X440 G2 management login problem


Userlevel 2
Hello,

I have the following problem. We authenticate to our switches via management login and LDAP. Since the firmware upgrade to version 22.1.1.5 the management login doesn't work, but only with X440 G2 switches. With X460 G2 it works. Does somebody have an idea?

8 replies

Userlevel 6
I suggest a downgrade to 21.1.1.5-Patch-1-5 - this should work!

If it does not work, you have another problem. If it works, then open a GTAC case because of a bug.

I suggest only EXOS firmware with some patch levels - higher is better.

Regards
Userlevel 6
Hi Nico,

Could you please share the aaa config of X440-G2 devices after the upgrade?

We need to verify if the configuration is still in place.
Do we have the LDAP server logs indicating any clue why X440-G2 authentication fails?

Looking forward to the outputs requested.

Regards.
Userlevel 2
Prashanth KG wrote:

Hi Nico,

Could you please share the aaa config of X440-G2 devices after the upgrade?

We need to verify if the configuration is still in place.
Do we have the LDAP server logs indicating any clue why X440-G2 authentication fails?

Looking forward to the outputs requested.

Regards.

Hello,

I attached the aaa config for the X440-G2. I don't have an LDAP log file at this moment. But all Summit switches and also S-Series and N-Series work fine. Only X440-G2 with firmware 22.1.1.5 didn't work. I can't see any difference.

Before Upgrade:

configure radius 1 server 10.200.255.1 1812 client-ip 10.200.1.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$Rf+ofQFdsdbudBh8FM2dna7gfTQnA6MuE8rj5Awj"
configure radius-accounting 1 server 10.200.255.1 1813 client-ip 10.200.1.52 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+LmVFAMk/a8FgPH9lZDxJlaPCwMiTXYyH69uwGT"
configure radius-accounting 1 timeout 10
configure radius-accounting 1 retries 1
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 10
configure radius retries 1
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
configure tacacs primary shared-secret encrypted "#$2WMCgJjVUomzJUAbQEVg6xLZCuJC/g=="
configure tacacs secondary shared-secret encrypted "#$i9YPdn4ETpWsnR5xl1H3WNrer6+p2Q=="
configure tacacs-accounting primary shared-secret encrypted "#$TgBXWmib4kT85fgBT+c2xBy17etBmg=="
configure account admin encrypted "$5$UnCsjn$QSelsQK56wiLIVZLW.6NzbzAT4QwLSmj13yRzbKWDYC"
disable account user

After Upgrade:

configure radius 1 server 10.200.255.1 1812 client-ip 10.200.1.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$Rf+ofQFdsdbudBh8FM2dna7gfTQnA6MuE8rj5Awj"
configure radius-accounting 1 server 10.200.255.1 1813 client-ip 10.200.1.52 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+LmVFAMk/a8FgPH9lZDxJlaPCwMiTXYyH69uwGT"
configure radius-accounting 1 timeout 10
configure radius-accounting 1 retries 1
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 10
configure radius retries 1
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
configure tacacs primary shared-secret encrypted "#$3EOJXKPMSrwor25gxMq5owr1l5T/Fw=="
configure tacacs secondary shared-secret encrypted "#$J6bACYt6VdkX/ysrwM0XguqZInWqMg=="
configure tacacs-accounting primary shared-secret encrypted "#$/gzXQBp2Ur3O0gXCWrwXcrNXNGdIXg=="
configure account admin encrypted "$5$UnCsjn$QSelsQK56wiLIVZLW.6NzbzAT4QwLSmj13yRzbKWDYC"
disable account user
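Added example (not part of the original thread and not Extreme tooling): a Python sketch that compares two AAA config dumps like the before/after pair posted above. It masks every value that follows `encrypted` so the output can be shared, and separates lines that differ only in the encrypted value from real setting changes. The sample dumps, addresses and blob strings are constructed, and the function names are hypothetical.

```python
import re

# Quoted value that follows the keyword "encrypted" in a config line, e.g.
#   configure radius 1 shared-secret encrypted "..."
ENCRYPTED = re.compile(r'(\bencrypted\s+)"[^"]*"')

def redact(line):
    """Mask the encrypted secret or password hash on one config line."""
    return ENCRYPTED.sub(r'\1"<redacted>"', line.strip())

def shareable(text):
    """Return the whole dump with every encrypted value masked."""
    return "\n".join(redact(l) for l in text.splitlines() if l.strip())

def compare(before, after):
    """Return (settings_changed, secrets_changed) for two config dumps.

    settings_changed: masked lines that appear in only one dump.
    secrets_changed:  masked lines present in both dumps whose encrypted
                      value differs.
    """
    def index(text):
        return {redact(l): l.strip() for l in text.splitlines() if l.strip()}
    b, a = index(before), index(after)
    settings_changed = sorted(set(b) ^ set(a))
    secrets_changed = sorted(k for k in set(b) & set(a) if b[k] != a[k])
    return settings_changed, secrets_changed

# Constructed sample dumps (documentation addresses, placeholder blobs).
BEFORE = '''
configure radius 1 server 192.0.2.10 1812 client-ip 192.0.2.52 vr VR-Default
configure radius 1 shared-secret encrypted "#$CONSTRUCTED-RADIUS-BLOB"
enable radius mgmt-access
configure tacacs primary shared-secret encrypted "#$CONSTRUCTED-TACACS-A"
configure account admin encrypted "$5$CONSTRUCTED$HASH"
'''
AFTER = BEFORE.replace("CONSTRUCTED-TACACS-A", "CONSTRUCTED-TACACS-B")

if __name__ == "__main__":
    settings, secrets = compare(BEFORE, AFTER)
    print("setting lines added or removed:", settings or "none")
    print("same command, different encrypted value:")
    for line in secrets:
        print("  " + line)
    print("\nshareable copy of the 'after' dump:\n" + shareable(AFTER))
```

Run against the two dumps in the post above, the only differences it would report are the three `tacacs` shared-secret lines, which differ in their encrypted value only.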
Userlevel 4
Prashanth KG wrote:

Hi Nico,

Could you please share the aaa config of X440-G2 devices after the upgrade?

We need to verify if the configuration is still in place.
Do we have the LDAP server logs indicating any clue why X440-G2 authentication fails?

Looking forward to the outputs requested.

Regards.

Nico,
can you please add these commands as defined.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for...

Bastian
-
Userlevel 2
Hi Nico,
I would like to know, did you copy an existing AAA configuration from a switch and configure it on this switch? If so, it might be the reason,

because the hash algorithm used to store account passwords was changed from MD5 to SHA-256 in newer EXOS versions.
Userlevel 2
No, I was not copying a config from another switch. You can see the following. I upgraded to version 22.1.1.5. That's what I mean by "after upgrade". Then I downgraded to version 21.1.2.14. That's what "before upgrade" means. I also saw that the config is the same. But the strange thing is, after the downgrade the mgmt login works fine.
Userlevel 6
This confirms my assumption (unfortunately). Extreme QA at its best.
Userlevel 4
Nico,
please enforce the RADIUS config via the NAC manager again.
Let us know if that fixes the issue.
Bastian
-
