cancel
Showing results for 
Search instead for 
Did you mean: 

EXOS does not attempt RADIUS authentication with Secondary server.

EXOS does not attempt RADIUS authentication with Secondary server.

johnwcalder
New Contributor II
At the moment I have a problem where a group of Extreme switches configured to use RADIUS authentication do not automatically attempt authentication with the secondary server when the primary server is down.
I have been able to replicate this problem in GNS3 with a more simplified setup than what we have in the production environment. I have two radius servers that are identical in every way except their IP addresses, and I have an Extreme switch that is configured to use those servers for authentication.
There are no problems authenticating when the primary RADIUS server is running, however, when I shut it down I am no longer able to authenticate when I connect to the Extreme switch. I even did a packet capture on the link and I noticed that the switch doesn't even attempt to send any traffic to the secondary server even when I have shut down RADIUS on the primary server. Is there something I'm missing?

code:
Primary Switch Management RADIUS server: Status is Active
host name :
IP address : 192.168.1.102
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$h+DxdMlNe3EYSMxwsPsNlYj2LWWYxw==
Access Requests : 33 Access Accepts : 5
Access Rejects : 2 Access Challenges : 0
Access Retransmits: 20 Client timeouts : 26
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 1

Secondary Switch Management RADIUS server: Status is Active
host name :
IP address : 192.168.1.101
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$JxV/rt7kEyedqcs23mzy3LBwXaPJIw==
Access Requests : 12 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 12 Client timeouts : 12
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Primary Netlogin RADIUS server: Status is Active
host name :
IP address : 192.168.1.102
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$e9OdqIFaHYGPuQcHF3wdhaZCsvWB5Q==
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Secondary Netlogin RADIUS server: Status is Active
host name :
IP address : 192.168.1.101
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$jcBzMhO5yJzEuzDJ8M5mt8h3g0Wjvw==
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Legend: An asterisk (*) indicates a global value is in use.
1 ACCEPTED SOLUTION

johnwcalder
New Contributor II
I was able to resolve the issue. In the production environment, it turned out that there was a second firewall that had to be configured to allow traffic to the secondary server. In the GNS3 simulation I have no idea what happened but I rebuilt it and it also works there now. I am aware of that bug but I was using later versions of EXOS.

View solution in original post

3 REPLIES 3

johnwcalder
New Contributor II
I was able to resolve the issue. In the production environment, it turned out that there was a second firewall that had to be configured to allow traffic to the secondary server. In the GNS3 simulation I have no idea what happened but I rebuilt it and it also works there now. I am aware of that bug but I was using later versions of EXOS.

David_Choi
Extreme Employee
Hi John,

What is the EXOS version? As there is a known bug for that in prior EXOS 16.1 version.

Regards,
David

Tomasz
Valued Contributor II
Hi John,

Just to make sure - what version of EXOS do you use for your production and GNS3 testing?
Is it ok for you to share the output of 'show configuration aaa'?

Kind regards,
Tomasz
GTM-P2G8KFN