RADIUS Authentication Failing VDX6720

Russ
Contributor

Hi,

We have a few VDX6720 running FW v4.1.3d. The RADIUS configuration is below. I cannot get RADIUS auth working. The authenticating device is a FortiAuth, which is functional and working for other devices.

Is the problem a known issue, or is it that I'm missing something? Also, with 'aaa authentication login radius local-auth-fallback', if that's changed to 'aaa authentication login radius local' you're effectively locked out of the device and cannot log in at all.

Thanks in Advance. 

 

switch-name# show run radius
radius-server host xx.xx.xx.xx
 protocol pap
 key "radius_shared_key"
 encryption-level 7
 retries 2
 timeout 10
!
radius-server host xx.xx.xx.xx
 protocol pap
 key "radius_shared_key"
 encryption-level 7
 retries 2
 timeout 10
!

switch-name# show run aaa
aaa authentication login radius local-auth-fallback
aaa accounting exec default start-stop none
aaa accounting commands default start-stop none

 

 


Truyen_Phan
Extreme Employee

Yes, if you run 'oscmd ifconfig', you should see the logical VLAN interface and the IP that you've configured for it. Then run tcpdump against that logical interface.

Russ
Contributor

 

Hi,

We're not actually using the management interface; we're using logical VLAN interfaces for management connectivity. Does the same approach apply?

Truyen_Phan
Extreme Employee

Hi Russ,

No, this is not a known issue. The VDX works with RADIUS servers.

Is it possible for you to get a Wireshark/tcpdump capture from the FortiAuth device to confirm whether the VDX is sending the authentication request and FortiAuth is responding?

If the above capture shows that FortiAuth is sending the accept, you can run tcpdump on the management interface of the VDX to also confirm that it received the accept packet.

sw0# oscmd ?
Possible completions:
  arp       List system ARP entries
  cat       Concatenate and print files
  cp        Copy files and directories in filesystem
  ifconfig  Configure a network interface
  ls        List files from filesystem
  mkdir     Create new directory in filesystem
  mv        Move files in the filesystem
  rm        Remove files from filesystem
  rmdir     Remove directories from filesystem
  tcpdump   Dump traffic on a network
sw0# ter len 0
Successfully set This Session Terminal Length to 0.
sw0# oscmd ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:27:F8:DC:17:7A
          inet addr:10.26.142.170  Bcast:10.26.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:372210744 errors:0 dropped:1676461 overruns:0 frame:0
          TX packets:110041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          Memory:fe4e8000-fe4e8fff

sw0# oscmd tcpdump -nei eth0 host <FortiAuth_IP>

Regarding the local-auth-fallback and local configuration options:

  • local-auth-fallback - If the RADIUS server is reachable but authentication fails, then the VDX will fall back to using the local users on the VDX.
  • local - If the RADIUS server is not reachable, then the VDX will fall back to using the local users on the VDX.
    • If you misconfigured this option, you are not locked out completely.
    • You can remove the management cable, then log in via the console using a local user account.
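Reading the capture described in the reply above offline, as an added example that is not part of this thread and not code from the VDX or FortiAuthenticator products: the Python below builds a constructed RADIUS exchange (no packets from the post are reproduced), parses each datagram, pairs Access-Requests with responses by Identifier, and verifies the Response Authenticator against the shared key. That verification is the check that separates the two silent failure modes a capture alone cannot: a server that never answers (it dropped the request as coming from an unknown NAS or with a bad key) and a server that answers with a key different from the switch's, whose reply the switch discards, so the login just times out. Packet layout, PAP password hiding and the Response Authenticator follow RFC 2865; the address 10.26.142.170 and the key "radius_shared_key" are taken from the post's output as placeholders; the function names are this example's own.

```python
"""Offline sanity check of a captured NAS <-> RADIUS exchange (added example, RFC 2865)."""
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_encode(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decode(encoded, secret, request_auth):
    """Inverse of pap_encode. A wrong shared key yields garbage, not an error, which is why a server with a mismatched key rejects valid credentials."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build(code, ident, authenticator, attrs):
    """Serialise Code | Identifier | Length | Authenticator | attributes (TLV; length covers the 2-byte header)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    pkt = build(code, request["id"], request["authenticator"], attrs)
    resp_auth = hashlib.md5(pkt[:4] + request["authenticator"] + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def parse(raw):
    """Parse one UDP payload; rejects length lies and malformed attributes instead of reading past them."""
    if len(raw) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field %d != %d bytes on the wire" % (length, len(raw)))
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = raw[off], raw[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, raw[off + 2:off + l]))
        off += l
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": attrs, "raw": raw}


def response_valid(request, response, secret):
    """True iff the response was produced for this request with the same shared key the NAS holds."""
    expected = hashlib.md5(response["raw"][:4] + request["authenticator"] + response["raw"][20:] + secret).digest()
    return hmac.compare_digest(expected, response["authenticator"])


def diagnose(packets, secret):
    """Pair requests with responses by Identifier; return [(id, verdict), ...] as the NAS would see them."""
    pending, verdicts = {}, []
    for p in packets:
        if p["code"] == ACCESS_REQUEST:
            pending[p["id"]] = p
            continue
        name = CODE_NAMES.get(p["code"], "code %d" % p["code"])
        req = pending.pop(p["id"], None)
        if req is None:
            verdicts.append((p["id"], name + " without a matching request"))
        elif not response_valid(req, p, secret):
            # The NAS silently discards such a reply, so the operator only sees a timeout.
            verdicts.append((p["id"], name + " with bad Response Authenticator (shared key mismatch?)"))
        else:
            verdicts.append((p["id"], name))
    for ident in pending:
        verdicts.append((ident, "no response (server dropped the request: unknown NAS or key mismatch?)"))
    return verdicts


def sample_exchange():
    """Constructed capture (not from the post): three logins from a NAS holding the placeholder key."""
    secret, wrong_secret = b"radius_shared_key", b"wrong_key"
    packets = []
    for ident, outcome in ((1, ACCESS_ACCEPT), (2, ACCESS_REJECT), (3, None)):
        auth = bytes([ident]) * 16  # fixed instead of os.urandom(16) so the run is reproducible
        req = parse(build(ACCESS_REQUEST, ident, auth, [
            (USER_NAME, b"admin"),
            (USER_PASSWORD, pap_encode(b"s3cret", secret, auth)),
            (NAS_IP_ADDRESS, bytes([10, 26, 142, 170])),  # eth0 address shown in the post
        ]))
        packets.append(req)
        if outcome == ACCESS_ACCEPT:
            packets.append(parse(build_response(outcome, req, [], secret)))
        elif outcome == ACCESS_REJECT:
            packets.append(parse(build_response(outcome, req, [], wrong_secret)))  # server has a different key
    return packets, secret


if __name__ == "__main__":
    pkts, key = sample_exchange()
    for ident, verdict in diagnose(pkts, key):
        print("id %d: %s" % (ident, verdict))
```

To run this against a real capture, extract the UDP payloads of the RADIUS port in capture order (for example with tshark or scapy) and feed them to parse() before calling diagnose() with the switch's configured key. Two caveats follow from the code itself: with `protocol pap` the password crosses the wire hidden only by the MD5/XOR scheme above, so a capture plus the shared key recovers it and the pcap must be handled as a secret; and a Response Authenticator mismatch is equally consistent with the wrong key on either side, so compare the key on the FortiAuth client entry for this NAS, not just on the switch.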