N4032 login authentication using RADIUS (Windows Server 2008R2)
I'm having trouble getting authentication working. All of our Cisco switches are working and these are our first Dell switches.
The OOB ports on the Dell switches are connected to a management network switch. That traffic is routed to our main site where we have a Windows server with the Network Protection Service role. After setting everything up I try to open an SSH session using PuTTY. I get an Access Denied error. On the NPS server I see an audit failure saying wrong username or password. Any suggestions?
I'm using the same policy that the Cisco switches are using.
DELL-Josh Cr
Moderator
January 18th, 2016 14:00
Hi,
How do you have authentication for the switch configured? What does the command “show authentication methods” return? What version of the firmware are you using?
Murisonc
January 18th, 2016 15:00
Note these are hand typed as the network is isolated from the Internet.
On the N4032:
aaa authentication login "RadAuth" radius
aaa authentication enable "RadEn" radius
radius-server source-ip 172.28.6.8
radius-server host auth 199.254.98.52
  auth-port 1645
  primary
  name "Default-RADIUS-Server"
  key "long key"
  exit
ip ssh server
line ssh
  login authentication RadAuth
  enable authentication RadEn
Output from show authentication methods:
Login Authentication Method Lists
---------------------------------
defaultList : none
networkList : local
RadAuth     : radius

Enable Authentication Method Lists
----------------------------------
enableList    : enable none
enableNetList : enable
RadEn         : radius

Line     Login Method List    Enable Method List
-------  -------------------  -------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      RadAuth              RadEn
Firmware version is: 6.2.7.2
DELL-Josh Cr
Moderator
January 18th, 2016 16:00
It looks like it is configured correctly to use SSH with RADIUS on the switch side. Did you use any guides, or what specific steps did you take when setting up NPS, so we can try to replicate it? Do you have the same issue when you remove the 'enable authentication RadEn' line from your line ssh config? Is the key you are using plain text or already encrypted?
Murisonc
January 18th, 2016 16:00
For the NPS side I used a guide that I created a few years back to get the Cisco switches to authenticate correctly rather than paying for an expensive TACACS appliance. murison.wordpress.com/.../cisco-radius-configuration-with-server-2008-r2
I'll have to test to see if we get all the same indicators when removing the enable auth RadEn line. I'll post the results in the morning. The key is plain text and just to simplify it I used a very basic 6 digit key.
Murisonc
January 20th, 2016 15:00
I was able to get login working with Radius but not the enable part. To get the login part working I removed the NAS Port Type restrictions on the NPS Policy. This is what I have and the error I'm getting.
aaa authentication login "RadAuth" radius
aaa authentication enable "RadEn" radius
radius-server source-ip 172.28.6.8
radius-server host auth 199.254.98.52
  name "Default-RADIUS-Server"
  key "long key"
  exit
ip ssh server
line ssh
  login authentication RadAuth
  enable authentication RadEn
  exit
On the NPS server policy I specify the following:
Setting: Cisco-AV-Pair
Value: Shell:priv-lvl=15
With that policy setting it automatically goes to enable on Cisco switches. But when I log in to the Dell switch I'm at the normal user prompt. I then type enable and it prompts for a password. I type in my user password and it fails. The error on the NPS server is as follows:
User:
Security ID: NULL SID
Account Name: $enab15$
- and more stuff that is irrelevant -
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The username being passed to the RADIUS server is incorrect when trying to enable. The username is correct for the login part.
So either I need a different setting on the NPS server policy to tell the switch to automatically go to enable or find a way for the switch to provide the correct user name when manually going to enable.
Murisonc
January 20th, 2016 16:00
I changed the RADIUS attribute being returned to Service-Type with a value of Administrative but that didn't automatically trigger enable mode.
Murisonc
January 20th, 2016 16:00
I finally figured it out. Here is the final configuration on the switch:
aaa authentication login "RadAuth" radius local
aaa authorization exec "RadEn" radius local
radius-server source-ip 172.28.6.8
radius-server host auth 199.254.98.52
  name "Default-RADIUS-Server"
  key "long key"
  exit
ip ssh server
line ssh
  login authentication RadAuth
  authorization exec RadEn
  exit
The NPS server policy is configured to respond with RADIUS attribute Service-Type value of Administrative.
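As an added illustration (this is not code from the thread, from Dell or from Microsoft), the Python below models the exchange the posts above describe: an RFC 2865 Access-Request from the switch carrying User-Name, a hidden User-Password and NAS-Port-Type=Virtual, and the server's signed Access-Accept or Access-Reject. A login as a real account is accepted with Service-Type=Administrative-User (value 6), which is the attribute the final config's `authorization exec RadEn` list acts on to land the session in privileged exec. An enable attempt under the old `enable authentication` list goes out under the reserved pseudo-user `$enab15$`, which matches no account and is rejected, reproducing the "credentials mismatch" event in the January 20th post. The accounts `josh`/`Summer2016` and `ops`/`readonly1`, the account table standing in for NPS/AD, and the mapping of Service-Type to exec level are constructed for the example; `long key` and 172.28.6.8 are the placeholders already used in the thread.

```python
"""Added example: toy RFC 2865 RADIUS exchange modelling the Dell N-series
-> NPS flow from the thread. Accounts and policy below are constructed;
this is not Dell or Microsoft code."""
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 4, 6, 61
LOGIN_USER, ADMINISTRATIVE_USER = 1, 6   # Service-Type values
NAS_PORT_TYPE_VIRTUAL = 5                # what an SSH/Telnet session reports

# Constructed account table standing in for the NPS/AD lookup.
# Value: (password, Service-Type to return on success)
USERS = {
    "josh": ("Summer2016", ADMINISTRATIVE_USER),  # lands in privileged exec
    "ops": ("readonly1", LOGIN_USER),             # lands in user exec
}


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_password(encrypted, secret, authenticator):
    """Inverse of encode_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encrypted[i:i + 16], mask))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One TLV attribute: Type(1) Length(1, header included) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def nas_access_request(ident, username, password, secret, nas_ip):
    """What the switch sends. Returns (packet, request_authenticator)."""
    ra = os.urandom(16)
    body = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, encode_password(password.encode(), secret, ra)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def server_handle(pkt, secret):
    """What the RADIUS server does: recover the password, look the user up,
    answer Accept (with Service-Type) or Reject, and sign the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _code, ident, length = struct.unpack("!BBH", pkt[:4])
    ra, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    reply_body = b""
    if user in USERS and USERS[user][0].encode() == password:
        code = ACCESS_ACCEPT
        reply_body = attr(SERVICE_TYPE, struct.pack("!I", USERS[user][1]))
    else:
        code = ACCESS_REJECT  # also what the '$enab15$' pseudo-user gets
    header = struct.pack("!BBH", code, ident, 20 + len(reply_body))
    resp_auth = hashlib.md5(header + ra + reply_body + secret).digest()
    return header + resp_auth + reply_body


def nas_verify_and_decide(resp, ra, secret):
    """What the switch does with the reply: check the Response Authenticator,
    then map Service-Type onto the exec level (the 'authorization exec' step)."""
    _code, _ident, length = struct.unpack("!BBH", resp[:4])
    header, resp_auth, body = resp[:4], resp[4:20], resp[20:length]
    if hashlib.md5(header + ra + body + secret).digest() != resp_auth:
        return "reject (bad response authenticator)"
    if resp[0] != ACCESS_ACCEPT:
        return "reject"
    svc = struct.unpack("!I", parse_attrs(body).get(SERVICE_TYPE, b"\0\0\0\1"))[0]
    return "privileged exec" if svc == ADMINISTRATIVE_USER else "user exec"


def run_exchange(username, password, secret=b"long key", nas_ip="172.28.6.8"):
    """Full round trip for one SSH login attempt."""
    req, ra = nas_access_request(7, username, password, secret, nas_ip)
    return nas_verify_and_decide(server_handle(req, secret), ra, secret)


if __name__ == "__main__":
    print("josh     ->", run_exchange("josh", "Summer2016"))      # privileged exec
    print("ops      ->", run_exchange("ops", "readonly1"))        # user exec
    print("$enab15$ ->", run_exchange("$enab15$", "Summer2016"))  # reject
```

Two things the toy leaves out that matter on a real NPS: the connection request and network policy conditions are evaluated before the credentials (which is why dropping the NAS-Port-Type condition changed the outcome in the January 20th post), and the Cisco-AV-Pair vendor-specific attribute is not modelled at all. The password hiding above is only as strong as the shared secret, so a six-digit key like the one used during troubleshooting should be replaced with a long random one once the exchange works; a wrong or weak secret shows up as the "bad response authenticator" path, not as a clear error.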