March 2nd, 2017 04:00

[N20XX] RADIUS Server usage login does not work

Hello,

we are already using dot1x and want to add management access by SSH to the switches based on RADIUS authentication. As you can see in the configuration below, I want to use a different RADIUS Server for the login authentication than for dot1x.

I defined usages in the radius-server settings, but for some weird reason the switch still connects to 10.0.1.1 instead of 10.0.2.1.

What am I missing here?

aaa authentication login "networkList" local line
aaa authentication login "rad" radius local
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius

radius-server host auth 10.0.1.1
name "DOT1X_RADIUS"
usage 802.1x
key "KEYKEYKEYKEY"
exit
radius-server host auth 10.0.2.1
name "ADMIN_LOGIN_RADIUS"
usage login
key "KEYKEYKEYKEY"
exit

line console
exec-timeout 480
login authentication networkList
password PASSWORD
exit
line ssh
exec-timeout 480
login authentication rad
exit

Best regards

Moderator


8.5K Posts

March 2nd, 2017 15:00

Hi,

What version of the firmware are you on? There have been a few fixes for Radius in different firmware revisions. What happens if you switch the order of the commands?

5 Posts

March 3rd, 2017 02:00

Hello Josh,

we are currently using: 6.2.7.6

I looked up the release notes of the last recent firmware version but I could not find any topic regarding the radius server usage field or something like that.

What do you mean by "switch the order of the commands"?

Which commands and which order? :)

Moderator


8.5K Posts

March 3rd, 2017 08:00

The radius server hosts, so that 10.0.2.1 is the one they try to access first.

5 Posts

March 3rd, 2017 08:00

In my understanding, the switch should be able to query both radius servers, one for dot1x, the other one for login. Am I wrong here?

What purpose does the "usage" command have in the radius-server context?

The switch itself says:

switch(config-auth-radius)#usage ?

  • 802.1x Select dot1x to have dot1x access authenticated against Radius.
  • all Select all to have both switch access and dot1x access authenticated against Radius.
  • login Select login to have switch access authenticated against Radius.

Since it is in the context of a specific host, it does not look global for all radius-servers to me.

Moderator


8.5K Posts

March 3rd, 2017 09:00

It should be able to, which is why I was wondering: if it queried the other one first, would it only access that one, or is it still skipping that one and only using 1.1? The other thing we could do is use Wireshark to monitor the port and see if it is querying both.

5 Posts

March 3rd, 2017 11:00

I will try the swapped order on Monday.

What I can say for now is that upgrading the firmware to the latest one does not solve the issue.

I tried it.

Edit: The sniffing is a good idea, I can perform it on the firewall (router) in between the networks.

5 Posts

March 6th, 2017 07:00

I performed some sniffing and also changing the configuration order of both radius-servers.

According to the sniffing result, only one radius-server will be contacted by the switch.

  • If 1.1 is the first radius-server in the config, all requests (802.1x + login) are going here.
  • If 2.1 is the first radius-server in the config, all requests (802.1x + login) are going here.

But I noticed an odd behaviour: when I remove only one radius server from the config and add it afterwards to change the order in the config file, for 1.1 it did not change the order.

Edit:

After upgrading to 6.3.11 the following changed: regardless of which order the radius-servers have, the one with the usage 802.1x is queried for everything. No packet is going to the login one anymore.

Edit 2:

Please note: I don't know if that is important, but the IPs (1.1 / 1.2) are fake IPs here. In fact the one with the usage 802.1x has the higher one.

Edit 3:

I noticed, if I remove one of the servers from the config and request something using radius (dot1x / login) the remaining radius-server will be queried. If I add the removed one afterwards, the switch will still use the server, which was queried before.

My idea here is that in 6.3.1.11 the switch remembers which radius-server has been contacted recently.

Also sadly, the "usage" is not interpreted by the switch in the way it should be. To be more specific, it will be ignored.
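The verification step described above (capturing RADIUS traffic and checking which server actually receives the 802.1x versus the login requests) can be automated once the capture is exported. The following is an added example, not code from the original poster or from Dell: it parses RFC 2865 Access-Request packets, classifies each one as 802.1x (EAP-Message attribute present) or login (Service-Type = Login), and reports requests that went to a server other than the one the "usage" setting should have selected. The packets and the expected mapping below are constructed to reproduce the observation in this thread; the classification heuristic is an assumption that holds for typical switch behaviour, not a Dell-documented rule.

```python
import struct
from collections import defaultdict

# RADIUS constants from RFC 2865 / RFC 3579
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_EAP_MESSAGE = 79
SERVICE_TYPE_LOGIN = 1


def build_access_request(ident, attrs):
    """Build an Access-Request: 20-byte header plus TLV attributes.
    The 16-byte Request Authenticator is constructed filler here; it does
    not affect classification."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + b"\x00" * 16 + body


def parse_radius(payload):
    """Return (code, identifier, {attr_type: [values]}); raise on malformed input."""
    if len(payload) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs = defaultdict(list)
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype].append(payload[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def classify(attrs):
    """Assumed heuristic: 802.1x requests carry EAP-Message; management
    logins carry Service-Type = Login(1)."""
    if ATTR_EAP_MESSAGE in attrs:
        return "802.1x"
    for v in attrs.get(ATTR_SERVICE_TYPE, []):
        if len(v) == 4 and struct.unpack("!I", v)[0] == SERVICE_TYPE_LOGIN:
            return "login"
    return "other"


def audit(packets, expected):
    """packets: iterable of (dst_ip, udp_payload) taken from a capture.
    expected: {usage: dst_ip} as configured on the switch.
    Returns (counts, misrouted): counts[dst][usage] -> number of requests,
    misrouted -> list of (usage, actual_dst, expected_dst)."""
    counts = defaultdict(lambda: defaultdict(int))
    misrouted = []
    for dst, payload in packets:
        code, _ident, attrs = parse_radius(payload)
        if code != ACCESS_REQUEST:
            continue
        usage = classify(attrs)
        counts[dst][usage] += 1
        if usage in expected and expected[usage] != dst:
            misrouted.append((usage, dst, expected[usage]))
    return counts, misrouted


# Constructed sample capture: two 802.1x requests and one admin login, all
# sent to the 802.1x server, which is the behaviour reported in the thread.
SAMPLE_PACKETS = [
    ("10.0.1.1", build_access_request(1, [
        (ATTR_USER_NAME, b"host/pc1"),
        (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0d\x01host/pc1")])),  # EAP Response/Identity
    ("10.0.1.1", build_access_request(2, [
        (ATTR_USER_NAME, b"admin"),
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))])),
    ("10.0.1.1", build_access_request(3, [
        (ATTR_USER_NAME, b"host/pc2"),
        (ATTR_EAP_MESSAGE, b"\x02\x03\x00\x0d\x01host/pc2")])),
]
# Mapping that the "usage" lines in the thread's configuration should produce.
EXPECTED = {"802.1x": "10.0.1.1", "login": "10.0.2.1"}


def main():
    counts, misrouted = audit(SAMPLE_PACKETS, EXPECTED)
    for dst, per_usage in counts.items():
        print(dst, dict(per_usage))
    for usage, dst, want in misrouted:
        print(f"MISROUTED: {usage} request went to {dst}, expected {want}")


if __name__ == "__main__":
    main()
```

With a real capture, the (dst_ip, payload) pairs would come from the UDP/1812 packets exported from Wireshark or tcpdump; any login request counted under the 802.1x server's address confirms that the switch is ignoring the per-host "usage" setting.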

September 30th, 2021 04:00

Very old issue but I have the same issue with a N22xx system (running 6.6.3.14).

Did someone actually resolve the issue?

2.9K Posts

September 30th, 2021 13:00

Hello,


In order to provide assistance, I'd need to know what troubleshooting steps you've taken so far. I'd also recommend updating the firmware to current. If you're looking to see if someone in the community has corrected this issue in their circumstances, we can certainly wait for a community response, as well.

6 Posts

April 12th, 2022 09:00

I'm having the exact same issue on N2000 and N1500 even with the latest firmware 6.7.1.9. I thought it was me being stupid but I was able to verify using pcap.

I need different radius servers for shell access vs MAB


Benjamin 

6 Posts

April 12th, 2022 13:00

Hi Chris,

thanks for getting back to us. Radius Authentication for shell access in general works like specified in the doc you sent (been using this a long time). The issue only arises if multiple radius servers, as mentioned earlier in this thread, exist in the switch configuration.

example:

radius server auth server1 1.1.1.1
usage login
exit
radius server auth server2 2.2.2.2
usage authmgr

Both radius servers serve different purposes (one for mab, one for login as admin). Having only 1 server in the configuration also works with the corresponding "usage" specified.

This is a new setup as we are adding mab to our network environment.

Thanks

Benjamin


edit: I just realised there's someone with the exact same problem here https://www.dell.com/community/Networking-General/Radius-Problem-Dell-N1524P-Software-6-7-1-9/m-p/8182015#M103664

Moderator


8.4K Posts

April 12th, 2022 13:00

BenjiShi,


I am researching the issue, but wanted to confirm a couple things with you. 


Was this working on a previous version, or is this a new configuration?

If you review this article, were these steps performed?


Let me know.


Moderator


3K Posts

April 12th, 2022 21:00

Hi @BenjiShi,


So when you say having only 1 RADIUS server in the configuration, it works? Just to confirm my understanding: if you use only Login usage, it works. If you use only Authenticate Manager, it works. But having both doesn't. When you have both configured, are both of the servers pingable from the switch?


When you said you had the same issue, the switch still connects to 1.1.1.1 instead of 2.2.2.2?

6 Posts

April 12th, 2022 22:00

Hi Joey, 

thanks for getting back. 

I have verified the behaviour mentioned in this post this morning: https://www.dell.com/community/Networking-General/Radius-Problem-Dell-N1524P-Software-6-7-1-9/m-p/81...

I also get the error: RADIUS: Server Entry is Null or Could not allocate Radius Packet

Both RADIUS Servers are pingable from the switch, to answer your question.

Moderator


3K Posts

April 13th, 2022 01:00

Hi @BenjiShi,


I noticed the link in the previous post, just wanted to know about your issue in detail, since some configurations might not be the same in terms of IP and steps.


It may need a deeper dive into the switch logs to find out what the issue is. But before that, I'll check with Chris if he has any further ideas. If he doesn't have any, you may need to contact support to analyze the full configuration details. Be right back.
