01-28-2024 03:13 AM
Hi,
1. Does the 5520 / X440-G2 series switch support MSCHAPV2 as a RADIUS authentication method?
2. If it is supported, how do I configure it?
Thanks
01-29-2024 10:50 AM
Ah! Sorry. Couldn't see anywhere specific in your request on this. Yes it supports MSCHAP V2.
First, you need to specify the RADIUS server that the switch will use for authentication.
configure radius add <RADIUS_Server_IP> <Server_Index> client-ip <Switch_IP> vr VR-Default
configure radius <Server_Index> primary
The shared secret is used to encrypt communication between the switch and the RADIUS server.
configure radius <Server_Index> shared-secret <Shared_Secret>
Configure the timeout and retry values to determine how the switch interacts with the RADIUS server.
configure radius <Server_Index> timeout <Timeout_Value>
configure radius <Server_Index> retries <Retry_Value>
Tell the switch to use RADIUS authentication for login.
configure radius netlogin primary
configure radius mgmt-access primary
While the specific command can depend on the EXOS version, you generally need to ensure that the RADIUS server is configured to use MSCHAPv2 for authentication. This is typically configured on the RADIUS server side.
It's often wise to configure a fallback method, such as local authentication, in case the RADIUS server is unreachable.
configure account admin-password
To ensure that your settings persist after a reboot, save the configuration.
save configuration
07-15-2024 07:06 AM
Hi,
As far as I know EXOS doesn't support MSCHAPv2 for MGMT or MAC Auth. Only PAP.
Isn't that correct?
01-31-2024 11:26 AM
You're correct, and I appreciate your patience. In ExtremeXOS (EXOS), the specifics of configuring MSCHAPv2 for CLI access largely depend on the external RADIUS server's setup because the switch itself doesn't directly handle MSCHAPv2 configurations. Instead, it relies on the RADIUS server to perform the actual authentication using MSCHAPv2.
01-28-2024 10:54 AM
Hi,
You haven't been specific on which OS you are running, so I am going to assume XOS at this point.
FYI - If this is a new switch, it comes with an XiQ license. Although MSCHAP-V2 isn't supported right now, I would strongly recommend looking into using XiQ for administration.
To ensure that time-sensitive certificates and authentication protocols work correctly, it's good practice to configure NTP:
configure sntp primary <NTP Server IP>
enable sntp-client
Set up your VLANs and assign ports to your VLANs as needed. MSCHAPV2 will be part of the 802.1X process, which requires a properly configured network.
create vlan "VLAN_NAME"
configure vlan VLAN_NAME tag <VLAN_ID>
configure vlan VLAN_NAME add ports <port_list> [untagged|tagged]
Enable 802.1X globally on the switch:
enable dot1x
Configure the ports that will use 802.1X:
configure ports <port_list> dot1x reauthentication
Configure the switch to use a RADIUS server that supports MSCHAPV2. The RADIUS server will handle the actual MSCHAPV2 authentication process.
configure netlogin primary-radius-server <RADIUS_SERVER_IP> client-ip <SWITCH_IP> vr <VR-Name> [shared-secret <SECRET>]
Configure NetLogin on the ports and specify the authentication type. For MSCHAPV2, the RADIUS server should be configured to handle MSCHAPV2 authentication requests.
configure netlogin ports <port_list> mode dot1x
Don't forget to save your configuration:
save configuration
01-28-2024 11:29 PM - edited 01-28-2024 11:30 PM
@Brent_Addis wrote: If this is a new switch, it comes with an XiQ license
I think this is no longer the case.
01-29-2024 10:44 AM
Ah! You are correct.
"Your universal switch includes a 1-year no cost subscription to ExtremeCloud IQ Pilot if purchased prior to July 1, 2023"