RADIUS never gets back to the site core switch.
How can I tell that switch to identify itself with the LAN IP instead of the WAN IP?
I've attached a crude diagram showing the network layout.
11-27-2007 09:42 AM
Re: Problem logging into switch using RADIUS authentication
The command would be:
management-vlan (number of your LAN VLAN)
11-27-2007 10:00 AM
Re: Problem logging into switch using RADIUS authentication
12-10-2007 09:03 AM
Re: Problem logging into switch using RADIUS authentication
a few questions:
1) in the radius srvr, what ip addr did you define for the 'client' of the 'site 5300'?
2) in the 5400, are you running routing, and if so, what is the route for the 10.2.1.1 net?
3) on the site 5300, are you running routing and if so, what is the route to the 10.0.x.x/16 network? (to get to the radius srvr)
4) are you running any routing protocols between the routers (rip or ospf)?
5) can you provide a scrn shot of the radius log entry where it shows "ok"?
6) what radius srvr product are you using?
with more info, i may be able to provide a possible idea for solution...
hth...jeff carrell
12-10-2007 09:33 AM
Re: Problem logging into switch using RADIUS authentication
1. originally I'd defined the entire subnet range that the switches are using at that site (10.2.1.0/24 = RVHS_Devices). The RADIUS server was rejecting the queries though, because the switch wasn't reporting with an IP from 10.2.0.0. So I added a definition for the WAN IP (10.88.0.0/16 = WAN_CoreSwitches). This allowed me to connect, but the approval packet from RADIUS doesn't get back to the switch.
2. yes, using ospf with 'redistribute connected'.
3. Same as #2.
4. Same ospf config on both the 5300 and 5400.
router ospf
area backbone
redistribute connected
exit
5. Can't provide a screenshot, but here is the pertinent info from the radius log:
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
User-Name = "vbutler"
User-Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
NAS-IP-Address = 10.2.1.1
NAS-Identifier = "RVHS-5308-01"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
rlm_ldap: user vbutler authenticated successfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 61 to 10.88.2.2 port 1098
Service-Type = Administrative-User
Finished request 1
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
Sending duplicate reply to client WAN_CoreSwitches:1098 - ID: 61
Re-sending Access-Accept of id 61 to 10.88.2.2 port 1098
6. Using FreeRADIUS 1.1.0-19.6
* I've also attached the config from the site switch.
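As an added example (not part of the thread), a small Python parser that applies the two checks a defender would want on the FreeRADIUS log quoted above: the packet's source address differing from the NAS-IP-Address attribute, and a request retransmitted with the same ID after the server already answered it, which is the signature of replies that never reach the client. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample modelled on the FreeRADIUS 1.x output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
        User-Name = "vbutler"
        NAS-IP-Address = 10.2.1.1
        NAS-Identifier = "RVHS-5308-01"
Sending Access-Accept of id 61 to 10.88.2.2 port 1098
Finished request 1
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
Sending duplicate reply to client WAN_CoreSwitches:1098 - ID: 61
Re-sending Access-Accept of id 61 to 10.88.2.2 port 1098
"""

REQ_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
NAS_RE = re.compile(r"NAS-IP-Address = (\S+)")
REPLY_RE = re.compile(r"Sending Access-(?:Accept|Reject) of id (\d+) to (\S+) port (\d+)")


def analyze(log_text):
    """Return a list of findings found while scanning the log top to bottom."""
    findings = []
    current = None      # (source_ip, port, id) of the request being parsed
    answered = set()    # (source_ip, port, id) the server has already replied to
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = m.groups()
            if current in answered:
                # Same client, port and ID arriving again after a reply was sent:
                # the client never saw that reply (lost on the return path, or
                # discarded because its Response Authenticator did not verify).
                findings.append(("retransmit-after-reply",) + current)
            continue
        m = NAS_RE.search(line)
        if m and current and m.group(1) != current[0]:
            # The UDP source (what the server uses to pick the client entry and
            # send the reply) is not the address the NAS claims in the attribute.
            findings.append(("nas-ip-mismatch", current[0], m.group(1), current[2]))
            continue
        m = REPLY_RE.search(line)
        if m:
            ident, ip, port = m.groups()
            answered.add((ip, port, ident))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```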
12-10-2007 10:11 AM
Solution
are you using a radius 'shared secret' or 'password' between the switches and the radius srvr? if so, you are missing that in your switch config...
btw, if i were you i'd get that switch config off quick, a lot of good info is in there for bad guys :-)
i'm gonna look a bit more here...
12-10-2007 10:28 AM
Re: Problem logging into switch using RADIUS authentication
I can't see a way to remove the attachment from the forum. I wasn't really concerned when I posted it because it's not a publicly-accessible switch and none of the IPs listed on there are really secret, but if you know how I can get it removed I'll do that as a precaution.
12-10-2007 10:58 AM
Re: Problem logging into switch using RADIUS authentication
hmmm...the radius line on the switch should read:
radius-server host 10.0.5.20 key
from a CLI, if you do a 'show radius' it will display the radius config info and show the key there...
interestingly, when using MS/IAS (MS radius), a switch could have the wrong or no key, and the radius srvr doesn't care, it will pass, etc (just like you are getting) but when the switch gets the reply from radius it ignores that reply as it comes back encrypted "wrong"...i don't have 1st hand knowledge of freeradius, but this sounds kinda similar...
just for grins, you might try re-entering the radius config on the switch and on the radius srvr and see if things clear up...
i just found this forum a few weeks ago and don't know how it all works...
i'm down to pulling my hair on this....verrrryyy interesting...
cheers...jeff
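An added illustration of jeff's point about the key (example code, not from the thread, HP or FreeRADIUS): under RFC 2865 the server's reply carries a Response Authenticator, an MD5 over the reply header, the client's Request Authenticator, the attributes and the shared secret; the client recomputes it before trusting the reply, so an Access-Accept built with a secret that differs from the switch's is silently discarded, which looks exactly like "auth ok on the server, nothing on the switch". Secrets and attribute values below are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, HEADER.size + 16 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply whose authenticator is bound to `secret`."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + auth + attrs


def client_accepts(reply, request_auth, secret):
    """Client (switch) side: recompute the authenticator; on mismatch drop the reply."""
    code, ident, length = HEADER.unpack_from(reply)
    if length != len(reply):
        return False
    received = reply[4:20]
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(received, expected)


def demo():
    """Returns (accepted with matching secret, accepted with mismatched secret)."""
    request_auth = os.urandom(16)                       # chosen by the client per request
    attrs = attribute(6, struct.pack("!I", 6))          # Service-Type = Administrative-User
    reply = build_reply(ACCESS_ACCEPT, 61, attrs, request_auth, b"constructed-secret")
    same = client_accepts(reply, request_auth, b"constructed-secret")
    wrong = client_accepts(reply, request_auth, b"other-secret-on-switch")
    return same, wrong
```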
12-11-2007 08:36 AM
Re: Problem logging into switch using RADIUS authentication
I reapplied the radius key on the switch (it was there already though - I must have stripped it from the config before posting and forgot about it). After that didn't work, I was doing some poking and discovered that I can't ping the radius box from the switch. In fact, I can't ping ANYTHING from that switch across the link except for the remote switch (the 5400). Which is strange, because computers connected to the problem switch, and other switches on that LAN, can ping everything just fine.
What indicated this to me was when I connected to the problem switch via console, I noticed that the login prompt was giving a "Cannot connect to..." error before defaulting to a local login. I thought this was strange, because when I connect via SSH it actually sends to the radius box - the reply just never returns.
So at this point, I'm not sure if the problem is that the problem switch can't communicate with devices on the District Office LAN, or that the devices at the District Office can't find a path BACK to the problem switch. I'm thinking the latter, which would explain why pings fail and why radius auth partially succeeds via ssh.
Thoughts?
12-11-2007 08:59 AM
Re: Problem logging into switch using RADIUS authentication
1) if you run a 'sh ip route' on the 5300, what is the route to the 10.0.x.x/16 network? (to get to the radius srvr)
2) if you run a 'sh ip route' on the 5400, what is the route to 10.88.2.2?
everything going thru the 5300 having no problems means that normal routing is of course working on its side, now it's just figuring out why 10.88.2.2 is having problems....
you're close i think :-)
look at those route tables and see what (if anything) it takes to 'fix it'...
hth...jeff