Unsolved

8 Posts

April 12th, 2022 06:00

Radius Problem: Dell N1524P, Software 6.7.1.9.

We are having an issue with Radius usage for both dot1x and User Authentication. We have one radius server that handles logging into the switch directly; this performs 2 Factor authentication as given to us by the security team. The second radius server we want to set up for dot1x. We are experiencing a problem where whatever type of radius call is used first completely stops the other radius call from taking place.

For example, immediately after a switch reboot, if we try to ssh into the switch first, that call works, but dot1x will fail:

RADIUS: Server Entry is Null or Could not allocate Radius Packet
Link Up: Gi1/0/1

However, if after a switch reboot, we first use dot1x, then ssh authentication will fail:

server Entry is Null or Could not allocate Radius Packet
radiusRequestInfoProcess: Radius server not selected. Request Type: 1 Requestor: 21, USER_MGR
SSH session : Login to the switch is not successful, User ID: Source IP:

Local port: 22

I have tried changing the order of the radius servers in the configuration, removing and re-adding them, and constantly trying different switch firmware. The only solution is to reload the switch in order to get it to do what is needed at that moment.

aaa authentication login "defaultList" local
aaa authentication login "radius_local" radius local
ip http authentication radius local
ip https authentication radius local
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server auth
name "server1"
usage authmgr
key 7
exit
radius server auth
name "server2"
usage login
key 7
exit
line ssh
login authentication radius_local
exit

Test port:

show running-config interface gi1/0/1

storm-control broadcast action trap
storm-control multicast action trap
spanning-tree portfast
spanning-tree guard root
switchport mode general
authentication host-mode single-host
authentication event fail action authorize vlan 5
authentication event no-response action authorize vlan 5
authentication timer reauthenticate 600
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
authentication order dot1x
authentication priority dot1x
switchport port-security

Moderator

8.4K Posts

April 12th, 2022 13:00

Coobal,

 

I am researching the issue, but wanted to confirm a couple things with you. 

 

Was this working on a previous version, or is this a new configuration?

If you review this article, were these steps performed?

Lastly, would you confirm if you have anything separating the Radius servers, as that would be required.


 

8 Posts

April 13th, 2022 04:00

Hello Chris,

A similar article is what I followed initially for switch management. We have that working with MS 2fa authentication on about 30 Dell N1500 switches across my company. We want to add dot1x as well, using a second radius server. I can confirm that it doesn't work with 6.6.0.2 (what is on the majority of the switches), as well as the last three iterations of the released software. Looking through the release notes on 6.7.1.9, I see that this is still an unresolved issue since 6.5.3.6:

Patch Release 6.5.3.6
Description/Summary
Radius server not selected based on usage type, when Radius servers are configured with different group names

User Impact
When using one radius server with type 802.1x and another with type login, authentication occasionally fails.
This is a legacy issue from previous builds.

Workaround

None.
To be fixed in a future release.

Moderator

8.4K Posts

April 13th, 2022 06:00

Coobal,

 

I apologize for that oversight, I wasn't personally aware of it. If you like you can private message me the svc tag and I can see about pushing this up. 

 

Let me know.

 

 

8 Posts

April 13th, 2022 09:00

Thank you, Chris.  I have sent the private message to you.

Moderator

8.4K Posts

April 13th, 2022 10:00

Coobal, 

 

I have submitted it, I will let you know what I find as soon as possible. 

 

Thank you. 

 

Moderator

8.4K Posts

April 19th, 2022 06:00

Coobal, 

 

I apologize, I contacted you via private message a few days ago requesting some logs and other details. Would you look for the message and let me know if you got it, and if you can upload the requested details?

 

Thank you.

8 Posts

April 19th, 2022 06:00

Good morning, Chris,

Have you heard anything back from Dell regarding this?

Thank you.

8 Posts

April 19th, 2022 10:00

Hi Chris,

I found your message in my junk folder - I'll get the logs to you.

6 Posts

April 20th, 2022 03:00

Hi Coobal, 

I received feedback from Tech Support - there is an issue with the "name" line in the radius configuration which causes this problem.

If you remove "name" from all radius server contexts it starts working as expected:

radius server auth
name "server1"
usage authmgr
key 7
exit
radius server auth
name "server2"
usage login
key 7
exit
line ssh
login authentication radius_local
exit

 

 

Benjamin

8 Posts

April 20th, 2022 05:00

Good morning, BenjiShi,

I tested your changes - it worked, until the switch reloaded. I found out just removing the name (with a "no name" with a copy run start) didn't save between reboots. The name would return once the reload completed. I tested this scenario twice since long power outages are not unheard of here. I had to remove all radius servers from the config and re-add them without the name option.

 

 

6 Posts

April 20th, 2022 06:00

Hi Coobal, 

I will try to verify that behaviour. When I look at the running config after using "no name" it shows as:

radius server auth xx.xx.xx.xx
name "Default-RADIUS-Server"
timeout 20
attribute 6 mandatory
usage login

We deploy aaa settings via Ansible, and overwriting the name with name "Default-RADIUS-Server" manually also seems to work, even after reboot. So no need to use no name. Would you mind confirming this?

I'm testing on an N1524 with Firmware Version N1500v6.7.1.9.
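
A pre-deployment check for the condition discussed in this thread (RADIUS servers split by usage type while carrying different names), as an added example that is not code from the thread or from Dell. It assumes the `radius server auth` block syntax shown in the posts, treats a block with no `name` line as carrying "Default-RADIUS-Server", and uses constructed sample configs with documentation addresses; the function names are hypothetical.

```python
import re

# Name the thread reports in the running-config after "no name".
DEFAULT_NAME = "Default-RADIUS-Server"

def parse_radius_servers(config_text):
    """Return a dict (host, name, usage) per 'radius server auth' block."""
    servers, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        start = re.match(r"radius server auth(?:\s+(\S+))?$", line)
        if start:
            # Assumption: a block with no "name" line carries the default name.
            current = {"host": start.group(1), "name": DEFAULT_NAME, "usage": None}
            servers.append(current)
        elif current is not None:
            if line == "exit":
                current = None
            elif (m := re.match(r'name\s+"([^"]*)"$', line)):
                current["name"] = m.group(1)
            elif (m := re.match(r"usage\s+(\S+)$", line)):
                current["usage"] = m.group(1)
    return servers

def audit(config_text):
    """List custom-named servers when usage types are split across servers."""
    servers = parse_radius_servers(config_text)
    split_usage = len({s["usage"] for s in servers}) > 1
    mixed_names = len({s["name"] for s in servers}) > 1
    if not (split_usage and mixed_names):
        return []
    return [(s["host"], s["name"], s["usage"])
            for s in servers if s["name"] != DEFAULT_NAME]

# Constructed sample configs; 192.0.2.x are documentation addresses.
AFFECTED = """
radius server auth 192.0.2.10
name "server1"
usage authmgr
exit
radius server auth 192.0.2.20
name "server2"
usage login
exit
line ssh
login authentication radius_local
exit
"""
WORKAROUND = re.sub(r'name "[^"]*"', f'name "{DEFAULT_NAME}"', AFFECTED)

if __name__ == "__main__":
    for host, name, usage in audit(AFFECTED):
        print(f"{host}: name {name!r}, usage {usage}: recreate with the default name")
```

Run it against the output of `show running-config` before pushing AAA changes; an empty result means every server uses the default name or all servers share one usage type.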

 

8 Posts

April 20th, 2022 07:00

If I get a chance later today, I'll test this out.

17 Posts

March 15th, 2023 02:00

How are people finding this?
I have had the same issue and have just updated to 6.7.1.20, which lists it as fixed, yet I still seem to get dot1x going to the wrong server, even after reboot and name changes.
If I list the servers, the currently selected server is that used with our MFA and our dot1x fails.
