
MSCHAPV2 CONFIGURATION in 5520 & X440 series switches for radius authentication.

NN_QA
New Contributor

Hi,

1. Does the 5520 / X440-G2 series switch support MSCHAPv2 for the RADIUS authentication method?

2. If it is supported, how do I configure it?

 

Thanks

1 ACCEPTED SOLUTION

Ah! Sorry. Couldn't see anywhere specific in your request on this. Yes it supports MSCHAP V2.

 

First, you need to specify the RADIUS server that the switch will use for authentication.

 

configure radius add <RADIUS_Server_IP> <Server_Index> client-ip <Switch_IP> vr VR-Default
configure radius <Server_Index> primary
  • <RADIUS_Server_IP>: The IP address of your RADIUS server.
  • <Server_Index>: A unique index for the RADIUS server on the switch.
  • <Switch_IP>: The IP address of the switch that will be used as the source IP when contacting the RADIUS server.

2. Set the RADIUS Shared Secret

The shared secret is used to encrypt communication between the switch and the RADIUS server.

 

configure radius <Server_Index> shared-secret <Shared_Secret>
  • <Shared_Secret>: The secret key shared between the switch and the RADIUS server.

3. Configure RADIUS Timeout and Retries

Configure the timeout and retry values to determine how the switch interacts with the RADIUS server.

 

configure radius <Server_Index> timeout <Timeout_Value>
configure radius <Server_Index> retries <Retry_Value>
  • <Timeout_Value>: The time (in seconds) the switch waits for a response from the RADIUS server before timing out.
  • <Retry_Value>: The number of times the switch will retry contacting the RADIUS server if there's no response.

4. Configure RADIUS as the Authentication Method for CLI Access

Tell the switch to use RADIUS authentication for login.

 

configure radius netlogin primary
configure radius mgmt-access primary

5. Configure the Switch to Use MSCHAPv2

While the specific command can depend on the EXOS version, you generally need to ensure that the RADIUS server is configured to use MSCHAPv2 for authentication. This is typically configured on the RADIUS server side.

6. Optional: Configure a Fallback Method

It's often wise to configure a fallback method, such as local authentication, in case the RADIUS server is unreachable.

 

configure account admin-password

7. Save Your Configuration

To ensure that your settings persist after a reboot, save the configuration.

 
save configuration

8. Test Your Configuration

  • Try to access the management CLI of the switch using a separate shell for testing.
  • The switch should prompt you for a username and password and then authenticate using the RADIUS server with MSCHAPv2.

Note:

  • Ensure that your RADIUS server is correctly configured to support MSCHAPv2 and that the appropriate users are configured on the RADIUS server.
  • The specific commands can vary based on the switch model and EXOS version. Always refer to the official documentation for the most accurate information.
-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!

7 REPLIES 7

NN_QA
New Contributor

Hi,

Thanks for your reply, but my scenario is authentication for managing the switch, not 802.1X.

 

Thanks & regards


Hi Brent,

I am using EXOS 31.3.1.3. If I am not specifying anything about MSCHAP V2 in the switch, the switch will send the request to the RADIUS server in an unencrypted way such as PAP, etc. Then how will the RADIUS server authenticate?

Thanks & Regards

You're correct, and I appreciate your patience. In ExtremeXOS (EXOS), the specifics of configuring MSCHAPv2 for CLI access largely depend on the external RADIUS server's setup because the switch itself doesn't directly handle MSCHAPv2 configurations. Instead, it relies on the RADIUS server to perform the actual authentication using MSCHAPv2.



 

-----
-Brent Addis / Extreme Black Belt #491
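
To check from a packet capture which method the switch actually places in its Access-Request (the PAP versus MSCHAPv2 question raised in this thread), the request's attributes can be classified as below. This is an added example, not part of the original thread and not Extreme's code; the helper names and the two sample packets are constructed for illustration, with zeroed authenticators and dummy credential bytes.

```python
import struct

MS_VENDOR = 311                                # Microsoft vendor ID (RFC 2548)

def attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    pos = 20                                   # code, id, length, authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def auth_method(packet):
    """Name the credential scheme carried in an Access-Request."""
    if packet[:1] != b"\x01":
        raise ValueError("not an Access-Request")
    plain, ms = set(), set()
    for atype, value in attributes(packet):
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR:
            ms.add(value[4])                   # Microsoft vendor type
        plain.add(atype)
    if 79 in plain: return "EAP"               # EAP-Message
    if 25 in ms:    return "MS-CHAPv2"         # MS-CHAP2-Response
    if 1 in ms:     return "MS-CHAPv1"         # MS-CHAP-Response
    if 3 in plain:  return "CHAP"              # CHAP-Password
    if 2 in plain:  return "PAP"               # User-Password
    return "none"

# Constructed sample packets: zeroed authenticator, dummy credential bytes.
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _ms(t, v):   return _attr(26, struct.pack("!I", MS_VENDOR) + _attr(t, v))
def _request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

PAP_SAMPLE = _request(_attr(1, b"admin"), _attr(2, bytes(16)))
MSCHAPV2_SAMPLE = _request(_attr(1, b"admin"), _ms(11, bytes(16)), _ms(25, bytes(50)))

if __name__ == "__main__":
    for name, pkt in (("PAP_SAMPLE", PAP_SAMPLE), ("MSCHAPV2_SAMPLE", MSCHAPV2_SAMPLE)):
        print(name, "->", auth_method(pkt))
```

Pass it the UDP payload of a request captured between the switch and the RADIUS server (standard authentication port 1812) to see which attribute the switch sends for a management login.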