topic Re: Radius reachability problem on VOSS in ExtremeSwitching (VSP/Fabric Engine)

Radius reachability problem on VOSS

Jave — Thu, 17 Mar 2022 16:57:00 GMT

Hi everybody,

Trying to set up a management radius connection on VOSS switch, all works fine but I'm unable to have a correct radius servers reachability.
Radius connection on CLI works well, but no dummy packets are sent to nac server (I can't see anything with tcpdump on server), so when it goes down, new connection lags because switch still try to authenticate towards server...
Any idea ?

(exemple here with web access)

Rodjeur

RE: Radius reachability problem on VOSS

Miguel-Angel_RO — Fri, 18 Mar 2022 01:02:00 GMT

Rodjeur,

This is working for me in production:
CORE-01:1#show radius-server
==================================================================================================================
Radius Server Entries
==================================================================================================================
ACCT ACCT SOURCE
NAME USEDBY SECRET PORT PRIO RETRY TIMEOUT ENABLED PORT ENABLED IP
------------------------------------------------------------------------------------------------------------------
10.10.10.56 cli ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 cli ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.56 eapol ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 eapol ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.56 web ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 web ****** 1812 10 1 8 true 1813 true 10.11.10.254


CORE-01:1#show radius reachability

EAP RADIUS reachability mode : use-radius
EAP RADIUS reachability status : reachable
EAP RADIUS reachable server : 10.10.10.56
Time until next check : 37
RADIUS username : reachme
RADIUS password : reachme
RADIUS keep-alive-timer : 180
RADIUS unreachable-timer : 60


CORE-01:1#show run modu radius

config terminal
# RADIUS CONFIGURATION
radius server host 10.10.10.56 key ****** source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by web source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by web source-ip 10.11.10.254
radius enable
radius accounting enable
radius sourceip-flag
radius reachability username reachme passwordreachme
end

Regards,

Mig

RE: Radius reachability problem on VOSS

Jave — Fri, 18 Mar 2022 10:46:00 GMT

Hello Miguel-Angel,

Thanks for your reply, but it seems that you're running on a VSP8600 Series, with specific command radius sourceip-flag, which doesn't exist on other models.
That's my current setup:

5520-24X-VOSS:1#sho run mod rad

config terminal

#
# RADIUS CONFIGURATION
#

radius server host 10.124.100.4 key ******  used-by web
radius enable
radius reachability keep-alive-timer 30 unreachable-timer 30

end

The strange thing is that radius request are well managed with this config, and UDP traffic on port 1812 reaches correctly the server, but it's not the case for radius reachability...

Rodjeur

RE: Radius reachability problem on VOSS

Miguel-Angel_RO — Sun, 20 Mar 2022 20:15:00 GMT

Rodjeur,

What you get is "EAP RADIUS reachability status = unreachable"
What is the output of the command "show eapol system"?

Mig

RE: Radius reachability problem on VOSS

Ludovico_Steven — Mon, 21 Mar 2022 11:15:00 GMT

VOSS RADIUS reachability only works in conjunction with RADIUS servers created with used-by = EAPoL
So if you only have RADIUS servers for CLI authentication (or Web, SNMP, Endpoint-tracking) then the reachability function won't run.
The intent of RADIUS reachability is to work in conjunction with EAPoL features like Fail-Open.

RE: Radius reachability problem on VOSS

Jave — Mon, 21 Mar 2022 15:24:00 GMT

Thanks for your response, I've finally got my mistake: EAPoL is disabled in my environnment. I don't need it at all, especially because I'm testing Fabric at edge deployment and NAC is not an option in my production network (too many complicated to manage with BYOD and unknown devices) and it's not possible to disable EAPoL on an auto-sense enabled port. So I must disable EAPoL globally, unless it exists an another way to achieve this.
@Ludovico Stevens, could this design evolved ? Without radius reachability for cli or web connections, in case of servers unavailability, timouts about 30 sec occur at each connection, which is not optimal...

Re: Radius reachability problem on VOSS

Ludovico_Steven — Wed, 04 Jun 2025 12:53:17 GMT

Sorry, do not recall getting any email alert about this... Giuseppe sent me the link now.
So, RADIUS reachability feature is only relevant for EAPoL, in particular fail-open and continuity modes. Basically, the EAPoL function needs to know when/if the RADIUS servers change or all fail. Endpoint-tracking also uses RADIUS reachability.

For CLI RADIUS authentication, what's the use ? If a RADIUS server is available it will be used, else, if not RADIUS response, it will fallback to local password.

Re: Radius reachability problem on VOSS

Jave — Fri, 13 Jun 2025 09:12:07 GMT

Hi Ludovico,

The use of Radius reachability for CLI access is to not waiting about 1 min before fallback to local password when radius servers are unreachable for any reason...

Regards.