Can't telnet to a slot in a stack with radius enabled

  • Question
  • Updated 2 years ago
  • Answered
We have a network that consists of stacks for X460s and X440s. This district has several admins, so in an effort to provide accountability we recently enabled radius login on all the stacks. Radius was and is working great, except for today when, investigating a slot failure, we discovered we cannot telnet from the master to slot 5.
The command works but login fails. The stacks are configured to accept the admin account and password if both radius servers are down, but the radius servers are up so the admin account does not work.
The slots do not have ip addresses which we are speculating is the reason radius won't work.

In order to telnet to slot 5 I had to disable radius on the stack and then re-enable it when I was done checking out the slot.

Do we have any options?

David Coglianese, Embassador

Posted 3 years ago


Drew C., Community Manager

Hi David,
At first pass here, it looks like it might be best for you to open a ticket with GTAC so someone can investigate and turn this over to engineering to see how best to fix this.

David Coglianese, Embassador

Thanks Drew,

The stack where we encountered the issue is running 15.5.3.4 and we have another stack running 16.1 that does not seem to have the same issue, so we are going to test to see if the code version makes a difference. If that does not work I will most likely take your advice.

Drew C., Community Manager

I'm curious to see what you find out here.  Let us know :)

David Coglianese, Embassador

All,

We did a packet capture and found that <telnet slot #> sends a NAS-Port value of "Async(0)". Our radius server was configured to only accept NAS-Port "VPN", hence the radius failure.

As a side note, we found that Async(0) is the same value that the serial port uses, so that was likely being blocked as well.

Hope this helps someone down the road
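
The mismatch found in the capture above, as an added example that is not part of the original post: a small Python parser that pulls NAS-Port-Type (RADIUS attribute 61, RFC 2865) out of an Access-Request and applies a policy condition that matches on that attribute alone. The packets are constructed, the function names are hypothetical, and treating the server's "VPN" label as Virtual(5) is an assumption.

```python
import struct

# Added example: packets are constructed; "VPN" == Virtual(5) is an assumption.
# NAS-Port-Type is attribute 61; values are from RFC 2865 section 5.41 (subset).
NAS_PORT_TYPE = 61
PORT_TYPES = {0: "Async", 1: "Sync", 5: "Virtual", 15: "Ethernet"}


def build_access_request(user: str, port_type: int) -> bytes:
    """Build a constructed Access-Request with User-Name and NAS-Port-Type."""
    name = user.encode()
    attrs = bytes([1, 2 + len(name)]) + name                  # User-Name (1)
    attrs += bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type)
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attrs))    # code 1 = Access-Request
    return header + bytes(16) + attrs                         # zeroed authenticator


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!BBH", packet[:4])[2]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def evaluate(packet: bytes, allowed: set) -> str:
    """Mimic a policy condition that matches on NAS-Port-Type only."""
    raw = parse_attributes(packet).get(NAS_PORT_TYPE)
    if raw is None or len(raw) != 4:
        return "no-match: NAS-Port-Type absent"
    value = struct.unpack("!I", raw)[0]
    label = f"{PORT_TYPES.get(value, 'Unknown')}({value})"
    return f"{'match' if value in allowed else 'no-match'}: {label}"


if __name__ == "__main__":
    for name, ptype in [("ssh login", 5), ("telnet slot 5", 0), ("serial console", 0)]:
        print(f"{name:15} ->", evaluate(build_access_request("admin", ptype), {5}))
```

Passing `{0, 5}` as the allowed set shows the effect of extending the condition to cover Async as well as Virtual.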

Drew C., Community Manager

Thanks for coming back with the solution!  This sounds like information for us to add to GTAC Knowledge.

Erik Auerswald, Embassador

Hi,

today I had a related, but slightly different problem with telnet from the standby slot to the master slot in a two switch stack of X670-G2s.

I could log in to the console port on the standby node (the master node is in a different location) using RADIUS authentication. But when I tried to connect to the master slot using telnet slot 2, the password was not accepted and an error message was logged:
<Erro:AAA.RADIUS.goLocal> Slot-2: Failed to send authentication to RADIUS servers, trying local.
<Warn:AAA.authFail> Slot-2: Login failed for user ****** through slot-1
Login to the stack via SSH works with RADIUS authentication as well.

The stack uses EXOS 16.1.3.6-patch1-8.

Is this a known issue? Does anybody have an idea what to check or what might cause an issue like this?

Thanks,
Erik