05-29-2020 12:08 AM
Hi,
We have a few VDX6720 running FW v4.1.3d. The RADIUS configuration is below. I cannot get RADIUS Auth. working. The Authenticating device is a FortiAuth which is functional and working for other devices.
Is the problem a known issue, or is it that I’m missing something? Also with the ‘aaa authentication login radius local-auth-fallback’, if that’s changed to ‘aaa authentication login radius local’ you’re effectively locked out of the device and cannot login at all.
Thanks in Advance.
switch-name# show run radius
radius-server host xx.xx.xx.xx
protocol pap
key "radius_shared_key"
encryption-level 7
retries 2
timeout 10
!
radius-server host xx.xx.xx.xx
protocol pap
key "radius_shared_key"
encryption-level 7
retries 2
timeout 10
!
switch-name# show run aaa
aaa authentication login radius local-auth-fallback
aaa accounting exec default start-stop none
aaa accounting commands default start-stop none
06-01-2020 01:06 AM
Yes, if you run ‘oscmd ifconfig’, you should see the logical vlan interface and IP that you’ve configured for it. Then, run tcpdump against that logical interface.
05-31-2020 10:35 PM
Hi,
We’re not actually using the management interface, we’re using logical vlan interfaces for management connectivity. Does the same approach apply?
05-29-2020 07:45 AM
Hi Russ,
No, this is not a known issue. The VDX works with radius servers.
Is it possible for you to get a Wireshark/tcpdump capture from the FortiAuth device to confirm if the VDX is sending the authentication request and FortiAuth is responding back?
If the above capture shows that FortiAuth is sending the accept, you can run tcpdump on the management interface of VDX to also confirm that it received the accept packet.
sw0# oscmd ?
Possible completions:
arp List system ARP entries
cat Concatenate and print files
cp Copy files and directories in filesystem
ifconfig Configure a network interface
ls List files from filesystem
mkdir Create new directory in filesystem
mv Move files in the filesystem
rm Remove files from filesystem
rmdir Remove directories from filesystem
tcpdump Dump traffic on a network
sw0# ter len 0
Successfully set This Session Terminal Length to 0.
sw0# oscmd ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:27:F8:DC:17:7A
inet addr:10.26.142.170 Bcast:10.26.255.255 Mask:255.255.128.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:372210744 errors:0 dropped:1676461 overruns:0 frame:0
TX packets:110041 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Memory:fe4e8000-fe4e8fff
sw0# oscmd tcpdump -nei eth0 <FortiAuth_IP>
Regarding the local-auth-fallback and local configuration options:
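Added example, not part of the thread or of the VDX/FortiAuth software: once the two captures described above show the Access-Request leaving the switch and an Access-Accept coming back, the next thing to rule out is a shared-key mismatch, because a RADIUS client (RFC 2865, section 3) silently discards a reply whose Response Authenticator does not verify against its own key, which looks exactly like "server answered, login still failed". The Python below parses the RADIUS header from a captured UDP payload and recomputes the Response Authenticator; the request, reply and the key `radius_shared_key` are constructed test data, and the User-Password attribute is omitted since only the header check matters here.

```python
"""Check a captured RADIUS reply against the switch's shared key (added example)."""
import hashlib
import struct

# RADIUS codes relevant to a login attempt (RFC 2865 section 3).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_header(pkt: bytes):
    """Return (code name, identifier, length, authenticator) from a RADIUS UDP payload."""
    if len(pkt) < 20:
        raise ValueError("too short for a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS Length field inconsistent with datagram size")
    return CODES.get(code, f"code-{code}"), ident, length, pkt[4:20]

def response_auth_ok(request: bytes, response: bytes, secret: bytes) -> bool:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    False means the client would drop the reply: wrong key, or a reply for another request."""
    _, req_id, _, req_auth = parse_header(request)
    _, rsp_id, rsp_len, rsp_auth = parse_header(response)
    if req_id != rsp_id:
        return False  # identifiers must match the outstanding request
    digest = hashlib.md5(response[:4] + req_auth + response[20:rsp_len] + secret).digest()
    return digest == rsp_auth

def build_request(ident: int, username: bytes, req_auth: bytes) -> bytes:
    """Constructed Access-Request carrying only a User-Name attribute (type 1)."""
    attrs = bytes([1, 2 + len(username)]) + username
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_accept(request: bytes, secret: bytes) -> bytes:
    """Constructed Access-Accept answering `request`, signed with `secret`."""
    _, ident, _, req_auth = parse_header(request)
    attrs = bytes([18, 2 + len(b"ok")]) + b"ok"  # Reply-Message (type 18)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

# Constructed sample exchange: the key the switch is configured with, a fixed
# (non-random) request authenticator so the example is reproducible, and a reply.
SWITCH_KEY = b"radius_shared_key"
REQUEST = build_request(7, b"russ", bytes(range(16)))
ACCEPT = build_accept(REQUEST, SWITCH_KEY)

if __name__ == "__main__":
    print(parse_header(REQUEST)[0], "->", parse_header(ACCEPT)[0])
    print("accept verifies with switch key:", response_auth_ok(REQUEST, ACCEPT, SWITCH_KEY))
    print("accept verifies with other key: ", response_auth_ok(REQUEST, ACCEPT, b"other-key"))
```

To use it on a real capture, feed the UDP payloads of the request and reply (as seen by tcpdump on the VDX side) to `response_auth_ok` with the key from `show run radius`; a False result with matching identifiers points at a key mismatch between the VDX entry and the FortiAuth client definition.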