G3 Switch: if SACLs are configured it is not possible to log in to the switch with a RADIUS account

Problem, Solved. Updated 3 years ago.

If you configure a SACL that contains a service, it is NOT possible to log in to the switch with your RADIUS users anymore; only local users such as "admin" are able to log in.

Firmware on this G3 is: 06.61.15.0003
RADIUS login credentials are on the NAC Gateways.

Rainer Adam

Posted 3 years ago


Matthew Hum, Principal Engineer, APAC

Does the SACL include access to the RADIUS server/NAC Gateway? Can you post the SACLs here?

Service ACLs are applied on the host interface of the switch and apply to all traffic destined to the switch management. Therefore this will also apply to RADIUS traffic, so they will block the Access-Accept RADIUS return that would allow the user to log in.

Another indication that this is the case is that the local login will only work on RADIUS timeout. If the RADIUS server actually sent an Access-Reject, then the local user would not be able to log in. So the local management falls back when the response does not reach the switch management.

Rainer Adam

I am not allowed to post the correct IP addresses here, but both devices are in this list, the NAC Gateways (2 in this case) and the NetSight server and the backup NetSight server. You are not able to allow "radius" traffic. It is not bound to a physical interface. So this doesn't make sense; the customer has more than 50 of these G3 switches in his edge.

These are the commands I have used, but with different real IP addresses.

Here is the config:

set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl

The IPs ending in .250 are the NAC Gateways, .237 and .247 are the NetSight servers and .249 is a Spectrum machine.

For this I have also opened a GTAC ticket with ID 01182646.

I have opened this here so that other users may find it if they run into the same problem.

Matthew Hum, Principal Engineer, APAC

Yes, you need to either allow everything from the NAC Gateway or also allow RADIUS (port 1812) from the NAC Gateways.
Try adding this:
set system service-acl sacl permit ip-source <NAC Gateway> port 1812

Rainer Adam

Such a line it did not accept.

Command:
set system service-acl sacl permit ip-source 10.1.1.250 port 1812

Error:

Invalid Media in [port-string]. ERROR: Invalid interface - 1812

In this constellation the "port" 1812 means a physical interface on the switch.

Matthew Hum, Principal Engineer, APAC

It shouldn't be. In the CLI guide on page 34-3 it says:
G3(su)->set system service-acl my-sacl permit ip-source 10.10.22.2 port 123
to allow NTP, so you should be able to replace that with 1812 for RADIUS.
Unless there is a bug in the code...

Rainer Adam

10.1.1.250 and 10.2.1.250 in this case are the IP addresses of the NAC Gateways. If I understood it correctly, my config will allow all the traffic from 10.1.1.250 and 10.2.1.250, right?

Ronald Dvorak, Embassador

You've only allowed "service snmp" and not all traffic from this source as per your config.

Rainer Adam

Oh my god, yes, that's it!
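A small model of the service-ACL evaluation that Matthew describes and Ronald's diagnosis, added here as an example (not code from the thread or from the switch vendor). It parses the posted `set system service-acl` lines, matches a packet against them with first-match / implicit-deny semantics (assumed), and shows that the posted ACL lets only SNMP through from the NAC Gateway while a RADIUS reply on port 1812 is dropped; the service-to-port mapping and the extra "permit everything from the gateway" rule are assumptions for the model.

```python
import ipaddress
import re

# Destination ports behind the service keywords (assumed mapping for this model).
SERVICE_PORTS = {"telnet": 23, "ssh": 22, "tftp": 69, "sntp": 123, "snmp": 161}

RULE_RE = re.compile(
    r"set system service-acl (\S+) (permit|deny)"
    r"(?: ip-source (\S+) wildcard (\S+))?"
    r"(?: service (\S+)| port (\d+))?$"
)

def parse_sacl(config_text, acl_name="sacl"):
    """Turn 'set system service-acl ...' lines into rule dicts, in order."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue  # not a rule of this ACL (e.g. the service-class line)
        _, action, src, wildcard, service, port = m.groups()
        dport = SERVICE_PORTS[service] if service else (int(port) if port else None)
        rules.append({"action": action, "src": src, "wildcard": wildcard, "dport": dport})
    return rules

def src_matches(rule, src_ip):
    if rule["src"] is None:
        return True  # no ip-source clause: any host matches
    base = int(ipaddress.ip_address(rule["src"]))
    care = ~int(ipaddress.ip_address(rule["wildcard"])) & 0xFFFFFFFF  # 0 bits must match
    return (int(ipaddress.ip_address(src_ip)) ^ base) & care == 0

def sacl_permits(rules, src_ip, port):
    for rule in rules:  # first matching rule decides
        if src_matches(rule, src_ip) and rule["dport"] in (None, port):
            return rule["action"] == "permit"
    return False  # nothing matched: implicit deny (assumed)

# Abridged copy of the config posted in the thread (poster's substitute addresses).
POSTED_CONFIG = """
set system service-acl sacl permit service ssh
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-class sacl
"""
# Same ACL plus a rule permitting all traffic from one NAC Gateway (assumed syntax).
FIXED_CONFIG = POSTED_CONFIG + "set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0\n"
```

`sacl_permits(parse_sacl(POSTED_CONFIG), "10.1.1.250", 1812)` is False while the same call on `FIXED_CONFIG` is True, which is the difference between the RADIUS Access-Accept being dropped and reaching the switch management.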