
Aruba 2930F first time setup - RADIUS

  • 1.  Aruba 2930F first time setup - RADIUS

    Posted Aug 22, 2023 01:41 PM

    I got a new 2930F switch, and I have everything set up except for RADIUS.  I copied the RADIUS server, keys etc. from an existing switch configuration where I'm able to login via my AD login.  I also added the new switch IP on NPS, and also added the new switch IP on the Duo config file.

    I'm not able to figure out why only the local Manager account works, but not RADIUS.

    Please see this link for more details.  https://community.spiceworks.com/topic/2492432-aruba-switch-question?page=1#entry-10415826



  • 2.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 23, 2023 04:28 AM

    This video may help. It has the required configuration. It is with ClearPass, but if you send the same attributes, it should work similarly with NPS.

    If you see that the switch immediately rejects authentication for a RADIUS account, you probably did not select radius for your administrative login, if it takes a few seconds, the radius server probably does not respond or is misconfigured. Checking the logs (show log -r) will probably give you further indication of what may be wrongly configured.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 23, 2023 11:33 AM

    Is it possible for you to paste the configuration sections (just mask the keys and other sensitive data)?




  • 4.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 23, 2023 12:38 PM
    Edited by t.antony Aug 23, 2023 02:12 PM

    Thanks everyone,

    I changed the radius key so it's not public here.

    10.0.0.15 & 16 are the 2 domain controllers (AD).  I have IP of the new switch (10.0.0.9) added as a new client on NPS since existing switch IPs were there also.

    10.0.0.17 is the Duo server.  I have the IP of the new switch (10.0.0.9) added in the config file, just like the other switches that were already there.

    Running configuration:
    
    ; JL262A Configuration Editor; Created on release #WC.16.11.0012
    ; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
    hostname "Core-switch"
    module 1 type jl262a
    banner motd "#######################################################################\n# Authorized Users Only #\n# The information on this computer and network is the property of #\n# company and is protected by intellectual property #\n# rights. You must be assigned an account on this computer to #\n# access the information and are only allowed to access information as #\n# defined by the System Administrator(s). Your activities are #\n# monitored for security reasons. #\n########################################################################"
    logging 10.0.0.20
    radius-server host 10.0.0.15
    radius-server host 10.0.0.16
    radius-server host 10.0.0.17 key "key"
    radius-server key "radiuskey"
    timesync ntp
    ntp unicast
    ntp server 10.0.0.5
    ntp enable
    no telnet-server
    time daylight-time-rule continental-us-and-canada
    time timezone -300
    web-management ssl
    ip default-gateway 10.0.0.5
    interface 49
       name "Uplink"
       exit
    snmp-server community "companySNMP" operator
    snmp-server contact "company IT" location "Office"
    aaa server-group radius "8021x" host 10.0.0.15
    aaa server-group radius "8021x" host 10.0.0.16
    aaa server-group radius "mgmt" host 10.0.0.17
    aaa authentication login privilege-mode
    aaa authentication console login peap-mschapv2 server-group "mgmt" local
    aaa authentication telnet login peap-mschapv2 server-group "mgmt" local
    aaa authentication web login peap-mschapv2 server-group "mgmt" local
    aaa authentication ssh login peap-mschapv2 server-group "mgmt" local
    aaa authentication port-access eap-radius server-group "8021x"
    aaa port-access authenticator active
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-48,50-52
       tagged 49
       ip address 10.0.0.9 255.255.255.0
       exit
    vlan 4
       name "CNC Wireless"
       tagged 49
       no ip address
       exit
    vlan 5
       name "CMM"
       tagged 49
       no ip address
       exit
    vlan 100
       name "Voice"
       tagged 49
       no ip address
       voice
       exit
    vlan 302
       name "Wireless"
       tagged 49
       no ip address
       exit
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    no dhcp tr69-acs-url
    password manager
    password operator
    




  • 5.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 23, 2023 02:23 PM
    Edited by t.antony Aug 23, 2023 02:55 PM

    I also looked at sh log -r, and I'm seeing this.  But when I do a ping to the radius server from the switch, it's pinging it.

    I checked the NPS logs, and I don't see the IP of the new switch, 10.0.0.9, in the log, so it seems like it's not even getting to NPS.

    I do have the latest 2930f firmware on this switch.

     ping 10.0.0.17
    10.0.0.17 is alive, time = 1 ms
    
    08/23/23 14:19:41 00421 radius: Can't reach RADIUS server 10.0.0.17 (1 times
                in 60 seconds)
    




  • 6.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 23, 2023 03:58 PM

    I found this link, where the person removed RADIUS from the switch and added it back in.  When I do no radius server 10.0.16, it's gone.

    But I'm not able to delete 10.0.0.15 and 10.0.0.17.  It says can't remove last RADIUS server.

    https://community.spiceworks.com/topic/2145233-nps-and-hp-2530-authentication-issues




  • 7.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 03:50 AM

    Can you run a packet capture (Wireshark/tcpdump or so) on your Duo server 10.0.0.17 and see if the RADIUS request from your switch reaches that server if you try to login?

    Do you see anything in the logs on the Duo server related to your switch?

    Is the Duo server supposed to respond to RADIUS at all?? I don't know Duo that well, so this may be a stupid question.



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 03:39 AM

    Hi

    I would propose adopting the following syntax:

    aaa authentication console login radius server-group "mgmt" local
    aaa authentication telnet login radius server-group "mgmt" local
    aaa authentication web login radius server-group "mgmt" local
    aaa authentication ssh login radius server-group "mgmt" local
    

    The switch succeeds in pinging the radius server's IP, so let's focus on the protocol side.

    You confirm that 10.0.0.17 is successfully serving other switches?



    ------------------------------
    Frederic MEUNIER
    ------------------------------



  • 9.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 08:33 AM
    Edited by t.antony Aug 24, 2023 09:14 AM

    Thanks for helping out, really appreciate it.

    10.0.0.8 switch RADIUS works

    10.0.0.9, RADIUS doesn't work.

    10.0.0.15 is my DC

    10.0.0.17 is Duo server

    10.0.0.20 is the logging server

    I did a wireshark capture on a switch where RADIUS works and on this switch.  On wireshark, I'm getting the same output for both switches, so that tells me the new switch is also reaching the Duo server (10.0.0.17).

    When I did a wireshark capture from both switches to the DC, 10.0.0.15, the existing switch is flagging no errors, but the new switch is flagging the errors boxed in red: "Can't reach radius server 10.0.0.17", and invalid username or password on SSH.  I'm using the same username and password (AD) to login to both switches, and the same username and password works on 10.0.0.8, but not on the new 10.0.0.9.  I assume it says can't reach RADIUS server 10.0.0.17 because the DC 10.0.0.15 is not allowing it due to invalid username / password, because I can ping it, so it's clearly reachable.

    The RADIUS keys and other stuff on 10.0.0.9, I copied it from the config of 10.0.0.8, so they all should be correct.  Both switches are Aruba 2930F family.  10.0.0.8 was already setup before I came to this company, 10.0.0.9 is the new Aruba switch I'm setting up that's why I copied the RADIUS config from the other switch.  This is also my first time setting up a brand new Aruba switch and also first time setting up RADIUS auth.  I'm used to Netgear.

    Also, when I SSH to the 10.0.0.8 switch (and other existing switches) from PuTTY, it takes a couple of seconds for PuTTY to show "login as:".

    But on this new switch, when I SSH, I immediately get the "login as:" prompt, so I don't know if it's some kind of timing issue?

    Just something I observed, but it might not even be the issue.




  • 10.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 08:51 AM

    This is RADIUS config from the 10.0.0.8 switch where RADIUS works.  RADIUS keys changed here since I'm posting it here.

    logging 10.0.0.20
    
    radius-server host 10.0.0.15
    radius-server host 10.0.0.16
    radius-server host 10.0.0.17 key "key"
    radius-server key "radiuskey"
    
    snmp-server community "CompanySNMP" operator
    snmp-server contact "Company" location "Office"
    aaa server-group radius "8021x" host 10.0.0.15
    aaa server-group radius "8021x" host 10.0.0.16
    aaa server-group radius "mgmt" host 10.0.0.17
    aaa authentication login privilege-mode
    aaa authentication console login peap-mschapv2 server-group "mgmt" local
    aaa authentication telnet login peap-mschapv2 server-group "mgmt" local
    aaa authentication web login peap-mschapv2 server-group "mgmt" local
    aaa authentication ssh login peap-mschapv2 server-group "mgmt" local
    aaa authentication port-access eap-radius server-group "8021x"
    aaa port-access authenticator active
    



  • 11.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 09:19 AM

    Config doesn't look too weird.



    ------------------------------
    Herman Robers
    ------------------------------



  • 12.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 09:18 AM

    I can't see any RADIUS traffic in those captures. I'm seeing Kerberos, LDAP, and in the second screenshot Syslog traffic. And that syslog traffic to a system 10.0.0.20 is the log messages, so it's not RADIUS traffic or related to RADIUS. That should look like:

    If you are unfamiliar with this type of deployment, it may be best to get some help from your Aruba partner or Aruba Support.



    ------------------------------
    Herman Robers
    ------------------------------



  • 13.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 24, 2023 09:38 AM
    Edited by t.antony Aug 24, 2023 09:39 AM

    Thanks, this is a new switch, does Aruba offer free support for that?

    I don't see RADIUS for the 10.0.0.8 switch either, and on that one I can login.  Maybe it's set up to use CLDAP and that's why I'm seeing that.




  • 14.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 25, 2023 06:17 AM

    I think if you didn't get support with the switch, you can contact Aruba support for hardware issues and bugs that don't require any troubleshooting; that is not the case here. You could work with the supplier where you purchased the switch.

    The captures look incomplete, and not taken on/from your Duo server. It's really hard if things don't work at all to assist further, as the problem can be in the Duo server as well, which may not even be capable or configured for RADIUS. And if the working switch does not even send RADIUS, and may be configured for LDAP, then it's a full new deployment. The video that I posted in my first response may help you as it shows how it works with ClearPass. If Duo does RADIUS, and you want to configure it the same, you should just translate what is configured in ClearPass to something you configure in Duo.



    ------------------------------
    Herman Robers
    ------------------------------



  • 15.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 25, 2023 08:14 AM

    Thanks, I have a case open with Aruba.




  • 16.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 25, 2023 03:36 PM

    Aruba support remoted in, and said everything looks correct.  I sent them my switch config file so they can test it in the lab.

    What puzzles me is why on the NPS logs I don't see IP of the new switch.  I should see the new switch IP even if I type in the wrong password.  I see the other switches there.  Could this be a certificate issue?  




  • 17.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 25, 2023 04:28 PM

    I'm doing a comparison between the two switches, and I noticed there's a difference in, for example, round trip time.

    This switch RADIUS works

    Status and Counters - RADIUS Server Information
    
    
      Server IP Addr : 10.0.0.17             TLS Enabled : No
    
      Authentication UDP Port : 1812         Accounting UDP Port  : 1813
      Round Trip Time         : 350          Round Trip Time      : 0
      Pending Requests        : 0            Pending Requests     : 0
      Retransmissions         : 24           Retransmissions      : 0
      Timeouts                : 24           Timeouts             : 0
      Malformed Responses     : 0            Malformed Responses  : 0
      Bad Authenticators      : 0            Bad Authenticators   : 0
      Unknown Types           : 0            Unknown Types        : 0
      Packets Dropped         : 0            Packets Dropped      : 0
      Access Requests         : 326          Accounting Requests  : 0
      Access Challenges       : 294          Accounting Responses : 0
      Access Accepts          : 29
      Access Rejects          : 3

    New switch RADIUS not working

    Status and Counters - RADIUS Server Information
    
    
      Server IP Addr : 10.0.0.17             TLS Enabled : No
    
      Authentication UDP Port : 1812         Accounting UDP Port  : 1813
      Round Trip Time         : 0            Round Trip Time      : 0
      Pending Requests        : 0            Pending Requests     : 0
      Retransmissions         : 9            Retransmissions      : 0
      Timeouts                : 12           Timeouts             : 0
      Malformed Responses     : 0            Malformed Responses  : 0
      Bad Authenticators      : 0            Bad Authenticators   : 0
      Unknown Types           : 0            Unknown Types        : 0
      Packets Dropped         : 0            Packets Dropped      : 0
      Access Requests         : 3            Accounting Requests  : 0
      Access Challenges       : 0            Accounting Responses : 0
      Access Accepts          : 0
      Access Rejects          : 0
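    The two counter blocks above already separate the cases: the working switch gets Access-Challenges and Accepts back, the new switch sends three Access-Requests and sees nothing but timeouts. The following is an added example, not code from the thread or from Aruba: a small Python parser for this "Status and Counters" output, fed the two blocks above as constructed strings, that classifies each switch's exchange with the server. The diagnose() function and its category names are my own; the silent-discard behaviour it relies on is standard RADIUS (RFC 2865: a server that has no shared secret for the requesting client discards the request without replying, which on the NAS side looks exactly like an unreachable server).

```python
import re

# Constructed sample: the authentication-side counters posted above for the
# working switch (10.0.0.8), copied into a string so the example runs offline.
WORKING = """\
  Server IP Addr : 10.0.0.17             TLS Enabled : No

  Authentication UDP Port : 1812         Accounting UDP Port  : 1813
  Round Trip Time         : 350          Round Trip Time      : 0
  Pending Requests        : 0            Pending Requests     : 0
  Retransmissions         : 24           Retransmissions      : 0
  Timeouts                : 24           Timeouts             : 0
  Malformed Responses     : 0            Malformed Responses  : 0
  Bad Authenticators      : 0            Bad Authenticators   : 0
  Unknown Types           : 0            Unknown Types        : 0
  Packets Dropped         : 0            Packets Dropped      : 0
  Access Requests         : 326          Accounting Requests  : 0
  Access Challenges       : 294          Accounting Responses : 0
  Access Accepts          : 29
  Access Rejects          : 3
"""

# Constructed sample: the same output posted above for the new switch (10.0.0.9).
BROKEN = """\
  Server IP Addr : 10.0.0.17             TLS Enabled : No

  Authentication UDP Port : 1812         Accounting UDP Port  : 1813
  Round Trip Time         : 0            Round Trip Time      : 0
  Pending Requests        : 0            Pending Requests     : 0
  Retransmissions         : 9            Retransmissions      : 0
  Timeouts                : 12           Timeouts             : 0
  Malformed Responses     : 0            Malformed Responses  : 0
  Bad Authenticators      : 0            Bad Authenticators   : 0
  Unknown Types           : 0            Unknown Types        : 0
  Packets Dropped         : 0            Packets Dropped      : 0
  Access Requests         : 3            Accounting Requests  : 0
  Access Challenges       : 0            Accounting Responses : 0
  Access Accepts          : 0
  Access Rejects          : 0
"""

# First "Label : value" pair on a line is the authentication (left) column.
LINE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)")


def parse_auth_counters(text):
    """Return the left-hand (authentication) column as {label: value}."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        counters[label] = int(value) if value.isdigit() else value
    return counters


def diagnose(c):
    """Classify what the counters say about the NAS <-> RADIUS server exchange.

    Categories (my own naming, hypothetical):
      no_requests  - the switch never sent anything; the login method is not
                     using this server (check 'aaa authentication ... login').
      no_response  - requests went out, every one timed out, nothing came back;
                     either UDP/1812 is blocked or the server silently discards
                     the NAS (not registered as a client, or secret mismatch).
      bad_secret   - replies arrived but failed the authenticator check.
      rejected     - the server answers and rejects: credentials or policy.
      responding   - the exchange works.
    """
    responses = (c.get("Access Challenges", 0) + c.get("Access Accepts", 0)
                 + c.get("Access Rejects", 0))
    if c.get("Access Requests", 0) == 0:
        return "no_requests"
    if responses == 0 and c.get("Timeouts", 0) > 0:
        return "no_response"
    if c.get("Bad Authenticators", 0) > 0:
        return "bad_secret"
    if c.get("Access Accepts", 0) == 0 and c.get("Access Rejects", 0) > 0:
        return "rejected"
    return "responding"


if __name__ == "__main__":
    for name, block in (("10.0.0.8", WORKING), ("10.0.0.9", BROKEN)):
        print(name, diagnose(parse_auth_counters(block)))
```

    Run it and the working switch classifies as responding while the new switch classifies as no_response: a NAS that can ping the server but never gets a RADIUS reply is the signature of a server that does not know the NAS (which is also why its IP never appears in the NPS logs). The ping result rules out only IP reachability, not UDP/1812 reachability or client registration.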
    



  • 18.  RE: Aruba 2930F first time setup - RADIUS

    Posted Aug 26, 2023 09:18 PM

    I got RADIUS login to work.  So I did everything correctly on the switch, NPS and Duo proxy server (or so I thought).

    There was a Duo proxy config file on the desktop, so I assumed it was a shortcut to the actual Duo proxy config file, but it wasn't.  So, when I added the IP of the new switch to the config file, it wasn't being updated in the actual config file location.

    Added new switch IP on the actual Duo config file, and this resolved the issue.  I also stopped and started the Duo service (not sure if I had to, but I did just in case).

    Hopefully someone can learn from my mistake.  I really appreciate everyone's help.
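    The root cause in the post above was a NAS that was never added as a RADIUS client in the file the Duo Authentication Proxy actually loads. The following is an added example, not the poster's file and not Duo's own tooling: a Python check that reads an authproxy.cfg-style file, lists which switch addresses each radius_server section accepts, flags radius_ip_N / radius_secret_N entries that lack their partner, and appends a new NAS under the next free index. The section and key names (ad_client, radius_server_auto, radius_ip_N, radius_secret_N) follow Duo's documented layout; the sample file, all secrets, and the hosts in it are constructed placeholders, and CIDR support for radius_ip_N is an assumption on my side.

```python
import configparser
import io
import ipaddress

# Constructed authproxy.cfg-style sample (placeholders only, not a real deployment).
SAMPLE_CFG = """\
[ad_client]
host=10.0.0.15
host_2=10.0.0.16
service_account_username=PLACEHOLDER_USER
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client
failmode=safe
port=1812
radius_ip_1=10.0.0.8
radius_secret_1=PLACEHOLDER_SECRET
radius_ip_2=10.0.0.2
radius_secret_2=PLACEHOLDER_SECRET
"""


def _load(cfg_text):
    # interpolation=None: secrets may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return cp


def radius_clients(cfg_text):
    """Map each radius_server* section to the client networks it accepts."""
    clients = {}
    cp = _load(cfg_text)
    for section in cp.sections():
        if not section.startswith("radius_server"):
            continue
        nets = []
        for key, value in cp.items(section):
            if key.startswith("radius_ip_"):
                # Single host or CIDR range (assumed); strict=False tolerates host bits
                nets.append(ipaddress.ip_network(value.strip(), strict=False))
        clients[section] = nets
    return clients


def nas_authorized(cfg_text, nas_ip):
    """Sections that would accept RADIUS requests from this NAS address."""
    ip = ipaddress.ip_address(nas_ip)
    return [s for s, nets in radius_clients(cfg_text).items()
            if any(ip in n for n in nets)]


def unpaired_entries(cfg_text):
    """radius_ip_N without radius_secret_N, or the reverse: half-configured NAS."""
    problems = []
    cp = _load(cfg_text)
    for section in cp.sections():
        if not section.startswith("radius_server"):
            continue
        keys = set(cp.options(section))
        for key in keys:
            if key.startswith("radius_ip_"):
                n = key[len("radius_ip_"):]
                if f"radius_secret_{n}" not in keys:
                    problems.append((section, key))
            elif key.startswith("radius_secret_"):
                n = key[len("radius_secret_"):]
                if f"radius_ip_{n}" not in keys:
                    problems.append((section, key))
    return sorted(problems)


def add_nas(cfg_text, section, nas_ip, secret):
    """Return the config text with the NAS appended under the next free index."""
    cp = _load(cfg_text)
    indices = [int(k[len("radius_ip_"):]) for k in cp.options(section)
               if k.startswith("radius_ip_") and k[len("radius_ip_"):].isdigit()]
    n = max(indices, default=0) + 1
    cp.set(section, f"radius_ip_{n}", nas_ip)
    cp.set(section, f"radius_secret_{n}", secret)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("10.0.0.8 accepted by:", nas_authorized(SAMPLE_CFG, "10.0.0.8"))
    print("10.0.0.9 accepted by:", nas_authorized(SAMPLE_CFG, "10.0.0.9"))
    print("unpaired:", unpaired_entries(SAMPLE_CFG))
```

    Point it at the file under the proxy's own conf directory rather than at a copy elsewhere, which is exactly the mismatch that cost the poster three days. nas_authorized() returning an empty list for the new switch while the working switch is listed reproduces the symptom from the thread (requests timing out, nothing reaching NPS). The proxy reads the file at service start, so the edit only takes effect after the Duo Authentication Proxy service is restarted, which matches the stop/start the poster did.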