Wired Intelligent Edge

  • 1.  Aruba 2930F RADIUS authentication

    Posted Aug 24, 2021 09:40 AM

    I'm trying to get my switches to do RADIUS authentication, but whatever I try on the NPS (Win Server 2019) doesn't work. I keep getting the following in the event viewer:

    Reason code 66

    The User attempts to use an authentication method that is not enabled on the matching network policy. 

    I have tried multiple guides that I found, but nothing seems to work.
    I have unencrypted authentication [PAP, SPAP] ticked in the constraints "authentication methods" section.

    Does anyone have any guides that definitely work, or any idea of why else I might be getting the above error?

    On the switch, the RADIUS servers are configured/added and enable/login are set to radius.

    Thanks


    #Switch_Router_Interconnect
    #Aruba


  • 2.  RE: Aruba 2930F RADIUS authentication

    Posted Aug 24, 2021 11:49 AM

    Hello @lee2021,

    It seems to be an issue with the policy.

    Please share the switch RADIUS config and the output of the commands below:

    show authentication
    show radius
    show version
    show log -r

    Also check the server-end policy settings?

    Thanks!



  • 3.  RE: Aruba 2930F RADIUS authentication

    Posted Aug 25, 2021 06:50 AM

    Hi akg7,

    Yes, I think it's something on the server as well, but I can't figure out why. I tried every which way as advised on several different guides, but I still get the same error in the event viewer. I can't find any standard guides just for Aruba, however, so maybe there is something I'm missing. Is there something I can follow to try again?

    Below are the results from the commands (I replaced the IPs and user names).

    ----------------------------------
    Status and Counters - Authentication Information

     Authorized enabled as backup for secondary login are preceded by *

      Login Attempts : 3
      Lockout Delay : 0
      Respect Privilege : Enabled
      Bypass Username For Operator and Manager Access : Disabled

                     | Login       Login        Login
      Access Task    | Primary     Server Group Secondary
      -------------- + ----------- ------------ ----------
      Console        | Local                    None
      Telnet         | Local                    None
      Port-Access    | EapRadius   radius       None
      Webui          | Local                    None
      SSH            | Radius      radius       Local
      Web-Auth       | ChapRadius  radius       None
      MAC-Auth       | ChapRadius  radius       None
      SNMP           | Local                    None
      Local-MAC-Auth | Local       radius       None
      REST           | Radius                   Local

                     | Enable      Enable       Enable
      Access Task    | Primary     Server Group Secondary
      -------------- + ----------- ------------ ----------
      Console        | Local                    None
      Telnet         | Local                    None
      Webui          | Local                    None
      SSH            | Radius      radius       Local
      REST           | Radius                   None
    ----------------
    Status and Counters - General RADIUS Information

     Dead RADIUS server are preceded by *

      Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0
      Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30
      Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30
      Global Encryption Key          :
      Dynamic Authorization UDP Port : 3799
      Source IP Selection            : Outgoing Interface
      Source IPv6 Selection          : Outgoing Interface
      Tracking                       : Disabled
      Request Packet Count           : 3
      Track Dead Servers Only        : Disabled
      Tracking Period (seconds)      : 300
      ClearPass Identity             :

                      Auth  Acct  DM/ Time   |
      Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM
      --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
      1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No
      1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                         No
      1.1.1.1      1812  1813  No  300    | xxxxxxx                                                                              No
      1.1.1.1    1812  1813  No  300    | xxxxxxx                                                                           No
    -----------
    Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
                    Jun  7 2021 21:35:47
                    WC.16.10.0015
                    516
    Boot Image:     Primary

    Boot ROM Version:    WC.16.01.0008
    Active Boot ROM:     Primary
    ------------
    W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User
                'luser' is trying to login from 1.1.1.1
    I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured
                with the same method.Command authorization will be performed for all
                SSH users.
    W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured
                with different methods. Command authorization may be skipped for
                some SSH users.
    W 08/24/21 13:07:11 04693 auth: Authentication and authorization are configured
                with different methods. Command authorization may be skipped for
                some SSH users.
    W 08/24/21 13:07:04 04693 auth: Authentication and authorization are configured
                with different methods. Command authorization may be skipped for
                some SSH users.
    W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from1.1.1.1
    W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from 11.1.1.1
    I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH  session from
               1.1.1.1
    W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted
    W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from 1.1.1.1
    W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from 1.1.1.1
    W 08/24/21 10:45:05 00419 auth: Invalid user name/password on SSH session User
                'user is trying to login from 1.1.1.1
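The `show log -r` output above is the switch's own record of what happened on each SSH attempt, and two event IDs in it carry the whole story: 00419 (Access-Reject turned into "Invalid user name/password") and 04693 (login authentication and command authorization using different methods, the warning the later fix addresses). The following parser is an added example written for this thread, not code from the original post or from Aruba; the log text it runs on is a constructed sample modelled on the lines posted above (placeholder addresses and names), including the two malformed forms that appear there (a missing space before the IP, a missing closing quote). It joins the indented continuation lines back onto their entry, counts failed SSH logins per user and source, and pulls out the 04693 warnings, which is the check an operator would want to script before touching the NPS side:

```python
import re
from collections import Counter

# Constructed sample modelled on the ArubaOS-Switch "show log -r" lines in the thread.
# Addresses and user names are placeholders, not values from the original post.
SAMPLE_LOG = """\
W 08/24/21 13:13:33 00419 auth: Invalid user name/password on SSH session User
            'luser' is trying to login from 192.0.2.10
I 08/24/21 13:08:11 04694 auth: Authentication and authorization are configured
            with the same method.Command authorization will be performed for all
            SSH users.
W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured
            with different methods. Command authorization may be skipped for
            some SSH users.
W 08/24/21 13:04:13 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from192.0.2.10
W 08/24/21 13:03:36 00419 auth: Invalid user name/password on SSH session User
            'user is trying to login from 192.0.2.10
I 08/24/21 12:49:40 03363 auth: User 'user' logged out of SSH  session from
           192.0.2.10
W 08/24/21 12:49:40 00641 ssh: read error Operation timed out, session aborted
W 08/24/21 10:59:33 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 192.0.2.10
W 08/24/21 10:45:46 00419 auth: Invalid user name/password on SSH session User
            'user' is trying to login from 192.0.2.10
"""

# severity letter, date/time, 5-digit event id, module, free-text message
ENTRY_RE = re.compile(r"^([A-Z]) (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) (\w+): (.*)$")
# tolerant of the missing-quote and missing-space variants seen in the posted log
FAILED_SSH_RE = re.compile(r"User '?([^']+?)'? is trying to login from\s*(\S+)")

EVENT_FAILED_LOGIN = "00419"
EVENT_AAA_METHOD_MISMATCH = "04693"


def parse_log(text):
    """Split the log into entries, folding wrapped continuation lines into their message."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ENTRY_RE.match(raw)
        if m:
            severity, ts, event, module, msg = m.groups()
            entries.append({"severity": severity, "time": ts, "event": event,
                            "module": module, "msg": msg.strip()})
        elif entries:
            # Indented line: continuation of the previous entry's message.
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def failed_ssh_logins(entries):
    """Count event 00419 (RADIUS reject or bad credentials) per (user, source) pair."""
    counts = Counter()
    for e in entries:
        if e["event"] == EVENT_FAILED_LOGIN:
            m = FAILED_SSH_RE.search(e["msg"])
            if m:
                counts[(m.group(1), m.group(2))] += 1
    return counts


def aaa_method_mismatch(entries):
    """Return the 04693 warnings: authentication and command authorization use different methods."""
    return [e for e in entries if e["event"] == EVENT_AAA_METHOD_MISMATCH]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for (user, src), n in failed_ssh_logins(parsed).most_common():
        print(f"{n:3d} failed SSH logins  user={user!r} from={src}")
    for e in aaa_method_mismatch(parsed):
        print(f"{e['time']} {e['event']}: {e['msg']}")
```

Because `show log -r` lists newest first, the entries come back in reverse chronological order; sort on the `time` field if you need them oldest first. The 00419 count is the figure to compare against the NPS event log on the server side: every reject the switch logs should have a matching NPS event (here, the Reason code 66 ones), and a switch-side reject with no server-side event points at the shared secret or reachability rather than the network policy.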


  • 4.  RE: Aruba 2930F RADIUS authentication

    Posted Aug 25, 2021 07:28 AM

    Hi akg7 (I already posted this, but it seems the site didn't post it), so here goes again.

    I think it's a server-side issue as well, more than switch-side. I followed this guide and similar others, but no luck:
    https://fixitdave.wordpress.com/2015/02/14/hp-procurve-with-radius-authentication-using-nps/
    and
    https://www.frenchnetworkengineer.fr/forum/aruba/aruba-switch-2930-2530-radius-authentication

    If there are any better guides to follow on this that would help, I'd be grateful, as I couldn't really find anything specific.

    Switch Results:
    ------------------------------
    Status and Counters - Authentication Information

     Authorized enabled as backup for secondary login are preceded by *

      Login Attempts : 3
      Lockout Delay : 0
      Respect Privilege : Enabled
      Bypass Username For Operator and Manager Access : Disabled

                     | Login       Login        Login
      Access Task    | Primary     Server Group Secondary
      -------------- + ----------- ------------ ----------
      Console        | Local                    None
      Telnet         | Local                    None
      Port-Access    | EapRadius   radius       None
      Webui          | Local                    None
      SSH            | Radius      radius       Local
      Web-Auth       | ChapRadius  radius       None
      MAC-Auth       | ChapRadius  radius       None
      SNMP           | Local                    None
      Local-MAC-Auth | Local       radius       None
      REST           | Radius                   Local

                     | Enable      Enable       Enable
      Access Task    | Primary     Server Group Secondary
      -------------- + ----------- ------------ ----------
      Console        | Local                    None
      Telnet         | Local                    None
      Webui          | Local                    None
      SSH            | Radius      radius       Local
      REST           | Radius                   None
    -----------------------
    show radius

     Status and Counters - General RADIUS Information

     Dead RADIUS server are preceded by *

      Deadtime (minutes)             : 0           TLS Dead Time (minutes)          : 0
      Timeout (seconds)              : 5           TLS Timeout (seconds)            : 30
      Retransmit Attempts            : 3           TLS Connection Timeout (seconds) : 30
      Global Encryption Key          :
      Dynamic Authorization UDP Port : 3799
      Source IP Selection            : Outgoing Interface
      Source IPv6 Selection          : Outgoing Interface
      Tracking                       : Disabled
      Request Packet Count           : 3
      Track Dead Servers Only        : Disabled
      Tracking Period (seconds)      : 300
      ClearPass Identity             :

                      Auth  Acct  DM/ Time   |
      Server IP Addr  Port  Port  CoA Window | Encryption Key                                                                            OOBM
      --------------- ----- ----- --- ------ + ----------------------------------------------------------------------------------------- ----
     1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                              No
     1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                        No
     1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                            No
     1.1.1.1      1812  1813  No  300    | xxxxxxxxx                                                                       No
    ---------------------------------------
    show version

    Image stamp:    /ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)
                    Jun  7 2021 21:35:47
                    WC.16.10.0015
                    516
    Boot Image:     Primary

    Boot ROM Version:    WC.16.01.0008
    Active Boot ROM:     Primary
    ----------------------------------------
    show log -r

    W 08/25/21 12:10:28 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from 1.1.1.1
    W 08/25/21 12:03:37 00419 auth: Invalid user name/password on SSH session User
                'user' is trying to login from 1.1.1.1



  • 5.  RE: Aruba 2930F RADIUS authentication

    Posted Aug 26, 2021 03:03 AM

    Hello @lee2021,

    Here, is the switch acting as the RADIUS server or the client?

    From the switch logs, it seems to be using different methods for authentication and authorization:

    W 08/24/21 13:07:51 04693 auth: Authentication and authorization are configured with different  methods. Command authorization may be skipped for some SSH users.

    Can you check this, and also confirm whether the Windows server and the switch are able to ping each other?

    I am sharing a link for the switch RADIUS configuration.

    You can verify from the switch whether it is configured correctly:

    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00042657en_us

    For the server, let me search and see if I find something.

    Thanks!



  • 6.  RE: Aruba 2930F RADIUS authentication

    Posted Aug 26, 2021 10:27 AM

    Hi, thanks for your reply.

    The switch would be the client. I can ping the RADIUS server, and we also have 802.1X set up for Wi-Fi and switch ports, which works fine with the RADIUS server.

    I set it up as just radius to connect:
    aaa authentication ssh login radius

    And set the server to accept PAP, but no luck.

    I will go through the link you sent as well to make sure all is set up correctly, but everything should be OK switch-wise.

    Thanks



  • 7.  RE: Aruba 2930F RADIUS authentication

    Posted Sep 06, 2021 05:21 AM

    So far no luck still. Is there any vendor-specific information to add on the NPS side?

    Guides we found for other types of switches have vendor-specific information added on the network policy.



  • 8.  RE: Aruba 2930F RADIUS authentication

    Posted Sep 08, 2021 03:48 AM

    Just to advise that I managed to resolve it.

    I think I was missing the following:

    aaa authentication login privilege-mode
    aaa authorization commands none

    And I had to set NAS Prompt instead of Administrative for the Operator role. It seems I didn't need to use any vendor code.
    Thanks again.
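The two halves of the fix above fit together at the protocol level: the switch sends a PAP Access-Request (which is why "Unencrypted authentication (PAP, SPAP)" has to be ticked on the NPS policy, and why Reason code 66 appears when it is not), and with `aaa authentication login privilege-mode` it reads the Service-Type attribute in the Access-Accept to choose the role, Administrative-User (6) for manager and NAS-Prompt (7) for operator. The following is an added example written for this thread, not code from the original post, from Aruba, or from Microsoft: a minimal RFC 2865 exchange with the switch side building the request (RFC 2865 §5.2 User-Password obfuscation), a constructed stand-in for the NPS side checking the password and returning the policy's Service-Type, and the switch side verifying the Response Authenticator before mapping Service-Type to a role. The user names, passwords, shared secret, NAS address and the fallback to operator when Service-Type is absent are all assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
# Service-Type values the switch inspects under "aaa authentication login privilege-mode"
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7

# Constructed stand-in for the NPS user store: name -> (password, Service-Type the policy returns)
USERS = {
    "netops": ("operator-pw-constructed", SERVICE_TYPE_NAS_PROMPT),      # Operator role
    "netadmin": ("manager-pw-constructed", SERVICE_TYPE_ADMINISTRATIVE),  # Manager role
}


def pap_encrypt(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(secret, req_auth, enc):
    """Inverse of pap_encrypt; the chaining value is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, data = [], pkt[20:length]
    while len(data) >= 2 and data[1] >= 2:
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return code, ident, pkt[4:20], attrs


def build_access_request(secret, ident, username, password, nas_ip):
    """Switch side: what 'aaa authentication ssh login radius' sends for an SSH login."""
    req_auth = os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_encrypt(secret, req_auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(secret, request, users=USERS):
    """Server side (NPS stand-in): check the PAP password, answer with the policy's Service-Type."""
    _, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    given = pap_decrypt(secret, req_auth, a.get(USER_PASSWORD, b""))
    entry = users.get(name)
    if entry and hmac.compare_digest(given, entry[0].encode()):
        code, resp_attrs = ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", entry[1]))]
    else:
        code, resp_attrs = ACCESS_REJECT, []
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in resp_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def switch_role_from_response(secret, req_auth, response):
    """Switch side: verify the reply was built with the shared secret, then map Service-Type to a role."""
    code, _, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None  # Access-Reject: the switch logs event 00419 "Invalid user name/password"
    st = dict(attrs).get(SERVICE_TYPE)
    st = struct.unpack("!I", st)[0] if st else None
    # Administrative-User -> manager, NAS-Prompt -> operator. Falling back to operator for
    # any other/absent value is an assumption of this example, not documented switch behaviour.
    return {SERVICE_TYPE_ADMINISTRATIVE: "manager", SERVICE_TYPE_NAS_PROMPT: "operator"}.get(st, "operator")


def ssh_login(username, password, switch_secret=b"shared-secret", server_secret=b"shared-secret"):
    """One Access-Request / reply exchange; returns the role the switch would grant, or None on reject."""
    request, req_auth = build_access_request(switch_secret, 7, username, password, "192.0.2.1")
    response = server_handle(server_secret, request)
    return switch_role_from_response(switch_secret, req_auth, response)


if __name__ == "__main__":
    print(ssh_login("netops", "operator-pw-constructed"))    # operator
    print(ssh_login("netadmin", "manager-pw-constructed"))   # manager
    print(ssh_login("netadmin", "wrong"))                    # None (Access-Reject)
```

Two things in the exchange are worth keeping in mind when reading the thread's symptoms. A mismatched shared secret does not produce a clean error: the server decrypts the PAP password to garbage and rejects, and the switch then fails the Response Authenticator check, so both sides log a generic failure. And the role decision is entirely the server's: if the NPS policy returns Administrative-User for an account that should be an operator, `privilege-mode` will hand that account manager access, which is the access-control reason the final fix pairs NAS-Prompt with the Operator policy rather than only the reason it made login work.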