cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

G3 Switch If SACL's are configured it is not possible to login to switch with radius account

G3 Switch If SACL's are configured it is not possible to login to switch with radius account

Rainer_Adam
New Contributor III

If SACL's are configured it is not possible to login to switch with radius account.

If you configure a SACL that contains a service, it is NOT possible to login to the switch with your radius users anymore, only local users are able to login like "admin".

Firmware on this G3 is: 06.61.15.0003
Radius login credentials are on the NAC Gateways.

8 REPLIES 8

it shouldn't be. in the CLI guide on pg 34-3 it says: G3(su)->set system service-acl my-sacl permit ip-source 10.10.22.2 port 123 to allow NTP. so you should be able to replace that with 1812 for RADIUS. unless there is a bug in the code...

Such a line he did not exept.

Command:
set system service-acl sacl permit ip-source 10.1.1.250 port 1812

Error:

Invalid Media in [port-string]. ERROR: Invalid interface - 1812

In this constellation the "port" 1812 means a physical interface on the switch....

Rainer_Adam
New Contributor III
I am not allowed to post here the correct ip addresses, but booth devices are in this list, the NAC Gatways (2 in this case) and the Netsight Server and the Backup Netsight server. You are not able to allow "radius" traffic. It is not bounded to a physical interface. So this does'nt make sense, the customer has more then 50 of these G3 switches in his edge.

That the commands I have used, but with different real IP addresses.

here the config

set system service-acl sacl permit service telnet
set system service-acl sacl permit service ssh
set system service-acl sacl permit service tftp
set system service-acl sacl permit service sntp
set system service-acl sacl permit ip-source 10.1.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.2.1.250 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.247 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.237 wildcard 0.0.0.0 service snmp
set system service-acl sacl permit ip-source 10.1.1.249 wildcard 0.0.0.0 service snmp
set system service-class sacl

the ip's with .250 are the NAC Gateways, 237 and 247 are the Netsight Servers and .249 is a Spectrum maschine.

For this I have opend also a GTAC Ticket with ID 01182646

I have opended this here that other users may find it if they found the same problem.

Matthew_Hum1
Extreme Employee
Does the SACL include access to the RADUS server/NAC Gateway? Can you post the SACLs here?

Service ACLs are applied on the host interface of the switch and apply to all traffic destined to the switch management. Therefore this will also apply to RADIUS traffic, so they will block the access-accept RADIUS return that will allow the user to login.

Another indication that this is the case is that the local login will only work on RADIUS timeout. if the RADIUS server actually sent a Access-Reject then the local user would not be able to login. So the local management falls back when the response does not reach the switch management.
GTM-P2G8KFN