32 Posts
0
1597
Dell N2048P / RADIUS CoA: DAC not found. Packet discarded.
Hi All,
I'm facing an issue where my radius server is sending a CoA packet to my Dell N2048P switch, but my radius server responds with 'No response from network device'. Once I debug the switch with command 'debug aaa coa' I get the following logs when sending a CoA:
../../../../src/application/base/das/das.c dasRequestProcess:1091 Process of request index = 0
../../../../src/application/base/das/das.c dasRequestProcess:1124 DAC not found. Packet discarded.
I checked the connectivity between the switch and radius server, the server can be reached from the switch. Next to that, the configuration of the aaa radius server seems normal:
RADIUS server name............................. CLEARPASS-RADIUS-VIP2
Current Server IP Address......................
Number of retransmits.......................... 3
Timeout duration............................... 15
Deadtime....................................... 0
RADIUS server auth-port........................ 1812
CoA port....................................... 3799
Source IP......................................
RADIUS accounting mode......................... Enable
Secret configured.............................. Yes
Message authenticator.......................... Enable
CoA Bounce-Host-Port........................... Accept
CoA Disable-Host-Port.......................... Accept
Number of CoA requests received................ 183
Number of CoA ACK responses sent............... 75
Number of CoA NAK responses sent............... 6
Number of CoA requests ignored................. 102
Number of CoA missing/unsupported attr reqs.... 0
Number of CoA session context not found reqs... 6
Number of CoA invalid attribute value reqs..... 0
Number of administratively prohibited reqs..... 0
Radius server VSA authentication:.............. Disable
RADIUS Attribute 6 Mode........................ Enable
RADIUS Attribute 8 Mode........................ Disable
RADIUS Attribute 168 Mode...................... Disable
RADIUS Attribute 25 Mode....................... Enable
RADIUS Attribute 30 MAC Format Value........... unformatted upper-case
RADIUS Attribute 31 MAC Format Value........... unformatted upper-case
RADIUS Attribute 32 MAC Format Value........... unformatted upper-case
RADIUS Attribute 32 Mode....................... Enable
RADIUS Attribute 32 format..................... %m
RADIUS Attribute 44 Mode....................... Disable
Server State................................... Up
Server Immortal State.......................... False
Test User......................................
Idle Time...................................... 60
Type........................................... Secondary
Number of Dead servers in Named Server Group... 0
Running on firmware:
Machine Description............... Dell EMC Networking Switch
System Model ID................... N2048P
Machine Type...................... Dell EMC Networking N2048P
Serial Number..................... <-->
Manufacturer...................... <-->
Burned In MAC Address............. <-->
System Object ID.................. <-->
SOC Version....................... <-->
HW Version........................ 5
CPLD Version...................... 20
Image File........................ N2000Stdv6.6.3.10
Software Capability............... Stack Limit = 8, VLAN Limit = 4093
unit active backup current-active next-active
---- ----------- ----------- -------------- --------------
1 6.6.3.10 6.6.3.8 6.6.3.10 6.6.3.10
Why is my switch not responding to the CoA packets it receives?
lk2819
32 Posts
0
April 13th, 2022 02:00
Hi All,
We've upgraded the firmware to 6.7.1.9 and the issue seems to be solved. Thanks for the help.
DELL-Chris H
Moderator
Moderator
•
8.6K Posts
0
March 21st, 2022 11:00
Would you do me a favor and confirm a couple things for me?
Is the radius server directly connected to this switch, and if so are they are on the same VLAN?
Is the the time on both the switch and the radius server the same?
Lastly, is the switch up to date on firmware, as some radius features were added in the most recent release and you may want to update the firmware, if you haven't already.
Let me know.
lk2819
32 Posts
0
March 22nd, 2022 09:00
Thanks for your reply Chris,
>>Is the radius server directly connected to this switch, and if so are they are on the same VLAN?
Yes, the radius server (ClearPass) and this switch are on the same VLAN. There is no firewall or ACLs in between the two network devices, and the connection is working (can ping).
>>Is the the time on both the switch and the radius server the same?
Yes, just verified and both the switch and all ClearPass virtual appliances have the same timestamp / date.
>>Lastly, is the switch up to date on firmware, as some radius features were added in the most recent release and you may want to update the firmware, if you haven't already.
I've got two more Dell N2048P switches on the same firmware version, with identical configuration working just fine when I try a CoA using ClearPass. I don't think a firmware upgrade will help resolve this issue to be honest..
What more options do I have? Are there any more debugging commando's to get more information back from the switch when trying a CoA?
DELL-Chris H
Moderator
Moderator
•
8.6K Posts
0
March 22nd, 2022 13:00
Lk2819,
I would suggest you try port mirroring and wireshark to see if it shows anything, since you have two working switches, it may be that it is a hardware issue.
Let me know what you see.
Marrisg
6 Posts
0
March 23rd, 2022 06:00
Could you please double-check a couple items for me? Is this switch connected to the radius server directly, and if so, are they on the same VLAN? Is the transition and the radius server separated in time? Is the switch's software up to date, as well? If you haven't already, you should upgrade the firmware because some radius features were added in the most recent release. Please let me know.
Marrisg
6 Posts
0
March 25th, 2022 07:00
Is the switch's software also up to date? If you haven't already, you need upgrade the firmware because the most current release has several radius features. Please notify me.
lk2819
32 Posts
0
March 27th, 2022 23:00
Based on the answers, I guess the only fix is to try and update the firmware to the latest version. I will plan to do so, but since we are in a production environment it can take some time.
The latest firmware for our switch as of now is: 'Dell EMC Networking N2000 Series Firmware Version 6.7.1.9', right?
DELL-Joey C
Moderator
Moderator
•
3.2K Posts
0
March 28th, 2022 01:00
Hi @lk2819,
Yes, 6.7.1.9 is the latest firmware. https://dell.to/3NvIxN4
Is the RADIUS server configured to send a Service-Type of "Framed-User"? Try running the command: radius-server attribute 6 nonmandatory
lk2819
32 Posts
0
March 28th, 2022 03:00
My global configuration is as following:
aaa accounting dot1x default start-stop radius
aaa accounting update newinfo
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
aaa server radius dynamic-author
client server-key 7 " "
auth-type any
exit
radius server attribute 4
radius server attribute 6 on-for-login-auth
radius server source-ip
radius server key 7 " "
radius server auth
primary
name "CLEARPASS-RADIUS-VIP1"
usage authmgr
exit
radius server auth
name "CLEARPASS-RADIUS-VIP2"
usage authmgr
exit
radius server acct
name "CLEARPASS-RADIUS-VIP1"
exit
!
Please note that this exact same global configuration is fully functioning on another N2048P switch running on the same firmware version: 6.6.3.10.
DELL-Erman O
Moderator
Moderator
•
2.3K Posts
0
March 28th, 2022 04:00
Hi, thanks for the detailed information, it seems like you need to check if it will be fixed after taking downtime and updating FW.
Kr-johnson
6 Posts
0
April 1st, 2022 18:00
I'd appreciate it if you could double-check a few things for me. Is this switch connected to the radius server directly, and do they share a VLAN? Is there a difference in time between the switchover and the radius server? Is the software on the switch up to date as well? You should upgrade the firmware if you haven't previously done so because the most recent release has numerous radius enhancements. Please let me know. If your issue has not been resolved, please contact support or Go to Google and type in your issue. Perhaps you'll come upon a related website. Thanks,