Header Only - DO NOT REMOVE - Extreme Networks

G3 Switch: If SACLs are configured it is not possible to log in to the switch with a RADIUS account


Userlevel 2
If SACLs are configured it is not possible to log in to the switch with a RADIUS account.

If you configure a SACL that contains a service, it is NOT possible to log in to the switch with your RADIUS users anymore; only local users such as "admin" are able to log in.

Firmware on this G3 is: 06.61.15.0003
RADIUS login credentials are on the NAC Gateways.

8 replies

Userlevel 3
Does the SACL include access to the RADIUS server/NAC Gateway? Can you post the SACLs here?

Service ACLs are applied on the host interface of the switch and apply to all traffic destined to the switch management. Therefore this will also apply to RADIUS traffic, so they will block the RADIUS Access-Accept return that would allow the user to log in.

Another indication that this is the case is that the local login will only work on RADIUS timeout. If the RADIUS server actually sent an Access-Reject then the local user would not be able to log in. So the local management falls back when the response does not reach the switch management.
Userlevel 2
I am not allowed to post the correct IP addresses here, but both devices are in this list: the NAC Gateways (2 in this case), the Netsight Server and the backup Netsight server. You are not able to allow "radius" traffic. It is not bound to a physical interface. So this doesn't make sense; the customer has more than 50 of these G3 switches in his edge.

Those are the commands I have used, but with different real IP addresses.

Here is the config:

set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl

The IPs ending in .250 are the NAC Gateways, .237 and .247 are the Netsight Servers and .249 is a Spectrum machine.

For this I have also opened a GTAC Ticket with ID 01182646.

I have opened this here so that other users may find it if they run into the same problem.
Userlevel 3
Yes, you need to either allow everything from the NAC Gateway or also allow RADIUS (port 1812) from the NAC Gateways.
try adding this:
set system service-acl sacl permit ip-source port 1812
Userlevel 2
Matthew Hum wrote:

Yes, you need to either allow everything from the NAC Gateway or also allow RADIUS (port 1812) from the NAC Gateways.
try adding this:
set system service-acl sacl permit ip-source port 1812

It did not accept such a line.

Command:
set system service-acl sacl permit ip-source 10.1.1.250 port 1812

Error:

Invalid Media in [port-string]. ERROR: Invalid interface - 1812

In this context the "port" 1812 means a physical interface on the switch....
Userlevel 3
Matthew Hum wrote:

Yes, you need to either allow everything from the NAC Gateway or also allow RADIUS (port 1812) from the NAC Gateways.
try adding this:
set system service-acl sacl permit ip-source port 1812

It shouldn't be. In the CLI guide on pg 34-3 it says: G3(su)->set system service-acl my-sacl permit ip-source 10.10.22.2 port 123 to allow NTP. So you should be able to replace that with 1812 for RADIUS. Unless there is a bug in the code...
Userlevel 2
10.1.1.250 and 10.2.1.250 in this case are the IP addresses of the NAC gateways. If I understood it correctly, my config will allow all the traffic from 10.1.1.250 and 10.2.1.250, right?
Userlevel 7
You've only allowed "service snmp" and not all traffic from this source as per your config.
Userlevel 2
Ron wrote:

You've only allowed "service snmp" and not all traffic from this source as per your config.

Oh my god, yes, that's it!
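To make the resolution of this thread concrete, here is an added example that is not code from the thread, from Extreme Networks or from the G3 firmware. It is a small Python model of a service-ACL lookup: it parses the `set system service-acl ... permit ...` lines posted above, evaluates them against a few constructed management packets, and shows why the original SACL drops the RADIUS reply from the NAC gateways (only `service snmp` is permitted from the .250 hosts) while a SACL with an extra permit-all rule for the gateway addresses lets it through. The matching semantics are assumptions, not documented on this page: first matching rule wins with an implicit deny at the end, `wildcard` is an inverse mask (0.0.0.0 = exact host), a rule with `ip-source` but no `service`/`port` clause matches every service from that source, and a `port N` rule matches traffic whose remote service port is N (for a RADIUS Access-Accept that is the gateway's UDP source port 1812). The addresses are the poster's placeholder addresses plus a constructed 192.0.2.7 client; `ALT_SACL_PER_GUIDE` uses the `port 1812` form quoted from the CLI guide, which the firmware in this thread rejected, so it is included only to show the narrower rule the guide describes.

```python
import ipaddress

# Well-known ports behind the service keywords used in the thread.
SERVICE_PORTS = {"telnet": 23, "ssh": 22, "tftp": 69, "sntp": 123, "snmp": 161}
RADIUS_AUTH_PORT = 1812  # assumed: UDP source port of the NAC gateway's Access-Accept

# The SACL exactly as posted above (addresses are the poster's placeholders).
ORIGINAL_SACL = """
set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl
"""

# Fix suggested in the thread: permit everything from the two NAC gateways.
# Assumption: a rule without a trailing 'service'/'port' clause is accepted.
FIXED_SACL = ORIGINAL_SACL + """
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0
"""

# Narrower variant per the CLI guide form quoted above ('port 1812'); the
# firmware in this thread rejected this syntax, so it is only modelled here.
ALT_SACL_PER_GUIDE = ORIGINAL_SACL + """
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 port 1812
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 port 1812
"""

NAC_GATEWAYS = ["10.1.1.250", "10.2.1.250"]


def parse_sacl(config_text):
    """Parse 'set system service-acl <name> <action> ...' lines into rule dicts."""
    rules = []
    for line in config_text.strip().splitlines():
        tok = line.split()
        if tok[:3] != ["set", "system", "service-acl"]:
            continue  # blank lines and 'set system service-class sacl' (attaches the ACL)
        rule = {"action": tok[4], "host": None, "wild": 0, "port": None}
        i = 5
        while i < len(tok):
            if tok[i] == "ip-source":
                rule["host"] = int(ipaddress.IPv4Address(tok[i + 1]))
            elif tok[i] == "wildcard":
                rule["wild"] = int(ipaddress.IPv4Address(tok[i + 1]))
            elif tok[i] == "service":
                rule["port"] = SERVICE_PORTS[tok[i + 1]]
            elif tok[i] == "port":
                rule["port"] = int(tok[i + 1])
            else:
                raise ValueError(f"unknown keyword {tok[i]!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def lookup(rules, src_ip, port):
    """Return 'permit' or 'deny' for a packet to the switch host interface.

    Assumed semantics: first matching rule wins; no match is the implicit deny.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for r in rules:
        if r["host"] is not None:
            keep = 0xFFFFFFFF ^ r["wild"]  # wildcard bits are "don't care"
            if (src & keep) != (r["host"] & keep):
                continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"]
    return "deny"


def radius_reply_permitted(config_text, nac_gateways):
    """True only if the RADIUS reply from every NAC gateway reaches the switch."""
    rules = parse_sacl(config_text)
    return all(lookup(rules, ip, RADIUS_AUTH_PORT) == "permit" for ip in nac_gateways)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_SACL), ("permit-all fix", FIXED_SACL),
                       ("port 1812 per guide", ALT_SACL_PER_GUIDE)):
        print(f"{label:20s} RADIUS replies reach the switch: "
              f"{radius_reply_permitted(cfg, NAC_GATEWAYS)}")
```

Under this model the original SACL permits SNMP from 10.1.1.250 but denies the Access-Accept coming back from the same host, which is exactly the "local login only works on RADIUS timeout" symptom described above. Both fixes permit the reply; the `port 1812` form is the least-privilege one, since it still denies any other unlisted service from the gateway addresses, so it is worth retrying once the CLI accepts it.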
