Radius reachability problem on VOSS

Jave
Contributor
Hi everybody,

Trying to set up a management RADIUS connection on a VOSS switch; everything works fine, but I'm unable to get correct RADIUS server reachability.
RADIUS connection on the CLI works well, but no dummy packets are sent to the NAC server (I can't see anything with tcpdump on the server), so when it goes down, new connections lag because the switch still tries to authenticate against the server...
Any idea?

[attached screenshot]
[attached screenshot] (example here with web access)

Rodjeur

Miguel-Angel_RO
Valued Contributor II
Rodjeur,

This is working for me in production:
CORE-01:1#show radius-server
==============================================================================================
Radius Server Entries
==============================================================================================
                                                                  ACCT  ACCT     SOURCE
NAME         USEDBY  SECRET  PORT  PRIO  RETRY  TIMEOUT  ENABLED  PORT  ENABLED  IP
----------------------------------------------------------------------------------------------
10.10.10.56  cli     ******  1812  10    1      8        true     1813  true     10.11.10.254
10.10.10.58  cli     ******  1812  10    1      8        true     1813  true     10.11.10.254
10.10.10.56  eapol   ******  1812  10    1      8        true     1813  true     10.11.10.254
10.10.10.58  eapol   ******  1812  10    1      8        true     1813  true     10.11.10.254
10.10.10.56  web     ******  1812  10    1      8        true     1813  true     10.11.10.254
10.10.10.58  web     ******  1812  10    1      8        true     1813  true     10.11.10.254

CORE-01:1#show radius reachability

EAP RADIUS reachability mode : use-radius
EAP RADIUS reachability status : reachable
EAP RADIUS reachable server : 10.10.10.56
Time until next check : 37
RADIUS username : reachme
RADIUS password : reachme
RADIUS keep-alive-timer : 180
RADIUS unreachable-timer : 60

CORE-01:1#show run modu radius

config terminal
# RADIUS CONFIGURATION
radius server host 10.10.10.56 key ****** source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by web source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by web source-ip 10.11.10.254
radius enable
radius accounting enable
radius sourceip-flag
radius reachability username reachme password reachme
end

Regards,

Mig

Hello Miguel-Angel,

Thanks for your reply, but it seems that you're running a VSP8600 Series, with the specific command radius sourceip-flag, which doesn't exist on other models.
That's my current setup:
5520-24X-VOSS:1#sho run mod rad

config terminal

#
# RADIUS CONFIGURATION
#

radius server host 10.124.100.4 key ******  used-by web
radius enable
radius reachability keep-alive-timer 30 unreachable-timer 30

end


The strange thing is that RADIUS requests are handled correctly with this config, and UDP traffic on port 1812 reaches the server correctly, but that's not the case for RADIUS reachability...


Rodjeur

Miguel-Angel_RO
Valued Contributor II
Rodjeur,

What you get is "EAP RADIUS reachability status = unreachable"
What is the output of the command "show eapol system"?

Mig

VOSS RADIUS reachability only works in conjunction with RADIUS servers created with used-by = EAPoL.
So if you only have RADIUS servers for CLI authentication (or Web, SNMP, Endpoint-tracking), then the reachability function won't run.
The intent of RADIUS reachability is to work in conjunction with EAPoL features like Fail-Open.
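To make the point above concrete, here is an added configuration example (not posted by anyone in this thread) showing the 5520 setup from the earlier reply with the missing piece added: the same NAC server is registered a second time with used-by eapol, so the reachability probe has an EAPoL-scoped server to run against. The server address, timers and probe credentials are taken from the thread; <secret> is a placeholder, and the "radius reachability mode use-radius" line is an assumption about this platform's syntax that should be checked against the release documentation.

```text
# Added example, not the thread's own config.
config terminal

# Existing entry: web (CLI/management) authentication keeps working as before,
# but an entry scoped only to web/cli/snmp never starts the reachability probe.
radius server host 10.124.100.4 key <secret> used-by web

# Added entry: same server, EAPoL scope. This is what reachability keys off.
radius server host 10.124.100.4 key <secret> used-by eapol

radius enable

# Probe with a real RADIUS Access-Request rather than ICMP (assumed syntax),
# using a dedicated account the NAC server will answer for.
radius reachability mode use-radius
radius reachability username reachme password reachme
radius reachability keep-alive-timer 30 unreachable-timer 30
end

# Verification after applying:
#   show radius-server        -> one row for 10.124.100.4 with USEDBY = eapol
#   show radius reachability  -> "EAP RADIUS reachability status : reachable"
#   show eapol system         -> the output Mig asked for above
# On the NAC server, tcpdump on udp port 1812 should now show periodic
# Access-Requests for user "reachme" at the keep-alive interval.
```

The probe account should be a throwaway identity on the NAC server with no network authorization attached to it, since its password is visible in "show radius reachability" output on the switch.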