PowerConnect 5548P: Radius API returned error
Hi,
For a few months, I have been working to deploy the 802.1x security protocol on our enterprise wired network. It works well, but for the past two weeks one of our switches has no longer been able to authenticate users.
It's a DELL PowerConnect 5548p - firmware version 4.1.0.20
I get the same message in logs for every try:
Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC was rejected on port gi1/0/1 because Radius API returned error (e.g. No Radius server is configured)
However, the RADIUS servers are configured, they can be pinged and the servers are OK: they work well with other switches.
show radius-servers
IP address      Port  port  Time-  Ret-   Dead-  source IP       Prio. Usage
                Auth  Acct  Out    rans   Time
--------------- ----- ----- ------ ------ ------ --------------- ----- -----
                1812  1813  Global Global Global Global          0     all
                1812  1813  Global Global Global Global          1     all
Global values
--------------
TimeOut : 1
Retransmit : 4
Deadtime : 10
Source IP : 0.0.0.0
Source IPv6 : ::
I tried removing and re-adding the servers, and rebooting the switches: no improvement.
Do you have any idea?
Ch.
DELL-Josh Cr
Moderator
June 30th, 2017 10:00
It may not be rechecking, can you reboot the switch?
DELL-Josh Cr
Moderator
June 29th, 2017 12:00
Hi,
Does RADIUS still work even though you get the message? Is the RADIUS server on the same VLAN? It does look like the source IP is missing; that should have a value.
Ch.bong
June 30th, 2017 01:00
Thanks for your message.
Yes, the RADIUS servers are still up (working for other switches on the network) but there isn't any message in the Windows Event Viewer for this switch.
They are on the same VLAN. In the output of the show radius-servers command, I just changed the IPs of the servers (I edited the previous post to simplify).
It looks like the switch thinks there is no RADIUS server in the config, whereas they are there. Does the switch have a cache and, because of the timeout, think the servers are still down?
Thanks
Ch.
Ch.bong
July 3rd, 2017 08:00
I tried rebooting the first day, but without success. The switch is in use in production, so we'll reboot it tonight.
Similarly, this weekend, another 5548p switch with port control got the same trouble:
DELL PowerConnect 5548p - firmware version 4.1.0.16
Whereas the other switches, 2048p, still work well.
With two switches affected, maybe the configuration is the source of the trouble?
aaa authentication dot1x default radius
radius-server host key
radius-server host key priority 1
radius-server retransmit 4
radius-server timeout 1
radius-server deadtime 10
dot1x system-auth-control
And for a port:
interface gigabitethernet 1/0/1
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x port-control auto
Does it look good, or did I forget something?
Ch.
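An added example, not part of the original post and not Dell tooling: a small Python check that answers the poster's question mechanically for a saved running-config, using only the commands shown in the post above. The `exit`/`!` block terminators, the placeholder address and key, and the function name `audit` are assumptions.

```python
import re

# Global lines present in the poster's config (taken from the thread, not a Dell checklist).
REQUIRED = {
    "aaa authentication dot1x default radius": r"^aaa authentication dot1x default .*\bradius\b",
    "radius-server host <addr> key <secret>": r"^radius-server host \S+ .*\bkey \S+",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
}
POSTER_DEFAULT_TIMEOUT = 3  # default timeout as stated by the poster

def audit(config):
    """Split config into global and per-interface lines, then check the 802.1X pieces."""
    global_lines, ports, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!", "exit"):          # assumed block terminators
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = None              # None: no "dot1x port-control" line seen
        elif current is not None:
            m = re.match(r"dot1x port-control (\S+)", line)
            if m:
                ports[current] = m.group(1)
        else:
            global_lines.append(line)
    missing = [name for name, rx in REQUIRED.items()
               if not any(re.search(rx, l) for l in global_lines)]
    timeout = next((int(m.group(1)) for l in global_lines
                    if (m := re.match(r"radius-server timeout (\d+)$", l))), None)
    low = timeout is not None and timeout < POSTER_DEFAULT_TIMEOUT
    return {"missing_global": missing, "timeout_below_default": low, "ports": ports}

# Constructed sample: the thread's config with a placeholder address and key
# (192.0.2.0/24 is a documentation range), plus a second port with no dot1x lines.
SAMPLE = """\
aaa authentication dot1x default radius
radius-server host 192.0.2.10 key EXAMPLE-SECRET
radius-server host 192.0.2.11 key EXAMPLE-SECRET priority 1
radius-server timeout 1
dot1x system-auth-control
interface gigabitethernet 1/0/1
 dot1x host-mode multi-sessions
 dot1x port-control auto
exit
interface gigabitethernet 1/0/2
exit
"""

print(audit(SAMPLE))
```

A port reported as `None` has no `dot1x port-control` line in its interface block, so it is worth confirming what mode the switch actually applies to it.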
DELL-Josh Cr
Moderator
July 5th, 2017 10:00
You may want to try to increase the timeouts.
Ch.bong
July 11th, 2017 01:00
Hi,
I reset the timeout to the default value (3) and reduced the deadtime (5).
Over the previous nights, I removed all RADIUS configuration on the two switches, rebooted them and re-enabled the security configuration.
Finally, the first switch works well again, unlike the second, which still has the same trouble (and a few more reboots didn't work either).
I don't know what more to do T-T
Ch.
DELL-Josh Cr
Moderator
July 11th, 2017 11:00
So the first switch is still working after the reset but the second one still isn’t? What are you using for your radius server?
Ch.bong
July 17th, 2017 06:00
Exactly, the first switch is working now after the reboot, but the second is not.
My radius server is a VM running Windows Server 2016 Standard with NPS.
Ch.
DELL-Josh Cr
Moderator
July 17th, 2017 10:00
Can you check the Windows event logs and see if there are any RADIUS errors? https://technet.microsoft.com/en-us/library/cc735406(v=ws.10).aspx
Ch.bong
July 18th, 2017 01:00
I see no RADIUS errors in the Windows event logs.
To be sure, I used Wireshark to check. There is no communication between the switch and the server during the port authentication. But the ping works and I see it in Wireshark.
Ch.
DELL-Josh Cr
Moderator
July 18th, 2017 11:00
Can you private message me the show tech-support for the two switches so we can compare?