Solved

Enable RADIUS auth for CLI and EDM

  • 21 January 2021

Hi,

Just in the process of configuring RADIUS on an 8404 using version 8.2.

First thing I notice is when I try and enter this command:

radius server host 172.9.99.120 key ****** source-ip 10.0.0.210

I get this error:

acli.pl: Redundant argument in sprintf

My assumption here is that this might be related to the new segmented management feature, so no longer need to define source-ip and enable sourceip-flag.

I see in the configuration guide there is this command:

radius server host WORD used-by {cli|snmp|web} 
  • cli—configure the server for CLI authentication.
  • eapol—configure the server for EAPoL authentication.
  • snmp—configure the server for SNMP authentication.
  • web—configure the server for Web authentication

I don’t think this is what I am expecting it to be, but confused why I can only select one at a time. The default is cli.

If I try this:

radius server host 158.119.128.243 used-by web enable

I get this error:

Error: setting RadiusServHostTbl, radius server does not exist

Although I think ‘used-by web’ isn’t related to the EDM, maybe web based authentication?

I have RADIUS configured just with the configuration below at the moment, and works when logging in for CLI access:

radius server host 158.119.128.243 key ******
radius server host 158.119.60.11 key ******
radius enable
radius accounting enable
radius accounting include-cli-commands

Issue is, how do I configure this so that (if it’s possible) RADIUS auth is used for accessing the EDM?

What about those other options, how do I use those if I can only select one at a time?

I know I’ve completely misunderstood the purpose of the commands here, but just trying to add some context to understand the bigger picture.

Maybe some examples of their use will help?

Many thanks in advance.


Best answer by Ludovico Stevens 21 January 2021, 14:44

Martin

If you see an error message with “acli.pl” in front of it, that is a message from my ACLI terminal, not the switch itself.

Yes, the & character gets interpreted as an iteration of values by my terminal.

You can put double-quotes around the sharedSecret and ACLI terminal will not then interpret “&” inside the quotes and the VSP seems able to correctly process a secretKey inside double-quotes also, I just tested it (but not single quotes!! VSP then uses the single quotes as part of the shared secret!!).

Else you just hit CTRL-T and come out of interactive mode (% prompt) then issue the command there.

Best regards

Ludovico Stevens
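
An added example, not part of the original thread and not code from the ACLI terminal or VOSS: a small Python pre-check that rewrites the thread's radius "key" / "password" commands with the secret in double quotes, and flags a single-quoted secret, which per the answer above the VSP would store quotes and all. The function name, the "plain" character set and the sample commands are assumptions constructed for illustration; secrets are assumed to contain no whitespace.

```python
import re

# Keywords in the thread's commands whose next argument is a secret.
SECRET_KEYWORDS = {"key", "password"}
# Assumption: secrets made only of these characters need no quoting.
# The thread confirms only "&" as interpreted by the terminal; this is stricter.
PLAIN = re.compile(r"[A-Za-z0-9._-]+")


def quote_secrets(command):
    """Return (command, notes) with each secret argument double-quoted if needed.

    Assumes secrets contain no whitespace, so the line can be split on spaces.
    Notes never echo the secret itself.
    """
    tokens = command.split()
    notes = []
    for i in range(1, len(tokens)):
        if tokens[i - 1] not in SECRET_KEYWORDS:
            continue
        secret = tokens[i]
        if PLAIN.fullmatch(secret):
            continue  # nothing a terminal front-end could reinterpret
        if len(secret) >= 2 and secret[0] == secret[-1] == '"':
            continue  # already double-quoted
        if len(secret) >= 2 and secret[0] == secret[-1] == "'":
            notes.append(f"arg {i}: single quotes become part of the secret on the VSP")
            continue  # flag only; do not guess what was intended
        if '"' in secret:
            raise ValueError(f"arg {i}: embedded double quote, not covered by the thread")
        notes.append(f"arg {i}: double-quoted (characters outside A-Z a-z 0-9 . _ -)")
        tokens[i] = f'"{secret}"'
    return " ".join(tokens), notes


if __name__ == "__main__":
    # Constructed sample commands (documentation address, made-up secrets).
    samples = [
        "radius server host 192.0.2.10 key Ex&mple!1 used-by web",
        "radius server host 192.0.2.10 key plainsecret",
        "radius reachability username probe password 'Ex&mple'",
    ]
    for line in samples:
        fixed, notes = quote_secrets(line)
        print(fixed)
        for note in notes:
            print("  note:", note)
```
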


Hi Martin,

 

Here is a working config in prod (obfuscated):

radius server host A.B.C.D key ******
radius server host A.B.C.E key ******
radius server host A.B.C.D key ******  used-by web
radius server host A.B.C.E key ******  used-by web
radius enable
radius reachability username USER password PASSWORD

 

Mig

 


Hi Mig,

Thanks for posting back.

I currently have this in place:

radius server host 10.119.128.243 key ****** 
radius server host 10.119.60.11 key ******
radius enable
radius accounting enable
radius accounting include-cli-commands

Which works for cli login, but when I try and add either:

radius server host 10.119.128.243 used-by web enable

or

radius server host 10.119.128.243 key ********* used-by web

I get this error:

acli.pl: Redundant argument in sprintf

If I try it this way around:

radius server host 10.119.128.243 used-by web key **********

I get this error:

Error: setting RadiusServHostTbl, radius server does not exist

Looking at the ‘redundant argument in sprintf’ error I noticed that it didn't seem to get any arguments after the password, like ‘used-by web’, see below:

Yet if I used a different password it does!

I think the issue might be because I’m using characters in my password like $ # ! &, and something in that it doesn’t like.

I’ll have a play and post back

Cheers,

Martin

 

 


That worked!

Whether that is a bug or not I’m not sure, but one of these characters $ # ! & VOSS doesn’t like in the password?


Same thing seems to be happening when configuring the radius reachability account, have a password that contains characters:

@=!@[/*+_:|&?

And this same error:

acli.pl: Redundant argument in sprintf

 



Hi Ludovico,

Need to change the answer to this post to your answer somehow!

Hadn’t even dawned on me it could be that, gotten used to using the ACLI as a straightforward terminal emulator - taken it for granted :).

Interestingly I had been using Tera-Term, and just switched to the ACLI to get better outputs when using the cfg command.

Great to know as will bear this in mind in the future.

Thanks for testing, really appreciated.

Cheers,

Martin