Problem logging into switch using RADIUS authentication

 
SOLVED
Vince Butler
Advisor

OK, I might get a little wordy here but I'm trying to give all the pertinent info. Bear with me :-)

I manage the network for a school district with a number of sites. All the ProCurve switches are configured for RADIUS authentication, so when I SSH to a device it authenticates me with my network account. The RADIUS server is located at our central office, and most of the sites are on the other side of T1's routing through Cisco routers.

I have one small school that shares the same physical network as the central office. The school's core switch - a 5300 - is connected to our core via 1000Gbps fiber. For security reasons, I subnetted them off using a VLAN, so now that fiber link has effectively become a WAN link. Since I did that the RADIUS auth will not work on the school's core switch (but it works on all the edge switches beyond that switch).

When I watch the RADIUS log during an auth request from that switch, the request is recognized as coming from the IP address assigned to the WAN VLAN, not the LAN IP. So the auth is successful, but the info from RADIUS never gets back to the site core switch.

How can I tell that switch to identify itself with the LAN IP instead of the WAN IP?

I've attached a crude diagram showing the network layout.
lrosales
Advisor

Re: Problem logging into switch using RADIUS authentication

This is just a thought, I'm sure others will correct me if I'm off. I think you have to set the management vlan ID to match that of your lan instead of the WAN VLAN as it is now.

The command would be:

management-vlan (number of your LAN VLAN)
Vince Butler
Advisor

Re: Problem logging into switch using RADIUS authentication

I'll double check (have to console into the switch next time I'm over there) but I don't think I have a management VLAN set. I thought the management VLAN was one that is only used for management of the switch, and can't be routed to any other VLAN.
Jeff Carrell
Honored Contributor

Re: Problem logging into switch using RADIUS authentication

i don't remember seeing a way to source a radius request from a specific ip addr, so this may have to be solved via route definitions...

a few questions:

1) in the radius srvr, what ip addr did you define for the 'client' of the 'site 5300'?

2) in the 5400, are you running routing, and if so, what is the route for the 10.2.1.1 net?

3) on the site 5300, are you running routing and if so, what is the route to the 10.0.x.x/16 network? (to get to the radius srvr)

4) are you running any routing protocols between the routers (rip or ospf)?

5) can you provide a scrn shot of the radius log entry where it shows "ok"?

6) what radius srvr product are you using?

with more info, i may be able to provide a possible idea for solution...

hth...jeff carrell
Vince Butler
Advisor

Re: Problem logging into switch using RADIUS authentication

Good timing Jeff, I was just looking into this problem this morning. Here are the answers to your questions:

1. originally I'd defined the entire subnet range that the switches are using at that site (10.2.1.0/24 = RVHS_Devices). The RADIUS server was rejecting the queries though, because the switch wasn't reporting with an IP from 10.2.0.0. So I added a definition for the WAN IP (10.88.0.0/16 = WAN_CoreSwitches). This allowed me to connect, but the approval packet from RADIUS doesn't get back to the switch.

2. yes, using ospf with 'redistribute connected'.

3. Same as #2.

4. Same ospf config on both the 5300 and 5400.
router ospf
area backbone
redistribute connected
exit

5. Can't provide a screenshot, but here is the pertinent info from the radius log:
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
User-Name = "vbutler"
User=Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
NAS-IP-Address = 10.2.1.1
NAS-Identifier = "RVHS-5308-01"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User

rlm_ldap: user vbutler authenticated successfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 61 to 10.88.2.2 port 1098
Service-Type = Administrative-User
Finished request 1

rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
Sending duplicate reply to client WAN_CoreSwitches:1098 - ID: 61
Re-sending Access-Accept of id 61 to 10.88.2.2 port 1098

6. Using FreeRADIUS 1.1.0-19.6

* I've also attached the config from the site switch.
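The log excerpt above shows the two symptoms side by side: the Access-Request arrives from 10.88.2.2 while the switch reports NAS-IP-Address 10.2.1.1, and the switch then retransmits the same id 61 after the server has already answered. The following script is an added example (not code from this thread or from FreeRADIUS) that parses FreeRADIUS 1.x-style log lines and flags both conditions; the sample log is constructed to mirror the excerpt, and the attribute and message formats are assumed to match what is quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes assumed from the FreeRADIUS 1.x excerpt quoted in the thread.
RECV_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
ATTR_RE = re.compile(r"^\s*([\w-]+) = (.+)$")
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")

# Constructed sample modelled on the thread's log (not a verbatim copy).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
\tUser-Name = "vbutler"
\tUser-Password = "xxxxxxxxxxxxxxxxxxxxxxxx"
\tNAS-IP-Address = 10.2.1.1
\tNAS-Identifier = "RVHS-5308-01"
\tService-Type = NAS-Prompt-User
rlm_ldap: user vbutler authenticated successfully
Sending Access-Accept of id 61 to 10.88.2.2 port 1098
\tService-Type = Administrative-User
Finished request 1
rad_recv: Access-Request packet from host 10.88.2.2:1098, id=61, length=79
Sending duplicate reply to client WAN_CoreSwitches:1098 - ID: 61
Re-sending Access-Accept of id 61 to 10.88.2.2 port 1098
"""

# Constructed healthy exchange: source address matches NAS-IP-Address, no retransmit.
HEALTHY_LOG = """\
rad_recv: Access-Request packet from host 10.2.1.1:1099, id=7, length=79
\tUser-Name = "vbutler"
\tNAS-IP-Address = 10.2.1.1
Sending Access-Accept of id 7 to 10.2.1.1 port 1099
Finished request 2
"""


@dataclass
class Request:
    src_host: str            # UDP source of the packet; this is where the reply goes
    src_port: int
    pkt_id: int
    attrs: Dict[str, str] = field(default_factory=dict)   # request attributes only
    reply: Optional[str] = None                           # e.g. "Access-Accept"
    retransmits: int = 0     # same (host, port, id) received again after a reply


def parse_log(text: str) -> List[Request]:
    """Group log lines into one Request per (source host, port, id)."""
    seen: Dict[Tuple[str, int, int], Request] = {}
    order: List[Request] = []
    current: Optional[Request] = None
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)), int(m.group(3)))
            req = seen.get(key)
            if req is None:
                req = Request(*key)
                seen[key] = req
                order.append(req)
            else:
                req.retransmits += 1   # client asked again: it never accepted our reply
            current = req
            continue
        m = SEND_RE.search(line)
        if m:
            if current is not None and current.reply is None:
                current.reply = m.group(1)
            current = None          # attributes after this line belong to the reply
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(2).strip('"')
    return order


def analyze(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, packet id, explanation) findings for the two failure signs."""
    findings: List[Tuple[str, int, str]] = []
    for req in parse_log(text):
        nas_ip = req.attrs.get("NAS-IP-Address")
        if nas_ip and nas_ip != req.src_host:
            findings.append(("source-mismatch", req.pkt_id,
                f"request arrived from {req.src_host} but carries NAS-IP-Address {nas_ip}; "
                f"the client entry and the reply's return path are judged on {req.src_host}"))
        if req.retransmits and req.reply:
            findings.append(("reply-not-delivered", req.pkt_id,
                f"{req.reply} sent to {req.src_host}:{req.src_port} but the client retransmitted "
                f"{req.retransmits} time(s): check the return route and the shared secret"))
    return findings


if __name__ == "__main__":
    for kind, pkt_id, why in analyze(SAMPLE_LOG):
        print(f"[{kind}] id={pkt_id}: {why}")
    print("healthy sample findings:", analyze(HEALTHY_LOG))
```

A server-side reply is always sent to the UDP source of the request, so the mismatch finding points at exactly the WAN-side address that needs a working return route; the retransmit finding is the server's view of "the approval packet doesn't get back to the switch".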
Jeff Carrell
Honored Contributor
Solution

Re: Problem logging into switch using RADIUS authentication

well, it all looks good, of course that doesn't help you...

are you using a radius 'shared secret' or 'password' between the switches and the radius srvr? if so, you are missing that in your switch config...

btw, if i were you i'd get that switch config off quick, a lot of good info is in there for bad guys :-)

i'm gonna look a bit more here...
Vince Butler
Advisor

Re: Problem logging into switch using RADIUS authentication

Thanks Jeff. There is a shared secret which is input during configuration but doesn't display in the config (that must be correct because the RADIUS server is not rejecting the switch outright).

I can't see a way to remove the attachment from the forum. I wasn't really concerned when I posted it because it's not a publicly-accessible switch and none of the IP's listed on there are really secret, but if you know how I can get it removed I'll do that as a precaution.
Jeff Carrell
Honored Contributor

Re: Problem logging into switch using RADIUS authentication

thanx vince...

hmmm...the radius line on the switch should read:

radius-server host 10.0.5.20 key


from a CLI, if you do a 'show radius' it will display the radius config info and show the key there...

interestingly, when using MS/IAS (MS radius), a switch could have the wrong or no key, and the radius srvr doesn't care, it will pass, etc (just like you are getting) but when the switch gets the reply from radius it ignores that reply as it comes back encrypted "wrong"...i don't have first-hand knowledge of FreeRADIUS, but this sounds kinda similar...

just for grins, you might try re-entering the radius config on the switch and on the radius srvr and see if things clear up...


i just found this forum a few weeks ago and don't know how it all works...


i'm down to pulling my hair on this....verrrryyy interesting...

cheers...jeff
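The "reply comes back encrypted wrong and the switch ignores it" behaviour Jeff describes comes from the RADIUS Response Authenticator (RFC 2865): the server computes MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) over the Access-Accept, and the NAS recomputes it with its own copy of the shared secret and silently discards any reply that does not match. The following is an added example, not code from the thread, FreeRADIUS or ProCurve, that builds such a reply and shows the NAS-side check passing with the right secret and failing with a wrong one; the packet id 61 and the Service-Type value follow the log quoted earlier, and the secrets are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # the reply attribute seen in the thread's log


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type byte, length byte (covers the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_reply(code: int, pkt_id: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: header + Response Authenticator + attributes (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with the NAS's own secret.

    A mismatch is not reported to the server; the NAS just drops the reply,
    which from the server's log looks like a successful login that is never used.
    """
    if len(packet) < 20:
        return False
    _code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def simulate_login(server_secret: bytes, nas_secret: bytes) -> str:
    """Outcome at the NAS for one Access-Request / Access-Accept exchange."""
    request_auth = os.urandom(16)   # the NAS chose this random value in its request
    attrs = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER))
    reply = build_reply(ACCESS_ACCEPT, 61, request_auth, attrs, server_secret)
    if reply_is_authentic(reply, request_auth, nas_secret):
        return "accepted"
    return "dropped"   # NAS falls back to retransmitting and finally to local login


if __name__ == "__main__":
    # Constructed placeholder secrets; a real deployment uses a long random shared secret.
    print("matching secrets:", simulate_login(b"s3cret-placeholder", b"s3cret-placeholder"))
    print("mismatched secrets:", simulate_login(b"s3cret-placeholder", b"typo-placeholder"))
```

Because the check is entirely on the NAS, a wrong or re-typed secret and a missing return route look identical in the server log: an Access-Accept is sent, then the same request id arrives again. Pinging the server from the switch, as the thread goes on to do, is what separates the two.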
Vince Butler
Advisor

Re: Problem logging into switch using RADIUS authentication

OK. I'm confused.

I reapplied the radius key on the switch (it was there already though - I must have stripped it from the config before posting and forgot about it). After that didn't work, I was doing some poking and discovered that I can't ping the radius box from the switch. In fact, I can't ping ANYTHING from that switch across the link except for the remote switch (the 5400). Which is strange, because computers connected to the problem switch, and other switches on that LAN, can ping everything just fine.

What indicated this to me was when I connected to the problem switch via console, I noticed that the login prompt was giving a "Cannot connect to..." error before defaulting to a local login. I thought this was strange, because when I connect via SSH it actually sends to the radius box - the reply just never returns.

So at this point, I'm not sure if the problem is that the problem switch can't communicate with devices on the District Office LAN, or that the devices at the District Office can't find a path BACK to the problem switch. I'm thinking the latter, which would explain why pings fail and why radius auth partially succeeds via ssh.

Thoughts?
Jeff Carrell
Honored Contributor

Re: Problem logging into switch using RADIUS authentication

more hmmm...i had thought that perhaps it was routing related.....

1) if you run a 'sh ip route' on the 5300, what is the route to the 10.0.x.x/16 network? (to get to the radius srvr)

2) if you run a 'sh ip route' on the 5400, what is the route to 10.88.2.2?

everything going thru the 5300 having no problems means that normal routing is of course working on its side, now it's just figuring out why 10.88.2.2 is having problems....


you're close i think :-)

look at those route tables and see what (if anything) it takes to 'fix it'...

hth...jeff