This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (Other)
- RE: G3 Switch If SACL's are configured it is not ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
G3 Switch If SACL's are configured it is not possible to login to switch with radius account
G3 Switch If SACL's are configured it is not possible to login to switch with radius account
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-20-2016 08:35 AM
If SACL's are configured it is not possible to login to switch with radius account.
If you configure a SACL that contains a service, it is NOT possible to login to the switch with your radius users anymore, only local users are able to login like "admin".
Firmware on this G3 is: 06.61.15.0003
Radius login credentials are on the NAC Gateways.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-21-2016 07:32 AM
it shouldn't be. in the CLI guide on pg 34-3 it says: G3(su)->set system service-acl my-sacl permit ip-source 10.10.22.2 port 123 to allow NTP. so you should be able to replace that with 1812 for RADIUS. unless there is a bug in the code...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-21-2016 07:32 AM
Such a line he did not exept.
Command:
set system service-acl sacl permit ip-source 10.1.1.250 port 1812
Error:
Invalid Media in [port-string]. ERROR: Invalid interface - 1812
In this constellation the "port" 1812 means a physical interface on the switch....
Command:
set system service-acl sacl permit ip-source 10.1.1.250 port 1812
Error:
Invalid Media in [port-string]. ERROR: Invalid interface - 1812
In this constellation the "port" 1812 means a physical interface on the switch....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-21-2016 07:15 AM
I am not allowed to post here the correct ip addresses, but booth devices are in this list, the NAC Gatways (2 in this case) and the Netsight Server and the Backup Netsight server. You are not able to allow "radius" traffic. It is not bounded to a physical interface. So this does'nt make sense, the customer has more then 50 of these G3 switches in his edge.
That the commands I have used, but with different real IP addresses.
here the config
set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl
the ip's with .250 are the NAC Gateways, 237 and 247 are the Netsight Servers and .249 is a Spectrum maschine.
For this I have opend also a GTAC Ticket with ID 01182646
I have opended this here that other users may find it if they found the same problem.
That the commands I have used, but with different real IP addresses.
here the config
set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl
the ip's with .250 are the NAC Gateways, 237 and 247 are the Netsight Servers and .249 is a Spectrum maschine.
For this I have opend also a GTAC Ticket with ID 01182646
I have opended this here that other users may find it if they found the same problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-20-2016 11:02 AM
Does the SACL include access to the RADUS server/NAC Gateway? Can you post the SACLs here?
Service ACLs are applied on the host interface of the switch and apply to all traffic destined to the switch management. Therefore this will also apply to RADIUS traffic, so they will block the access-accept RADIUS return that will allow the user to login.
Another indication that this is the case is that the local login will only work on RADIUS timeout. if the RADIUS server actually sent a Access-Reject then the local user would not be able to login. So the local management falls back when the response does not reach the switch management.
Service ACLs are applied on the host interface of the switch and apply to all traffic destined to the switch management. Therefore this will also apply to RADIUS traffic, so they will block the access-accept RADIUS return that will allow the user to login.
Another indication that this is the case is that the local login will only work on RADIUS timeout. if the RADIUS server actually sent a Access-Reject then the local user would not be able to login. So the local management falls back when the response does not reach the switch management.
