X440 G2 management login problem

  • Problem
  • Updated 2 years ago
  • Solved

Hello,

I have the following problem. We authenticate to our switches via management login and LDAP. Since the firmware upgrade to version 22.1.1.5 the management login doesn't work, but only with X440 G2 switches. With X460 G2 it works. Does somebody have an idea?

Nico Willamowski

Posted 2 years ago

M.Nees, Embassador

I suggest a downgrade to 21.1.1.5-Patch-1-5 - this should work!

If it does not work, you have another problem. If it works, then open a GTAC case because of a bug.

I suggest only EXOS firmware with some patch levels - higher is better.


Regards

Prashanth KG, Employee

Hi Nico,

Could you please share the aaa config of X440-G2 devices after the upgrade?

We need to verify if the configuration is still in place.
Do we have the LDAP server logs indicating any clue why X440-G2 authentication fails?

Looking forward to the outputs requested.

Regards.

Nico Willamowski

Hello,

I attached the aaa config for the X440-G2. I didn't have an LDAP log file at this moment. But all Summit switches and also S-Series and N-Series work fine. Only X440-G2 with firmware 22.1.1.5 didn't work. I can't see any difference.


Before Upgrade:

configure radius 1 server 10.200.255.1 1812 client-ip 10.200.1.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$Rf+ofQFdsdbudBh8FM2dna7gfTQnA6MuE8rj5Awj"
configure radius-accounting 1 server 10.200.255.1 1813 client-ip 10.200.1.52 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+LmVFAMk/a8FgPH9lZDxJlaPCwMiTXYyH69uwGT"
configure radius-accounting 1 timeout 10
configure radius-accounting 1 retries 1
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 10
configure radius retries 1
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
configure tacacs primary shared-secret encrypted "#$2WMCgJjVUomzJUAbQEVg6xLZCuJC/g=="
configure tacacs secondary shared-secret encrypted "#$i9YPdn4ETpWsnR5xl1H3WNrer6+p2Q=="
configure tacacs-accounting primary shared-secret encrypted "#$TgBXWmib4kT85fgBT+c2xBy17etBmg=="
configure account admin encrypted "$5$UnCsjn$QSelsQK56wiLIVZLW.6NzbzAT4QwLSmj13yRzbKWDYC"
disable account user


After Upgrade:

configure radius 1 server 10.200.255.1 1812 client-ip 10.200.1.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$Rf+ofQFdsdbudBh8FM2dna7gfTQnA6MuE8rj5Awj"
configure radius-accounting 1 server 10.200.255.1 1813 client-ip 10.200.1.52 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+LmVFAMk/a8FgPH9lZDxJlaPCwMiTXYyH69uwGT"
configure radius-accounting 1 timeout 10
configure radius-accounting 1 retries 1
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 10
configure radius retries 1
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
configure tacacs primary shared-secret encrypted "#$3EOJXKPMSrwor25gxMq5owr1l5T/Fw=="
configure tacacs secondary shared-secret encrypted "#$J6bACYt6VdkX/ysrwM0XguqZInWqMg=="
configure tacacs-accounting primary shared-secret encrypted "#$/gzXQBp2Ur3O0gXCWrwXcrNXNGdIXg=="
configure account admin encrypted "$5$UnCsjn$QSelsQK56wiLIVZLW.6NzbzAT4QwLSmj13yRzbKWDYC"
disable account user


Baskar, Employee

Hi Nico,
I would like to know: did you copy an existing AAA configuration from a switch and configure it on this switch? If so, it might be the reason, because the hash algorithm used to store account passwords was changed from MD5 to SHA-256 in newer EXOS versions.

Nico Willamowski

No, I was not copying a config from another switch. You can see the following. I upgraded to version 22.1.1.5. That's what I mean with "after upgrade". Then I downgraded to version 21.1.2.14. That's what "before upgrade" means. I also saw that the config is the same. But the strange thing is, after the downgrade the mgmt login works fine.
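
An added example, not part of the thread or of Extreme's tooling: a small Python check for the before/after comparison discussed above. It confirms that every AAA line is still in place after the upgrade, lists entries whose encrypted value changed, and names the account hash scheme from its crypt(3) prefix (`$5$` is SHA-256 crypt, `$1$` is MD5 crypt). The config text, addresses and secrets are constructed placeholders.

```python
import re

# crypt(3) modular-format identifiers found at the start of a stored hash.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
ENCRYPTED = re.compile(r'^(?P<key>.*\bencrypted) "(?P<value>[^"]*)"\s*$')

# Constructed sample, shaped like the AAA section posted in the thread.
BEFORE = """
configure radius 1 server 192.0.2.10 1812 client-ip 192.0.2.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$PLACEHOLDER-A"
enable radius
enable radius mgmt-access
configure tacacs primary shared-secret encrypted "#$PLACEHOLDER-B"
configure account admin encrypted "$5$saltsalt$PLACEHOLDERHASH"
"""
AFTER = BEFORE.replace("PLACEHOLDER-B", "PLACEHOLDER-C")  # constructed

def parse(config_text):
    """Map each config line to None, or to its value if it ends in encrypted "..."."""
    entries = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENCRYPTED.match(line)
        if m:
            entries[m.group("key")] = m.group("value")
        else:
            entries[line] = None
    return entries

def account_scheme(value):
    """Name the hash scheme of a 'configure account ... encrypted' value."""
    m = re.match(r"^\$(\w+)\$", value)
    return CRYPT_SCHEMES.get(m.group(1), "unknown") if m else "unknown"

def compare(before, after):
    """Return (missing, added, changed_encrypted, account_schemes)."""
    b, a = parse(before), parse(after)
    missing = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    changed = sorted(k for k in b if k in a and b[k] != a[k])
    schemes = {k: account_scheme(v) for k, v in a.items()
               if k.startswith("configure account ") and v}
    return missing, added, changed, schemes

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

A non-empty `missing` list, for example one containing `enable radius mgmt-access`, would mean the upgrade dropped part of the AAA configuration.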

M.Nees, Embassador

This confirms my assumption (unfortunately). Extreme QA at its best.

Bastian Sprotte, Employee

Nico,
Please enforce the RADIUS config via the NAC manager again.
Let us know if that fixes the issue.
Bastian