Solved: Re: Aruba 2930F RADIUS authentication

lee2021 · ‎08-24-2021

I'm trying to get my switches to do RADIUS authentication, but whatever I try on the NPS (win server 2019)doesn't work. I keep getting the following on the event viewer:

Reason code 66

The User attempts to use an authentication method that is not enabled on the matching network policy.

I have tried multiple guides that I found but nothing seems to work.
I have unencrypted authentication [PAP, SPAP] ticked in the constraints authentication methods section.

Anyone has any guides that definitely work or any idea of why else I might be getting the above error?

On the switch, the radius servers are configured/added and enable/login are set to radius

Thanks

akg7 · ‎08-24-2021

Hello @lee2021 ,

It seems an issue with the policy.

Please share switch radius config and below commands output:

show authentication
show radius
show version
show log -r

Also check the server end policy settings?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

lee2021 · ‎08-25-2021

Hi akg7

Yes I think its something on ther server as well, but I can't figure out why. I tried every which way as advised on several different guides, but I still get the same error on the event viewer. Can't find any standard guides just for aruba however, so maybe there is something I'm missing. Is there something I can follow to try again?

Below are the results from the commands. (replaced the ips and user names)

----------------------------------

Status and Counters - Authentication Information

Authorized enabled as backup for secondary login are preceded by *

Login Attempts : 3

Lockout Delay : 0

Respect Privilege : Enabled

Bypass Username For Operator and Manager Access : Disabled

| Login Login Login

Access Task | Primary Server Group Secondary

-------------- + ----------- ------------ ----------

Console | Local None

Telnet | Local None

Port-Access | EapRadius radius None

Webui | Local None

SSH | Radius radius Local

Web-Auth | ChapRadius radius None

MAC-Auth | ChapRadius radius None

SNMP | Local None

Local-MAC-Auth | Local radius None

REST | Radius Local

| Enable Enable Enable

Access Task | Primary Server Group Secondary

-------------- + ----------- ------------ ----------

Console | Local None

Telnet | Local None

Webui | Local None

SSH | Radius radius Local

REST | Radius None

----------------

Status and Counters - General RADIUS Information

Dead RADIUS server are preceded by *

Deadtime (minutes) : 0 TLS Dead Time (minutes) : 0

Timeout (seconds) : 5 TLS Timeout (seconds) : 30

Retransmit Attempts : 3 TLS Connection Timeout (seconds) : 30

Global Encryption Key :

Dynamic Authorization UDP Port : 3799

Source IP Selection : Outgoing Interface

Source IPv6 Selection : Outgoing Interface

Tracking : Disabled

Request Packet Count : 3

Track Dead Servers Only : Disabled

Tracking Period (seconds) : 300

ClearPass Identity :

Auth Acct DM/ Time |

Server IP Addr Port Port CoA Window | Encryption Key OOBM

--------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----

1.1.1.1 1812 1813 No 300 | xxxxxxx No

-----------

Image stamp: /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)

Jun 7 2021 21:35:47

WC.16.10.0015

516

Boot Image: Primary

Boot ROM Version: WC.16.01.0008

Active Boot ROM: Primary

------------

W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User

'luser' is trying to login from 1.1.1.1

I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured

with the same method.Command authorization will be performed for all

SSH users.

W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured

with different methods. Command authorization may be skipped for

some SSH users.

W 08/24/21 13:07:11 04693 auth: Authentication and authorization are configured

with different methods. Command authorization may be skipped for

some SSH users.

W 08/24/21 13:07:04 04693 auth: Authentication and authorization are configured

with different methods. Command authorization may be skipped for

some SSH users.

