Ethernet Switches & Routers

Broadcom Moderator
Posts: 238
Registered: ‎06-30-2010

Re: Radius W2k8 + ICX6450 Config

Hi Nicolas,

 

You are still getting access reject from the RADIUS server so whatever username / password combination you are using on the switch is being rejected by RADIUS.

 

As I mentioned before, I would suggest you try as simplified a configuration as possible. Keep PAP rather than CHAP; at least this allows you to see the contents of the RADIUS requests when capturing.

 

I am sure that for some reason your RADIUS server is not matching the user correctly.

Everything on the switch looks OK.

Can you set up a test user perhaps, rather than a domain user?

 

Regards

Mick 


If my response has solved your query please click the "Accept as Solution" button.

Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers.

All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider.
Contributor
Posts: 21
Registered: ‎02-01-2013

Re: Radius W2k8 + ICX6450 Config

Hi Mick, what RADIUS server do you recommend? (Something different from Windows 2008.)

thanks

Broadcom Moderator
Posts: 238
Registered: ‎06-30-2010

Re: Radius W2k8 + ICX6450 Config

Hi Nicolas,

 

I have set up Win2k8 to test with the ICX6450; the only difference is that I have used a locally configured account on the Win2k8 server rather than an AD user, as I do not have AD configured.

 

The only step I have not seen from your configuration is registration of the NPS server in AD; not sure if this has been done to allow domain users.

 

I also have not seen exactly how your users / groups and group memberships have been configured for NPS.

Also, can you confirm that the switch is correctly specified as a RADIUS client?

 

I see no reason why Win2k8 should not work for you as RADIUS server.

 

I am still sure that your problem relates to the username / password combination.

Can you set up a non-domain user local to the NPS server to test to see if this works?

 

Regards

Mick


Contributor
Posts: 21
Registered: ‎02-01-2013

Re: Radius W2k8 + ICX6450 Config

Mick, thanks for your help!!

I found the error: it was another network policy that was canceling the authentication, and now it is working!

Let me bother you with another question. What happens if the RADIUS server stops working? No way to authenticate? Just for console?

Thank you!

Contributor
Posts: 21
Registered: ‎02-01-2013

Re: Radius W2k8 + ICX6450 Config

And adding another question please.

With "aaa authentication login default radius" I configure the first authentication, but what is the option to configure to authenticate when trying to enter in "configure console"?

Thanks!
Broadcom Moderator
Posts: 238
Registered: ‎06-30-2010

Re: Radius W2k8 + ICX6450 Config

Hi,

 

To answer your two questions:

First, with regards to failure of the RADIUS server, you should configure a secondary authentication method in the event that RADIUS is unavailable.

 

aaa authentication enable default radius local
aaa authentication login default radius local

 

This would configure local as the secondary authentication method for login and enable. It would require you to configure a local user account to authenticate with in the event that RADIUS was unavailable, e.g.

 

icx6450(config)#username fallback privilege 0 password password

 

To get AAA to work on console connections, you need to add the following configuration:

 

icx6450(config)#enable aaa console

Regards

Mick


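An added example, not part of the original posts: a small Python check that a saved running-config contains the fallback described in the reply above (RADIUS followed by local, a local username to fall back to, and AAA enabled on the console). The sample configs are constructed from the commands in this thread, and the function name `audit_aaa` is hypothetical.

```python
import re

# Constructed running-config fragments built from the commands in this thread.
GOOD = """\
aaa authentication enable default radius local
aaa authentication login default radius local
enable aaa console
username fallback password .....
"""
RADIUS_ONLY = """\
aaa authentication login default radius
"""

def audit_aaa(config):
    """Return findings about RADIUS fallback for login, enable and console access."""
    findings = []
    methods = {}
    pattern = r"^aaa authentication (login|enable) default (.+)$"
    for m in re.finditer(pattern, config, re.M):
        methods[m.group(1)] = m.group(2).split()
    has_local_user = re.search(r"^username \S+", config, re.M) is not None
    for kind in ("login", "enable"):
        lst = methods.get(kind)
        if lst is None:
            findings.append(f"{kind}: no AAA method list configured")
        elif "radius" in lst and "local" not in lst[lst.index("radius") + 1:]:
            # RADIUS outage leaves no second method to try
            findings.append(f"{kind}: radius has no local fallback")
        elif "local" in lst and not has_local_user:
            # fallback is listed but there is no account to authenticate against
            findings.append(f"{kind}: local method listed but no local username exists")
    if not re.search(r"^enable aaa console\s*$", config, re.M):
        findings.append("console: 'enable aaa console' missing")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("RADIUS_ONLY", RADIUS_ONLY)):
        print(name, audit_aaa(cfg) or "ok")
```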
Contributor
Posts: 21
Registered: ‎02-01-2013

Re: Radius W2k8 + ICX6450 Config

Perfect, thanks for all!
Frequent Contributor
Posts: 137
Registered: ‎07-20-2015

Re: Radius W2k8 + ICX6450 Config

How do you specify the privilege level it returns?

Broadcom Moderator
Posts: 238
Registered: ‎06-30-2010

Re: Radius W2k8 + ICX6450 Config

Hi,

 

You need to configure the vendor specific attribute for foundry-privilege-level

 

http://www.brocade.com/content/html/en/configuration-guide/fastiron-08020c-securityguide/GUID-A3193D90-3FF4-4B04-8C6D-084743FDE91C.html

 


 

Hope this is what you are looking for

 

Regards

Mick


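An added example, not part of the original posts: a Python parser that pulls foundry-privilege-level out of a RADIUS Access-Accept, useful for confirming in a capture that NPS actually returns the vendor-specific attribute. The vendor ID 1991, attribute number 1 and the level values 0/4/5 are assumptions taken from general FastIron documentation rather than from this thread, so confirm them in the linked guide; the packet is constructed, with a zeroed authenticator.

```python
import struct

FOUNDRY_VENDOR_ID = 1991      # Foundry enterprise number (assumption, confirm in the guide)
FOUNDRY_PRIVILEGE_LEVEL = 1   # vendor attribute number (same caveat)
LEVELS = {0: "super-user", 4: "port-config", 5: "read-only"}

def build_vsa(vendor_id, vtype, value):
    """Encode one integer sub-attribute inside a Vendor-Specific (type 26) attribute."""
    body = struct.pack("!IBBI", vendor_id, vtype, 6, value)
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_access_accept(identifier, attrs):
    """Constructed Access-Accept (code 2) with a zeroed authenticator, for parsing only."""
    return struct.pack("!BBH", 2, identifier, 20 + len(attrs)) + bytes(16) + attrs

def foundry_privilege(packet):
    """Return the foundry-privilege-level in a RADIUS packet, or None if absent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:
            continue                      # not a usable Vendor-Specific attribute
        if struct.unpack("!I", value[:4])[0] != FOUNDRY_VENDOR_ID:
            continue                      # some other vendor's VSA
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad sub-attribute length")
            if vtype == FOUNDRY_PRIVILEGE_LEVEL and vlen == 6:
                return struct.unpack("!I", sub[2:6])[0]
            sub = sub[vlen:]
    return None

def describe(packet):
    level = foundry_privilege(packet)
    if level is None:
        return "no foundry-privilege-level returned"
    return LEVELS.get(level, f"unknown ({level})")
```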
