Security

Hi,

We have RadSec enabled on our FreeRadius servers, and it works well with most authenticators.

We're trying to get the 2930F switch to do authentication over RadSec.
Can see the tunnel being established, and an authentication in the 30s timeout window gets an Access-Accept.

After 30 seconds the RadSec connection is closed, and any subsequent authentications fail.

Server logs:

"Reached idle timeout on socket auth from client (xx.xx.xx.xx, 54492) -> (*, 2083, virtual-server=radsec)"

What is the process for establishing a new TCP connection for authentications?

Thanks,
Emile

------------------------------
Emile Swarts
------------------------------

The switch should automatically re-establish the RadSec connection, at least if there is none open but authentication needs to happen. Also, it is the switch that initiates the RadSec connection, not the server, so the switch logs probably will have the data to understand the issue and solve it.

Reading these logs may need some expert-level understanding of how the switch and RadSec work, so it may not harm to work with your Aruba partner or Aruba support to do the analysis.

Before you do, make sure that you are on a recent version of your switch firmware as issues like these may be fixed. I haven't seen many questions around RadSec before last summer, so I don't think that it has been widely deployed, which makes that limitations may go unnoticed for a long time.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 24, 2021 05:07 AM
From: Emile Swarts
Subject: Aruba 2930F Radsec TCP keepalive

Hi,

We have RadSec enabled on our FreeRadius servers, and it works well with most authenticators.

We're trying to get the 2930F switch to do authentication over RadSec.
Can see the tunnel being established, and an authentication in the 30s timeout window gets an Access-Accept.

After 30 seconds the RadSec connection is closed, and any subsequent authentications fail.

Server logs:

"Reached idle timeout on socket auth from client (xx.xx.xx.xx, 54492) -> (*, 2083, virtual-server=radsec)"

What is the process for establishing a new TCP connection for authentications?

Thanks,
Emile

------------------------------
Emile Swarts
------------------------------