Unsolved

8 Posts

October 14th, 2019 11:00

N3048P Radius LDAP SSH login configuration

I have spent three 8-hour days trying to get an N3048P on a RADIUS login over SSH (no telnet).
I've used the following guides and have not made any progress:
https://www.dell.com/support/article/us/en/04/how10768/how-to-configure-radius-or-tacacs-authentication-for-switch-management-on-n-series-switches?lang=en

https://gbe0.com/networking/dell/switch-radius-authentication

Here are my config setups. Please note, the switch I'm working on is a spare switch. Subnet 172.19.3.X is a subnet that's currently in use by production. The network settings on it are just so I can have a workstation reach the switch via SSH/Telnet. I've been doing the configuration through the console. The 172.19.3.2 (test switch) can ping the Radius server. I've tried the following configurations:

Config 1
en
conf
interface vlan 1
ip address 172.19.3.2 255.255.255.0
exit
ip default-gateway 172.19.3.1
exit
conf
username admin password FakePassword privilege 15
radius server timeout 3
radius server attribute 8 include-in-access-req
radius server key
radius server attribute 31 mac format ietf lower-case
radius server auth 172.20.1.27
primary
name "RadiusServerName"
exit
aaa authentication login "networkList" local radius
aaa authentication enable "enableNetList" none
aaa authorization exec "Exec_Auth_List" local radius
ip https authentication local radius

Config 2

en
conf
interface vlan 1
ip address 172.19.3.2 255.255.255.0
exit
ip default-gateway 172.19.3.1
exit
conf
username admin password FakePassword privilege 15
radius server timeout 3
radius server attribute 8 include-in-access-req
radius server key
radius server attribute 31 mac format ietf lower-case
radius server auth 172.20.1.27
primary
name "RadiusServerName"
exit
aaa authentication login "networkList" local radius
aaa authentication enable "enableNetList" none
aaa authorization exec "Exec_Auth_List" local radius
ip https authentication local radius

Config 3
en
conf
interface vlan 1
ip address 172.19.3.2 255.255.255.0
exit
ip default-gateway 172.19.3.1
exit
conf
username admin password FakePassword privilege 15
exit
conf
crypto key generate rsa
y
crypto key generate dsa
y
ip ssh server
no ip http server
ip http secure-server
aaa authentication login "defaultList" radius local
aaa authentication enable "enableList" radius enable
aaa authorization exec "dfltExecAuthList" radius local
radius server auth 172.20.1.27
primary
name "RadiusServerName"
key FakeKey
exit
line ssh
enable authentication default
login authentication default



I've tried using the following username formats:
Username
domain\username
username@domain.com

Moderator

9.4K Posts

October 15th, 2019 08:00

Hi,

Are you able to connect to ssh without radius? Does radius work with other connection methods? Is the switch firmware up to date? What error are you getting?

8 Posts

October 15th, 2019 11:00

"Are you able to connect to ssh without radius?"
Yes, I can log in via SSH without using radius.

"Does radius work with other connection methods?"
If I understand what you're asking, yes. We use the Radius server for other methods of connection.

"Is the switch firmware up to date?"
Yes, the switch is on the latest 6.5.x.x firmware.

"What error are you getting?"
I am prompted with a username screen, I enter the username, then the password, and am then prompted with the username section again.

console#show authentication methods

Login Authentication Method Lists
---------------------------------
defaultList : none
networkList : local
Radius : radius local

Enable Authentication Method Lists
----------------------------------
enableList : enable none
enableNetList : enable
RadEn : radius

Line    Login Method List Enable Method List
------- ----------------- ------------------
Console defaultList       enableList
Telnet  Radius            enableList
SSH     networkList       enableList

HTTPS :local
HTTP :local
DOT1X :

console#show radius statistics

RADIUS server name............................. Default-RADIUS-Server
Server Host Address............................ 172.20.1.27
Round Trip Time................................ 0.00
Access Requests................................ 8
Access Retransmissions......................... 3
Access Accepts................................. 0
Access Rejects................................. 0
Access Challenges.............................. 0
Malformed Access Responses..................... 0
Bad Authenticators............................. 0
Pending Requests............................... 0
Timeouts....................................... 11
Unknown Types.................................. 0
Packets Dropped................................ 0

console#show aaa servers

IP address       Type  Port  TimeOut Retran. DeadTime Source IP     Prio. Usage
---------------- ----- ----- ------- ------- -------- ------------- ----- ------
172.20.1.27      Auth  1812  Global  Global  Global   Global        0     all

Global values
--------------------------------------------
Number of Configured Authentication Servers.... 1
Number of Configured Accounting Servers........ 0
Number of Named Authentication Server Groups... 1
Number of Named Accounting Server Groups....... 0
Number of retransmits.......................... 3
Timeout duration............................... 15
Deadtime....................................... 0
Source IP...................................... 0.0.0.0
Source Interface............................... Default
RADIUS accounting mode......................... Enable
RADIUS Attribute 4 Mode........................ Disable
RADIUS Attribute 4 Value....................... 0.0.0.0
RADIUS Attribute 6 Mode........................ Disable
RADIUS Attribute 8 Mode........................ Disable
RADIUS Attribute 168 Mode...................... Disable
RADIUS Attribute 25 Mode....................... Enable

 

 

Machine Description............... Dell EMC Networking Switch
System Model ID................... N3048P
Machine Type...................... Dell EMC Networking N3048P
Serial Number.....................
Manufacturer...................... 0xbc00
Burned In MAC Address............. 
System Object ID.................. 
SOC Version....................... BCM56340_A0
HW Version........................ 5
CPLD Version...................... 20
Image File........................ N3000AdvLitev6.5.4.4
Software Capability............... Stack Limit = 8, VLAN Limit = 1024

unit active      backup      current-active next-active
---- ----------- ----------- -------------- --------------
1    6.5.4.4     6.5.3.4     6.5.4.4        6.5.4.4

Moderator

9.4K Posts

October 15th, 2019 12:00


@TheUsD wrote:

Line    Login Method List Enable Method List
------- ----------------- ------------------
Console defaultList       enableList
Telnet  Radius            enableList
SSH     networkList       enableList



It looks like SSH is using networkList, but networkList isn't set to use radius.

@TheUsD wrote:

console#show authentication methods

Login Authentication Method Lists
---------------------------------
defaultList : none
networkList : local
Radius : radius local

 

8 Posts

October 16th, 2019 06:00

Could you please provide the correct CLI command to fix that? I tried the following:
aaa authentication enable networkList Radius

but the networkList is still showing local
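
The moderator's reading of the `show authentication methods` output, written as a check that can be run over a saved capture. This is an added example, not part of the thread or Dell's tooling; the function names are hypothetical and the parser assumes the whitespace-separated layout shown in the posts.

```python
# Excerpt of the `show authentication methods` output posted in the thread.
SAMPLE = """\
Login Authentication Method Lists
---------------------------------
defaultList : none
networkList : local
Radius : radius local

Enable Authentication Method Lists
----------------------------------
enableList : enable none
enableNetList : enable
RadEn : radius

Line Login Method List Enable Method List
------- ----------------- ------------------
Console defaultList enableList
Telnet Radius enableList
SSH networkList enableList
"""

def parse_auth_methods(text):
    """Return (login_lists, enable_lists, line_bindings) parsed from the output."""
    login, enable, lines, section = {}, {}, {}, None
    for row in map(str.strip, text.splitlines()):
        if not row or set(row) <= set("- "):
            continue  # skip blank lines and dashed rulers
        if row.startswith("Login Authentication"):
            section = login
        elif row.startswith("Enable Authentication"):
            section = enable
        elif row.startswith("Line "):
            section = lines
        elif section is lines:
            parts = row.split()
            if len(parts) == 3:  # e.g. "SSH networkList enableList"
                lines[parts[0]] = (parts[1], parts[2])
        elif section is not None and ":" in row:
            name, _, methods = row.partition(":")
            section[name.strip()] = methods.lower().split()
    return login, enable, lines

def lines_without_radius(text, watch=("SSH", "Telnet")):
    """Return (line, list_name, methods) for watched lines that never try RADIUS."""
    login, _, lines = parse_auth_methods(text)
    return [(ln, lines[ln][0], login.get(lines[ln][0], []))
            for ln in watch
            if ln in lines and "radius" not in login.get(lines[ln][0], [])]
print(lines_without_radius(SAMPLE))
```

In the configurations posted at the top of the thread, login lists are defined with `aaa authentication login` and enable lists with `aaa authentication enable`; this check reads only the login lists bound to each line.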