W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from1.1.1.1

W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from 11.1.1.1

I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH session from

1.1.1.1

W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted

W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from 1.1.1.1

W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from 1.1.1.1

W 08/24/21 10:45:05 00419 auth: Invalid user name/password on SSH session User

'user is trying to login from 1.1.1.1

lee2021 · ‎08-25-2021

Hi akg7 (already posted this but the site didn't post it it seems).. so here goes again

I think it's a server side issue as well more than switch side. I followed this guide and similar others, but no luck
https://fixitdave.wordpress.com/2015/02/14/hp-procurve-with-radius-authentication-using-nps/
and
https://www.frenchnetworkengineer.fr/forum/aruba/aruba-switch-2930-2530-radius-authentication

If there's any better guides to follow about this that would help, I'd be grateful as couldn't really find anything specific

Switch Results:
------------------------------
Status and Counters - Authentication Information

Authorized enabled as backup for secondary login are preceded by *

Login Attempts : 3

Lockout Delay : 0

Respect Privilege : Enabled

Bypass Username For Operator and Manager Access : Disabled

| Login Login Login

Access Task | Primary Server Group Secondary

-------------- + ----------- ------------ ----------

Console | Local None

Telnet | Local None

Port-Access | EapRadius radius None

Webui | Local None

SSH | Radius radius Local

Web-Auth | ChapRadius radius None

MAC-Auth | ChapRadius radius None

SNMP | Local None

Local-MAC-Auth | Local radius None

REST | Radius Local

| Enable Enable Enable

Access Task | Primary Server Group Secondary

-------------- + ----------- ------------ ----------

Console | Local None

Telnet | Local None

Webui | Local None

SSH | Radius radius Local

REST | Radius None

-----------------------

show radius

Status and Counters - General RADIUS Information

Dead RADIUS server are preceded by *

Deadtime (minutes) : 0 TLS Dead Time (minutes) : 0

Timeout (seconds) : 5 TLS Timeout (seconds) : 30

Retransmit Attempts : 3 TLS Connection Timeout (seconds) : 30

Global Encryption Key :

Dynamic Authorization UDP Port : 3799

Source IP Selection : Outgoing Interface

Source IPv6 Selection : Outgoing Interface

Tracking : Disabled

Request Packet Count : 3

Track Dead Servers Only : Disabled

Tracking Period (seconds) : 300

ClearPass Identity :

Auth Acct DM/ Time |

Server IP Addr Port Port CoA Window | Encryption Key OOBM

--------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----

1.1.1.1 1812 1813 No 300 | xxxxxxxxx No

---------------------------------------

show version

Image stamp: /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)

Jun 7 2021 21:35:47

WC.16.10.0015

516

Boot Image: Primary

Boot ROM Version: WC.16.01.0008

Active Boot ROM: Primary

----------------------------------------

W 08/25/21 12:10:28 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from 1.1.1.1

W 08/25/21 12:03:37 00419 auth: Invalid user name/password on SSH session User

'user' is trying to login from 1.1.1.1

akg7 · ‎08-26-2021

Hello @lee2021 ,

Here switch is acting as Radius server or client?

From switch logs, it seems using different methods of authenticationa nd authorization.

W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured with different  methods. Command authorization may be skipped for some SSH users.

Can you check this and also config if Windows server and switch able to ping each other?

I am sharing link for switch for Radius configuration.

You can verify from switch if it is configured correctly in switch:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us

For server, let me search if find something.

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company

lee2021 · ‎08-26-2021

Hi, thanks for your reply

Switch would be the client. I can ping the radius server, and we also have 802.1x set up for wifi and switch ports which works fine with the radius.

I set it up as just radius to connect:
aaa authentication ssh login radius

And set the server to accept PAP. but no luck.

I will go through the link you sent as well to make sure all is setup correct, but everything should be ok switch wise

Thanks

lee2021 · ‎09-06-2021

So far no luck still. Is there any vendor specific information to add on the nps side?

Guides we found for other types of switches have vendo specific information added on the network policy

lee2021 · ‎09-08-2021

Just to advise that I managed to resolve it.

I think I was missing the following:

aaa authentication login privilege-mode

aaa authorization commands none

And had to set NAS Prompt instead of Adminstrative for the Operator role. Didn't need to use any vendor code it seems.

Thanks again