Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-21-2019 11:35 AM
At the moment I have a problem where a group of Extreme switches configured to use RADIUS authentication do not automatically attempt authentication with the secondary server when the primary server is down.
I have been able to replicate this problem in GNS3 with a more simplified setup than what we have in the production environment. I have two radius servers that are identical in every way except their IP addresses, and I have an Extreme switch that is configured to use those servers for authentication.
There are no problems authenticating when the primary RADIUS server is running, however, when I shut it down I am no longer able to authenticate when I connect to the Extreme switch. I even did a packet capture on the link and I noticed that the switch doesn't even attempt to send any traffic to the secondary server even when I have shut down RADIUS on the primary server. Is there something I'm missing?
I have been able to replicate this problem in GNS3 with a more simplified setup than what we have in the production environment. I have two radius servers that are identical in every way except their IP addresses, and I have an Extreme switch that is configured to use those servers for authentication.
There are no problems authenticating when the primary RADIUS server is running, however, when I shut it down I am no longer able to authenticate when I connect to the Extreme switch. I even did a packet capture on the link and I noticed that the switch doesn't even attempt to send any traffic to the secondary server even when I have shut down RADIUS on the primary server. Is there something I'm missing?
code:
Primary Switch Management RADIUS server: Status is Active
host name :
IP address : 192.168.1.102
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$h+DxdMlNe3EYSMxwsPsNlYj2LWWYxw==
Access Requests : 33 Access Accepts : 5
Access Rejects : 2 Access Challenges : 0
Access Retransmits: 20 Client timeouts : 26
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 1
Secondary Switch Management RADIUS server: Status is Active
host name :
IP address : 192.168.1.101
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$JxV/rt7kEyedqcs23mzy3LBwXaPJIw==
Access Requests : 12 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 12 Client timeouts : 12
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Primary Netlogin RADIUS server: Status is Active
host name :
IP address : 192.168.1.102
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$e9OdqIFaHYGPuQcHF3wdhaZCsvWB5Q==
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Secondary Netlogin RADIUS server: Status is Active
host name :
IP address : 192.168.1.101
Server IP Port: 1812
Client address: 192.168.1.1 (VR-Default)
Retries : 3 *
Timeout : 3 *
shared secret : #$jcBzMhO5yJzEuzDJ8M5mt8h3g0Wjvw==
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Legend: An asterisk (*) indicates a global value is in use.
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-23-2019 07:24 AM
I was able to resolve the issue. In the production environment, it turned out that there was a second firewall that had to be configured to allow traffic to the secondary server. In the GNS3 simulation I have no idea what happened but I rebuilt it and it also works there now. I am aware of that bug but I was using later versions of EXOS.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-23-2019 07:24 AM
I was able to resolve the issue. In the production environment, it turned out that there was a second firewall that had to be configured to allow traffic to the secondary server. In the GNS3 simulation I have no idea what happened but I rebuilt it and it also works there now. I am aware of that bug but I was using later versions of EXOS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-22-2019 01:51 AM
Hi John,
What is the EXOS version? As there is a known bug for that in prior EXOS 16.1 version.
Regards,
David
What is the EXOS version? As there is a known bug for that in prior EXOS 16.1 version.
Regards,
David
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-21-2019 06:39 PM
Hi John,
Just to make sure - what version of EXOS do you use for your production and GNS3 testing?
Is it ok for you to share the output of 'show configuration aaa'?
Kind regards,
Tomasz
Just to make sure - what version of EXOS do you use for your production and GNS3 testing?
Is it ok for you to share the output of 'show configuration aaa'?
Kind regards,
Tomasz
