topic Re: VSP5520 SSH/Mgmt in ExtremeSwitching (VSP/Fabric Engine)

VSP5520 SSH/Mgmt

bfaltys — Tue, 24 Aug 2021 21:36:08 GMT

I’m trying to test one of our new VSP5520s. I had been under the impression that VOSS is VOSS regardless of which switch, but maybe I was wrong. I have configured a loopback with an IP and SPBM/ISIS. I have an adjacency and I can ping the switch via that loopback. However, I cannot SSH to the switch and pings from the switch only work if I specify the loopback as the source. We also have new VSP4900 and VSP7400 that didn’t require anything special to be able to SSH to the loopback IP. Pings from those models also didn’t require me to specify a source. What am I missing? SSHD is enabled. I see a route to the subnet I’m SSHing from. I’m guessing this has something to do with the mgmt VRF or something along those lines, but I’ve not been able to sort it out.

Re: VSP5520 SSH/Mgmt

Miguel-Angel_RO — Tue, 24 Aug 2021 21:42:24 GMT

bfaltys,

read here: https://extremeportal.force.com/ExtrArticleDetail?an=000079664&q=voSS%208.2%20mgmt

Mig

Re: VSP5520 SSH/Mgmt

Roger_Lapuh — Tue, 24 Aug 2021 21:43:26 GMT

We have introduced a new segmented management stack with Release 8.2 which provides a set of benefits. So management of the systems has changed, this includes all VOSS switches which support 8.2 and onwards. I suggest you review the documentation for the Segmented Management Stack.

Roger

Re: VSP5520 SSH/Mgmt

bfaltys — Tue, 24 Aug 2021 22:11:11 GMT

It looks like this is really separated. As in I cannot use this IP as the source/destination for any tunnel and cannot enable OSPF so it can be advertised.

Re: VSP5520 SSH/Mgmt

Miguel-Angel_RO — Tue, 24 Aug 2021 22:23:51 GMT

bfaltys,

This IP (CLIP/OoB/mgmt) is to be used for management purposes only (Web/SSH/SNMP/TELNET).

You need another CLIP for service purposes (routing, tunnels, etc).

For the ping, you can use “ping a.b.c.d mgmt” if your mgmt interface is in the same VRF as what you want to reach.

Mig

Re: VSP5520 SSH/Mgmt

bfaltys — Wed, 25 Aug 2021 20:19:16 GMT

I have things mostly working with this newer method, but SSH isn’t working. I get prompted for credentials and the NPS server shows event 6272 so it should work, but the 5520 displays a message for invalid username/password. These credentials work on other devices so that rules out the server.

**UPDATE**

Wireshark capture shows access-request and access-accept so I am at a loss as to why the switch says invalid username or password.

Re: VSP5520 SSH/Mgmt

Miguel-Angel_RO — Wed, 25 Aug 2021 20:46:25 GMT

Usual suspect is the shared secret.

Could you double check?

Re: VSP5520 SSH/Mgmt

bfaltys — Wed, 25 Aug 2021 21:10:06 GMT

Just did a confirmation. Both keys are the same. I would expect the server to not even get to the point of access-accept if the switch had the wrong key. Here is the Wireshark capture that shows the success and the switch showing invalid credentials.

Re: VSP5520 SSH/Mgmt

bfaltys — Wed, 25 Aug 2021 21:22:32 GMT

I also see a message stating “x509v3 host certificate is unavailable”

Re: VSP5520 SSH/Mgmt

Miguel-Angel_RO — Thu, 26 Aug 2021 14:51:38 GMT

Please review this to be sure that you send the correct radius attributes with the NPS:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%

Service-Type=%MGMT_SERV_TYPE%

Passport-Access-Priority=%CUSTOM1%

https://extremeportal.force.com/ExtrArticleDetail?an=000082104&q=voss%20radius%20attribute

Re: VSP5520 SSH/Mgmt

bfaltys — Thu, 26 Aug 2021 20:28:27 GMT

I’ll see if I can make sense of that. We’re using Windows Server for NPS and it has worked for all other Extreme models without setting other attributes.

I’m trying another switch this morning to see if it has the same issue. Of course now I get a different error. When trying to configure an IP on the mgmt CLIP it give the message “Error: Cannot use Dynamic nick-name subnet 172.16.0.0/12.”

**UPDATE**

I don’t get the error after a factory default and then configure the CLIP.

Re: VSP5520 SSH/Mgmt

bfaltys — Thu, 26 Aug 2021 20:53:17 GMT

After getting the new switch up and running I get the same error when trying to SSH with RADIUS authentication. If I don’t enable RADIUS, local login works.

Re: VSP5520 SSH/Mgmt

bfaltys — Thu, 26 Aug 2021 21:13:15 GMT

Success. It was the RADIUS attribute. Here are screenshots of NPS.

Re: VSP5520 SSH/Mgmt

Miguel-Angel_RO — Thu, 26 Aug 2021 23:09:27 GMT

Glad to see it solved.

Enjoy

Mig

Re: VSP5520 SSH/Mgmt

bfaltys — Fri, 27 Aug 2021 22:52:03 GMT

Just wanted to add a couple of notes for anyone else that might run into this. The vendor code is 1584 (Nortel) and the attribute number is 192 (Access-Priority), format is decimal and value is 6 (RWA access).