Last reply by 04-14-2022 Unsolved

[N20XX] RADIUS Server usage login does not work

Hello,

we are already using dot1x and want to add management access by SSH to the switches based on RADIUS authentication. As you can see in the configuration below, I want to use a different RADIUS Server for the login authentication than for dot1x.

I defined usages in the radius-server settings, but for some weird reason the switch still connects to 10.0.1.1 instead of 10.0.2.1.

What am I missing here?

aaa authentication login "networkList" local line
aaa authentication login "rad" radius local
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius

radius-server host auth 10.0.1.1
name "DOT1X_RADIUS"
usage 802.1x
key "KEYKEYKEYKEY"
exit
radius-server host auth 10.0.2.1
name "ADMIN_LOGIN_RADIUS"
usage login
key "KEYKEYKEYKEY"
exit

line console
exec-timeout 480
login authentication networkList
password PASSWORD
exit
line ssh
exec-timeout 480
login authentication rad
exit

Best regards

Replies (16)

Hi,

What version of the firmware are you on? There have been a few fixes for Radius in different firmware revisions. What happens if you switch the order of the commands?


Thanks,

DELL-Josh Cr
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell

Did I answer your query? Please click on ‘Accept as Solution’. ‘Kudo’ the posts you like!


Hello Josh,

we are currently using: 

6.2.7.6

I looked up the release notes of the last recent firmware version but I could not find any topic regarding the radius server usage field or something like that.

What do you mean by "switch the order of the commands"?

Which commands and which order? :)


The radius server hosts, so that 10.0.2.1 is the one they try to access first.


Thanks,

DELL-Josh Cr
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell



In my understanding, the switch should be able to query both radius servers, one for dot1x, the other one for login. Am I wrong here?

What purpose does the "usage" command have in the radius-server context?

The switch itself says:

switch(config-auth-radius)#usage ?

  • 802.1x Select dot1x to have dot1x access authenticated against Radius.
  • all Select all to have both switch access and dot1x access authenticated against Radius.
  • login Select login to have switch access authenticated against Radius.

Since it is in the context of a specific host, it does not look global for all radius-servers to me.


It should be able to, which is why I was wondering whether, if it queried the other one first, it would only access that one, or whether it is still skipping that one and only using 1.1. The other thing we could do is use Wireshark to monitor the port and see if it is querying both.


Thanks,

DELL-Josh Cr
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell



I will try the swapped order on Monday.

What I can say by now is, that upgrading the firmware to the last recent one does not solve the issue.

I tried it.

Edit: The sniffing is a good idea, I can perform it on the firewall (router) in between the networks.


I performed some sniffing and also changing the configuration order of both radius-servers.

According to the sniffing result, only one radius-server will be contacted by the switch.

  • If 1.1 is the first radius-server in the config, all requests (802.1x + login) are going here.
  • If 2.1 is the first radius-server in the config, all requests (802.1x + login) are going here.

But I noticed an odd behaviour: when I remove only one radius server from the config and add it again afterwards to change the order in the config file, for 1.1 the order did not change.

Edit:

After upgrading to 6.3.11 the following changed: regardless of which order the radius-servers have, the one with the usage 802.1x is queried for everything. No packet is going to the login one anymore.

Edit 2:

Please note: I don't know if that is important, but the IPs (1.1 / 1.2) are fake IPs here. In fact the one with the usage 802.1x has the higher one.

Edit 3:

I noticed, if I remove one of the servers from the config and request something using radius (dot1x / login) the remaining radius-server will be queried. If I add the removed one afterwards, the switch will still use the server, which was queried before.

My idea here is, that in 6.3.1.11 the switch remembers, which radius-server has been contacted recently.

Also sadly, the "usage" is not interpreted by the switch in the way it should be. To be more specific, it will be ignored.
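To check the capture from the steps above programmatically rather than by eye, here is an added Python example (not from this thread or from Dell) that parses RADIUS Access-Requests, classifies each as dot1x or management login, and reports any request that went to a server other than the one the usage split intends. The classification heuristic (NAS-Port-Type Ethernet vs. Virtual), the attribute values and the sample packets are assumptions constructed for the demo.

```python
import struct
from collections import Counter

# Intended split from the thread's config: usage -> server that should get it
EXPECTED = {"802.1x": "10.0.1.1", "login": "10.0.2.1"}
ACCESS_REQUEST = 1                           # RADIUS code, RFC 2865
USER_NAME, NAS_PORT_TYPE = 1, 61             # attribute types, RFC 2865
PORT_VIRTUAL, PORT_ETHERNET = 5, 15          # NAS-Port-Type values

def parse_attrs(payload):
    """RFC 2865 TLVs: type(1) length(1, includes header) value."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        t, n = payload[i], payload[i + 1]
        if n < 2 or i + n > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(t, []).append(payload[i + 2:i + n])
        i += n
    return attrs

def classify(pkt):
    """Assumed heuristic: NAS-Port-Type Ethernet -> '802.1x', Virtual (SSH) -> 'login'."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length > len(pkt):
        return None
    attrs = parse_attrs(pkt[20:length])
    port = struct.unpack("!I", attrs[NAS_PORT_TYPE][0])[0] if NAS_PORT_TYPE in attrs else None
    return {PORT_ETHERNET: "802.1x", PORT_VIRTUAL: "login"}.get(port)

def audit(flows):
    """(dst_ip, pkt) pairs -> (Counter of (kind, dst), misrouted (ident, kind, dst, expected))."""
    counts, mismatches = Counter(), []
    for dst, pkt in flows:
        kind = classify(pkt)
        if kind is not None:
            counts[(kind, dst)] += 1
            if EXPECTED[kind] != dst:
                mismatches.append((pkt[1], kind, dst, EXPECTED[kind]))
    return counts, mismatches

def build_request(ident, attrs):
    """Constructs sample packets for the demo; authenticator is zeroed (not checked here)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body

# Constructed capture: a dot1x request and an SSH login request, both sent to 10.0.1.1 as the sniffing showed
SAMPLE = [("10.0.1.1", build_request(1, [(USER_NAME, b"host/pc01"), (NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET))])),
          ("10.0.1.1", build_request(2, [(USER_NAME, b"admin"), (NAS_PORT_TYPE, struct.pack("!I", PORT_VIRTUAL))]))]
```

On a real capture, feed `audit` the (destination IP, UDP payload) pairs of packets to port 1812 instead of `SAMPLE`.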


Very old issue but I have the same issue with a N22xx system (running 6.6.3.14).

Did someone actually resolve the issue?


Hello,


In order to provide assistance, I'd need to know what troubleshooting steps you've taken so far. I'd also recommend updating the firmware to current. If you're looking to see if someone in the community has corrected this issue in their circumstances, we can certainly wait for a community response, as well.

#Iwork4Dell