This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

VSP5520 SSH/Mgmt

VSP5520 SSH/Mgmt

Go to solution
bfaltys
Contributor II

ā€Ž08-24-2021 02:36 PM

Iā€™m trying to test one of our new VSP5520s. I had been under the impression that VOSS is VOSS regardless of which switch, but maybe I was wrong. I have configured a loopback with an IP and SPBM/ISIS. I have an adjacency and I can ping the switch via that loopback. However, I cannot SSH to the switch and pings from the switch only work if I specify the loopback as the source. We also have new VSP4900 and VSP7400 that didnā€™t require anything special to be able to SSH to the loopback IP. Pings from those models also didnā€™t require me to specify a source. What am I missing? SSHD is enabled. I see a route to the subnet Iā€™m SSHing from. Iā€™m guessing this has something to do with the mgmt VRF or something along those lines, but Iā€™ve not been able to sort it out.

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
bfaltys
Contributor II

ā€Ž08-26-2021 02:13 PM

Success. It was the RADIUS attribute. Here are screenshots of NPS.

ca62521bcc4543949d387fe9553a990e_8806b98a-bea7-49c2-af2c-b58e7a5b194e.png
ca62521bcc4543949d387fe9553a990e_fe9f2c2c-e48e-4367-8216-1d510a506e62.png

 

View solution in original post

0 Kudos
14 REPLIES 14

Go to solution
bfaltys
Contributor II

ā€Ž08-26-2021 01:28 PM

Iā€™ll see if I can make sense of that. Weā€™re using Windows Server for NPS and it has worked for all other Extreme models without setting other attributes.

 

Iā€™m trying another switch this morning to see if it has the same issue. Of course now I get a different error. When trying to configure an IP on the mgmt CLIP it give the message ā€œError: Cannot use Dynamic nick-name subnet 172.16.0.0/12.ā€

 

**UPDATE**

I donā€™t get the error after a factory default and then configure the CLIP.

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

ā€Ž08-26-2021 07:51 AM

Please review this to be sure that you send the correct radius attributes with the NPS:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%

Service-Type=%MGMT_SERV_TYPE%

Passport-Access-Priority=%CUSTOM1%

 

https://extremeportal.force.com/ExtrArticleDetail?an=000082104&q=voss%20radius%20attribute

 

0 Kudos

Go to solution
bfaltys
Contributor II

ā€Ž08-25-2021 02:22 PM

I also see a message stating ā€œx509v3 host certificate is unavailableā€

0 Kudos

Go to solution
bfaltys
Contributor II

ā€Ž08-25-2021 02:10 PM

Just did a confirmation. Both keys are the same. I would expect the server to not even get to the point of  access-accept if the switch had the wrong key. Here is the Wireshark capture that shows the success and the switch showing invalid credentials.

 

699909d14a3941d6889afdd2af8716ac_9fc16539-80ca-48b8-94a2-0a27a9918ccf.png

 

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

ā€Ž08-25-2021 01:46 PM

Usual suspect is the shared secret.

Could you double check?

0 Kudos
GTM-P2G8KFN