Radius Problem: Dell N1524P, Software 6.7.1.9.

Question

We are having an issue with Radius usage for both dot1x, and User Authentication.  We have one radius server that handles logging into the switch directly, this performs 2 Factor authentication as given to us by the security team.  The second radius server we want to set up for dot1x.  We are experiencing a problem with whatever type of radius call is used first completely stops the other radius call from taking place. For example, immediately after a switch reboot, if we try to ssh into the switch first, that call works, but dot1x will fail: RADIUS: Server Entry is Null or Could not allocate Radius PacketLink Up: Gi1/0/1 However, if after a switch reboot, we first use dot1x, then ssh authentication will fail: server Entry is Null or Could not allocate Radius PacketradiusRequestInfoProcess: Radius server not selected. Request Type: 1 Requestor: 21, USER_MGRSSH session : Login to the switch is not successful, User ID: Source IP: Local port: 22 I have tried changing the order of the radius servers in the configuration, removing and re-adding them, and constantly trying different switch firmware.  The only solution is reload to the switch in order to get it to do what is needed at that moment. aaa authentication login 'defaultList' localaaa authentication login 'radius_local' radius localip http authentication radius localip https authentication radius localauthentication enableauthentication dynamic-vlan enabledot1x system-auth-controlaaa authentication dot1x default radiusaaa authorization network default radiusradius server auth name 'server1' usage authmgr key 7 exit radius server auth name 'server2' usage login key 7 exit line ssh login authentication radius_local exit Test port: show running-config interface gi1/0/1 storm-control broadcast action trapstorm-control multicast action trapspanning-tree portfastspanning-tree guard rootswitchport mode generalauthentication host-mode single-hostauthentication event fail action authorize vlan 5authentication event no-response action authorize vlan 5authentication timer reauthenticate 600dot1x timeout quiet-period 10dot1x timeout tx-period 10authentication order dot1xauthentication priority dot1xswitchport port-security

DELL-Chris H · Answer

Coobal,

I am researching the issue, but wanted to confirm a couple things with you.

Was this working on a previous version, or is this a new configuration?

If you review this article, where these steps performed?

Lastly, would you confirm if you have anything seperating the Radius servers, as that would be required.

coobal · Answer

Hello Chris,

A similar article is what I followed initially for switch management. We have that working with MS 2fa authentication on about 30 Dell N1500 switches across my company. We want to add dot1x as well, using another a second radius server. I can confirm that it doesn't work with 6.6.0.2 (what is on the majority of the switches, as well as the last three iterations of the released software. looking through the release notes on 6.7.1.9, i see that this is still an unresolved issue since 6.5.3.6:

Patch Release 6.5.3.6
Description/Summary
Radius server not selected based on usage type, when Radius servers are configured with different group names

User Impact
When using one radius server with type 802.1x and another with type login, authentication occasionally fails.
This is a legacy issue from previous builds.

Workaround

None.
To be fixed in a future release.

DELL-Chris H · Answer

Coobal,   I apologize for that oversight, I wasn't personally aware of it. If you like you can private message me the svc tag and I can see about pushing this up.    Let me know.

coobal · Answer

Thank you, Chris.  I have sent the private message to you.

DELL-Chris H · Answer

Coobal,    I have submitted it, I will let you know what I find as soon as possible.    Thank you.

DELL-Chris H · Answer

Coobal,

I apologize, I contacted you via private message a few days ago requesting some logs and other details. Would you look for the message and let me know if you got it, and if you can upload the requested details?

Thank you.

coobal · Answer

Good morning, Chris, Have you heard anything back from Dell regarding this? Thank you.

coobal · Answer

Hi Chris, I found your message in my junk folder - i'll get the logs to you.

BenjiShi · Answer

Hi Coobal,

i received feedback from Tech Support - there is an issue with the "name" line in the radius configuration which causes this problem.

If you remove "name" from all radius server contexts it starts working as expected:

radius server auth
~~name "server1"~~
usage authmgr
key 7
exit
radius server auth
~~name "server2"~~
usage login
key 7
exit
line ssh
login authentication radius_local
exit

Benjamin

coobal · Answer

Good morning, BenjiShi,

I tested your changes - it worked, until the switch reloaded. I found out just removing the name (with a "no name" with a copy run start didn't save between reboots. The name would return once the reload completed. I tested this scenario twice since long power outages are not unheard of here. I had to remove all radius servers from the config and re-add them without the name option.

BenjiShi · Answer

Hi Coobal,

i will try to verify that behaviour. When i look at the running config after using "no name" it shows as:

radius server auth xx.xx.xx.xx
name "Default-RADIUS-Server"
timeout 20
attribute 6 mandatory
usage login

We deploy aaa settings via ansible and overwriting the name with name "Default-RADIUS-Server" manually also seems to work, even after reboot. So no need to use no name. Would you mind to confirm this?

I'm testing an a N1524 with Firmware Version N1500v6.7.1.9.

coobal · Answer

If i get a chance later today, i'll test this out.

Simlinc · Answer

How are people finding this.I have had the same issue and have just updated to 6.7.1.20, which lists it as fixed yet I still seem to get dot1x going to the wrong server, even after reboot/ and name changes.If I list the servers the currently selected server is that used with our MFA and our dot1x fails.

Networking General

Was this post helpful?