topic Re: RADIUS Authentication Failing VDX6720 in Data Center (VDX)

RADIUS Authentication Failing VDX6720

Russ — Fri, 29 May 2020 07:08:52 GMT

Hi,

We have a few VDX6720 running FW v4.1.3d. The RADIUS configuration is below. I cannot get RADIUS Auth. working. The Authenticating device is a FortiAuth which is functional and working for other devices.

Is the problem a known issue, or is that I’m missing something? Also with the ‘aaa authentication login radius local-auth-failback’, if that’s changed to ‘aaa authentication login radius local’ your effectively locked out of the device and cannot login at all.

Thanks in Advance.

switch-name# show run radius radius-server host xx.xx.xx.xx protocol pap key "radius_shared_key" encryption-level 7 retries 2 timeout 10 ! radius-server host xx.xx.xx.xx protocol pap key "radius_shared_key" encryption-level 7 retries 2 timeout 10 !

switch-name# show run aaa aaa authentication login radius local-auth-fallback aaa accounting exec default start-stop none aaa accounting commands default start-stop none

Re: RADIUS Authentication Failing VDX6720

Truyen_Phan — Fri, 29 May 2020 14:45:02 GMT

hi Russ,

No, this is not a known issue. The VDX works with radius servers.

Is it possible for you to get a wireshark/tcpdump capture from the FortiAuth device to confirm if the VDX is sending the authentication request and FortiAuth is responding back?

If the above capture shows that FortiAuth is sending the accept, you can run tcpdump on the management interface of VDX to also confirm that it received the accept packet.

sw0# oscmd ?
Possible completions:
  arp        List system ARP entries
  cat        Concatenate and print files
  cp         Copy files and directories in filesystem
  ifconfig   Configure a network interface
  ls         List files from filesystem
  mkdir      Create new directory in filesystem
  mv         Move files in the filesystem
  rm         Remove files from filesystem
  rmdir      Remove directories from filesystem
  tcpdump    Dump traffic on a network
sw0# ter len 0
Successfully set This Session Terminal Length to  0.
sw0# oscmd ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:27:F8:DC:17:7A
          inet addr:10.26.142.170  Bcast:10.26.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:372210744 errors:0 dropped:1676461 overruns:0 frame:0
          TX packets:110041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          Memory:fe4e8000-fe4e8fff

sw0# oscmd tcpdump -nei eth0 <FortiAuth_IP>

Regarding the local-auth-fallback and local configuration options:

local-auth-fallback - If radius server is reachable, but fails authentication, then the VDX will fall back to using local users on the VDX.
local - If radius server is not reachable, then the VDX will fall back to using local users on the VDX.
- If you misconfigured this option, you are not locked out completely.
- you can remove the management cable, then login via console using a local user account

Re: RADIUS Authentication Failing VDX6720

Russ — Mon, 01 Jun 2020 05:35:09 GMT

Hi,

We’re not actually using the management interface, we’re using logical vlan interfaces for management connectivity. The same approach applies?

Re: RADIUS Authentication Failing VDX6720

Truyen_Phan — Mon, 01 Jun 2020 08:06:11 GMT

Yes, if you run ‘oscmd ifconfig’, you should see the logical vlan interface and IP that you’ve configured for it. Then, run tcpdump against that logical interface.

Re: RADIUS Authentication Failing VDX6720

Russ — Fri, 07 Feb 2025 03:53:00 GMT

HI,

I know this is an old question but I've got to get RADIUS Server Auth on the FAC working with the VDX.

I've configured the RADIUS Client, and the Policy on the FAC. Configured the VDX with the required config. Auth. is failing. I've done a packet capture on the FAC and I'm seeing RADIUS Access-Request from the IP on the switch (Not Management Interface, logical L3 VLAN), I'm seeing Access-Reject on the FAC packet capture. I've done a RADIUS Debug on the FAC, I'm seeing the below debug snippet.

I've got something wrong in my policy, but bc of lack of documentation I don't know what!

Received Access-Request Id 154 from x.x.x.x:7234 to x.x.x.x:1812 length 96
User-Name = ""
CHAP-Password = 0x1630ce05348e50fd6fd06c70613b37b741
NAS-IP-Address = x.x.x.x
NAS-Identifier = "SWITCH_NAME"
Calling-Station-Id = "x.x.x.x"
NAS-Port = 6209
NAS-Port-Type = Virtual
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
chap: &control:Auth-Type := CHAP
facauth: ===>NAS IP:x.x.x.x
facauth: ===>Username:
facauth: ===>Timestamp:1738898689.47577, age:0ms
facauth: Found authclient from preloaded authclients list for x.x.x.x: RADIUS_CLIENT
facauth: Did not find vendor 311, attr 58 --> "services\sg-gg-network"
facauth: ERROR: ERROR: unable to find matching authpolicy for Radius client with IP x.x.x.x