Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Unable to reach the external Radius server for management authentication

Jump to Best Answer
  • 1.  Unable to reach the external Radius server for management authentication

    Posted May 21, 2020 12:52 AM

    Hello all,

     

    I have deployed standalone VMC in  cloud . I am trying to setup management authentication with external radius server 

     

    May 20 10:09:33 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 146 bytes on radius socket 63
    May 20 10:09:43 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 142 bytes on radius socket 63
    May 20 11:54:55 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63

    May 20 11:54:55 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
    May 20 11:56:19 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
    May 20 11:57:45 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
    May 20 11:59:07 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 142 bytes on radius socket 63

     I keep seeing this message over and over in the error.log.

     

    I suspect , the radius server is unreachable from the VMC, I have the default route to the cloud gateway. SSH and WebGUI works fine on the public IP.

     

    (Batman) [mynode] #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
    M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    C 10.1.96.0/24 is directly connected, VLAN1
    M X.246.X.0/23 is directly connected to mgmt interface

    Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
    M* 0.0.0.0/0 via X.246.X.1*

     

    Note: My management IP has the public address .

    Is there a difference between 

    #ip default-gateway mgmt <next hop>

    and  #ip default-gateway <next hop> cost ?.

     

    This is my radius config

    sidlegend_0-1590036193025.png

    sidlegend_1-1590036245841.pngsidlegend_2-1590036323975.png

    Is there anyway to check for specified destination IP what will be exit interface ?. 

    What am I missing here?.



  • 2.  RE: Unable to reach the external Radius server for management authentication
    Best Answer

    Posted May 21, 2020 03:42 AM

    Firstly check to see if the connectivity (so IP, ports, shared secret etc) is correct. Use the command to generate some fake credentials and an authentication request. It will tell you if the authentication fails or it times out.

     

    aaa test-server [pap/mschapv2][auth server name][username][password] verbose
    
    e.g 
    
    (Aruba7030) *[mynode] #aaa test-server mschapv2 RADIUS01 username password verbose

     

    At the moment it looks like, based on your configuration that you do not have a route to the auth server.

     

    What is the IP address of your RADIUS server and what should be doing the routing? 



  • 3.  RE: Unable to reach the external Radius server for management authentication

    Posted May 21, 2020 06:34 AM

    Hello Criag,

     

    Interface Mgmt has the public IP address in the same subnet as the cloud internet gateway . I have default route to the cloud internet gateway(207.246.120.1) . So if i try to reach the radius server(public IP) on the internet, should it not take the default route?. Is that only for management ?.

     

    (Batman) [mynode] #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
    M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    C 10.1.96.0/24 is directly connected, VLAN1
    M 207.246.120.0/23 is directly connected to mgmt interface

    Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
    M* 0.0.0.0/0 via 207.246.120.1*

     

    (Batman) [mynode] #show configuration

    hostname "Batman"

    vlan 1
    interface vlan 1
    ip address 207.246.120.96 255.255.254.0
    !

    interface mgmt
    shutdown
    !
    interface gigabitethernet 0/0/0
    no shutdown
    no spanning-tree
    trusted vlan 1-4094
    trusted
    description "GE0/0/0"
    !
    interface gigabitethernet 0/0/1
    shutdown
    no spanning-tree
    trusted vlan 1-4094
    trusted
    description "GE0/0/1"
    !
    interface gigabitethernet 0/0/2
    shutdown
    no spanning-tree
    trusted vlan 1-4094
    trusted
    description "GE0/0/2"
    !
    interface port-channel 0
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 1
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 2
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 3
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 4
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 5
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 6
    trusted
    trusted vlan 1-4094
    !
    interface port-channel 7
    trusted
    trusted vlan 1-4094
    !
    controller-ip vlan 1
    ip default-gateway 207.246.120.1

    clock timezone PST -8 0

    mgmt-user admin root ffd5e29101c29090f6135e3fb609c9fdc4d2256d95a851bd12

    end

     

    The management interfaces shows shutdown  ,but I see it up and running 

     

    (Batman) [mynode] #show ip interface brief

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 10.1.96.1 / 255.255.255.0 up up
    loopback unassigned / unassigned up up
    mgmt 207.246.120.96 / 255.255.254.0 up up

     

    (Batman) [mynode] #show interface vlan 1

    VLAN1 is up line protocol is up
    Hardware is CPU Interface, Interface address is 5A:00:02:C5:A9:21 (bia 5A:00:02:C5:A9:21)
    Description: 802.1Q VLAN
    Internet address is 10.1.96.1 255.255.255.0
    IPv6 Router Advertisements are disabled
    Routing interface is enable, Forwarding mode is enable
    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
    Encapsulation 802, loopback not set
    MTU 1500 bytes
    Last clearing of "show interface" counters 0 day 6 hr 33 min 14 sec
    link status last changed 0 day 6 hr 29 min 10 sec
    Proxy Arp is disabled for the Interface
    (Batman) [mynode] #show in
    interface Interface Status and Configuration
    inventory Show hardware inventory

    (Batman) [mynode] #show interface mgmt

    mgmt is up line protocol is up
    Hardware is Ethernet, address is 56:00:02:C5:A9:21
    Internet address is 207.246.120.96 255.255.254.0

     

    I don't see details on how it fails, even though says it authentication failed   

     

    (Batman) [mynode] #aaa test-server pap pfsense batman1 vpn123 verbose

    Authentication failed.

     

    Further , I setup pfsense as my external radius server , in the packet captures , I dont even see the radius access request from the controller's public IP.The controller should route the packets to default gateway of the cloud and thus make this work .It seems it acts as a management gateway rather than a default gateway for all the traffic in the controller.



  • 4.  RE: Unable to reach the external Radius server for management authentication
    Best Answer

    Posted May 21, 2020 06:51 AM

    Hi,

     

    Your controller ip is vlan 1 with IP 10.1.96.1 so traffic will be initiated with this IP.

     

    Did you do a write mem after doing the changes?

    What is the output of show running or show configuration effective?

     

    Batman) [mynode] #show ip interface brief

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 10.1.96.1 / 255.255.255.0 up up
    loopback unassigned / unassigned up up
    mgmt 207.246.120.96 / 255.255.254.0 up up

     

    On a side note, make sure you add a restrictive ACL to block access from the internet. You don't want your switch to have a public IP and be reachable from outside..