MSCHAPV2 CONFIGURATION in 5520 & X440 series switches for radius authentication.

NN_QA
New Contributor

Hi,

1. Does the 5520 / X440-G2 series switch support MSCHAPv2 as the RADIUS authentication method?

2. If it does, how do I configure it?

 

Thanks

2 ACCEPTED SOLUTIONS

Ah! Sorry. Couldn't see anywhere specific in your request on this. Yes it supports MSCHAP V2.

 

1. Specify the RADIUS Server

First, you need to specify the RADIUS server that the switch will use for authentication.

 

configure radius add <RADIUS_Server_IP> <Server_Index> client-ip <Switch_IP> vr VR-Default
configure radius <Server_Index> primary
  • <RADIUS_Server_IP>: The IP address of your RADIUS server.
  • <Server_Index>: A unique index for the RADIUS server on the switch.
  • <Switch_IP>: The IP address of the switch that will be used as the source IP when contacting the RADIUS server.

2. Set the RADIUS Shared Secret

The shared secret is used to encrypt communication between the switch and the RADIUS server.

 

configure radius <Server_Index> shared-secret <Shared_Secret>
  • <Shared_Secret>: The secret key shared between the switch and the RADIUS server.

3. Configure RADIUS Timeout and Retries

Configure the timeout and retry values to determine how the switch interacts with the RADIUS server.

 

configure radius <Server_Index> timeout <Timeout_Value>
configure radius <Server_Index> retries <Retry_Value>
  • <Timeout_Value>: The time (in seconds) the switch waits for a response from the RADIUS server before timing out.
  • <Retry_Value>: The number of times the switch will retry contacting the RADIUS server if there's no response.

4. Configure RADIUS as the Authentication Method for CLI Access

Tell the switch to use RADIUS authentication for login.

 

configure radius netlogin primary
configure radius mgmt-access primary

5. Configure the Switch to Use MSCHAPv2

While the specific command can depend on the EXOS version, you generally need to ensure that the RADIUS server is configured to use MSCHAPv2 for authentication. This is typically configured on the RADIUS server side.

6. Optional: Configure a Fallback Method

It's often wise to configure a fallback method, such as local authentication, in case the RADIUS server is unreachable.

 

configure account admin-password

7. Save Your Configuration

To ensure that your settings persist after a reboot, save the configuration.

 
save configuration

8. Test Your Configuration

  • Try to access the management CLI of the switch using a separate shell for testing.
  • The switch should prompt you for a username and password and then authenticate using the RADIUS server with MSCHAPv2.

Note:

  • Ensure that your RADIUS server is correctly configured to support MSCHAPv2 and that the appropriate users are configured on the RADIUS server.
  • The specific commands can vary based on the switch model and EXOS version. Always refer to the official documentation for the most accurate information.
-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!


Chad5
Contributor

Hi,

As far as I know EXOS doesn't support MSCHAPv2 for MGMT or MAC Auth. Only PAP.

Isn't that correct?


8 REPLIES

You're correct, and I appreciate your patience. In ExtremeXOS (EXOS), the specifics of configuring MSCHAPv2 for CLI access largely depend on the external RADIUS server's setup because the switch itself doesn't directly handle MSCHAPv2 configurations. Instead, it relies on the RADIUS server to perform the actual authentication using MSCHAPv2.

-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!

Brent_Addis
Contributor

Hi,

You haven't been specific on which OS you are running, so I am going to assume XOS at this point.

FYI - If this is a new switch, it comes with an XiQ license. Although MSCHAP-V2 isn't supported right now, I would strongly recommend looking into using XiQ for administration.

 

1. Initial Setup

  • Ensure that you have administrative access to the switch.
  • Connect to the switch via console or SSH.

2. Configure NTP (Optional but Recommended)

To ensure that time-sensitive certificates and authentication protocols work correctly, it's good practice to configure NTP:

 

configure sntp primary <NTP Server IP>
enable sntp-client

 

3. Configure VLANs and Ports

Set up your VLANs and assign ports to your VLANs as needed. MSCHAPV2 will be part of the 802.1X process, which requires a properly configured network.

 

create vlan "VLAN_NAME"
configure vlan VLAN_NAME tag <VLAN_ID>
configure vlan VLAN_NAME add ports <port_list> [untagged|tagged]

 

4. Enable Dot1X on the Switch

Enable 802.1X globally on the switch:

 

enable dot1x

 

5. Configure 802.1X on Ports

Configure the ports that will use 802.1X:

 

configure ports <port_list> dot1x reauthentication

 

6. Configure RADIUS Server

Configure the switch to use a RADIUS server that supports MSCHAPV2. The RADIUS server will handle the actual MSCHAPV2 authentication process.

configure netlogin primary-radius-server <RADIUS_SERVER_IP> client-ip <SWITCH_IP> vr <VR-Name> [shared-secret <SECRET>]

 

7. Configure NetLogin (802.1X Authentication)

Configure NetLogin on the ports and specify the authentication type. For MSCHAPV2, the RADIUS server should be configured to handle MSCHAPV2 authentication requests.

 

configure netlogin ports <port_list> mode dot1x

 

8. Optional Configuration

  • Configure a guest VLAN or a fail VLAN if needed.
  • Set up logging and monitoring as per your network policy.

9. Save Configuration

Don't forget to save your configuration:

 

save configuration

 

10. Test Your Setup

  • Connect a device and check if it is properly authenticated using MSCHAPV2.
  • Check logs to ensure the authentication process is occurring as expected.

-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!
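Added example, not from this thread and not Extreme's code: what the two procedures above actually hand to the RADIUS server at the packet level. The first accepted solution configures RADIUS for management login, which (as Chad5 notes) EXOS sends as PAP, so the example implements the RFC 2865 User-Password hiding that the shared secret provides and the Response Authenticator check a NAS must do before trusting an Access-Accept. The 802.1X procedure makes the switch an EAP pass-through, so the example also builds an Access-Request carrying EAP-Message with the Message-Authenticator that RFC 3579 requires, and verifies it. The shared secret, NAS IP address, usernames, passwords and the EAP Identity frame are all constructed here; no switch or server is contacted. Standard library only.

```python
"""RADIUS as a NAS (for example an EXOS switch) sends it: PAP User-Password
hiding and the Response Authenticator (RFC 2865), plus the Message-Authenticator
that must accompany EAP-Message for 802.1X pass-through (RFC 3579).
Added example with constructed values; standard library only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption:
    whoever holds the secret can recover every password that crosses the wire."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, len(value) + 2]) + value

def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_pap_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request as sent for CLI/management login with PAP."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP, nas_ip))
    return radius_packet(ACCESS_REQUEST, ident, authenticator, attrs)

def build_eap_request(user, eap_message, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request relaying an EAP frame from an 802.1X supplicant. RFC 3579 s3.2
    requires Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap_message)
             + attr(ATTR_NAS_IP, nas_ip) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = radius_packet(ACCESS_REQUEST, ident, authenticator, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac           # the zeroed field is the last 16 bytes

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC over the packet with the attribute's value zeroed.
    A packet without the attribute is rejected: EAP exchanges must carry it."""
    pos = 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False
        if kind == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: bind the reply to our outstanding request before trusting Access-Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret, nas = b"constructed-shared-secret", bytes([10, 0, 0, 5])   # constructed values
    req = build_pap_request(b"admin", b"constructed-pw", secret, nas, ident=7)
    print("server recovers:", decode_user_password(req[29:45], secret, req[4:20]))
    print("accept verifies:", verify_response(build_response(ACCESS_ACCEPT, req, b"", secret), req, secret))
    eap = build_eap_request(b"alice", b"\x02\x01\x00\x0a\x01alice", secret, nas, ident=9)
    print("EAP request MAC ok:", verify_message_authenticator(eap, secret))
```

The takeaway for either procedure is the same: the shared secret is the only thing protecting the PAP password and the authenticity of Access-Accept on the path between switch and server, and it is MD5-keyed obfuscation rather than encryption. That is why a long random secret, a dedicated management VLAN or VR for RADIUS traffic, and Message-Authenticator enforcement on the server matter more than which inner method (PAP or MSCHAPv2) the switch speaks.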


@Brent_Addis wrote:

If this is a new switch, it comes with an XiQ license

I think this is no longer the case.

Ah! You are correct.

"Your universal switch includes a 1-year no cost subscription to ExtremeCloud IQ Pilot if purchased prior to July 1, 2023"

 

-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!