03-17-2022 09:57 AM
a week ago
Sorry, do not recall getting any email alert about this... Giuseppe sent me the link now.
So, the RADIUS reachability feature is only relevant for EAPoL, in particular the fail-open and continuity modes. Basically, the EAPoL function needs to know when/if the RADIUS servers change or all fail. Endpoint-tracking also uses RADIUS reachability.
For CLI RADIUS authentication, what's the use? If a RADIUS server is available it will be used; else, if there is no RADIUS response, it will fall back to the local password.
14 hours ago
Hi Ludovico,
The use of RADIUS reachability for CLI access is to avoid waiting about 1 min before falling back to the local password when the RADIUS servers are unreachable for any reason...
Regards.
03-17-2022 06:02 PM
CORE-01:1#show radius-server
==================================================================================================================
Radius Server Entries
==================================================================================================================
ACCT ACCT SOURCE
NAME USEDBY SECRET PORT PRIO RETRY TIMEOUT ENABLED PORT ENABLED IP
------------------------------------------------------------------------------------------------------------------
10.10.10.56 cli ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 cli ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.56 eapol ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 eapol ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.56 web ****** 1812 10 1 8 true 1813 true 10.11.10.254
10.10.10.58 web ****** 1812 10 1 8 true 1813 true 10.11.10.254
CORE-01:1#show radius reachability
EAP RADIUS reachability mode : use-radius
EAP RADIUS reachability status : reachable
EAP RADIUS reachable server : 10.10.10.56
Time until next check : 37
RADIUS username : reachme
RADIUS password : reachme
RADIUS keep-alive-timer : 180
RADIUS unreachable-timer : 60
CORE-01:1#show run modu radius
config terminal
# RADIUS CONFIGURATION
radius server host 10.10.10.56 key ****** source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by eapol source-ip 10.11.10.254
radius server host 10.10.10.56 key ****** used-by web source-ip 10.11.10.254
radius server host 10.10.10.58 key ****** used-by web source-ip 10.11.10.254
radius enable
radius accounting enable
radius sourceip-flag
radius reachability username reachme password reachme
end
03-18-2022 03:46 AM
5520-24X-VOSS:1#sho run mod rad
config terminal
#
# RADIUS CONFIGURATION
#
radius server host 10.124.100.4 key ****** used-by web
radius enable
radius reachability keep-alive-timer 30 unreachable-timer 30
end
The strange thing is that RADIUS requests are handled well with this config, and UDP traffic on port 1812 correctly reaches the server, but that's not the case for RADIUS reachability...
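An added example, not part of the thread and not Extreme's code: a minimal RFC 2865 PAP probe, run from a test host that the server accepts as a RADIUS client, to check whether a server answers the dummy reachability account (reachme, as in the configuration above). It assumes that any authenticated Access-Accept or Access-Reject counts as "reachable"; the function names and the shared secret passed in are hypothetical.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (chained MD5 XOR)."""
    size = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user           # User-Name (type 1)
    attrs += bytes([2, 2 + len(hidden)]) + hidden      # User-Password (type 2)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def response_is_valid(reply, ident, request_auth, secret):
    """True if the reply answers our request and its authenticator verifies."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return digest == reply[4:20]

def probe(server, secret, user=b"reachme", password=b"reachme",
          port=1812, timeout=8.0):
    """One probe; an authenticated Accept or Reject is assumed to mean reachable."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:                                 # timeout or ICMP unreachable
            return False
    return response_is_valid(reply, ident, auth, secret)
```

A `False` result from `probe()` while ordinary logins succeed points at how the server treats the dummy account or the probe's source address rather than at UDP/1812 connectivity.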